Hello!
I've got a curious error which I'm hoping you all can help with. First of
all, I'm running mod_ssl-2.6.2-1.3.12. Perhaps the first advice you'll
give is that I should upgrade Apache+mod_ssl. :)
This configuration has been running fine for a while, and we have a single
domain working under mod_ssl successfully for nearly a year. Now we are
working on adding a second domain, and the configuration is failing
with a "key value mismatch" error. We purchased our certificate from
Equifax Secure and are working with the key they returned.
Now for some meaty technical detail. :)
Current error:
When I restart the server, I get "key value mismatch error":
[12/Feb/2001 12:04:01 80944] [error] Init: (www.softskull.com:443)
Unable to configure RSA server private key (OpenSSL library error follows)
[12/Feb/2001 12:04:01 80944] [error] OpenSSL: error:0B080074:x509
certificate routines:X509_check_private_key:key values mismatch
Things I tried:
I tried using the domain.com private key as both encrypted and
unencrypted, neither of which would work for me. The above error
is when using the unencrypted private key.
Below is the relevant part of my httpd.conf file. It includes two virtual
domain entries: the first one, which works great, and the second one, which
fails.
My intuition is that this is a configuration problem and not a keys problem,
but at the moment I'm stuck. Any insight is appreciated. Thanks!
-mark
<IfDefine SSL>
<VirtualHost secure.domain1.com:443>
# General setup for the virtual host
DocumentRoot /usr/local/apache/htdocs
ServerName secure.domain1.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd-error_log
TransferLog /var/log/httpd-access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file.
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost www.domain2.com:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/domain2/www
ServerName www.domain2.com
ServerAlias domain2.com
ErrorLog /home/domain2/logs/httpd-error_log
TransferLog /home/domain2/logs/httpd-access_log
<Directory /home/domain2/www/cgi-bin>
Options ExecCGI
</Directory>
ScriptAlias /cgi-bin/ /home/domain2/www/cgi-bin/
User domain2
Group domain2
ErrorDocument 404 /errdocs/404.html
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/domain2.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file.
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain2.com.key
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
</VirtualHost>
</IfDefine>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
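The "key values mismatch" error above comes from X509_check_private_key, which fails when the public key inside the certificate does not correspond to the private key in SSLCertificateKeyFile. The following script is an added example (not from the original post) that performs the same comparison outside Apache by checking the RSA modulus of both files with the openssl command-line tool; it assumes openssl is installed, and the KEY_PASS variable and the demo key pair it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a PEM certificate and a PEM RSA private key
# belong together, which is what mod_ssl checks at startup.
# Assumes the openssl CLI. For an encrypted key, export KEY_PASS=<passphrase>
# before calling; an unencrypted key ignores it.
set -u

# Print "match" if cert and key share the same modulus, "MISMATCH" if not,
# "bad-cert"/"bad-key" if a file cannot be read (wrong path, wrong format,
# or an encrypted key with no passphrase supplied).
# Usage: check_pair /path/to/server.crt /path/to/server.key
check_pair() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) \
        || { echo bad-cert; return 2; }
    key_mod=$(openssl rsa -noout -modulus -in "$2" \
        -passin "pass:${KEY_PASS:-}" 2>/dev/null) \
        || { echo bad-key; return 2; }
    if [ "$cert_mod" = "$key_mod" ]; then
        echo match
        return 0
    fi
    echo MISMATCH
    return 1
}

# Constructed demonstration: a self-signed certificate with its own key
# (expected "match") and a second, unrelated key (expected "MISMATCH").
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$d/a.key" -out "$d/a.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/b.key" 2048 >/dev/null 2>&1
    check_pair "$d/a.crt" "$d/a.key"
    check_pair "$d/a.crt" "$d/b.key"
    rm -rf "$d"
}

demo
```

Running check_pair against the real domain2.com.crt and domain2.com.key (and, for comparison, against server.crt and server.key) tells you immediately whether the files on disk are the problem or whether the directives are pointing at the wrong pair.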