View previous topic :: View next topic |
Author |
Message |
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Sat Oct 12, 2024 7:57 pm Post subject: installing ssl cert for apache2 |
|
|
I only do this infrequently, so I forget how from year to year.
I have a set of SSL certificate files from netsol:
Code: |
-rw-r--r-- 1 rj users 2487 Oct 12 14:39 ELILABS.COM.crt
-rw-r--r-- 1 rj users 1516 Oct 12 14:39 SSL_BASIC_CertificateAuthorityRoot.crt
-rw-r--r-- 1 rj users 1967 Oct 12 14:39 SSL_BASIC_IntermediateCA_2.crt
-rw-r--r-- 1 rj users 2272 Oct 12 14:39 SSL_BASIC_IntermediateCA_3.crt
|
I have the following files on my server:
Code: |
/ssh:root@eli:/etc/apache2/ssl:
drwxr-xr-x 2 root root 52 Jul 24 2023 .
drwxr-xr-x 6 root root 152 Sep 26 2020 ..
-rw-r--r-- 1 root root 0 Aug 9 2006 .keep
-r-------- 1 root root 2414 Jul 24 2023 server.crt
-rw------- 1 root root 1704 Jul 16 2023 server.key
|
which files go where? _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3403
|
Posted: Sat Oct 12, 2024 8:18 pm Post subject: |
|
|
Root CA belongs in the visitor's browser's trust store, so there's nothing for you to do with this one.
Apache likes having chain in a separate file, but you can just concatenate domain's cert with intermediaries and deploy the resulting bundle as server.crt I'm not quite sure what is apache's preferred order, but bottom-up works well on my haproxy (starting with the leaf, followed by intermediary; you have 2 intermediaries, so the lower rank which signed your domain would most likely go second, and the higher rank which signed the other intermediary goes third)
You can inspect cert files as well as the old bundle by pasting it section by section into command:
openssl x509 -noout -text _________________ Make Computing Fun Again |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Mon Oct 14, 2024 2:34 pm Post subject: |
|
|
I used the technique above to view the currently installed expired cert, and also the new cert. The old cert used a 256 bit encryption, while the new cert used a 3** bit encryption. I installed the new cert and attempted to restart apache, but it would not start with the new cert. So I replaced the old cert and apache started up fine.
I am running an rather old version of apache, which is embarrassing, but I do not want to update the apache server until I move the equipment from our old location to our new location, which I hope will be within a month or so. I will have to take all the machines offline to do the move, and I plan to perform full updates, kernel included, to all of them as long as they are offline anyway.
I suspect the reason the new cert would not work is because the old version of apache I am running does not support the stronger encryption used in the new cert. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Tue Oct 22, 2024 2:10 pm Post subject: |
|
|
I am running apache 2.2.31 and the current version is apache 2.4.62
The old cert uses 256 bit SHA for the signature, whereas the new cert uses 384 bit SHA for the signature.
Both certs use a 2048 bit key for the diffie-helman public key.
Why would the server not work with the new cert?
Do I need a new private key? I thought that the private key was submitted as part of the CSR... _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 478
|
Posted: Tue Oct 22, 2024 2:35 pm Post subject: |
|
|
Yes, you need the private key. Otherwise the webserver would not be able to decrypt incoming messages encrypted with the public key of the webserver.
And without the private key the webserver is not able to sign outgoing messages.
If you have the public and private key pair in place and it still fails then please check the logs. One reason for failing is that the private key is password protected. |
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3403
|
Posted: Tue Oct 22, 2024 2:51 pm Post subject: |
|
|
Hash algorithm doesn't matter as long as it's supported and allowed.
Private key is not a part of CSR, that would have defeated the purpose of issuing a CSR in the first place; it is used to _sign_ a CSR, and the privkey file contains the public key as well, which is a part of CSR and the final certificate, but I think signing the CSR with it's related privkey is more of a policy thing than a technical thing. I don't think the privkey is actually used anywhere in the cert signing process, so signing a CSR only prevents you from mistakenly ordering a certificate you can't use.
This said, depending on the way you generated the new csr your key may or may not have changed. You should have saved the privkey you used to sign your CSR somewhere, as it is complementary to the final certificate. _________________ Make Computing Fun Again |
|
Back to top |
|
|
saturnalia0 Apprentice
Joined: 13 Oct 2016 Posts: 158
|
Posted: Wed Oct 23, 2024 8:53 pm Post subject: |
|
|
Did you concatenate the .crt files (PEM I assume) as szatox suggested? That would be `cat ELILABS.COM.crt SSL_BASIC_IntermediateCA_*.crt >server.crt`. What error did Apache give? |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Wed Oct 30, 2024 2:49 pm Post subject: |
|
|
Yes, and that resulted in not being able to start the web server also.
Code: |
Oct 30 10:45:35 eli /etc/init.d/apache2[7830]: start-stop-daemon: failed to start `/usr/sbin/apache2'
Oct 30 10:45:50 eli /etc/init.d/apache2[7809]: ERROR: apache2 failed to start
|
_________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3403
|
Posted: Wed Oct 30, 2024 4:27 pm Post subject: |
|
|
Is your system up to date already?
Is there nothing in error log?
Have you tried testing the config for errors? apache2 -t
Finally, running things under strace might give some answers even in hopeless cases. _________________ Make Computing Fun Again |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22578
|
Posted: Wed Oct 30, 2024 5:57 pm Post subject: |
|
|
Moriah stated earlier that the installed apache is very out of date. I don't see any subsequent posts saying that he updated apache, so I suspect it is still out of date. Moriah: what is the output of emerge --info www-servers/apache?
Moriah: saturnalia0 asked for the error from apache. You provided the output from the init.d script that tells us apache failed, but that isn't the apache error itself. Per szatox's suggestion, please check and share the apache error log, which may (or may not, depending on configuration) be found at /var/log/apache2/error_log. |
|
Back to top |
|
|
|