Double check that you have put the certificate files in the correct order - the 
DigiCert URL lists the correct order, but be sure you have them that way.

Also check the permissions so the file is readable by root, but not by 
everyone. You list root:root 644 which would mean anyone on that host could 
potentially read your secret key which is very bad and pound may be guarding 
against that. Mode 640 should be sufficient.

-T

On Jan 6, 2015, at 10:35 AM, chharrison <[email protected]> wrote:

> Hello All,
> 
> Recently I got a new SSL cert. While trying to install it for pound's use I 
> keep getting the SSL_CTX_use_Privatekey_file failed error, aborted. It's 
> gotten me seriously frustrated.
> 
> I have the original server.key and the server.csr files generated from openssl
> 
> I have the server.cer file from Comodo
> 
> (as an aside, I also have and have tried the cert-only and intermediates files 
> as well)
> 
> I have used openssl to check all the files
> 
> I have tried every version of concatenating the files into a new pem file as 
> listed by
> https://www.digicert.com/ssl-support/pem-ssl-creation.htm
> I have checked the cert order by concatenating a new pem from the cert-only and 
> intermediary files
> cat server.key server.cer > server.pem as the default
> 
> the pem file has each of the sections as expected.
> 
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> 
> as you can see the key is not encrypted.
> 
> the pound.cfg:
> 
> User    "nobody"
> Group    "nobody"
> LogLevel    1
> LogFacility    local3
> Client    20
> TimeOut    20
> Grace    20
> Alive 5
> 
> #redirect unencrypted to encrypted
> ListenHTTP
>     Address xxx.xxx.xxx.20
>     Port    80
>     xHTTP 2
>     Service
>          Redirect    "https://server.com";
>     End
> End
> 
> #unecrypt and send to the backend
> ListenHTTPS
>    Address xxx.xxx.xxx.20
>    Port 443
>    Cert "etc/oldserver.pem"
>    Cert "/etc/server.pem"
>    SSLHonorCipherOrder     1
>    SSLAllowClientRenegotiation     0
>    Ciphers 
> "RC4-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
> Service
>        BackEnd
> Address 127.0.0.127
>            Port 80
>        End
>    End
> End
> 
> at this point I am not sure what I am missing.  should the cert file be owned 
> by a specific user or group?  should there be permissions other than 644 for 
> root:root?
> 
> Thanks for any help you can offer.
> Cheers
> Taz
> 
> 
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
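The two things the reply above asks Taz to verify, block order in the combined PEM file and the file mode, can be checked mechanically before restarting pound. The script below is an added example, not code from this thread or from the pound project. It reads a pound-style bundle, confirms that an unencrypted private key comes first and that only CERTIFICATE blocks follow it, and flags a mode that leaves the key readable by everyone on the host. It only looks at PEM block headers, so it cannot confirm that the server certificate precedes the intermediates inside the chain; that part still needs an X.509 parser such as `openssl x509`. The `write_bundle` and `demo` helpers, the placeholder block bodies and the file names are all constructed for the example.

```python
import os
import re
import stat
import tempfile

# One PEM block: "-----BEGIN <label>-----", body, "-----END <same label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Return the PEM block labels in file order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(path):
    """Return a list of problems found with a combined key+certificate file.

    An empty list means the bundle passed every check made here.
    """
    problems = []
    with open(path) as f:
        text = f.read()
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]

    # pound reads the private key from the same file, so it must be the first block.
    if not labels[0].endswith("PRIVATE KEY"):
        problems.append(f"first block is {labels[0]!r}, expected the private key")
    # PKCS#8 encrypted keys carry their own label; legacy keys carry a Proc-Type header.
    if labels[0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is encrypted; pound needs an unencrypted key")

    # Everything after the key should be certificates: server cert, then intermediates.
    rest = labels[1:]
    if not rest:
        problems.append("no certificate follows the key")
    for i, label in enumerate(rest, start=2):
        if label != "CERTIFICATE":
            problems.append(f"block {i} is {label!r}; expected only certificates after the key")

    # The file holds a secret key: root (or the pound user) may read it, "other" may not.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        problems.append(f"mode {mode:o} is world-readable; 640 or 600 is enough")
    return problems


def write_bundle(path, labels, mode):
    """Write a constructed placeholder bundle (no real key material) with the given
    block order and file mode, and return its path."""
    with open(path, "w") as f:
        for label in labels:
            f.write(f"-----BEGIN {label}-----\n")
            f.write("MIIBplaceholderNOTrealKEYorCERTdata==\n")  # constructed filler, not real data
            f.write(f"-----END {label}-----\n")
    os.chmod(path, mode)
    return path


def demo():
    """Build one correct and one broken sample bundle in a temp dir and check both."""
    d = tempfile.mkdtemp()
    good = write_bundle(os.path.join(d, "server.pem"),
                        ["RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"], 0o640)
    # Certificate before key and world-readable: both mistakes discussed in the thread.
    bad = write_bundle(os.path.join(d, "wrong.pem"),
                       ["CERTIFICATE", "RSA PRIVATE KEY"], 0o644)
    return {"good": check_bundle(good), "bad": check_bundle(bad)}


if __name__ == "__main__":
    for name, probs in demo().items():
        print(name, "->", probs or "OK")
```

Run it against the real bundle with `check_bundle("/etc/server.pem")` as the user pound starts as; the mode check reports the bits as set on disk, so run it after the chown/chmod you intend to keep.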
