Hi there,

On Sun, 3 Jun 2001, Carl Bowden wrote:

> but apachectl startssl refuses to start
> 
> this is the /var/log/httpd/ssl_engine_log:
> [03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
> Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
> [03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
> (still not detached)
> [03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
> OpenSSL library
> [03/Jun/2001 10:59:15 06923] [info]  Init: Loading
> certificate & private key of SSL-aware server
> secure.macpac.co.nz:443
> [03/Jun/2001 10:59:15 06923] [error] Init: Private key not
> found (OpenSSL library error follows)
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib
> 
> the key really is there but I can't find any info on this bad
> class error

Weird, it looks like the problem is nothing really to do with mod_ssl - the
loading of the key itself seems to be having decoding errors. Can you run a
couple of checks on the key file? (and don't mail me or the list any output
containing data about your key :-).

* Run the key file through;
    openssl asn1parse -inform PEM -in <keyfile.pem> -i
  Does it also report decoding errors or does the data appear well-formed?

* Check the text in the key file - does it have any weird line-wrapping problems
  or anything else obvious to distinguish it from a known-to-work key file (eg.
  a demo test cert and key created by mod_ssl's "make certificate" target).

* Try running openssl's "s_server" using a combination of your key, certificate,
  and CA file;
    openssl s_server -key <keyfile.pem> -cert <certfile.pem> \
        -CAfile <cafile.pem> -state -www
  If that starts without an error, the keyfile should be OK - but you can make
  sure by hitting it with a web-browser or openssl's "s_client" to double-check
  everything.

Hope that helps? (And if it does, can I get a free backpack next time I'm back
home? (Wellington BTW, I noticed it was an "NZ" domain ... :-)).

Cheers,
Geoff


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
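
The second check in the reply above (line-wrapping or other obvious damage in the key file) can be done without displaying any key material. The following Python linter is an added example, not part of the original message or of mod_ssl/OpenSSL; the names `lint_pem_key` and `sample_pem` are hypothetical, the 64-character line rule is a heuristic based on what OpenSSL writes, and the sample "key" is constructed, non-secret data.

```python
import base64
import re

ARMOR = re.compile(r"-----(BEGIN|END) ([A-Z ]*PRIVATE KEY)-----")

def lint_pem_key(text):
    """Return structural findings for a PEM private key; never echoes key data."""
    findings = []
    if "\r" in text:
        findings.append("CR characters present (DOS line endings or transfer damage)")
    lines = text.replace("\r", "").strip("\n").split("\n")
    first, last = ARMOR.fullmatch(lines[0]), ARMOR.fullmatch(lines[-1])
    if not (first and last and first.group(1) == "BEGIN"
            and last.group(1) == "END" and first.group(2) == last.group(2)):
        return findings + ["BEGIN/END armor lines missing, damaged or mismatched"]
    body, bad = lines[1:-1], []
    if body and ":" in body[0]:  # Proc-Type/DEK-Info headers mark an encrypted key
        return findings + ["encrypted key (Proc-Type/DEK-Info headers); DER not checked"]
    for n, line in enumerate(body, start=2):  # n = line number within the file
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            bad.append(f"line {n}: blank, or has non-base64 characters")
        elif len(line) > 64 or (len(line) < 64 and n != len(lines) - 1):
            bad.append(f"line {n}: length {len(line)}, OpenSSL writes 64 (re-wrapped?)")
    if bad:
        return findings + bad
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        return findings + ["base64 body does not decode (truncated?)"]
    # Identifier octet 0x30: class universal (top two bits 00), constructed, SEQUENCE
    if len(der) < 2 or der[0] != 0x30:
        return findings + ["DER does not start with a universal SEQUENCE (0x30)"]
    length, hdr = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, hdr = int.from_bytes(der[2:2 + count], "big"), 2 + count
    if hdr + length != len(der):
        findings.append("outer SEQUENCE length disagrees with data size (truncated?)")
    return findings

def sample_pem():
    # Constructed, non-secret DER: SEQUENCE { INTEGER 0, INTEGER of 100 bytes 0x01 }
    inner = b"\x02\x01\x00" + b"\x02\x64" + b"\x01" * 100
    b64 = base64.b64encode(b"\x30" + bytes([len(inner)]) + inner).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(lint_pem_key(sample_pem()) or "no structural problems found")
```

An empty result only means the outer structure is intact; the `asn1parse` and `s_server` checks above are still what confirm the key itself parses and matches the certificate.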
