Apache server won't start when configured to use an issued certificate
Hello --
We are running Apache 2.2.10 on a Fedora 10 64-bit virtual box. The server currently uses a self-signed certificate and key combination for secure access to the website. I received a request to implement a certificate from a public authority as a replacement.
I went through the motions of generating a new key along with a CSR that was submitted via email to the authority. A return email was sent listing the URL where I could download the .cer file. This file was downloaded directly to the server. The file in question is an X509 Base64-encoded file with four (4) certificate sections. After that the file was renamed with the .crt extension and copied into the ssl.crt directory. A similar action was done for the .key file in the ssl.key folder. The ssl.conf file was modified to reference the new files.
The /etc/init.d/httpd restart command was run, but the Apache server failed to start. The only way to get the server to start was to have it revert back to the private crt and key files.
I checked the log files: ssl_access, ssl_request, access, and error for entries that would indicate the problem, but there weren't any. The only thing that is apparent is the server will not run with the issued certificate.
Does anyone have an idea as to why this is occurring, and what steps need to be done to correct it? Thanks.
I had better list the steps that I had taken to determine what I, probably, did wrong:
1. I received an email indicating that enrollment was successful, and the SSL certificate had been issued for the host. The email listed several links to download the certificate in various formats. The formats listed were the following:
X509, Base64 encoded
PKCS#7, Base64 encoded
PKCS#7 Bin Encoded
X509 Certificate only, Base64 encoded
X509 Intermediates/root only Base64 encoded
X509 Intermediates/root only Reverse, Base64 encoded
Each version of the certificate was saved in a different folder.
2. I copied the X509, Base64 encoded file to the appropriate folder, and changed the .cer suffix to the .crt ending. As mentioned previously, the .key file retained its suffix, and it was copied to its directory.
Did I copy the wrong version of the file, or should I have deployed the file and key differently?
I think most likely your crt file contains multiple certs and you did not separate out the web cert before running openssl. Apache configuration expects the CA cert and web cert to be in different files.
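An added example of the separation this reply describes (it is not code from the thread or from the poster): split a CA-delivered PEM bundle into one file per certificate, pick out the one whose public key belongs to the private key generated with the CSR as the server certificate, concatenate the rest into the chain file, and verify that the chain actually issues the leaf before touching Apache. The file names (bundle.pem, server.key, the output directory) are assumptions for the example.

```sh
#!/bin/sh
# Added example for this thread, not code from the original post.
# Splits a CA-delivered PEM bundle into the pieces mod_ssl wants in separate
# files: the server (leaf) certificate for SSLCertificateFile and the
# intermediates/root for SSLCertificateChainFile. The file names used here
# (bundle.pem, server.key, output directory) are assumptions for the example.
set -eu

# split_pem BUNDLE OUTDIR
# Write every "BEGIN CERTIFICATE ... END CERTIFICATE" block in BUNDLE to
# OUTDIR/cert-N.pem (in bundle order) and print the number of blocks found.
split_pem() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# cert_matches_key CERT KEY
# Succeed when the public key inside CERT is the one derived from KEY.
# Comparing the re-encoded public keys works for RSA and EC alike
# (needs OpenSSL 1.0.0+; on 0.9.8 compare "openssl x509 -modulus" with
# "openssl rsa -modulus" instead).
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# assemble KEY PARTSDIR LEAF_OUT CHAIN_OUT
# Copy the one certificate that matches KEY to LEAF_OUT and concatenate all
# the others, in bundle order, into CHAIN_OUT. Fails unless exactly one
# certificate matches the key (zero: wrong key or wrong download; two or
# more: the bundle is not what it claims to be).
assemble() {
    key=$1; parts=$2; leaf=$3; chain=$4
    found=0
    : > "$chain"
    for c in "$parts"/cert-*.pem; do
        if cert_matches_key "$c" "$key"; then
            cp "$c" "$leaf"
            found=$((found + 1))
        else
            cat "$c" >> "$chain"
        fi
    done
    [ "$found" -eq 1 ]
}

# verify_chain LEAF CHAIN
# Sanity-check that CHAIN really issues LEAF before pointing Apache at the
# files. Everything in CHAIN is treated as a trust anchor here, which is fine
# for a CA bundle that includes the root; for an intermediates-only chain use
# "openssl verify -untrusted CHAIN -CAfile ROOT LEAF" instead.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# main BUNDLE KEY OUTDIR: writes OUTDIR/server.crt and OUTDIR/server.ca-bundle
main() {
    bundle=$1; key=$2; outdir=$3
    count=$(split_pem "$bundle" "$outdir/parts")
    echo "found $count certificate(s) in $bundle"
    assemble "$key" "$outdir/parts" "$outdir/server.crt" "$outdir/server.ca-bundle"
    verify_chain "$outdir/server.crt" "$outdir/server.ca-bundle"
    echo "server cert: $outdir/server.crt (SSLCertificateFile)"
    echo "chain:       $outdir/server.ca-bundle (SSLCertificateChainFile)"
}

# Run only when invoked with arguments, e.g.: sh split-bundle.sh bundle.pem server.key out
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it as "sh split-bundle.sh bundle.pem server.key /tmp/out", then point SSLCertificateFile at the resulting server.crt and SSLCertificateChainFile at server.ca-bundle. On Apache 2.2 the chain has to live in its own file, which is the point of the reply above; from httpd 2.4.8 onward SSLCertificateChainFile is deprecated and the intermediates may simply be appended to the file named by SSLCertificateFile.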
I did a comparison of the public crt with that of the private crt, and while the private one had one 'paragraph' with a header and footer, the public one had four paragraphs.
If the procedure is wrong, then what steps should I have taken to complete this task?
I'm not an expert by any means, but can you try using the "X509 Certificate only, Base64 encoded" file instead?
Perhaps the first link has some CA chains along with the certificate.
I contacted the technical support staff of the certificate issuer, and after talking with them, I made the following configuration changes:
1. I downloaded the ca-bundle file from their website, and renamed it to reflect the name of our server. This file, along with the .crt file was then copied to the /etc/httpd/ssl.crt folder. The key file that had been generated on the server was, in turn, copied to the /etc/httpd/ssl.key folder.
2. The following changes were made to the httpd.conf and ssl.conf files:
httpd.conf
SSLEngine On
SSLCertificateKeyFile /etc/httpd/ssl.key/<server.name>.key
SSLCertfiicateFile /etc/httpd/ssl.crt/<server_name>.crt
SSLCertiicateChainFile /etc/httpd/ssl.crt/<server_name>.ca-bundle
I attempted to restart the server, and it failed to do so. During the process of bringing the server back to its original state I noticed two things:
1. The server restarted when the httpd.conf file was left with the changes made, while the ssl.conf had to be brought back to its original configuration.
2. There is another set of ssl.crt and ssl.key folders located in the /etc/httpd/conf directory. The files at these locations were not modified during this procedure.
Hi Kaplan,
Good thing you are following up on this!
Did you manage to solve the problem and use the certificate sent by your CA?
If not, you should post the error message generated by the service httpd start command (or output of systemctl status httpd if the server is running systemd).
Most likely it was complaining that you had setup two SSL configurations and only one is allowed.
You should put your SSL configuration in ssl.conf, and not in httpd.conf (ssl.conf should be included automatically by httpd.conf).
First, it seems you have typos in the lines above (for example "SSLCertfiicateFile" should be "SSLCertificateFile", etc.).
Second (as mentioned by PastulioLive) why do you define the key, cert and chain in both httpd.conf and ssl.conf. They should be defined only in one place (I suppose ssl.conf where, by the way, also "SSLEngine On" and all the other required SSL related configuration options should be located).
I don't think your problem is related to the certificate itself. Most probably you have a syntax error(s) in the SSL configuration of your Apache server.
You could check your configuration starting the server with the option "configtest".
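An added example, not code from the thread or its posters, of the two checks the last replies point at: mod_ssl directives whose name is misspelled (httpd refuses to start on an unknown directive, which is the failure the thread describes) and the same directive set in more than one config file (the "two SSL configurations" problem). The list of known directive names is a partial list of common mod_ssl directives and is an assumption for this example; "httpd -t" or "apachectl configtest" remains the authoritative check because it loads the real module.

```sh
#!/bin/sh
# Added example for this thread, not code from the original post.
# Lints httpd.conf/ssl.conf for (a) SSL* directives with misspelled names and
# (b) SSL* directives set in more than one file. Repeating directives across
# several <VirtualHost> blocks is legitimate, so (b) is a hint, not an error.
# KNOWN_SSL_DIRECTIVES is a partial list (an assumption for this example);
# "httpd -t" is the authoritative check.
set -eu

KNOWN_SSL_DIRECTIVES="SSLEngine SSLCertificateFile SSLCertificateKeyFile
SSLCertificateChainFile SSLCACertificateFile SSLCACertificatePath
SSLCARevocationFile SSLCARevocationPath SSLCipherSuite SSLProtocol
SSLHonorCipherOrder SSLVerifyClient SSLVerifyDepth SSLOptions SSLRequireSSL
SSLRequire SSLSessionCache SSLSessionCacheTimeout SSLMutex SSLRandomSeed
SSLPassPhraseDialog SSLCryptoDevice SSLInsecureRenegotiation SSLProxyEngine
SSLUserName SSLStrictSNIVHostCheck"

# unknown_ssl_directives FILE...
# Print "file:line: unknown directive NAME" for each SSL* directive that is
# not in the list. Apache directive names are case-insensitive, so the
# comparison is done on lowercased names.
unknown_ssl_directives() {
    awk -v known="$KNOWN_SSL_DIRECTIVES" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) k[tolower(a[i])] = 1 }
        /^[[:space:]]*[Ss][Ss][Ll]/ {
            if (!(tolower($1) in k)) print FILENAME ":" FNR ": unknown directive " $1
        }
    ' "$@"
}

# duplicate_ssl_directives FILE...
# Print each SSL* directive that is set in more than one of the given files,
# e.g. SSLCertificateKeyFile in both httpd.conf and ssl.conf.
duplicate_ssl_directives() {
    awk '
        /^[[:space:]]*[Ss][Ss][Ll]/ {
            d = tolower($1)
            if (!(d in last) || last[d] != FILENAME) { files[d]++; last[d] = FILENAME; name[d] = $1 }
        }
        END { for (d in files) if (files[d] > 1) print name[d] " is set in " files[d] " files" }
    ' "$@"
}

# check_ssl_config FILE...
# Report both findings; exit non-zero only for unknown directives, since those
# are what stops httpd from starting.
check_ssl_config() {
    unknown=$(unknown_ssl_directives "$@")
    dups=$(duplicate_ssl_directives "$@")
    if [ -n "$unknown" ]; then printf '%s\n' "$unknown"; fi
    if [ -n "$dups" ]; then printf '%s\n' "$dups"; fi
    [ -z "$unknown" ]
}

# Usage: sh lint-ssl-conf.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then
    check_ssl_config "$@"
fi
```

Run it over httpd.conf and ssl.conf together; on the configuration quoted earlier in this thread it flags SSLCertfiicateFile and SSLCertiicateChainFile as unknown and reports SSLEngine and SSLCertificateKeyFile as set in two files. Once it is quiet, "apachectl configtest" (or "httpd -t") confirms the result against the real module before the restart.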