installing ssl cert for apache2

Moriah · Posted: Sat Oct 12, 2024 7:57 pm Post subject: installing ssl cert for apache2

I only do this infrequently, so I forget how from year to year.

I have a set of SSL certificate files from netsol:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3469

Root CA belongs in the visitor's browser's trust store, so there's nothing for you to do with this one.
Apache likes having chain in a separate file, but you can just concatenate domain's cert with intermediaries and deploy the resulting bundle as server.crt I'm not quite sure what is apache's preferred order, but bottom-up works well on my haproxy (starting with the leaf, followed by intermediary; you have 2 intermediaries, so the lower rank which signed your domain would most likely go second, and the higher rank which signed the other intermediary goes third)

You can inspect cert files as well as the old bundle by pasting it section by section into command:
openssl x509 -noout -text
_________________
Make Computing Fun Again

Moriah · Posted: Mon Oct 14, 2024 2:34 pm Post subject:

I used the technique above to view the currently installed expired cert, and also the new cert. The old cert used a 256 bit encryption, while the new cert used a 3** bit encryption. I installed the new cert and attempted to restart apache, but it would not start with the new cert. So I replaced the old cert and apache started up fine.

I am running an rather old version of apache, which is embarrassing, but I do not want to update the apache server until I move the equipment from our old location to our new location, which I hope will be within a month or so. I will have to take all the machines offline to do the move, and I plan to perform full updates, kernel included, to all of them as long as they are offline anyway.

I suspect the reason the new cert would not work is because the old version of apache I am running does not support the stronger encryption used in the new cert.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

Moriah · Posted: Tue Oct 22, 2024 2:10 pm Post subject:

I am running apache 2.2.31 and the current version is apache 2.4.62

The old cert uses 256 bit SHA for the signature, whereas the new cert uses 384 bit SHA for the signature.

Both certs use a 2048 bit key for the diffie-helman public key.

Why would the server not work with the new cert?

Do I need a new private key? I thought that the private key was submitted as part of the CSR...
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

sMueggli · Guru Joined: 03 Sep 2022 Posts: 503

Yes, you need the private key. Otherwise the webserver would not be able to decrypt incoming messages encrypted with the public key of the webserver.

And without the private key the webserver is not able to sign outgoing messages.

If you have the public and private key pair in place and it still fails then please check the logs. One reason for failing is that the private key is password protected.

szatox · Advocate Joined: 27 Aug 2013 Posts: 3469

Hash algorithm doesn't matter as long as it's supported and allowed.
Private key is not a part of CSR, that would have defeated the purpose of issuing a CSR in the first place; it is used to _sign_ a CSR, and the privkey file contains the public key as well, which is a part of CSR and the final certificate, but I think signing the CSR with it's related privkey is more of a policy thing than a technical thing. I don't think the privkey is actually used anywhere in the cert signing process, so signing a CSR only prevents you from mistakenly ordering a certificate you can't use.

This said, depending on the way you generated the new csr your key may or may not have changed. You should have saved the privkey you used to sign your CSR somewhere, as it is complementary to the final certificate.
_________________
Make Computing Fun Again

saturnalia0 · Apprentice Joined: 13 Oct 2016 Posts: 159

Did you concatenate the .crt files (PEM I assume) as szatox suggested? That would be `cat ELILABS.COM.crt SSL_BASIC_IntermediateCA_*.crt >server.crt`. What error did Apache give?

Moriah · Posted: Wed Oct 30, 2024 2:49 pm Post subject:

Yes, and that resulted in not being able to start the web server also. :evil:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3469

Is your system up to date already?
Is there nothing in error log?
Have you tried testing the config for errors? apache2 -t

Finally, running things under strace might give some answers even in hopeless cases.
_________________
Make Computing Fun Again

Hu · Administrator Joined: 06 Mar 2007 Posts: 22769

Moriah stated earlier that the installed apache is very out of date. I don't see any subsequent posts saying that he updated apache, so I suspect it is still out of date. Moriah: what is the output of emerge --info www-servers/apache?

Moriah: saturnalia0 asked for the error from apache. You provided the output from the init.d script that tells us apache failed, but that isn't the apache error itself. Per szatox's suggestion, please check and share the apache error log, which may (or may not, depending on configuration) be found at /var/log/apache2/error_log.

szatox · Advocate Joined: 27 Aug 2013 Posts: 3469

I just stumbled over a possibly related issue.
Not sure which update exactly changed the requirements, but I had to regenerate dhparams, since the old one is no longer considered secure enough.
_________________
Make Computing Fun Again

Moriah · Posted: Sun Nov 10, 2024 4:50 pm Post subject:

Interesting!

I will give that a look into. I feel fairly certain that this all has something to do with the fact thet the old cert had a shorter key (in bits) than the new one.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.