Ubuntu – Have a legitimate ssl certificate, but I fail at installing it

Tags: apache-2.2, ssl-certificate, Ubuntu

I'm running an Ubuntu 10.04 LTS server that has been running Apache2 with a self signed certificate up until now. I finally purchased a real certificate but I can't manage to install it. I received three files from the provider:

AddTrustExternalCARoot.crt
mynewdomain_com.crt
PositiveSSLCA2.crt

Currently in my sites-enabled/ssl I have this for my self signed certificate:

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/cert.pem

So I googled how to convert crt files to pem and it just looks to be a concatenation of all the crt files. This is the guide I found that mostly matched what I'm using (I am using namecheap for my DNS now). So I created my new pem file, and pointed my config at it. When I run

    service apache2 restart

the daemon fails to start. I figured that I must have put the crts in the wrong order, but it still fails to start. What am I doing wrong? How can I use my new certificate?

As for key files, I generated one called server.key (which was used to create my csr). It now resides in /etc/apache2/server.key

When starting apache I get these errors:

    [Sat Mar 17 13:44:43 2012] [warn] RSA server certificate is a CA certificate  (BasicConstraints: CA == TRUE !?)
    [Sat Mar 17 13:44:43 2012] [warn] RSA server certificate CommonName (CN) `PositiveSSL CA 2' does NOT match server name!?
    [Sat Mar 17 13:44:43 2012] [error] Unable to configure RSA server private key
    [Sat Mar 17 13:44:43 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Best Answer

Can you provide information on how you generated the certificate?

You're missing the private key (probably a .key file) which was used to generate the .csr file that you sent to the certificate authority. That specific private key is required for Apache to be able to use the public key that you were given.

Edit:

With that key file, you'll need something like this added to your config:

    SSLCertificateKeyFile /etc/apache2/server.key

Make sure that file is set to a permission mode where it's not viewable to everything on the server - mode 600 should be good.

If it won't start after that's added, let me know what errors come up (on the console or in the Apache error log).

With the .crt files that you got concatenated together, your Apache server should be sending full certificate chains properly; you can verify that it's working with openssl s_client -connect localhost:443 -showcerts.
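A pre-flight check for the two failures in the error log above (the first certificate in the bundle is a CA certificate, so the intermediate was concatenated before the server certificate; and the private key does not belong to that certificate), as an added shell example that is not part of the original thread. It assumes the openssl command-line tool is installed; the function names are mine, and the bundle and key paths are passed as arguments.

```shell
#!/bin/sh
# Added example: verify an Apache SSLCertificateFile bundle against its
# SSLCertificateKeyFile before restarting apache2. Requires the openssl CLI.

# Print only the first PEM certificate block of a file. Apache 2.2 uses
# the first block in SSLCertificateFile as the server certificate, so
# this is the block that must be the leaf (mynewdomain_com.crt).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$1"
}

# Return 0 if the first certificate in bundle $1 is an end-entity
# certificate, 1 if it carries basicConstraints CA:TRUE (the cause of
# "RSA server certificate is a CA certificate").
first_cert_is_leaf() {
    first_cert "$1" | openssl x509 -noout -text 2>/dev/null \
        | grep -q 'CA:TRUE' && return 1
    return 0
}

# Return 0 if the public key inside the first certificate of bundle $1
# equals the public key derived from private key $2. This is the same
# relationship X509_check_private_key tests ("key values mismatch").
cert_matches_key() {
    cert_pub=$(first_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Combined check: bundle path in $1, private key path in $2.
check_bundle() {
    first_cert_is_leaf "$1" || {
        echo "first certificate in $1 is a CA certificate; put the server cert first" >&2
        return 1
    }
    cert_matches_key "$1" "$2" || {
        echo "private key $2 does not match the server certificate in $1" >&2
        return 1
    }
    echo "ok: $1 and $2 belong together"
}
```

Run it as `check_bundle /etc/apache2/ssl/bundle.pem /etc/apache2/server.key`; a non-zero exit means apache2 would fail to start with one of the two errors quoted in the question.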