HPE Community
Operating System - HP-UX
1836359 Members
2394 Online
110100 Solutions
New Discussion

SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

 
Geoff Wild
Honored Contributor

‎06-21-2005 01:28 AM

‎06-21-2005 01:28 AM

SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

Having issue with Apache and SSL.

System is new RP3440 with HP-UX 11iv2 - default install.

I generated client and server keys with:

/opt/hpws/apache/util/mkcert.sh --client

then

/opt/hpws/apache/util/mkcert.sh --server

I sent the /opt/hpws/apache/conf/ssl.crt/server.csr off to Soltrus - they sent back a certificate...

So I replaced /opt/hpws/apache/conf/ssl.crt/server.crt with the one from them...

Apache with ssl won't start - I get:

[Tue Jun 21 07:28:37 2005] [error] Unable to configure RSA server private key
[Tue Jun 21 07:28:37 2005] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I check with openssl:

# openssl s_server -key /opt/hpws/apache/conf/ssl.key/server.key -cert /opt/hpws/apache/conf/ssl.crt/server.crt
Using default temp DH parameters
unable to get private key from '/opt/hpws/apache/conf/ssl.key/server.key'
19806:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:

I can read the certificate with:

openssl x509 -noout -text -in /opt/hpws/apache/conf/ssl.crt/server.crt

and the private key with:

openssl rsa -noout -text -in /opt/hpws/apache/conf/ssl.key/server.key

The modulus do not match...

Any ideas?

Thanks...Geoff



Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
4 REPLIES 4
Steven E. Protter
Exalted Contributor

‎06-21-2005 01:56 AM

‎06-21-2005 01:56 AM

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

You've gone through the simple stuff like making sure if you used ftp to upload your certificate to the HP box you did the transfer binary. The Micro$oft ftp default is ascii.

I found this process baffling when I did it so I was forced to write a cheat sheet script. I think you might manipulate this to automate the task of properly placing your ssl certificate or use it to vette the process you used.

#!/bin/sh

echo "name is: $1"


touch certindex.txt
touch index.txt
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -con
fig /etc/openssl.cnf
openssl req -new -nodes -out ${1}-req.pem -keyout private/${1}-key.pem -config /
etc/openssl.cnf
openssl ca -out ${1}-cert.pem -config /etc/openssl.cnf -infiles ${1}-req.pem

certf="${1}-cert.pem"
keyf="private/${1}-key.pem"


cp $keyf /etc/httpd/conf/ssl.key/
cp $certf /etc/httpd/conf/sss.crt/


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Geoff Wild
Honored Contributor

‎06-21-2005 02:10 AM

‎06-21-2005 02:10 AM

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

Thanks for the info Steven...

Okay - well - I didn't use ftp - I simply cut'n'paste from notepad to putty session...

As far as openssl.cnf - all I have is:

/opt/hpwebadmin/conf/openssl.cnf
/opt/openssl/openssl.cnf
/opt/hpws/webmin/acl/openssl.cnf

For apache, I use:
/opt/hpws/apache/conf/ssl.conf

In that file,

SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/server.crt

SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/server.key


But the openssl.cnf files don't match anything at all...

Should I be configuring them? - which one?

The dir setting in all of them does NOT exist...


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Steven E. Protter
Exalted Contributor

‎06-21-2005 02:23 AM

‎06-21-2005 02:23 AM

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

Should I be configuring them? - which one?

I remember having to do this.

I used the docs at openssl.org they are better than what I found in hp's system.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Geoff Wild
Honored Contributor

‎06-22-2005 01:11 AM

‎06-22-2005 01:11 AM

Re: SSL - unable to get private key from /opt/hpws/apache/conf/ssl.key/server.key

I now have this working:

# openssl s_server -key /opt/hpws/apache/conf/ssl.key/server.key -cert /opt/hpws/apache/conf/ssl.crt/server.crt
Using default temp DH parameters
ACCEPT

I think part of the issue was - I was using a different server key then the one that was created when I made the CSR...

I also followed these steps to create a key and CSR:

https://digitalid.soltrus.com/csr/v01_ApacheSSL.html

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.