Ssh – Apache2 SSL Certificate error

apache-2.2 debian ssh ssl ssl-certificate

I bought a cert at checkdomain.
They gave me two files, a .crt and a .ca-bundle, and a .key.
I moved them to "/etc/ssl/g/".
I enabled SSL with "a2enmod ssl" and restarted Apache using "sudo service apache2 restart"; no error until then.

Then I edited default-ssl.conf:

<VirtualHost *:443>
ServerName mrgrimod.de
DocumentRoot "/var/www/html"

SSLEngine on
SSLCertificateFile    /etc/ssl/g/g.crt
SSlCertificateKeyFile /etc/ssl/g/g.key
</VirtualHost>

Then I tried to restart Apache using "sudo service apache2 restart", but it fails to restart and prints this error: Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.

The apache error log contained these lines:

[Fri Mar 30 17:03:50.143429 2018] [ssl:error] [pid 10598:tid 3074262784] AH02579: Init: Private key not found
[Fri Mar 30 17:03:50.143530 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 30 17:03:50.143557 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Mar 30 17:03:50.143578 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 30 17:03:50.143599 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Fri Mar 30 17:03:50.143620 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Mar 30 17:03:50.143640 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 30 17:03:50.143660 2018] [ssl:error] [pid 10598:tid 3074262784] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Fri Mar 30 17:03:50.143674 2018] [ssl:emerg] [pid 10598:tid 3074262784] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Fri Mar 30 17:03:50.143704 2018] [ssl:emerg] [pid 10598:tid 3074262784] AH02564: Failed to configure encrypted (?) private key server1.server1.de:443:0, check /etc/ssl/ssl.key/server.key

Best Answer

You could use the command apachectl -t to check for any syntax errors before restarting the Apache service. The command should output Syntax OK if no errors are found.

You should include more details regarding your .conf files before we can decide what the error is.

Regardless, this is a configuration example for enabling SSL support:

<VirtualHost *:443>
ServerName example.com
DocumentRoot "/var/www/html"

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mycert.pem
SSlCertificateKeyFile /etc/httpd/ssl/mycert.pem
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

To enable SSL, the configuration file must include at minimum the following options:

SSLEngine On: turns on support for SSL.

SSLCertificateFile: The location of the signed certificate you were provided.

SSlCertificateKeyFile: The key file that was generated on your system.

Also, an approach required by many browsers to justify the requests to your site is to include the chain file (the one called bundle) using the configuration option SSLCertificateChainFile.

And I would suggest the following reference: Apache how-to: https://httpd.apache.org/docs/2.4/en/ssl/ssl_howto.html
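
An added example, not part of the original question or answer: the `ASN1 ... wrong tag` lines mean OpenSSL could not parse the configured key file as a private key, and the AH02564 line names /etc/ssl/ssl.key/server.key rather than the /etc/ssl/g/g.key from the edited vhost, so it helps to list every certificate and key directive Apache reads and check what each file actually contains. The function names and the sample data are assumptions made for this sketch; the sample scenario (a certificate saved under the key's file name) is constructed, since the page does not show what the asker's files held.

```python
import re
from pathlib import Path

# PEM labels that mod_ssl can load as a private key (PKCS#8, traditional RSA/EC).
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# Apache directive names are case-insensitive, so "SSlCertificateKeyFile" matches too.
DIRECTIVE_RE = re.compile(
    r'^[ \t]*(SSLCertificate(?:Key|Chain)?File)[ \t]+"?([^"\s]+)', re.I | re.M)

def ssl_files(conf_text):
    """Return (directive, path) for every certificate/key directive in the text."""
    return [(m.group(1).lower(), m.group(2)) for m in DIRECTIVE_RE.finditer(conf_text)]

def diagnose(directive, data):
    """Say whether the bytes of a file fit the directive that points at it."""
    labels = PEM_RE.findall(data.decode("ascii", "replace"))
    if not labels:
        return "no PEM block (empty, DER-encoded or damaged file)"
    if directive == "sslcertificatekeyfile":
        if not KEY_LABELS.intersection(labels):
            return "no private key, file holds: " + ", ".join(labels)
        if b"ENCRYPTED" in data:
            return "private key is passphrase-protected"
    elif "CERTIFICATE" not in labels:
        return "no certificate, file holds: " + ", ".join(labels)
    return "ok"

def check(conf_text, read=lambda p: Path(p).read_bytes()):
    """Diagnose every file referenced by the configuration text."""
    return [(d, p, diagnose(d, read(p))) for d, p in ssl_files(conf_text)]

# Constructed sample: the vhost from the question, with a certificate saved as g.key.
SAMPLE_CONF = """<VirtualHost *:443>
SSLEngine on
SSLCertificateFile    /etc/ssl/g/g.crt
SSlCertificateKeyFile /etc/ssl/g/g.key
</VirtualHost>"""
CERT_STUB = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {"/etc/ssl/g/g.crt": CERT_STUB, "/etc/ssl/g/g.key": CERT_STUB}

if __name__ == "__main__":
    for directive, path, verdict in check(SAMPLE_CONF, SAMPLE_FILES.__getitem__):
        print(f"{directive:24} {path}: {verdict}")
```

Called without the `read` argument, `check()` opens the referenced paths on disk, so it can be fed the text of each enabled site file in turn. It only inspects PEM labels; it does not verify that the key and certificate belong together.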