trouble with changing crt
RHEL 7.9 server
I have an issue with a crt. It comes from GoDaddy. When I replace the existing, expired cert (which I've done before), I receive this error.
[Mon Jun 07 10:43:18.476221 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jun 07 10:43:18.476287 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Mon Jun 07 10:43:18.476312 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jun 07 10:43:18.476335 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Mon Jun 07 10:43:18.476359 2021] [ssl:error] [pid 124791] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Mon Jun 07 10:43:18.476380 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jun 07 10:43:18.476401 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
I receive the 3 files, 2 crt and 1 pem. Normally, I just name them to match the current ones, so I don't have to change the ssl.conf. I've converted the pem to a .key, but I can't seem to clear this error. I have other certs for other sites, and changing them in the same way has not been an issue. So, maybe it's a problem with the cert from GoDaddy? Or maybe the pem to key conversion is the problem?
Print the public cert contents with:
Code:
openssl x509 -in cert.pem -noout -text
Not sure what you might be looking for, but there are no errors present in the output, that I can see. Maybe reconverting the .pem into a .key? Perhaps the first conversion wasn't actually successful?
Quote:
If you copied those files from a Windows box, it may have introduced CR/LF. Compare the hash values with md5sum or sha1 - whatever option you have - to make sure files are the same...
Maybe explain what conversion you're doing and what the 3 files from GoDaddy are. You should have generated a private key that you saved and a CSR for GoDaddy. They should send you the certificate and a certificate chain. They should not have your private key.
I get 3 files from GD. A crt and pem file named the same, and a crt that is the intermediate crt. I get these in a zip, which I have extracted on my win10 box, that I then copy to whichever server it may be for. Then I use openssl to convert the pem to a key. I rename the 3 files to match what the current names are. This way I don't need to change the ssl.conf file. I've done this for others, no problem.
This has been the only server that's been an issue. So, I wonder if I got a bad set from GD.
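The checks raised in the replies above (what each PEM file actually contains, CR/LF introduced by a Windows copy, and whether the private key belongs to the certificate), collected as an added example that is not part of the original thread. The function names, the script name and the file paths passed in are assumptions.

```shell
#!/bin/sh
# Added example. Paths given on the command line are your own files.

# Print the type in the first PEM header, e.g. "CERTIFICATE" or
# "RSA PRIVATE KEY"; print "NONE" when the file has no PEM header.
pem_kind() (
    line=$(grep -m1 -e '^-----BEGIN .*-----' "$1" | tr -d '\r')
    [ -n "$line" ] || { echo "NONE"; exit 0; }
    line=${line#-----BEGIN }
    echo "${line%-----}"
)

# Succeed if the file contains carriage returns (CR/LF line endings).
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# Succeed only if the file's PEM header says it holds a private key.
# A certificate saved under a .key name fails here.
check_key_file() {
    kind=$(pem_kind "$1")
    case "$kind" in
        *"PRIVATE KEY") ;;
        *) echo "$1: PEM type is '$kind', not a private key"; return 1 ;;
    esac
    if has_cr "$1"; then echo "$1: note: CR/LF line endings present"; fi
    echo "$1: PEM type is '$kind'"
}

# Succeed if certificate $1 and private key $2 carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: sh check_tls_files.sh <certificate> <private key>
if [ "$#" -eq 2 ]; then
    echo "$1: PEM type is '$(pem_kind "$1")'"
    check_key_file "$2" && key_matches_cert "$1" "$2" &&
        echo "private key matches certificate"
fi
```

Run it against the files named in ssl.conf before restarting httpd; the private key should be the one saved when the CSR was generated.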