Geoff Wild
Honored Contributor

SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

Having issue with Apache and SSL.

System is new RP3440 with HP-UX 11iv2 - default install.

I generated client and server keys with:

/opt/hpws/apache/util/mkcert.sh --client

then

/opt/hpws/apache/util/mkcert.sh --server

I sent the /opt/hpws/apache/conf/ssl.crt/server.csr off to Soltrus - they sent back a certificate...

So I replaced /opt/hpws/apache/conf/ssl.crt/server.crt with the one from them...

Apache with ssl won't start - I get:

[Tue Jun 21 07:28:37 2005] [error] Unable to configure RSA server private key
[Tue Jun 21 07:28:37 2005] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I check with openssl:

# openssl s_server -key /opt/hpws/apache/conf/ssl.key/server.key -cert /opt/hpws/apache/conf/ssl.crt/server.crt
Using default temp DH parameters
unable to get private key from '/opt/hpws/apache/conf/ssl.key/server.key'
19806:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:

I can read the certificate with:

openssl x509 -noout -text -in /opt/hpws/apache/conf/ssl.crt/server.crt

and the private key with:

openssl rsa -noout -text -in /opt/hpws/apache/conf/ssl.key/server.key

The moduli do not match...

Any ideas?

Thanks...Geoff



Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

You've gone through the simple stuff like making sure if you used ftp to upload your certificate to the HP box you did the transfer binary. The Micro$oft ftp default is ascii.

I found this process baffling when I did it, so I was forced to write a cheat sheet script. I think you might manipulate this to automate the task of properly placing your ssl certificate or use it to vet the process you used.

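#!/bin/sh
# Usage: pass the certificate name as $1.

echo "name is: $1"

# Index files for "openssl ca"
touch certindex.txt
touch index.txt
# Create the CA key and a self-signed CA certificate
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config /etc/openssl.cnf
# Create an unencrypted key and a certificate request for $1
openssl req -new -nodes -out "${1}-req.pem" -keyout "private/${1}-key.pem" -config /etc/openssl.cnf
# Sign the request with the CA
openssl ca -out "${1}-cert.pem" -config /etc/openssl.cnf -infiles "${1}-req.pem"

certf="${1}-cert.pem"
keyf="private/${1}-key.pem"

# Copy the key and certificate into the Apache SSL directories
cp "$keyf" /etc/httpd/conf/ssl.key/
cp "$certf" /etc/httpd/conf/ssl.crt/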

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

Thanks for the info Steven...

Okay - well - I didn't use ftp - I simply cut'n'paste from notepad to putty session...

As far as openssl.cnf - all I have is:

/opt/hpwebadmin/conf/openssl.cnf
/opt/openssl/openssl.cnf
/opt/hpws/webmin/acl/openssl.cnf

For apache, I use:
/opt/hpws/apache/conf/ssl.conf

In that file,

SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/server.crt

SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/server.key


But the openssl.cnf files don't match anything at all...

Should I be configuring them? - which one?

The dir setting in all of them does NOT exist...


Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

Should I be configuring them? - which one?

I remember having to do this.

I used the docs at openssl.org; they are better than what I found in HP's system.

SEP
Steven E Protter
Geoff Wild
Honored Contributor

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

I now have this working:

# openssl s_server -key /opt/hpws/apache/conf/ssl.key/server.key -cert /opt/hpws/apache/conf/ssl.crt/server.crt
Using default temp DH parameters
ACCEPT

I think part of the issue was - I was using a different server key than the one that was created when I made the CSR...

I also followed these steps to create a key and CSR:

https://digitalid.soltrus.com/csr/v01_ApacheSSL.html

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
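
The modulus comparison behind the "key values mismatch" error in this thread, as an added example that is not part of the original posts: it hashes the RSA modulus of the private key, the CSR and the certificate and reports which pair disagrees. The function names (modulus_fp, check_match, make_samples) are hypothetical, the sample keys are generated on the spot, and a self-signed certificate stands in for the one a CA would return.

```shell
#!/bin/sh
# Added example: confirm an RSA key, CSR and certificate share one modulus.

# modulus_fp KIND FILE: print the SHA-256 of the RSA modulus found in FILE.
# KIND is key, csr or crt. Returns non-zero if FILE cannot be parsed.
modulus_fp() {
    case "$1" in
        key) m=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        csr) m=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        crt) m=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match KEY CSR CRT: 0 = all match, 1 = mismatch, 2 = unreadable file.
check_match() {
    k=$(modulus_fp key "$1") || { echo "cannot read key $1" >&2; return 2; }
    r=$(modulus_fp csr "$2") || { echo "cannot read CSR $2" >&2; return 2; }
    c=$(modulus_fp crt "$3") || { echo "cannot read certificate $3" >&2; return 2; }
    echo "key $k"; echo "csr $r"; echo "crt $c"
    [ "$k" = "$c" ] || { echo "MISMATCH: certificate was not issued for this key"; return 1; }
    [ "$k" = "$r" ] || { echo "MISMATCH: CSR was not generated from this key"; return 1; }
    echo "OK: key, CSR and certificate match"
}

# Constructed sample data: two throwaway keys, a CSR made from key A, and a
# self-signed certificate for that CSR (stand-in for the CA-issued one).
make_samples() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/a.key" -subj "/CN=example.test" -out "$d/a.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -days 1 -out "$d/a.crt" 2>/dev/null &&
    echo "$d"
}

SAMPLES=$(make_samples) || exit 1
# Matching set: the key that produced the CSR.
check_match "$SAMPLES/a.key" "$SAMPLES/a.csr" "$SAMPLES/a.crt"
# Wrong key paired with the issued certificate, as happened in this thread.
check_match "$SAMPLES/b.key" "$SAMPLES/a.csr" "$SAMPLES/a.crt" || :
```

For the files in this thread, the call would be check_match with /opt/hpws/apache/conf/ssl.key/server.key, /opt/hpws/apache/conf/ssl.crt/server.csr and /opt/hpws/apache/conf/ssl.crt/server.crt. The -modulus option applies to RSA keys only.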