Troubles with Thawte EV SSL Cert

Discussion in 'ISPConfig 3 Priority Support' started by DantePasquale, Feb 8, 2015.

  1. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Hi All,
    I'm pretty sure what has caused the issue, but is it fixable? Here's what happened. Since the previous cert, we've re-installed and upgraded the webserver. During that process everything regarding SSL for the website was fine. EV from Thawte worked fine too.

    But, when I went to renew the cert, that's when we had problems.

    Original CSR was not quite right as the values of Domain, Organization and Organization unit were not matching what Thawte had. After decoding the CSR, what was different was the value for Organization: it was using the company's initials (from decoding the CSR) but the SSL Cert and Bundle had the name spelled out. For example, Organization in ISPConfig was ABC but Thawte had America Broadcast Company.

    So I changed the value in ISPConfig to be the proper name, cleared out the CERT and BUNDLE fields and asked for a new CERT. Clicked Save and retrieved the new CSR. I also changed the DOMAIN from abc.com to www.abc.com per instructions from Thawte. The new CSR was fine with Thawte as now everything matched.

    So I then installed the Thawte .crt and bundle (they call Intermediate), and Apache won't start - it was a key mismatch.

    In the /var/www/client/client1/web2/ssl directory both the old and new files regarding the DOMAIN are there. In other words, both abc.com.key and www.abc.com.key are there.

    I think I should have deleted the old SSL cert from ISPConfig CP, but I didn't.

    I don't know which key file was used to generate the CSR, but I'm thinking it was abc.com.key NOT www.abc.com.key.

    I can revoke the cert and request a new one, but if I don't get things stable, there's no point in doing this.
    -Thanks
    -PS I have the website up and running on the self-signed cert generated by ISPConfig and it works fine, but the customer is not happy, to say the least :)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which exact ISPConfig version do you use?
     
  3. DantePasquale

    DantePasquale Member HowtoForge Supporter

    We are running a bit down revision since all changes have been frozen from Dec 1 until Feb 1 :( I should be OK to upgrade it this evening.
    Currently running 3.0.5.4p4
    I have screenshots of the ssl dir that I can send to you, if that would help. It's a bit difficult to get to the server: VPN into the customer's network, log in to ILO for the server, then can only get files off via an ssh jump box.
     
  4. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Here is an ls -l of the ssl directory -- currently running with self-signed certificate
     

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You can test it like this:

    https://kb.wisc.edu/middleware/page.php?id=4064

    If you found the correct matching key, then rename the file so that it matches with the new cert.
     
  6. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Will I need to update the fields in DBISPCONFIG database for the site (ssl columns)?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You should update them as well, but this can be done in ISPConfig. Just paste the content into the fields, select no action and press save.
     
  8. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Thanks for the link to that site -- very useful information -- and I couldn't find the correct key for the cert :( So, I've requested an updated crt from Thawte with the CSR that matches the right key :) Thanks
     
  9. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Ok, I'm really, really baffled. This time, I made sure that the .key, .csr, and the self-signed .crt all matched:
    Code:
    openssl x509 -noout -modulus -in ./www.sfpi.com.crt-self-signed | openssl md5
    (stdin)= 1b770cb12d8bccfe9189d95871161989
    openssl req -noout -modulus -in ./www.sfpi.com.csr | openssl md5
    (stdin)= 1b770cb12d8bccfe9189d95871161989
    openssl rsa -noout -modulus -in ./www.sfpi.com.key | openssl md5
    (stdin)= 1b770cb12d8bccfe9189d95871161989
    So, I asked thawte for a replacement using the above .csr file. When I check that I get:

    Code:
    openssl x509 -noout -modulus -in ./ssl_certificate.crt | openssl md5
    (stdin)= 8c7cce551cbda54babbcddb70b17d94e
    I thought I'd give that a try anyway -- copied the above ssl_certificate to www.sfpi.com.crt and copied IntermediateCA.crt to www.sfpi.com.bundle and restarted Apache2, which fails:

    Code:
    [Wed Feb 11 13:56:06.210770 2015] [ssl:warn] [pid 14205] AH01909: RSA certificate configured for sfpi.com:443 does NOT include an ID which matches the server name
    [Wed Feb 11 13:56:06.210804 2015] [ssl:emerg] [pid 14205] AH02238: Unable to configure RSA server private key
    [Wed Feb 11 13:56:06.210821 2015] [ssl:emerg] [pid 14205] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Wed Feb 11 13:56:38.412198 2015] [ssl:warn] [pid 14258] AH01909: RSA certificate configured for sfpi.com:443 does NOT include an ID which matches the server name
    [Wed Feb 11 13:56:38.412230 2015] [ssl:emerg] [pid 14258] AH02238: Unable to configure RSA server private key
    [Wed Feb 11 13:56:38.412248 2015] [ssl:emerg] [pid 14258] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    Which is what I thought would happen. Any ideas on what's going on here?
     
  10. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Thawte thinks it's related to their CSR Checker saying that the CSR needs a passphrase. They had me manually generate w/o -des3 flag. I'll update this thread when I get new ssl cert.
     
  11. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Manually generating the CSR without the -des3 flag fixed the problem. I don't know why the Thawte CSR checker says that the CSR generated by ISPConfig required a passphrase. Should I open a bug ticket on this with ISPConfig?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, please make a bug report. But I guess they should fix their CSR checker, as triple DES is a valid cipher and supported by all other SSL authorities.
     
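    The modulus comparison that till linked in post 5 and DantePasquale ran by hand in post 9, together with the passphrase question from posts 10 and 11, as one added shell example. This is not code from the thread, from Thawte or from ISPConfig. It builds its own constructed sample material (www.example.com.key/.csr/.crt, a stale example.com.key that does not match, and a -des3 encrypted key with the passphrase "demo"); the file names and the example.com domain are assumptions, chosen to mirror the abc.com / www.abc.com pair from post 1. The stripped-passphrase step is what a CSR checker that rejects passphrase-protected keys expects; it is not something the thread says ISPConfig does.

    ```shell
    #!/bin/sh
    # Match a private key against a CSR or certificate by comparing RSA moduli,
    # locate the right key in a web's ssl directory, and detect/strip a key passphrase.
    # All sample files are generated locally by make_fixtures (constructed, not real).

    # modulus_fp <key|csr|crt> <file>: fingerprint of the RSA modulus in the file.
    # The hash is only for compact comparison; "awk '{print $NF}'" keeps the hex
    # digest on both OpenSSL 1.x ("(stdin)= ...") and 3.x ("SHA2-256(stdin)= ...").
    modulus_fp() {
      case "$1" in
        key) mod=$(openssl rsa  -noout -modulus -in "$2") ;;
        csr) mod=$(openssl req  -noout -modulus -in "$2") ;;
        crt) mod=$(openssl x509 -noout -modulus -in "$2") ;;
        *) echo "modulus_fp: unknown kind '$1' (use key, csr or crt)" >&2; return 2 ;;
      esac
      [ -n "$mod" ] || return 1
      printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
    }

    # key_matches <key> <csr|crt> <file>: exit 0 when key and file share a modulus.
    # A mismatch here is exactly what Apache reports as X509_check_private_key failure.
    key_matches() {
      a=$(modulus_fp key "$1") || return 1
      b=$(modulus_fp "$2" "$3") || return 1
      [ "$a" = "$b" ]
    }

    # key_is_encrypted <key>: exit 0 when the PEM carries a passphrase, either the
    # legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
    key_is_encrypted() {
      grep -q 'ENCRYPTED' "$1"
    }

    # strip_passphrase <in> <out> <passphrase>: write an unencrypted copy of the key.
    # Passing the passphrase as an argument is for this demo only; interactively,
    # drop -passin and let openssl prompt. The copy is made owner-readable only.
    strip_passphrase() {
      openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null || return 1
      chmod 600 "$2"
    }

    # find_key_for_cert <crt> <dir>: print the first *.key in dir whose modulus
    # matches the certificate, e.g. when both abc.com.key and www.abc.com.key sit
    # side by side in a web's ssl directory. Encrypted keys are skipped because their
    # modulus cannot be read without the passphrase.
    find_key_for_cert() {
      want=$(modulus_fp crt "$1") || return 1
      for k in "$2"/*.key; do
        [ -f "$k" ] || continue
        key_is_encrypted "$k" && continue
        [ "$(modulus_fp key "$k" 2>/dev/null)" = "$want" ] && { printf '%s\n' "$k"; return 0; }
      done
      return 1
    }

    # make_fixtures <dir>: constructed sample material for the demo and self-test.
    make_fixtures() {
      d=$1
      subj="/CN=www.example.com/O=Example Corp"
      openssl genrsa -out "$d/www.example.com.key" 2048 2>/dev/null
      openssl req -new -key "$d/www.example.com.key" -subj "$subj" \
          -out "$d/www.example.com.csr" 2>/dev/null
      openssl req -x509 -new -key "$d/www.example.com.key" -subj "$subj" -days 1 \
          -out "$d/www.example.com.crt" 2>/dev/null
      openssl genrsa -out "$d/example.com.key" 2048 2>/dev/null        # stale, non-matching key
      openssl genrsa -des3 -passout pass:demo -out "$d/encrypted.key" 2048 2>/dev/null
    }

    # demo: walk through the checks on the constructed files, then clean up.
    demo() {
      d=$(mktemp -d)
      make_fixtures "$d"
      for f in www.example.com.key www.example.com.csr www.example.com.crt example.com.key; do
        case $f in *.key) k=key ;; *.csr) k=csr ;; *.crt) k=crt ;; esac
        printf '%-22s %s\n' "$f" "$(modulus_fp "$k" "$d/$f")"
      done
      printf 'key matching www.example.com.crt: %s\n' "$(find_key_for_cert "$d/www.example.com.crt" "$d")"
      key_is_encrypted "$d/encrypted.key" && echo "encrypted.key carries a passphrase (would trip a strict CSR checker)"
      rm -rf "$d"
    }

    if [ "${1:-}" = demo ]; then demo; fi
    ```

    Run `sh certcheck.sh demo` for the walk-through, or source the file and call `find_key_for_cert /path/to/www.abc.com.crt /var/www/client/client1/web2/ssl` to pick the right key out of a directory that holds both the old and the new one. Note that of the Apache lines in post 9, only AH02238 with X509_check_private_key is fatal and is what the modulus comparison diagnoses; the AH01909 lines are a separate warning that the certificate's name (www.sfpi.com) does not match the vhost's ServerName (sfpi.com).
    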