Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
installing ssl cert for apache2
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky

PostPosted: Sat Oct 12, 2024 7:57 pm    Post subject: installing ssl cert for apache2 Reply with quote

I only do this infrequently, so I forget how from year to year.

I have a set of SSL certificate files from netsol:
Code:

  -rw-r--r--  1 rj users 2487 Oct 12 14:39 ELILABS.COM.crt
  -rw-r--r--  1 rj users 1516 Oct 12 14:39 SSL_BASIC_CertificateAuthorityRoot.crt
  -rw-r--r--  1 rj users 1967 Oct 12 14:39 SSL_BASIC_IntermediateCA_2.crt
  -rw-r--r--  1 rj users 2272 Oct 12 14:39 SSL_BASIC_IntermediateCA_3.crt


I have the following files on my server:
Code:

  /ssh:root@eli:/etc/apache2/ssl:
  drwxr-xr-x 2 root root   52 Jul 24  2023 .
  drwxr-xr-x 6 root root  152 Sep 26  2020 ..
  -rw-r--r-- 1 root root    0 Aug  9  2006 .keep
  -r-------- 1 root root 2414 Jul 24  2023 server.crt
  -rw------- 1 root root 1704 Jul 16  2023 server.key


which files go where?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3468

PostPosted: Sat Oct 12, 2024 8:18 pm    Post subject: Reply with quote

Root CA belongs in the visitor's browser's trust store, so there's nothing for you to do with this one.
Apache likes having chain in a separate file, but you can just concatenate domain's cert with intermediaries and deploy the resulting bundle as server.crt I'm not quite sure what is apache's preferred order, but bottom-up works well on my haproxy (starting with the leaf, followed by intermediary; you have 2 intermediaries, so the lower rank which signed your domain would most likely go second, and the higher rank which signed the other intermediary goes third)

You can inspect cert files as well as the old bundle by pasting it section by section into command:
openssl x509 -noout -text
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky

PostPosted: Mon Oct 14, 2024 2:34 pm    Post subject: Reply with quote

I used the technique above to view the currently installed expired cert, and also the new cert. The old cert used a 256 bit encryption, while the new cert used a 3** bit encryption. I installed the new cert and attempted to restart apache, but it would not start with the new cert. So I replaced the old cert and apache started up fine.

I am running an rather old version of apache, which is embarrassing, but I do not want to update the apache server until I move the equipment from our old location to our new location, which I hope will be within a month or so. I will have to take all the machines offline to do the move, and I plan to perform full updates, kernel included, to all of them as long as they are offline anyway.

I suspect the reason the new cert would not work is because the old version of apache I am running does not support the stronger encryption used in the new cert.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky

PostPosted: Tue Oct 22, 2024 2:10 pm    Post subject: Reply with quote

I am running apache 2.2.31 and the current version is apache 2.4.62

The old cert uses 256 bit SHA for the signature, whereas the new cert uses 384 bit SHA for the signature.

Both certs use a 2048 bit key for the diffie-helman public key.

Why would the server not work with the new cert?

Do I need a new private key? I thought that the private key was submitted as part of the CSR...
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
sMueggli
Guru
Guru


Joined: 03 Sep 2022
Posts: 501

PostPosted: Tue Oct 22, 2024 2:35 pm    Post subject: Reply with quote

Yes, you need the private key. Otherwise the webserver would not be able to decrypt incoming messages encrypted with the public key of the webserver.

And without the private key the webserver is not able to sign outgoing messages.

If you have the public and private key pair in place and it still fails then please check the logs. One reason for failing is that the private key is password protected.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3468

PostPosted: Tue Oct 22, 2024 2:51 pm    Post subject: Reply with quote

Hash algorithm doesn't matter as long as it's supported and allowed.
Private key is not a part of CSR, that would have defeated the purpose of issuing a CSR in the first place; it is used to _sign_ a CSR, and the privkey file contains the public key as well, which is a part of CSR and the final certificate, but I think signing the CSR with it's related privkey is more of a policy thing than a technical thing. I don't think the privkey is actually used anywhere in the cert signing process, so signing a CSR only prevents you from mistakenly ordering a certificate you can't use.

This said, depending on the way you generated the new csr your key may or may not have changed. You should have saved the privkey you used to sign your CSR somewhere, as it is complementary to the final certificate.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
saturnalia0
Apprentice
Apprentice


Joined: 13 Oct 2016
Posts: 159

PostPosted: Wed Oct 23, 2024 8:53 pm    Post subject: Reply with quote

Did you concatenate the .crt files (PEM I assume) as szatox suggested? That would be `cat ELILABS.COM.crt SSL_BASIC_IntermediateCA_*.crt >server.crt`. What error did Apache give?
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky

PostPosted: Wed Oct 30, 2024 2:49 pm    Post subject: Reply with quote

Yes, and that resulted in not being able to start the web server also. :evil:
Code:

Oct 30 10:45:35 eli /etc/init.d/apache2[7830]: start-stop-daemon: failed to start `/usr/sbin/apache2'
Oct 30 10:45:50 eli /etc/init.d/apache2[7809]: ERROR: apache2 failed to start

_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3468

PostPosted: Wed Oct 30, 2024 4:27 pm    Post subject: Reply with quote

Is your system up to date already?
Is there nothing in error log?
Have you tried testing the config for errors? apache2 -t

Finally, running things under strace might give some answers even in hopeless cases.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22768

PostPosted: Wed Oct 30, 2024 5:57 pm    Post subject: Reply with quote

Moriah stated earlier that the installed apache is very out of date. I don't see any subsequent posts saying that he updated apache, so I suspect it is still out of date. Moriah: what is the output of emerge --info www-servers/apache?

Moriah: saturnalia0 asked for the error from apache. You provided the output from the init.d script that tells us apache failed, but that isn't the apache error itself. Per szatox's suggestion, please check and share the apache error log, which may (or may not, depending on configuration) be found at /var/log/apache2/error_log.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3468

PostPosted: Sun Nov 10, 2024 10:57 am    Post subject: Reply with quote

I just stumbled over a possibly related issue.
Not sure which update exactly changed the requirements, but I had to regenerate dhparams, since the old one is no longer considered secure enough.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky

PostPosted: Sun Nov 10, 2024 4:50 pm    Post subject: Reply with quote

Interesting! 8O

I will give that a look into. I feel fairly certain that this all has something to do with the fact thet the old cert had a shorter key (in bits) than the new one.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum