Ssl – Pure-ftp SSL Certificate: Key values mismatch

Tags: apache2, pure-ftpd, ssl, ssl-certificate

I have received a new SSL certificate from GoDaddy and the old one was from Comodo.

Contents of /etc/ssl/private/pure-ftpd.pem are as follows:

 -----BEGIN PRIVATE KEY-----
 PRIVATE KEY USED TO CREATE THE CSR
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 CONTENTS OF CRT FILE RECEIVED BY GODADDY
 -----END CERTIFICATE-----

After updating the contents of the file I restarted pure-ftpd then checked the status:

 /etc/init.d/pure-ftpd restart
 /etc/init.d/pure-ftpd status

 [ ok ] pure-ftpd is running.

Everything seems good. Now I try to verify the new cert:

Edit: I added the "bundle" CRT file provided by GoDaddy into /etc/ssl/certs, and now I get this output (but am still unable to restart apache2 because of the errors shown below)

 openssl verify -CApath /etc/ssl/certs /etc/ssl/private/pure-ftpd.pem

 pure-ftpd.pem: OK

Then I tried to restart apache2 (supposing that this will tell the system to use the new certificate):

 apache2ctl graceful

 httpd not running, trying to start
 Action 'graceful' failed.
 The Apache error log may have more information.

Apache error log:

 [error] Unable to configure RSA server private key
 [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Seemingly relevant parts of /etc/apache2/sites-available/default-ssl:

 SSLCertificateFile    /etc/ssl/certs/my.server.net.pem
 SSLCertificateKeyFile /etc/ssl/private/my.server.net.key

Does the PEM file declared as SSLCertificateFile need to be updated in some way if I have generated a new private key? (If so, what exactly needs to be in it, and how to accomplish this?)

I also tried using these commands to compare the modulus of each file and they are the same:

 openssl x509 -noout -modulus -in /etc/ssl/private/pure-ftpd.pem | openssl md5
 openssl rsa -noout -modulus -in /etc/ssl/private/my.server.net.key | openssl md5

Can anyone point me in the right direction?

Another Edit: When I access the FTP server through a client such as FileZilla, I am greeted with the credentials for the new GoDaddy Certificate. So that's great, but this issue is driving me bonkers!

Best Answer

Does the PEM file declared as SSLCertificateFile need to be updated in some way if I have generated a new private key?

Yes, since it is the certificate, which means the public part of the key (and other data such as validity dates), so this public part must match the private part in the .key file. You cannot generate them separately.

If what you give at the beginning is your new certificate, you must create the two files my.server.net.pem and .key by putting the part inside BEGIN PRIVATE KEY/END PRIVATE KEY (including these lines) in the .key file, and the next part (with the headers) in the .pem file. However, for Apache2 TLS to work in the end, it also depends on the CN + SANs inside your certificate. If it has been made only for the name ftp.myserver.whatever and not also for www.myserver.whatever, then browsers will display an alert (because of the name mismatch).
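The split the answer describes, plus the modulus comparison from the question, as an added example; this is not the answerer's code or anything shipped with pure-ftpd or Apache. It reads a combined PEM (key followed by certificate, like /etc/ssl/private/pure-ftpd.pem), writes the private key block to a .key file with owner-only permissions and every certificate block to a .pem file, and, when the openssl binary is available, checks that the RSA modulus of the key equals that of the first certificate, which is exactly the comparison Apache performs when it reports "key values mismatch". The output paths and the SAMPLE_COMBINED_PEM constant are constructed placeholders, not real key material.

```python
"""Split a combined PEM into Apache's SSLCertificateKeyFile / SSLCertificateFile
and confirm the two halves belong to the same key pair (added example)."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# One PEM block: header, body, matching footer. The \1 backreference makes the
# END label match the BEGIN label, so blocks cannot be mis-paired.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed placeholder, NOT a real key or certificate: the base64 bodies are dummies.
SAMPLE_COMBINED_PEM = (
    "-----BEGIN PRIVATE KEY-----\nDUMMYKEYBODY\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nDUMMYLEAFCERT\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nDUMMYINTERMEDIATE\n-----END CERTIFICATE-----\n"
)


def split_pem(text):
    """Return (private_key_block, [certificate_blocks]) from combined PEM text.

    Accepts both PKCS#8 'PRIVATE KEY' and PKCS#1 'RSA PRIVATE KEY' headers and
    keeps certificates in file order, so the server certificate stays first.
    """
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(text):
        label, block = match.group(1), match.group(0)
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return keys[0], certs


def write_apache_files(combined_path, key_path, cert_path):
    """Write the key to key_path (mode 0600) and the certificate(s) to cert_path."""
    key, certs = split_pem(Path(combined_path).read_text())
    key_file = Path(key_path)
    key_file.write_text(key + "\n")
    key_file.chmod(0o600)  # the private key must not be world-readable
    Path(cert_path).write_text("\n".join(certs) + "\n")
    return str(key_file), str(cert_path)


def modulus(path, kind):
    """Run 'openssl <kind> -noout -modulus -in <path>'; None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(
        ["openssl", kind, "-noout", "-modulus", "-in", str(path)],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def key_matches_cert(key_path, cert_path):
    """True if the RSA modulus of the key equals that of the first certificate,
    False if they differ, None when openssl is not installed to check."""
    key_mod = modulus(key_path, "rsa")
    cert_mod = modulus(cert_path, "x509")
    if key_mod is None or cert_mod is None:
        return None
    return key_mod == cert_mod


def demo(workdir=None):
    """Split the constructed sample into a scratch directory and return both files' text."""
    base = Path(workdir or tempfile.mkdtemp())
    combined = base / "pure-ftpd.pem"
    combined.write_text(SAMPLE_COMBINED_PEM)
    key_path, cert_path = write_apache_files(
        combined, base / "my.server.net.key", base / "my.server.net.pem")
    return Path(key_path).read_text(), Path(cert_path).read_text()


if __name__ == "__main__":
    key_text, cert_text = demo()
    print(key_text)
    print(cert_text)
```

With real files, run `write_apache_files("/etc/ssl/private/pure-ftpd.pem", "/etc/ssl/private/my.server.net.key", "/etc/ssl/certs/my.server.net.pem")` and then `key_matches_cert(...)` on the two outputs; a False result before restarting Apache is the same mismatch the error log reported, caught without a failed restart. Note that `openssl x509 -modulus` only reads the first certificate in a file, which is why the server certificate has to precede any intermediates.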