Changed permissions to 640.

As for the order, I have actually tried ALL possible combinations. I have tried all the combinations of cert with intermediates and separate cert and intermediates:

key/cert/interm, key/interm/cert, cert/interm/key, cert/key/interm, interm/cert/key, interm/key/cert. I have used the cert that includes the intermediaries; I have tried building it from the cert and separate intermediaries cert.

If the key is not first I merely get the SSL_CTX_use_certificate_chain_file failed - aborted.


Taz

On 1/6/15 1:47 PM, Todd Fleisher wrote:
Double check that you have put the certificate files in the correct order - the 
digicert URL lists the correct order but be sure you have them that way.

Also check the permissions so the file is readable by root, but not by 
everyone. You list root:root 644 which would mean anyone on that host could 
potentially read your secret key which is very bad and pound may be guarding 
against that. Mode 640 should be sufficient.

-T

On Jan 6, 2015, at 10:35 AM, chharrison <[email protected]> wrote:

Hello All,

Recently I got a new SSL cert. While trying to install it for Pound's use I keep 
getting the SSL_CTX_use_Privatekey_file failed error, aborted. It's gotten me 
seriously frustrated.

I have the original server.key and the server.csr files generated from openssl

I have the server.cer file from Comodo.

As an aside, I also have, and have tried, the cert-only and intermediates files 
as well.

I have used openssl to check all the files.

I have tried every version of concatenating the files into a new pem file as 
listed by
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
I have checked the cert order by concatenating a new pem from the cert-only and 
intermediary files;
cat server.key server.cer > server.pem as the default.

The pem file has each of the sections as expected.

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

As you can see, the key is not encrypted.

The pound.cfg:

User        "nobody"
Group       "nobody"
LogLevel    1
LogFacility local3
Client      20
TimeOut     20
Grace       20
Alive       5

#redirect unencrypted to encrypted
ListenHTTP
    Address xxx.xxx.xxx.20
    Port    80
    xHTTP   2
    Service
        Redirect    "https://server.com";
    End
End

#unencrypt and send to the backend
ListenHTTPS
    Address xxx.xxx.xxx.20
    Port    443
    Cert    "etc/oldserver.pem"
    Cert    "/etc/server.pem"
    SSLHonorCipherOrder         1
    SSLAllowClientRenegotiation 0
    Ciphers "RC4-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
    Service
        BackEnd
            Address 127.0.0.127
            Port    80
        End
    End
End

At this point I am not sure what I am missing. Should the cert file be owned 
by a specific user or group? Should there be permissions other than 644 for 
root:root?

Thanks for any help you can offer.
Cheers
Taz


--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.

--
Chris “Taz” Harrison                            [email protected]
Chief Technological Officer                      858-822-0553
Sally Ride EarthKAM                         earthkam.ucsd.edu
GRAIL MoonKAM                                moonkam.ucsd.edu   


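The two suggestions in this thread, key first and then the certificate and intermediates, and a mode that keeps the key from being world-readable, can be turned into a repeatable check. The script below is an added example and is not code from the thread or from Pound. It assumes openssl, awk, ls and mktemp are available, that the key is unencrypted (Pound cannot prompt for a passphrase), and that the file names are placeholders. The function names are mine; make_test_chain builds a throwaway root/intermediate/server PKI so the checks can be exercised offline in place of the CA-issued files.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pound. Assumes openssl, awk,
# ls and mktemp in PATH and an unencrypted key (Pound cannot prompt for a
# passphrase). File names and the test PKI below are constructed examples.
#
# Pound's Cert file layout: private key first, then the server certificate,
# then the intermediates, nearest signer first. Traditional "BEGIN RSA PRIVATE
# KEY" and PKCS#8 "BEGIN PRIVATE KEY" blocks are both accepted.

# build_pound_pem OUT KEY CERT [INTERMEDIATE...]
build_pound_pem() {
    out=$1; key=$2; cert=$3; shift 3
    # Restrictive umask in a subshell: the file is never world-readable, not
    # even for the instant between creation and chmod.
    (
        umask 077
        for f in "$key" "$cert" "$@"; do
            cat "$f"
            # CA-issued files often lack a final newline; without this the END
            # and BEGIN markers run together and OpenSSL cannot parse the file.
            [ -z "$(tail -c 1 "$f")" ] || echo
        done > "$out"
    ) || return 1
    # Pound reads the file at startup before switching to User/Group, so 640
    # owned by the account that starts it (normally root) is enough.
    chmod 640 "$out"
}

# check_pound_pem PEM ROOT_CA_FILE: returns 0 if PEM should load in Pound,
# otherwise says which of the failure modes from the thread applies.
check_pound_pem() {
    pem=$1; ca=$2
    # 1. Not world-readable: the "other" bits of ls -l must be ---.
    other=$(ls -ld "$pem" | awk '{ print substr($1, 8, 3) }')
    if [ "$other" != "---" ]; then
        echo "$pem: world-readable (other bits '$other'), use mode 640" >&2; return 1
    fi
    # 2. First PEM block must be the private key.
    first=$(awk '/^-----BEGIN /{ print; exit }' "$pem")
    case $first in
        *"PRIVATE KEY"*) ;;
        *) echo "$pem: first block is '$first', the key must come first" >&2; return 1 ;;
    esac
    # 3. Key loads without a passphrase (-passin pass:x makes an encrypted key
    #    fail instead of prompting) and 4. matches the first certificate.
    if ! kpub=$(openssl pkey -in "$pem" -passin pass:x -pubout 2>/dev/null); then
        echo "$pem: private key unreadable or encrypted" >&2; return 1
    fi
    if ! cpub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null); then
        echo "$pem: no parsable certificate" >&2; return 1
    fi
    if [ "$kpub" != "$cpub" ]; then
        echo "$pem: private key does not match the first certificate" >&2; return 1
    fi
    # 5. The server certificate must chain to ROOT_CA_FILE through the
    #    intermediates that follow it (the 2nd, 3rd, ... certificate blocks).
    work=$(mktemp -d) || return 1
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" > "$work/certs.pem"
    openssl x509 -in "$work/certs.pem" -out "$work/leaf.pem" 2>/dev/null   # first cert only
    awk '/-----BEGIN CERTIFICATE-----/{ n++ } n >= 2' "$work/certs.pem" > "$work/inter.pem"
    set -- "$work/leaf.pem"
    [ -s "$work/inter.pem" ] && set -- -untrusted "$work/inter.pem" "$@"
    openssl verify -CAfile "$ca" "$@" > /dev/null 2>&1 && rc=0 || rc=1
    rm -rf "$work"
    [ "$rc" -eq 0 ] || echo "$pem: chain does not verify, check the intermediates" >&2
    return "$rc"
}

# make_test_chain DIR: constructed root -> intermediate -> server PKI standing
# in for the CA-issued files, so the checks above can be exercised offline.
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\n' > "$d/leaf.ext"
    for n in root inter server; do
        openssl req -new -nodes -newkey rsa:2048 -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Example $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}
```

Source the file and run `build_pound_pem /etc/server.pem server.key server.cer intermediate.cer`, then `check_pound_pem /etc/server.pem root.crt`, where root.crt is the CA's root certificate (it need not be in the Pound file, since clients must already trust it). Each check maps to one of the symptoms in the thread: a certificate block before the key gives the certificate_chain_file error, a key that belongs to a different certificate gives the PrivateKey_file error, and the permission test catches the 644 that Todd pointed out.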
