Old 03-26-2007, 12:16 PM   #1
krnlcrash
apache ssl_mod can't see new certificates


I finally found someone selling SSL certs at a cheap enough price to go ahead and buy one. Now that I got it, I can't seem to get my Apache server to use them. The server keeps wanting to use only the ones in the default location /etc/ssl/apache/server.crt. My version is:
# httpd -v
Server version: Apache/2.0.54
Server built: Jan 5 2006 11:10:01
# cat /proc/version
Linux version 2.6.12-12mdksmp (apatard@n1.mandriva.com) (gcc version 4.0.1 (4.0.1-5mdk for Mandriva Linux release 2006.0)) #1 SMP Fri Sep 9 17:43:23 CEST 2005

Now I downloaded the new certificates and placed them in /etc/ssl/apache/official
# ls /etc/ssl/apache/official/
gd_intermediate_bundle.crt
my.domain.com.crt
my.domain.com.csr
my.domain.com.key

I double checked the permissions, all should be fine.

Here is my httpd.conf file that specifies the ssl config:
Code:
LoadModule ssl_module /usr/lib/apache-extramodules/mod_ssl.so

<IfDefine SSL>
    Listen 80
    Listen 443

    SSLMutex /var/log/httpd/ssl_mutex
    SSLSessionCache dbm:/var/log/httpd/ssl_gcache_data
    SSLRandomSeed startup builtin

    SSLLog /var/log/httpd/ssl.log
    SSLLogLevel warn

  <VirtualHost my.domain.com:443>

    SSLEngine On
    SSLCipherSuite  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
    SSLCertificateKeyFile /etc/ssl/apache/official/my.domain.com.key
    SSLCertificateFile /etc/ssl/apache/official/my.domain.com.crt
    SSLCertificateChainFile /etc/ssl/apache/official/gd_intermediate_bundle.crt
    ServerName my.domain.com
    ServerAlias domain.com
    DocumentRoot /var/www/cgi-bin
    CustomLog /var/log/httpd/access_log.my.domain.com combined
    ErrorLog /var/log/httpd/error_log.my.domain.com
    SetEnvIf User-Agent ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
    <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
          SSLOptions +StdEnvVars
    </Files>
  </VirtualHost>
</IfDefine>
Am I missing something? Why doesn't Apache find the new certificates?

I've already tried replacing the default certificate with the new one, but this causes httpd to hang on startup.

Any help would be appreciated.

thanks

Last edited by krnlcrash; 03-26-2007 at 12:24 PM.
 
Old 03-27-2007, 06:41 AM   #2
krnlcrash
Ok, I found out that I have a file /etc/httpd/modules.d/httd41_mod_ssl.default-vhost.conf that defines where the certificates are, effectively trumping any setting I place in /etc/httpd/conf/httpd.conf.

So when I change the settings to point to the correct certificates, my web server hangs on startup. I am assuming it is because I am supposed to be prompted for the password to open the key file, but I do not get such a prompt when running /etc/init.d/httpd restart.

Anyone able to point me in the right direction to get Apache set up correctly?
 
Old 03-27-2007, 08:24 AM   #3
krnlcrash
Don't you hate it when, after you post, you find your answer, and in the end it makes you look not so smart?

If anyone else runs into this, here is the answer:

# Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

# Make sure the server.key file is only readable by root:

$ chmod 400 server.key


Find more helpful tips at: http://httpd.apache.org/docs/2.0/ssl...movepassphrase
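
A pre-restart check for the situation in this thread, as an added example that is not part of the original posts: it reports whether a key file is passphrase-protected (httpd cannot load it without the passphrase) and whether an unencrypted key is accessible to anyone other than its owner. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run on an SSLCertificateKeyFile before restarting httpd.

# Succeeds if the PEM key is passphrase-protected. Traditional OpenSSL keys carry
# a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys use a dedicated BEGIN line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Succeeds if group and others have no permission bits set on the file.
key_mode_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints one verdict for a key file: MISSING, ENCRYPTED, EXPOSED or OK.
check_key() {
    if [ ! -f "$1" ]; then
        echo MISSING
    elif key_is_encrypted "$1"; then
        echo ENCRYPTED    # httpd needs a passphrase before it can load this key
    elif ! key_mode_is_private "$1"; then
        echo EXPOSED      # unencrypted key readable or writable beyond its owner
    else
        echo OK
    fi
}

# Constructed sample files: PEM headers only, no real key material.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' '(constructed placeholder)' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/server.key.org"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed placeholder)' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/server.key"

chmod 644 "$demo_dir/server.key"
echo "server.key.org:         $(check_key "$demo_dir/server.key.org")"
echo "server.key (mode 644):  $(check_key "$demo_dir/server.key")"
chmod 400 "$demo_dir/server.key"
echo "server.key (mode 400):  $(check_key "$demo_dir/server.key")"
rm -rf "$demo_dir"
```

The server.key.org backup from the steps above still holds the encrypted key and reports ENCRYPTED; the stripped server.key only reports OK once its mode excludes group and others.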
 
  

