Again, this part of the config file you gave us looks wrong:

>>>>     Cert "etc/oldserver.pem"
>>>>     Cert "/etc/server.pem"

Regards,
Simon

> the interm is actually the intermediate and root together.
>
> specifically as defined by my cert provider:
>
> X509 Intermediates/root only, Base64 encoded
>
> Taz
>
> On 1/6/15 2:41 PM, Todd Fleisher wrote:
>> I think you may be missing one. If you have an intermediate certificate
>> it needs to be key/cert/intermediate/root.
>>
>> -T
>>
>> On Jan 6, 2015, at 2:16 PM, chharrison <[email protected]> wrote:
>>
>>> changed permissions to 640
>>>
>>> as for the order I have actually tried ALL possible combinations. I have
>>> tried all the combinations of cert with interm and separate cert and
>>> interms:
>>>
>>> key/cert/interm key/interm/cert cert/interm/key cert/key/interm
>>> interm/cert/key interm/key/cert. I have used the cert that includes
>>> the intermediaries. I have tried building it from the cert and separate
>>> intermediaries cert.
>>>
>>> if the key is not first I merely get the
>>> SSL_CTX_use_certificate_chain_file failed -aborted
>>>
>>> Taz
>>>
>>> On 1/6/15 1:47 PM, Todd Fleisher wrote:
>>>> Double check that you have put the certificate files in the correct
>>>> order - the digicert URL lists the correct order but be sure you have
>>>> them that way.
>>>>
>>>> Also check the permissions so the file is readable by root, but not by
>>>> everyone. You list root:root 644 which would mean anyone on that host
>>>> could potentially read your secret key which is very bad and pound may
>>>> be guarding against that. Mode 640 should be sufficient.
>>>>
>>>> -T
>>>>
>>>> On Jan 6, 2015, at 10:35 AM, chharrison <[email protected]> wrote:
>>>>
>>>>> Hello All,
>>>>>
>>>>> recently I got a new ssl cert. while trying to install for pound's
>>>>> use I keep getting the SSL_CTX_use_Privatekey_file failed error
>>>>> aborted. it's gotten me up to seriously frustrated.
>>>>>
>>>>> I have the original server.key and the server.csr files generated
>>>>> from openssl
>>>>>
>>>>> I have the server.cer file from Comodo
>>>>>
>>>>> as an aside, I also have and have tried the cert only and
>>>>> intermediates files as well)
>>>>>
>>>>> I have used openssl to check all the files
>>>>>
>>>>> I have tried every version of concatenating the files into a new pem
>>>>> file as listed by
>>>>> https://www.digicert.com/ssl-support/pem-ssl-creation.htm
>>>>> I have checked the cert order by concatenating a new pem from the cert
>>>>> only and intermediary files
>>>>> cat server.key server.cer > server.pem as the default
>>>>>
>>>>> the pem file has each of the sections as expected.
>>>>>
>>>>> -----BEGIN RSA PRIVATE KEY-----
>>>>> -----END RSA PRIVATE KEY-----
>>>>> -----BEGIN CERTIFICATE-----
>>>>> -----END CERTIFICATE-----
>>>>> -----BEGIN CERTIFICATE-----
>>>>> -----END CERTIFICATE-----
>>>>>
>>>>> as you can see the key is not encrypted.
>>>>>
>>>>> the pound.cfg:
>>>>>
>>>>> User "nobody"
>>>>> Group "nobody"
>>>>> LogLevel 1
>>>>> LogFacility local3
>>>>> Client 20
>>>>> TimeOut 20
>>>>> Grace 20
>>>>> Alive 5
>>>>>
>>>>> #redirect unencrypted to encrypted
>>>>> ListenHTTP
>>>>>     Address xxx.xxx.xxx.20
>>>>>     Port 80
>>>>>     xHTTP 2
>>>>>     Service
>>>>>         Redirect "https://server.com"
>>>>>     End
>>>>> End
>>>>>
>>>>> #unencrypt and send to the backend
>>>>> ListenHTTPS
>>>>>     Address xxx.xxx.xxx.20
>>>>>     Port 443
>>>>>     Cert "etc/oldserver.pem"
>>>>>     Cert "/etc/server.pem"
>>>>>     SSLHonorCipherOrder 1
>>>>>     SSLAllowClientRenegotiation 0
>>>>>     Ciphers "RC4-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
>>>>>     Service
>>>>>         BackEnd
>>>>>             Address 127.0.0.127
>>>>>             Port 80
>>>>>         End
>>>>>     End
>>>>> End
>>>>>
>>>>> at this point I am not sure what I am missing. should the cert file
>>>>> be owned by a specific user or group? should there be permissions
>>>>> other than 644 for root:root?
>>>>>
>>>>> Thanks for any help you can offer.
>>>>> Cheers
>>>>> Taz
>>>>>
>>>>> --
>>>>> To unsubscribe send an email with subject unsubscribe to
>>>>> [email protected].
>>>>> Please contact [email protected] for questions.
>>> --
>>> Chris Taz Harrison [email protected]
>>> Chief Technological Officer 858-822-0553
>>> Sally Ride EarthKAM earthkam.ucsd.edu
>>> GRAIL MoonKAM moonkam.ucsd.edu
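The thread converges on four things to verify in a Pound Cert file: the private key comes first and is not passphrase-protected, the server certificate and intermediates follow it, the path in the Cert directive is absolute, and the file is not world-readable. The script below is an added example (not from the thread, Pound or OpenSSL) that checks exactly those structural points; the PEM blocks at the bottom are constructed placeholders, and it does not verify that the key cryptographically matches the certificate.

```python
import os
import re
import stat

# One PEM block: label plus its body up to the matching END line; the body keeps any
# "Proc-Type"/"DEK-Info" headers, which is how a legacy encrypted key announces itself.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def check_pem_layout(pem_text):
    """Structural checks for a Pound Cert file; an empty list means the layout is right."""
    findings = []
    blocks = PEM_BLOCK.findall(pem_text.replace("\r\n", "\n"))
    if not blocks:
        return ["no PEM blocks found (wrong file, or damaged BEGIN/END delimiters)"]
    first_label, first_body = blocks[0]
    if first_label not in KEY_LABELS:
        findings.append(f"first block is '{first_label}', but Pound needs the private key first")
    elif first_label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in first_body:
        findings.append("private key is passphrase-protected; Pound cannot prompt for it")
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]
    if not certs:
        findings.append("no CERTIFICATE block at all (server cert and intermediates expected)")
    elif len(certs) == 1:
        findings.append("only one certificate; add the intermediates unless it is self-signed")
    return findings


def check_pound_cert_file(path):
    """The path and permission points raised in the thread, on top of the layout check."""
    findings = []
    if not os.path.isabs(path):
        findings.append(f"'{path}' is relative; use an absolute path in the Cert directive")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings + [f"'{path}' does not exist"]
    if st.st_mode & stat.S_IROTH:  # 644 exposes the key to every local user; 640 does not
        findings.append("file is world-readable; the private key inside it is exposed (use 640)")
    with open(path) as f:
        return findings + check_pem_layout(f.read())


# Constructed placeholder blocks (not real keys or certificates), only for the self-test.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
           "MIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n")
CERT = "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n"
GOOD_PEM = KEY + CERT + CERT  # key / server cert / intermediate, the order Todd describes
```

Run `check_pound_cert_file("/etc/server.pem")` on the real file; a key/cert mismatch still has to be confirmed separately with openssl.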
