LinuxQuestions.org


vinmansbrew 06-07-2021 10:58 AM

trouble with changing crt
 
RHEL 7.9 server
I have an issue with a crt. It comes from GoDaddy.
When I replace the existing, expired cert (which I've done before), I receive this error.

[Mon Jun 07 10:43:18.476221 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jun 07 10:43:18.476287 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Mon Jun 07 10:43:18.476312 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jun 07 10:43:18.476335 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Mon Jun 07 10:43:18.476359 2021] [ssl:error] [pid 124791] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Mon Jun 07 10:43:18.476380 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jun 07 10:43:18.476401 2021] [ssl:error] [pid 124791] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

I receive the 3 files, 2 crt and 1 pem. Normally, I just name them to match the current ones, so I don't have to change the ssl.conf.
I've converted the pem to a .key, but I can't seem to clear this error. I have other certs for other sites, and changing them in the same way has not been an issue.
So, maybe it's a problem with the cert from GoDaddy? Or maybe the pem to key conversion is the problem?

smallpond 06-07-2021 02:19 PM

Print the public cert contents with:

Code:

openssl x509 -in cert.pem -noout -text

Post the output here if you have trouble interpreting it. Don't post your private key. If it gets the same errors when doing this command, then the cert is likely not the right format.

vinmansbrew 06-07-2021 02:38 PM

Not sure what you might be looking for, but there are no errors present in the output, that I can see. Maybe reconverting the .pem into a .key? Perhaps the first conversion wasn't actually successful?

jefro 06-07-2021 02:46 PM

https://www.ssl247.co.uk/kb/ssl-cert...routine-apache

Two ideas.

dc.901 06-07-2021 03:56 PM

Not sure if you tried these things already:
If you copied those files from a Windows box, it may have introduced CR/LF.
Compare the hash values with md5sum or sha1 - whatever option you have - to make sure files are the same...

smallpond 06-07-2021 04:17 PM

Maybe explain what conversion you're doing and what the 3 files from GoDaddy are. You should have generated a private key that you saved and a CSR for GoDaddy. They should send you the certificate and a certificate chain. They should not have your private key.
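
The checks suggested in this thread (see what each file really contains, look for CR/LF picked up on Windows, confirm the private key belongs to the certificate) combined into one script. This is an added example, not part of any poster's reply; the function names are illustrative, and it assumes `openssl` is on the PATH and the key is not passphrase-protected.

```shell
#!/bin/sh
# Added example: pre-flight check for a renewed cert/key pair before restarting httpd.
# Assumes an unencrypted private key and openssl on the PATH.
CR=$(printf '\r')

# Print what a PEM file really contains, judged by its first BEGIN line.
pem_kind() {
    case "$(grep -m1 -e '-----BEGIN ' "$1" | tr -d '\r')" in
        *"CERTIFICATE REQUEST-----") echo csr ;;
        *"CERTIFICATE-----")         echo cert ;;
        *"PRIVATE KEY-----")         echo key ;;
        *)                           echo unknown ;;
    esac
}

# True if the file picked up carriage returns (e.g. edited or unpacked on Windows).
has_crlf() { grep -q "$CR" "$1"; }

# SHA-256 of the public key inside a certificate ($1=cert) or private key ($1=key).
pubkey_digest() {
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    esac
    [ -n "$pub" ] && printf '%s\n' "$pub" | openssl sha256
}

# $1 = file used as SSLCertificateFile, $2 = file used as SSLCertificateKeyFile
check_set() {
    rc=0
    for f in "$1" "$2"; do
        if has_crlf "$f"; then echo "WARN: $f contains CR characters"; fi
    done
    [ "$(pem_kind "$1")" = cert ] || { echo "FAIL: $1 holds: $(pem_kind "$1")"; rc=1; }
    [ "$(pem_kind "$2")" = key ]  || { echo "FAIL: $2 holds: $(pem_kind "$2")"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    c=$(pubkey_digest cert "$1") && k=$(pubkey_digest key "$2") || {
        echo "FAIL: openssl could not parse one of the files"; return 1; }
    [ "$c" = "$k" ] || { echo "FAIL: key does not belong to this certificate"; return 1; }
    echo "OK: $2 matches $1"
}

if [ "$#" -eq 2 ]; then check_set "$1" "$2"; fi
```

Run it with the certificate file first and the key file second; a certificate saved under the key's file name is reported by `pem_kind` before httpd ever tries to load it.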

vinmansbrew 06-07-2021 04:25 PM

I get 3 files from GD: a crt and pem file named the same, and a crt that is the intermediate crt. I get these in a zip, which I have extracted on my win10 box, that I then copy to whichever server it may be for. Then I use openssl to convert the pem to a key. I rename the 3 files to match what the current names are. This way I don't need to change the ssl.conf file. I've done this for others, no problem.
This has been the only server that's been an issue. So, I wonder if I got a bad set from GD.


All times are GMT -5.