I think you may be missing one. If you have an intermediate certificate it 
needs to be key/cert/intermediate/root.

-T

On Jan 6, 2015, at 2:16 PM, chharrison <[email protected]> wrote:

> changed permissions to 640
> 
> As for the order, I have actually tried ALL possible combinations. I have tried 
> all the combinations of cert with interm and separate cert and interms:
> 
> key/cert/interm  key/interm/cert  cert/interm/key  cert/key/interm 
> interm/cert/key interm/key/cert.   I have used the cert that includes the 
> intermediaries; I have tried building it from the cert and separate 
> intermediaries cert.
> 
> If the key is not first I merely get the SSL_CTX_use_certificate_chain_file 
> failed - aborted.
> 
> 
> Taz
> 
> On 1/6/15 1:47 PM, Todd Fleisher wrote:
>> Double check that you have put the certificate files in the correct order - 
>> the digicert URL lists the correct order but be sure you have them that way.
>> 
>> Also check the permissions so the file is readable by root, but not by 
>> everyone. You list root:root 644 which would mean anyone on that host could 
>> potentially read your secret key which is very bad and pound may be guarding 
>> against that. Mode 640 should be sufficient.
>> 
>> -T
>> 
>> On Jan 6, 2015, at 10:35 AM, chharrison <[email protected]> wrote:
>> 
>>> Hello All,
>>> 
>>> Recently I got a new SSL cert.  While trying to install it for pound's use I 
>>> keep getting the "SSL_CTX_use_PrivateKey_file failed" error, aborted.  It's 
>>> gotten me seriously frustrated.
>>> 
>>> I have the original server.key and the server.csr files generated from 
>>> openssl
>>> 
>>> I have the server.cer file from Comodo.
>>> 
>>> (As an aside, I also have, and have tried, the cert-only and intermediates 
>>> files as well.)
>>> 
>>> I have used openssl to check all the files.
>>> 
>>> I have tried every version of concatenating the files into a new pem file 
>>> as listed by
>>> https://www.digicert.com/ssl-support/pem-ssl-creation.htm
>>> I have checked the cert order by concatenating a new pem from the cert-only 
>>> and intermediary files, with
>>> cat server.key server.cer > server.pem as the default.
>>> 
>>> the pem file has each of the sections as expected.
>>> 
>>> -----BEGIN RSA PRIVATE KEY-----
>>> -----END RSA PRIVATE KEY-----
>>> -----BEGIN CERTIFICATE-----
>>> -----END CERTIFICATE-----
>>> -----BEGIN CERTIFICATE-----
>>> -----END CERTIFICATE-----
>>> 
>>> As you can see, the key is not encrypted.
>>> 
>>> the pound.cfg:
>>> 
>>> User    "nobody"
>>> Group    "nobody"
>>> LogLevel    1
>>> LogFacility    local3
>>> Client    20
>>> TimeOut    20
>>> Grace    20
>>> Alive 5
>>> 
>>> #redirect unencrypted to encrypted
>>> ListenHTTP
>>>     Address xxx.xxx.xxx.20
>>>     Port    80
>>>     xHTTP 2
>>>     Service
>>>         Redirect    "https://server.com";
>>>     End
>>> End
>>> 
>>> #unencrypt and send to the backend
>>> ListenHTTPS
>>>     Address xxx.xxx.xxx.20
>>>     Port 443
>>>     Cert "etc/oldserver.pem"
>>>     Cert "/etc/server.pem"
>>>     SSLHonorCipherOrder     1
>>>     SSLAllowClientRenegotiation     0
>>>     Ciphers "RC4-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
>>>     Service
>>>         BackEnd
>>>             Address 127.0.0.127
>>>             Port 80
>>>         End
>>>     End
>>> End
>>> 
>>> At this point I am not sure what I am missing.  Should the cert file be 
>>> owned by a specific user or group?  Should there be permissions other than 
>>> 644 for root:root?
>>> 
>>> Thanks for any help you can offer.
>>> Cheers
>>> Taz
>>> 
>>> 
>>> --
>>> To unsubscribe send an email with subject unsubscribe to [email protected].
>>> Please contact [email protected] for questions.
> 
> -- 
> Chris “Taz” Harrison                          [email protected]
> Chief Technological Officer                    858-822-0553
> Sally Ride EarthKAM                       earthkam.ucsd.edu
> GRAIL MoonKAM                              moonkam.ucsd.edu   
> 
> 
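The two things the thread keeps circling back to are the block order inside the combined PEM file (private key first, then the server certificate, then the intermediates) and the file permissions on a file that contains a private key. The script below is an added example, not part of this thread and not Pound's own code: it parses the PEM labels in a bundle, reports a bundle whose first block is not an unencrypted private key or that carries a second key or an unexpected block, and flags a world-readable or group-writable file. The sample bundles and their bodies are constructed placeholders, not real key material, and the script does not decide which CERTIFICATE block is the leaf and which an intermediate (that needs `openssl x509 -subject -issuer` on each block).

```python
"""Sanity-check a combined PEM bundle of the kind Pound's Cert directive reads:
one unencrypted private key first, then the server certificate, then any
intermediate (optionally root) certificates, in a file others cannot read.
Added example; not Pound's own code."""
import os
import re
import stat
import sys
import tempfile

# One PEM block: a BEGIN line, anything (re.S lets . span lines), and the END
# line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_bundle_text(text):
    """Return a list of layout problems; an empty list means the order is fine."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    first_label, first_body = blocks[0]
    if "PRIVATE KEY" not in first_label:
        problems.append(f"first block is {first_label!r}; Pound expects the private key first")
    # Traditional-format keys mark encryption with a Proc-Type header; PKCS#8 uses the label.
    if first_label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in first_body:
        problems.append("private key is encrypted; an unattended daemon cannot supply a passphrase")
    for i, (label, _) in enumerate(blocks[1:], start=1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {i} is a private key; the bundle must hold exactly one, as its first block")
        elif label != "CERTIFICATE":
            problems.append(f"block {i} has unexpected label {label!r}")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block follows the key")
    return problems


def check_permissions(path):
    """Flag a bundle that other users on the host could read or modify."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append(f"mode {mode:04o} is world-readable; 0640 or 0600 keeps the key private")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"mode {mode:04o} lets the group or others modify the bundle")
    return problems


def check_bundle_file(path):
    """Combine the layout and permission checks for a bundle on disk."""
    with open(path) as fh:
        text = fh.read()
    return check_bundle_text(text) + check_permissions(path)


def write_temp_bundle(text, mode):
    """Demo helper: write text to a temporary file and set its mode explicitly."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


# Constructed sample bundles; the base64-looking bodies are placeholders only.
SAMPLE_GOOD = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----", "MIIEpAIBAAKCAQEA...constructed-key...",
    "-----END RSA PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", "MIIDXTCCAkWg...constructed-server-cert...",
    "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", "MIIDXTCCAkWg...constructed-intermediate...",
    "-----END CERTIFICATE-----",
]) + "\n"
SAMPLE_CERT_FIRST = "\n".join([
    "-----BEGIN CERTIFICATE-----", "MIIDXTCCAkWg...constructed-server-cert...",
    "-----END CERTIFICATE-----",
    "-----BEGIN RSA PRIVATE KEY-----", "MIIEpAIBAAKCAQEA...constructed-key...",
    "-----END RSA PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", "MIIDXTCCAkWg...constructed-intermediate...",
    "-----END CERTIFICATE-----",
]) + "\n"

if __name__ == "__main__":
    # Pass a real bundle path, or run without arguments to see the checks on a
    # well-ordered sample written with the 0644 mode discussed in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else write_temp_bundle(SAMPLE_GOOD, 0o644)
    for line in check_bundle_file(target) or ["bundle layout and permissions look OK"]:
        print(line)
```

Run it against the bundle Pound is pointed at (`python3 check_bundle.py /etc/server.pem`); a clean report narrows the problem to the key/certificate pairing or the path in pound.cfg rather than the file's layout.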