openssl on slack 10 unable to read certificate from file

chr15t0 · 07-25-2004, 05:32 PM

I have installed apache with mod_ssl and I'm trying to get it to start, but I keep getting the following:

[code]root@feodor:/etc/apache# apachectl startssl
[Sun Jul 25 23:29:43 2004] [warn] module php4_module is already loaded, skipping
[Sun Jul 25 23:29:43 2004] [warn] module mod_ssl.c is already added, skipping
/usr/sbin/apachectl startssl: httpd could not be started
root@feodor:/etc/apache#
[code]

when I check the /var/log/apache/error_log or the ssl_engine_log, I see the following madness:

Code:

[25/Jul/2004 23:29:43 08323] [error] Init: Unable to read server certificate from file /etc/apache/ssl.crt/toolkit.crt (OpenSSL library error follows)
[25/Jul/2004 23:29:43 08323] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[25/Jul/2004 23:29:43 08323] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Anybody know what might be causing this? Alternatively, is there perhaps a simpler way to genearte a test certificate - this is really just for testing some https stuff on a local sandbox.

thanks
christo

warbogas · 09-13-2005, 10:46 AM

I had the identical problem on a Redhat ES 2.1 workstation. The problem was a bad certificate file. I had mis-copied it from the CA site. In debugging this, I first tried to view the details of the certificate with the following command; openssl x509 -noout -text -in <certfile.crt> Openssl said it was "Unable to read certificate...no start line ... Expecting: TRUSTED CERTIFICATE" That indicated pretty strongly that the certificate itself was bad. Then, I used the following two commands to compare the modulus of the certificate with that of the key file; 'openssl x509 -noout -modulus -in <certfile.crt>' , and 'openssl rsa -noout -modulus -in <keyfile.key>' The two moduli did not match which confirmed that the certificate was bad. When I recopied the certificate from the CA site, and reran the commands above, all returned normal results, and the two moduli matched. I was able to restart apache successfully with the new certificate in place.