Re: private key not found

2003-03-14 Thread A. Putnam
O...okay. I see it now. One of those 'duh, it's right in front of me' 
things. 

Ok, so now I've changed the DocumentRoot, but the only  line I 
could find already had the correct path in it. There was one other 
 type line:


SSLOptions +StdEnvVars


But it didn't have any effect when I changed it so I changed it back. 

On Friday 14 March 2003 13:45, Ron Gedye wrote:
> 
>
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
>
> Is DocumentRoot above the actual content of your site? (betting not)  Maybe
> compare this setting to what is set for port 80 (http)
> Other than that I had no problems with getting to your site via https.
>
> #
> # DocumentRoot: The directory out of which you will serve your
> # documents. By default, all requests are taken from this directory, but
> # symbolic links and aliases may be used to point to other locations.
> #
> DocumentRoot "/home/httpd/html"
>
> There is usually a related setting (maybe not in virtual hosts, little
> rusty - brainfog)
> #
> # This should be changed to whatever you set DocumentRoot to.
> #
> 
>
> - Original Message -----
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 15, 2003 4:02 PM
> Subject: Re: private key not found
>
>
> Changed the ServerName - thanks, I was wondering about that.
>
> How do I check my Docroot? "& add  ?" What does that mean?
>
> On Friday 14 March 2003 12:53, Ron Gedye wrote:
> > Quick check...
> > Check your Docroot (& add  ?).  Just looked at your site & I
> > get http fine (with content) but https shows SuSE test page.
> >
> > FYI - to remove this error:
> > [15/Mar/2003 14:30:20 11314] [warn]  Init: (matrix.pelathe.org:443) RSA server
> > certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
> >
> > change this line...
> > ServerName matrix.pelathe.org
> >  (no big deal...)

Re: private key not found

2003-03-14 Thread Ron Gedye

>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log

Is DocumentRoot above the actual content of your site? (betting not)  Maybe
compare this setting to what is set for port 80 (http)
Other than that I had no problems with getting to your site via https.

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/home/httpd/html"

There is usually a related setting (maybe not in virtual hosts, little
rusty - brainfog)
#
# This should be changed to whatever you set DocumentRoot to.
#


- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 15, 2003 4:02 PM
Subject: Re: private key not found


Changed the ServerName - thanks, I was wondering about that.

How do I check my Docroot? "& add  ?" What does that mean?


On Friday 14 March 2003 12:53, Ron Gedye wrote:
> Quick check...
> Check your Docroot (& add  ?).  Just looked at your site & I
> get http fine (with content) but https shows SuSE test page.
>
> FYI - to remove this error:
> [15/Mar/2003 14:30:20 11314] [warn]  Init: (matrix.pelathe.org:443) RSA server
> certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
>
> change this line...
> ServerName matrix.pelathe.org
>  (no big deal...)
>

Re: private key not found

2003-03-14 Thread A. Putnam
Changed the ServerName - thanks, I was wondering about that.

How do I check my Docroot? "& add  ?" What does that mean?


On Friday 14 March 2003 12:53, Ron Gedye wrote:
> Quick check...
> Check your Docroot (& add  ?).  Just looked at your site & I
> get http fine (with content) but https shows SuSE test page.
>
> FYI - to remove this error:
> [15/Mar/2003 14:30:20 11314] [warn]  Init: (matrix.pelathe.org:443) RSA server
> certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
>
> change this line...
> ServerName matrix.pelathe.org
>  (no big deal...)
>

Re: private key not found

2003-03-14 Thread Ron Gedye
Quick check...
Check your Docroot (& add  ?).  Just looked at your site & I
get http fine (with content) but https shows SuSE test page.

FYI - to remove this error:
[15/Mar/2003 14:30:20 11314] [warn]  Init: (matrix.pelathe.org:443) RSA server
certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?

change this line...
ServerName matrix.pelathe.org
 (no big deal...)


Re: private key not found

2003-03-14 Thread A. Putnam
I found the SSLLogLevel, thanks. Here is the engine log from today. I'm not 
really sure what to make of it...

[15/Mar/2003 14:30:18 11313] [info]  Server: Apache/1.3.26, Interface: 
mod_ssl/2.8.10, Library: OpenSSL/0.9.6g
[15/Mar/2003 14:30:18 11313] [info]  Init: 1st startup round (still not 
detached)
[15/Mar/2003 14:30:18 11313] [info]  Init: Initializing OpenSSL library
[15/Mar/2003 14:30:18 11313] [info]  Init: Loading certificate & private key 
of SSL-aware server matrix.pelathe.org:443
[15/Mar/2003 14:30:18 11313] [info]  Init: Seeding PRNG with 136 bytes of 
entropy
[15/Mar/2003 14:30:18 11313] [info]  Init: Generating temporary RSA private 
keys (512/1024 bits)
[15/Mar/2003 14:30:18 11313] [info]  Init: Configuring temporary DH parameters 
(512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info]  Init: 2nd startup round (already 
detached)
[15/Mar/2003 14:30:20 11314] [info]  Init: Reinitializing OpenSSL library
[15/Mar/2003 14:30:20 11314] [info]  Init: Seeding PRNG with 136 bytes of 
entropy
[15/Mar/2003 14:30:20 11314] [info]  Init: Configuring temporary RSA private 
keys (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info]  Init: Configuring temporary DH parameters 
(512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info]  Init: Initializing (virtual) servers for 
SSL
[15/Mar/2003 14:30:20 11314] [info]  Init: Configuring server 
matrix.pelathe.org:443 for SSL protocol
[15/Mar/2003 14:30:20 11314] [info]  Init: (matrix.pelathe.org:443) RSA server 
certificate enables Server Gated Cryptography (SGC)
[15/Mar/2003 14:30:20 11314] [warn]  Init: (matrix.pelathe.org:443) RSA server
certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
[15/Mar/2003 14:34:52 11671] [info]  Connection to child 2 established (server 
matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:34:52 11671] [info]  Seeding PRNG with 1160 bytes of entropy
[15/Mar/2003 14:37:04 11671] [info]  Connection: Client IP: 24.124.34.100, 
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:37:04 11671] [info]  Initial (No.1) HTTPS request received for 
child 2 (server matrix.pelathe.org:443)
[15/Mar/2003 14:37:16 11671] [info]  Subsequent (No.2) HTTPS request received 
for child 2 (server matrix.pelathe.org:443)
[15/Mar/2003 14:37:33 11671] [info]  Connection to child 2 closed with 
standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:52:36 11499] [info]  Connection to child 1 established (server 
matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:52:36 11499] [info]  Seeding PRNG with 1160 bytes of entropy
[15/Mar/2003 14:52:36 11499] [info]  Connection: Client IP: 24.124.34.100, 
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:52:36 11499] [info]  Initial (No.1) HTTPS request received for 
child 1 (server matrix.pelathe.org:443)
[15/Mar/2003 14:52:52 11499] [info]  Connection to child 1 closed with 
standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)
ssl_engine_log lines 394-440/440 (END)

I'll go ahead and post the mod_ssl section of my httpd.conf as well, sans the 
descriptive text:



SSLPassPhraseDialog  builtin

#SSLSessionCache none
#SSLSessionCache shmht:/var/run/ssl_scache(512000)
#SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:/var/run/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLLog  /var/log/httpd/ssl_engine_log
SSLLogLevel trace





##
## SSL Virtual Host Context
##



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/www.pelathe.org.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/www.pelathe.org.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl

SSLVerifyClient none
SSLVerifyDepth  10

#
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
#   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



I hope this helps
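
A way to triage an engine log like the one in this message, as an added example that is not part of the original post or of mod_ssl: it rejoins the mail-wrapped records, pulls out the certificate CommonName warning, and lists the protocol and cipher each client negotiated. The sample log is constructed from the format shown above; the function names and the list of cipher markers flagged for review are assumptions of this example.

```python
import re

# Constructed sample in the ssl_engine_log format quoted above, wrapped the
# way the mail client wrapped it (a record continues on the following line).
SAMPLE_LOG = """\
[15/Mar/2003 14:30:18 11313] [info]  Init: Generating temporary RSA private
keys (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [warn]  Init: (matrix.pelathe.org:443) RSA server
certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
[15/Mar/2003 14:34:52 11671] [info]  Connection to child 2 established (server
matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:37:04 11671] [info]  Connection: Client IP: 24.124.34.100,
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:37:33 11671] [info]  Connection to child 2 closed with
standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)
"""

# A record starts with "[date time pid] [level]"; anything else is a wrapped tail.
RECORD_START = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] "
    r"\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
CN_MISMATCH = re.compile(
    r"\((?P<server>[^)]+)\)\s+RSA\s+server\s+certificate\s+CommonName\s+"
    r"\(CN\)\s+`(?P<cn>[^']+)'\s+does\s+NOT\s+match"
)
NEGOTIATED = re.compile(
    r"Connection: Client IP: (?P<client>[\d.]+),\s+Protocol: (?P<proto>[^,\s]+),"
    r"\s+Cipher: (?P<cipher>\S+)\s+\((?P<used>\d+)/(?P<max>\d+) bits\)"
)
# Assumption of this example: substrings that mark a cipher worth reviewing.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "MD5", "DES")


def parse_records(text):
    """Rejoin wrapped lines and return a list of record dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail quote prefixes
        if not line:
            continue
        m = RECORD_START.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            # Continuation of the previous record.
            records[-1]["msg"] += " " + line
    return records


def triage(text):
    """Return (cn_mismatches, sessions) found in an engine log."""
    mismatches, sessions = [], []
    for rec in parse_records(text):
        m = CN_MISMATCH.search(rec["msg"])
        if m:
            vhost = m.group("server").rsplit(":", 1)[0]
            mismatches.append({"vhost": vhost, "cert_cn": m.group("cn")})
        m = NEGOTIATED.search(rec["msg"])
        if m:
            cipher = m.group("cipher")
            sessions.append({
                "client": m.group("client"),
                "protocol": m.group("proto"),
                "cipher": cipher,
                "review": [w for w in WEAK_MARKERS if w in cipher.upper()],
            })
    return mismatches, sessions


if __name__ == "__main__":
    found_mismatches, found_sessions = triage(SAMPLE_LOG)
    for item in found_mismatches:
        print("CN mismatch: vhost %(vhost)s, certificate CN %(cert_cn)s" % item)
    for s in found_sessions:
        print("%(client)s %(protocol)s %(cipher)s review=%(review)s" % s)
```
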

Re: private key not found

2003-03-13 Thread Aaron Stromas
A. Putnam said:
> Right then. I moved my certificates into their respective directories
> and  re-reedited my httpd.conf file to reflect those changes and set
> the  SSLVerifyClient to 'none'. I was not sure where to go to change
> the logging  to 'trace' though. But, I can get into the secure server
> now so it  technically works. (thank you again Camun, and DuFresne and
> Stromas too)

SSLLogLevel trace

>
> However, I am finding that all of the pages I've visited while in https
> are  pulling up 404 errors. The same pages pull up fine in http. Do I
> need to have  a mirrored web directory just for https to get the files
> to show up or  something? This is the only real conclusion I can think
> of.

What does the access log say?

If you still can't figure it out looking at logs you should post your
httpd.conf
>
> On Thursday 13 March 2003 11:55, cam wrote:
>>  --- On Fri 03/14, A. Putnam < [EMAIL PROTECTED] > wrote:
>> >I get this error message:
>> >
>> >"www.pelathe.org has received an incorrect or unexpected message.
>> >Error
>> > Code: -12227" I've never seen an error code like that before. Does
>> > anyone know what it means?
>>
>> Again, a guess, but you haven't set SSLVerifyClient Require have you?
>> You (presumably, otherwise, get reading on client certificates) want
>> 'none' here. If not, in fact, in any case, have a look in your SSL log
>> files (not the 'normal' log files) which will have been specified in
>> httpd.conf... The logs are your friend.
>>
>> cam
>>
>> __
>> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
>> User Support Mailing List  [EMAIL PROTECTED]
>> Automated List Manager[EMAIL PROTECTED]
>
> --
> A. Putnam
> Assistant IT Administrator
> Pelathe Community Resource Center
>
>


-- 
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France





Re: private key not found

2003-03-13 Thread A. Putnam
Right then. I moved my certificates into their respective directories and 
re-reedited my httpd.conf file to reflect those changes and set the 
SSLVerifyClient to 'none'. I was not sure where to go to change the logging 
to 'trace' though. But, I can get into the secure server now so it 
technically works. (thank you again Camun, and DuFresne and Stromas too) 

However, I am finding that all of the pages I've visited while in https are 
pulling up 404 errors. The same pages pull up fine in http. Do I need to have 
a mirrored web directory just for https to get the files to show up or 
something? This is the only real conclusion I can think of.

On Thursday 13 March 2003 11:55, cam wrote:
>  --- On Fri 03/14, A. Putnam < [EMAIL PROTECTED] > wrote:
> >I get this error message:
> >
> >"www.pelathe.org has received an incorrect or unexpected message. Error
> > Code: -12227" I've never seen an error code like that before. Does anyone
> > know what it means?
>
> Again, a guess, but you haven't set SSLVerifyClient Require have you? You
> (presumably, otherwise, get reading on client certificates) want 'none'
> here. If not, in fact, in any case, have a look in your SSL log files (not
> the 'normal' log files) which will have been specified in httpd.conf... The
> logs are your friend.
>
> cam
>

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center




Re: private key not found

2003-03-13 Thread cam

 --- On Fri 03/14, A. Putnam < [EMAIL PROTECTED] > wrote:
>I get this error message:

>"www.pelathe.org has received an incorrect or unexpected message. Error Code: -12227"
>I've never seen an error code like that before. Does anyone know what it means?

Again, a guess, but you haven't set SSLVerifyClient Require have you? You (presumably, 
otherwise, get reading on client certificates) want 'none' here. If not, in fact, in 
any case, have a look in your SSL log files (not the 'normal' log files) which will 
have been specified in httpd.conf... The logs are your friend.

cam



Re: private key not found

2003-03-13 Thread Aaron Stromas
Just a guess: have you also added the CA certificate to the CA certificate
bundle? Also, set your logging to "trace", it should give you a clue.

-a

A. Putnam said:
> I went ahead and changed my httpd.conf file to reflect the new
> directory. And  when I went to restart Apache, it worked! (THANK YOU!!)
> However, when I go to  my shopping cart and click 'checkout' (thus
> sending me to the secure server)  I get this error message:
>
> "www.pelathe.org has received an incorrect or unexpected message. Error
> Code:  -12227"
>
> I've never seen an error code like that before. Does anyone know what
> it  means?
>
> On Friday 14 March 2003 13:37, A. Putnam wrote:
>> Okay, I cleaned out all of the older versions of the keys and ran the
>> scripts again. I ended up with this:
>>
>> 1 out of 1 certificate requests certified, commit? [y/n]y
>> Write out database with 1 new entries
>> Data Base Updated
>> CA verifying: www.pelathe.org.crt <-> CA cert
>> www.pelathe.org.crt: OK
>>
>> That does mean it worked, right? Everything is good? If so, should I
>> move the new files I have to their respective directories or should I
>> change my httpd.conf file to point to the new directory? I don't know
>> if moving or copying/pasting damages the integrity of the encryptions
>> or not.
>>
>> On Thursday 13 March 2003 05:01, camun2020 wrote:
>> >  --- On Thu 03/13, A. Putnam < [EMAIL PROTECTED] > wrote:
>> >
>> > Still no luck. I get the same error with this script too. Thank you
>> > for pointing out the script though. It was a LOT easier to use than
>> > the other one I had been using.
>> >
>> > OK, now I'm getting vague but could this be to do with the fact that
>> > you have some 'incomplete' keys and data in your ca.db.certs
>> > directory from the previous failed attempts?
>> >
>> > Make sure you start in a whole new clean directory...
>> >
>> > Having said that, I haven't actually tried those scripts with the
>> > most recent openssl so perhaps there are new problems.
>> >
>> > cam
>> >
>
> --
> A. Putnam
> Assistant IT Administrator
> Pelathe Community Resource Center
>


-- 
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France





Re: private key not found

2003-03-13 Thread cam

 --- On Fri 03/14, A. Putnam < [EMAIL PROTECTED] > wrote:
>That does mean it worked, right? Everything is good? 

Everything is rosy...

>If so, should I move the
>new files I have to their respective directories or should I change my httpd.conf
>file to point to the new directory?

I would personally suggest that you protect (chmod 700;chown root.root) the area where 
the files are currently stored and copy the key and the crt to the httpd.conf area 
where you should set appropriate perms on them too. See e.g. here for some guidance:

http://en.tldp.org/HOWTO/SSL-RedHat-HOWTO-4.html

>I don't know if moving or copying/pasting damages the integrity of the
>encryptions or not.

No, not in any way that I know of...



Re: private key not found

2003-03-13 Thread A. Putnam
I went ahead and changed my httpd.conf file to reflect the new directory. And 
when I went to restart Apache, it worked! (THANK YOU!!) However, when I go to 
my shopping cart and click 'checkout' (thus sending me to the secure server) 
I get this error message:

"www.pelathe.org has received an incorrect or unexpected message. Error Code: 
-12227"

I've never seen an error code like that before. Does anyone know what it 
means?

On Friday 14 March 2003 13:37, A. Putnam wrote:
> Okay, I cleaned out all of the older versions of the keys and ran the
> scripts again. I ended up with this:
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: www.pelathe.org.crt <-> CA cert
> www.pelathe.org.crt: OK
>
> That does mean it worked, right? Everything is good? If so, should I move
> the new files I have to their respective directories or should I change my
> httpd.conf file to point to the new directory? I don't know if moving or
> copying/pasting damages the integrity of the encryptions or not.
>
> On Thursday 13 March 2003 05:01, camun2020 wrote:
> >  --- On Thu 03/13, A. Putnam < [EMAIL PROTECTED] > wrote:
> >
> > Still no luck. I get the same error with this script too. Thank you for
> > pointing out the script though. It was a LOT easier to use than the other
> > one I had been using.
> >
> > OK, now I'm getting vague but could this be to do with the fact that you
> > have some 'incomplete' keys and data in your ca.db.certs directory from
> > the previous failed attempts?
> >
> > Make sure you start in a whole new clean directory...
> >
> > Having said that, I haven't actually tried those scripts with the most
> > recent openssl so perhaps there are new problems.
> >
> > cam
> >

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-13 Thread R. DuFresne

you should be able to safely move them into place.  make sure perms are
as restricted as possible to prevent their info from being leaked.

On Fri, 14 Mar 2003, A. Putnam wrote:

> Okay, I cleaned out all of the older versions of the keys and ran the scripts 
> again. I ended up with this:
> 
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: www.pelathe.org.crt <-> CA cert
> www.pelathe.org.crt: OK
> 
> That does mean it worked, right? Everything is good? If so, should I move the 
> new files I have to their respective directories or should I change my 
> httpd.conf file to point to the new directory? I don't know if moving or 
> copying/pasting damages the integrity of the encryptions or not.
> 
> 
> On Thursday 13 March 2003 05:01, camun2020 wrote:
> >  --- On Thu 03/13, A. Putnam < [EMAIL PROTECTED] > wrote:
> >
> > Still no luck. I get the same error with this script too. Thank you for
> > pointing out the script though. It was a LOT easier to use than the other
> > one I had been using.
> >
> > OK, now I'm getting vague but could this be to do with the fact that you
> > have some 'incomplete' keys and data in your ca.db.certs directory from the
> > previous failed attempts?
> >
> > Make sure you start in a whole new clean directory...
> >
> > Having said that, I haven't actually tried those scripts with the most
> > recent openssl so perhaps there are new problems.
> >
> > cam
> >
> 
> 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!



Re: private key not found

2003-03-13 Thread Aaron Stromas
You can copy your cert and key files to apache's conf directory.

A. Putnam said:
> Okay, I cleaned out all of the older versions of the keys and ran the
> scripts  again. I ended up with this:
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: www.pelathe.org.crt <-> CA cert
> www.pelathe.org.crt: OK
>
> That does mean it worked, right? Everything is good? If so, should I
> move the  new files I have to their respective directories or should I
> change my  httpd.conf file to point to the new directory? I don't know
> if moving or  copying/pasting damages the integrity of the encryptions
> or not.
>
>
> On Thursday 13 March 2003 05:01, camun2020 wrote:
>>  --- On Thu 03/13, A. Putnam < [EMAIL PROTECTED] > wrote:
>>
>> Still no luck. I get the same error with this script too. Thank you
>> for pointing out the script though. It was a LOT easier to use than
>> the other one I had been using.
>>
>> OK, now I'm getting vague but could this be to do with the fact that
>> you have some 'incomplete' keys and data in your ca.db.certs directory
>> from the previous failed attempts?
>>
>> Make sure you start in a whole new clean directory...
>>
>> Having said that, I haven't actually tried those scripts with the most
>> recent openssl so perhaps there are new problems.
>>
>> cam
>>
>
> --
> A. Putnam
> Assistant IT Administrator
> Pelathe Community Resource Center
>
>


-- 
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France





Re: private key not found

2003-03-13 Thread A. Putnam
Okay, I cleaned out all of the older versions of the keys and ran the scripts 
again. I ended up with this:

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: www.pelathe.org.crt <-> CA cert
www.pelathe.org.crt: OK

That does mean it worked, right? Everything is good? If so, should I move the 
new files I have to their respective directories or should I change my 
httpd.conf file to point to the new directory? I don't know if moving or 
copying/pasting damages the integrity of the encryptions or not.


On Thursday 13 March 2003 05:01, camun2020 wrote:
>  --- On Thu 03/13, A. Putnam < [EMAIL PROTECTED] > wrote:
>
> Still no luck. I get the same error with this script too. Thank you for
> pointing out the script though. It was a LOT easier to use than the other
> one I had been using.
>
> OK, now I'm getting vague but could this be to do with the fact that you
> have some 'incomplete' keys and data in your ca.db.certs directory from the
> previous failed attempts?
>
> Make sure you start in a whole new clean directory...
>
> Having said that, I haven't actually tried those scripts with the most
> recent openssl so perhaps there are new problems.
>
> cam
>

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center




Re: private key not found

2003-03-13 Thread camun2020

 --- On Thu 03/13, A. Putnam < [EMAIL PROTECTED] > wrote:

Still no luck. I get the same error with this script too. Thank you for 
pointing out the script though. It was a LOT easier to use than the other one 
I had been using. 

OK, now I'm getting vague but could this be to do with the fact that you have some 
'incomplete' keys and data in your ca.db.certs directory from the previous failed 
attempts? 

Make sure you start in a whole new clean directory... 

Having said that, I haven't actually tried those scripts with the most recent openssl 
so perhaps there are new problems.

cam



Re: private key not found

2003-03-12 Thread A. Putnam
Still no luck. I get the same error with this script too. Thank you for 
pointing out the script though. It was a LOT easier to use than the other one 
I had been using. 


On Monday 10 March 2003 04:42, camun2020 wrote:
> >1 out of 1 certificate requests certified, commit? [y/n]y
> >Write out database with 1 new entries
> >Data Base Updated
> >CA verifying: server.crt <-> CA cert
> >server.crt: /C=US/ST=Kansas/L=Lawrence/O=Pelathe
> >Center/CN=www.pelathe.org/[EMAIL PROTECTED]
> >error 18 at 0 depth lookup:self signed certificate
> >/C=US/ST=Kansas/L=Lawrence/O=Pelathe
> >Center/CN=www.pelathe.org/[EMAIL PROTECTED]
> >error 7 at 0 depth lookup:certificate signature failure
> >
> >What is an 'error 18 at depth 0' and an 'error 7 at depth 0'? Would this
> >be a reason why my server cannot find the Private Key?
>
> I've no idea what this error means but I've seen it several times but never
> seen an explanation on the list. I would strongly recommend that you use
> the alternative certificate scripts available as ssl.ca-0.1.tar.gz at:
>
> http://www.openssl.org/contrib/
>
> These have fixed this problem for me numerous times.
>

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-10 Thread camun2020


>1 out of 1 certificate requests certified, commit? [y/n]y
>Write out database with 1 new entries
>Data Base Updated
>CA verifying: server.crt <-> CA cert
>server.crt: /C=US/ST=Kansas/L=Lawrence/O=Pelathe 
>Center/CN=www.pelathe.org/[EMAIL PROTECTED]
>error 18 at 0 depth lookup:self signed certificate
>/C=US/ST=Kansas/L=Lawrence/O=Pelathe 
>Center/CN=www.pelathe.org/[EMAIL PROTECTED]
>error 7 at 0 depth lookup:certificate signature failure
>
>What is an 'error 18 at depth 0' and an 'error 7 at depth 0'? Would this be a
>reason why my server cannot find the Private Key?

I've no idea what this error means but I've seen it several times but never seen an 
explanation on the list. I would strongly recommend that you use the alternative 
certificate scripts available as ssl.ca-0.1.tar.gz at:

http://www.openssl.org/contrib/

These have fixed this problem for me numerous times.



Re: private key not found

2003-03-07 Thread Justin Williams
oh goody...  LOL

The CA tells me it was on an Apache server, and the owner tells me it was on
a *nix system, but, with them downloading the file and tinkering, maybe
something got tinkered the wrong way...

- Original Message -
From: "Carlos Villegas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 4:57 PM
Subject: Re: private key not found


>
> On Fri, 7 Mar 2003, Justin Williams wrote:
>
> > don't think you can make a key from a crt...  only works the other way
> > around...  Tempted to do that, though...
>
> You're right, it doesn't work the other way around. otherwise SSL would be
> worthless...
>
> It seems to me that your keys might be corrupted, my guess is that the
> other server was a windows box and this one is unix (or the other way
> around, but I doubt it), so you have all the end of lines messed up (with
> a bunch of ^M at the end of each line or similar).
>
> Carlos
>



Re: private key not found

2003-03-07 Thread Carlos Villegas

On Fri, 7 Mar 2003, Justin Williams wrote:

> don't think you can make a key from a crt...  only works the other way
> around...  Tempted to do that, though...

You're right, it doesn't work the other way around. otherwise SSL would be
worthless...

It seems to me that your keys might be corrupted, my guess is that the
other server was a windows box and this one is unix (or the other way
around, but I doubt it), so you have all the end of lines messed up (with
a bunch of ^M at the end of each line or similar).

Carlos
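
The two key-file checks raised in this thread (owner-only permissions on the private key, and ^M line endings left by a Windows-to-Unix transfer) can be run together as one shell function. This is an added example, not part of any message in the thread; `audit_key`, `make_samples` and the sample file names are hypothetical, and the key bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: audit a PEM private key file for the faults raised in the thread.
# audit_key and make_samples are hypothetical names; key bodies are placeholders.

CR=$(printf '\r')

# audit_key FILE [UID]
# Prints one line per finding; returns 1 if any fault was found, else 0.
# UID is the numeric owner the file should have (default 0, i.e. root).
audit_key() {
    key=$1
    want_uid=${2:-0}
    rc=0

    if [ ! -f "$key" ]; then
        echo "MISSING $key is not a regular file"
        return 1
    fi

    # "ls -ldn" prints e.g. "-r-------- 1 0 0 ..."; columns 1-10 are type + mode.
    listing=$(ls -ldn -- "$key")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    # Accept owner read (optionally write) and nothing for group/other: 400 or 600.
    case $mode in
        -r?-------) ;;
        *) echo "PERMS mode is $mode, want -r-------- (chmod 400)"; rc=1 ;;
    esac

    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER uid is $uid, want $want_uid"
        rc=1
    fi

    # Carriage returns mean the file went through a DOS/Windows text transfer.
    if grep -q "$CR" "$key"; then
        echo "CRLF carriage returns (^M) found at line ends"
        rc=1
    fi

    # Check PEM framing on a CR-stripped copy so CRLF is reported only once.
    body=$(tr -d '\r' < "$key")
    first=$(printf '%s\n' "$body" | sed -n '1p')
    last=$(printf '%s\n' "$body" | sed -n '$p')
    case $first in
        '-----BEGIN '*'PRIVATE KEY-----') ;;
        *) echo "FORMAT first line is not a PEM private key header"; rc=1 ;;
    esac
    case $last in
        '-----END '*'PRIVATE KEY-----') ;;
        *) echo "FORMAT last line is not a PEM private key footer"; rc=1 ;;
    esac

    # Encrypted keys are what trigger mod_ssl's pass phrase dialog at startup.
    if printf '%s\n' "$body" | grep -q -e '^Proc-Type: 4,ENCRYPTED' \
                                       -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----'; then
        echo "INFO key is pass phrase protected"
    fi
    return $rc
}

# make_samples DIR: write three constructed key files (placeholder bodies).
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$dir/good.key"
    chmod 400 "$dir/good.key"
    # Same content with CRLF line endings and world-readable permissions.
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$dir/crlf.key"
    chmod 644 "$dir/crlf.key"
    # Traditional encrypted PEM layout (header fields constructed).
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$dir/enc.key"
    chmod 600 "$dir/enc.key"
}

# Demo on the constructed samples. The expected owner here is the current
# uid so the demo runs unprivileged; on a real server leave it at the default 0.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in good.key crlf.key enc.key; do
    echo "== $f"
    audit_key "$demo_dir/$f" "$(id -u)" || true
done
rm -rf "$demo_dir"
```

On the server discussed in the thread the call would be `audit_key /etc/httpd/ssl.key/server.key`, run as root so the default expected owner (uid 0) applies.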



Re: private key not found

2003-03-07 Thread Justin Williams
don't think you can make a key from a crt...  only works the other way
around...  Tempted to do that, though...

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 08, 2003 6:01 PM
Subject: Re: private key not found


Oh, I see now. Well, it's nothing like that. Pelathe has had its domain
since
'98. We've had a server that died and had to transfer everything to a new
Linux box, but this is the first time we've ever tried to make a ssl server,
so I don't think that would make a difference.

It's really strange that the crt for your transferred domain won't work
though. Maybe there is some fundamental difference between the two servers
that would cause problems? Can you just make new keys for the domain
instead?
Or is that not how it works?



On Friday 07 March 2003 13:38, Justin Williams wrote:
> I had a domain that was transferred to my server, and with it came the key
> and crt files from the old server.  That particular domain the SSL is
> blowing up...  More accurately, Apache refuses to start, with the same
> error you get, when I try to enable the SSL for that domain...
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 08, 2003 4:48 PM
> Subject: Re: private key not found
>
>
> I'm not too sure what you mean when you ask if the domain was transferred.
> What domain? All I know I did was that I generated the key/csr/crts and
> self-signed the CA.
>
> On Thursday 06 March 2003 14:03, Justin Williams wrote:
> > was the domain moved over to your server, or did you generate
> > key/csr/crt?
> >
> > I'm having the same difficulty with one where the domain, cert and key
>
> were
>
> > transferred; all my others work properly...
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 5:20 PM
> > Subject: Re: private key not found
> >
> >
> > The permissions for the server.crt file are rw-r--r-- but it still
cannot
> > find
> > the Private Key.
> >
> > On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > > Please check the permissions on your private key.  They should be
> > > readable only by owner (400)
> > >
> > > (knee-jerk first guess reaction)
> > >
> > > Best of luck
> > >
> > > - Original Message -
> > > From: "A. Putnam" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, March 07, 2003 3:42 PM
> > > Subject: private key not found
> > >
> > >
> > > I'm trying to get mod_ssl to work on my server, but each time I try to
> > > restart
> > > apache with mod_ssl activated, it gives me this error:
> > >
> > > /etc/init.d/apache start returned 7 (Program is not running.)
> > > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > > Phrase Dialog)
> > > Some of your private key files are encrypted for security reasons.
> > > In order to read them you have to provide us with the pass phrases.
> > >
> > > Server matrix.pelathe.org:443 (RSA)
> > > Enter pass phrase:
> > > Apache:mod_ssl:Error: Private key not found.
> > > **Stopped
> > > stty: standard input: Inappropriate ioctl for device
> > > ..failed
> > >
> > > What I don't understand is how it can't find the Private key. The
> > > SSLCertificateKeyFile path in httpd.conf matches the location of the
> > > key
> >
> > in
> >
> > > my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> > >
> > > I'm including the Virtual Host code (sans the explanation text and a
> > > passkey).
> > > I'm very new to this so I won't be surprised if there is a glaring
> > > error
> >
> > in
> >
> > > here that I missed...
> > >
> > > 
> > >
> > > DocumentRoot "/srv/www/htdocs"
> > > ServerName matrix.pelathe.org
> > > ServerAdmin [EMAIL PROTECTED]
> > > ErrorLog /var/log/httpd/error_log
> > > TransferLog /var/log/httpd/access_log
> > >
> > > SSLEngine on
> > >
> > > SSLCipherSuite
> > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >
> > > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > >

Re: private key not found

2003-03-07 Thread A. Putnam
Oh, I see now. Well, it's nothing like that. Pelathe has had its domain since 
'98. We've had a server that died and had to transfer everything to a new 
Linux box, but this is the first time we've ever tried to make a ssl server, 
so I don't think that would make a difference. 

It's really strange that the crt for your transferred domain won't work 
though. Maybe there is some fundamental difference between the two servers 
that would cause problems? Can you just make new keys for the domain instead? 
Or is that not how it works?



On Friday 07 March 2003 13:38, Justin Williams wrote:
> I had a domain that was transferred to my server, and with it came the key
> and crt files from the old server.  That particular domain the SSL is
> blowing up...  More accurately, Apache refuses to start, with the same
> error you get, when I try to enable the SSL for that domain...
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 08, 2003 4:48 PM
> Subject: Re: private key not found
>
>
> I'm not too sure what you mean when you ask if the domain was transferred.
> What domain? All I know I did was that I generated the key/csr/crts and
> self-signed the CA.
>
> On Thursday 06 March 2003 14:03, Justin Williams wrote:
> > was the domain moved over to your server, or did you generate
> > key/csr/crt?
> >
> > I'm having the same difficulty with one where the domain, cert and key
>
> were
>
> > transferred; all my others work properly...
> >
> > ----- Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 5:20 PM
> > Subject: Re: private key not found
> >
> >
> > The permissions for the server.crt file are rw-r--r-- but it still cannot
> > find
> > the Private Key.
> >
> > On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > > Please check the permissions on your private key.  They should be
> > > readable only by owner (400)
> > >
> > > (knee-jerk first guess reaction)
> > >
> > > Best of luck
> > >
> > > - Original Message -
> > > From: "A. Putnam" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, March 07, 2003 3:42 PM
> > > Subject: private key not found
> > >
> > >
> > > I'm trying to get mod_ssl to work on my server, but each time I try to
> > > restart
> > > apache with mod_ssl activated, it gives me this error:
> > >
> > > /etc/init.d/apache start returned 7 (Program is not running.)
> > > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > > Phrase Dialog)
> > > Some of your private key files are encrypted for security reasons.
> > > In order to read them you have to provide us with the pass phrases.
> > >
> > > Server matrix.pelathe.org:443 (RSA)
> > > Enter pass phrase:
> > > Apache:mod_ssl:Error: Private key not found.
> > > **Stopped
> > > stty: standard input: Inappropriate ioctl for device
> > > ..failed
> > >
> > > What I don't understand is how it can't find the Private key. The
> > > SSLCertificateKeyFile path in httpd.conf matches the location of the
> > > key
> >
> > in
> >
> > > my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> > >
> > > I'm including the Virtual Host code (sans the explanation text and a
> > > passkey).
> > > I'm very new to this so I won't be surprised if there is a glaring
> > > error
> >
> > in
> >
> > > here that I missed...
> > >
> > > 
> > >
> > > DocumentRoot "/srv/www/htdocs"
> > > ServerName matrix.pelathe.org
> > > ServerAdmin [EMAIL PROTECTED]
> > > ErrorLog /var/log/httpd/error_log
> > > TransferLog /var/log/httpd/access_log
> > >
> > > SSLEngine on
> > >
> > > SSLCipherSuite
> > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >
> > > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> > >
> > > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> > >
> > > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >

Re: private key not found

2003-03-07 Thread Justin Williams
I had a domain that was transferred to my server, and with it came the key
and crt files from the old server.  That particular domain the SSL is
blowing up...  More accurately, Apache refuses to start, with the same error
you get, when I try to enable the SSL for that domain...

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 08, 2003 4:48 PM
Subject: Re: private key not found


I'm not too sure what you mean when you ask if the domain was transferred.
What domain? All I know I did was that I generated the key/csr/crts and
self-signed the CA.

On Thursday 06 March 2003 14:03, Justin Williams wrote:
> was the domain moved over to your server, or did you generate key/csr/crt?
>
> I'm having the same difficulty with one where the domain, cert and key
were
> transferred; all my others work properly...
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 5:20 PM
> Subject: Re: private key not found
>
>
> The permissions for the server.crt file are rw-r--r-- but it still cannot
> find
> the Private Key.
>
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key.  They should be
> > readable only by owner (400)
> >
> > (knee-jerk first guess reaction)
> >
> > Best of luck
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to
> > restart
> > apache with mod_ssl activated, it gives me this error:
> >
> > /etc/init.d/apache start returned 7 (Program is not running.)
> > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server matrix.pelathe.org:443 (RSA)
> > Enter pass phrase:
> > Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > stty: standard input: Inappropriate ioctl for device
> > ..failed
> >
> > What I don't understand is how it can't find the Private key. The
> > SSLCertificateKeyFile path in httpd.conf matches the location of the key
>
> in
>
> > my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> >
> > I'm including the Virtual Host code (sans the explanation text and a
> > passkey).
> > I'm very new to this so I won't be surprised if there is a glaring error
>
> in
>
> > here that I missed...
> >
> > 
> >
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
> >
> > SSLEngine on
> >
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >
> > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >
> > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >
> > #SSLCACertificatePath /etc/httpd/ssl.crt
> > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> >
> > SSLCARevocationPath /etc/httpd/ssl.crl
> > #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> >
> > SSLVerifyClient require
> > SSLVerifyDepth  10
> >
> > #
> > #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> > #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> > #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > #
> >
> > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > 
> > SSLOptions +StdEnvVars
> > 
> > 
> > SSLOptions +StdEnvVars
> > 
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >  nokeepalive ssl-unclean-shutdown \
> >  downgrade-1.

Re: private key not found

2003-03-07 Thread A. Putnam
I'm not too sure what you mean when you ask if the domain was transferred. 
What domain? All I know I did was that I generated the key/csr/crts and 
self-signed the CA.

On Thursday 06 March 2003 14:03, Justin Williams wrote:
> was the domain moved over to your server, or did you generate key/csr/crt?
>
> I'm having the same difficulty with one where the domain, cert and key were
> transferred; all my others work properly...
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 5:20 PM
> Subject: Re: private key not found
>
>
> The permissions for the server.crt file are rw-r--r-- but it still cannot
> find
> the Private Key.
>
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key.  They should be
> > readable only by owner (400)
> >
> > (knee-jerk first guess reaction)
> >
> > Best of luck
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to
> > restart
> > apache with mod_ssl activated, it gives me this error:
> >
> > /etc/init.d/apache start returned 7 (Program is not running.)
> > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server matrix.pelathe.org:443 (RSA)
> > Enter pass phrase:
> > Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > stty: standard input: Inappropriate ioctl for device
> > ..failed
> >
> > What I don't understand is how it can't find the Private key. The
> > SSLCertificateKeyFile path in httpd.conf matches the location of the key
>
> in
>
> > my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> >
> > I'm including the Virtual Host code (sans the explanation text and a
> > passkey).
> > I'm very new to this so I won't be surprised if there is a glaring error
>
> in
>
> > here that I missed...
> >
> > 
> >
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
> >
> > SSLEngine on
> >
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >
> > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >
> > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >
> > #SSLCACertificatePath /etc/httpd/ssl.crt
> > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> >
> > SSLCARevocationPath /etc/httpd/ssl.crl
> > #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> >
> > SSLVerifyClient require
> > SSLVerifyDepth  10
> >
> > #
> > #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> > #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> > #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > #
> >
> > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > 
> > SSLOptions +StdEnvVars
> > 
> > 
> > SSLOptions +StdEnvVars
> > 
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >  nokeepalive ssl-unclean-shutdown \
> >  downgrade-1.0 force-response-1.0
> >
> > CustomLog /var/log/httpd/ssl_request_log \
> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > 
> >
> > Any help would be greatly appreciated. I'm using Apache 1.3.26 and
> > Mod_SSL 2.8.10 on a SuSE 8.1 box.
> >
> > Thanks,
> > -Andrew

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-07 Thread A. Putnam
I'm not sure what you mean. I followed the mod_ssl faq to generate all the 
key/csr/crt files, then $./sign.sh the server.csr to make the server.crt.

 /etc/httpd/ssl.key/server.key is the correct path and the file is there. I 
finally managed to chmod it to 0400. (I got confused to what rw-r--r-- was 
vs. r). However, the result was still the same. 

I've since remade the keys, thinking that also might be a problem. Everything 
was running smoothly until I got to the final step, (using the $./sign.sh on 
server.csr). It generated an error that I believe I also got the first time I 
made the keys a couple weeks ago (unfortunately I wasn't paying enough
attention):

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=Kansas/L=Lawrence/O=Pelathe 
Center/CN=www.pelathe.org/[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Kansas/L=Lawrence/O=Pelathe 
Center/CN=www.pelathe.org/[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure

What is an 'error 18 at depth 0' and an 'error 7 at depth 0'? Would this be a 
reason why my server cannot find the Private Key?

Thank you everyone for all of your help so far. I really do appreciate it. I 
know I must sound pretty foolish with these questions, so thanks. I'd bake 
you all a cake if I could.




On Thursday 06 March 2003 14:19, Ron Gedye wrote:
> How did you generate the CSR to get the cert?  What key file did you use
> for this?
>
> The cert (crt) file perms look ok, (444 would be better) but who owns it?
>
> does this file exist?
> /etc/httpd/ssl.key/server.key (according to your conf)
>
> if so, the permissions should be
> -r--------
>
> This file should be owned by root (in most all cases) and not the webserver
> account (nobody/apache).
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 4:20 PM
> Subject: Re: private key not found
>
>
> The permissions for the server.crt file are rw-r--r-- but it still cannot
> find the Private Key.
>
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key.  They should be
> > readable only by owner (400)
> >
> > (knee-jerk first guess reaction)
> >
> > Best of luck
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to
> > restart
> > apache with mod_ssl activated, it gives me this error:
> >
> > /etc/init.d/apache start returned 7 (Program is not running.)
> > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server matrix.pelathe.org:443 (RSA)
> > Enter pass phrase:
> > Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > stty: standard input: Inappropriate ioctl for device
> > ..failed
> >
> > What I don't understand is how it can't find the Private key. The
> > SSLCertificateKeyFile path in httpd.conf matches the location of the key
> > in my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> >
> > I'm including the Virtual Host code (sans the explanation text and a
> > passkey).
> > I'm very new to this so I won't be surprised if there is a glaring error
> > in here that I missed...
> >
> > 
> >
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
> >
> > SSLEngine on
> >
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >
> > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >
> > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >
> > #SSLCACertificatePath /etc/httpd/ssl.crt
> > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> &

Re: private key not found

2003-03-06 Thread Justin Williams
Was the domain moved over to your server, or did you generate key/csr/crt?

I'm having the same difficulty with one where the domain, cert and key were
transferred; all my others work properly...

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 5:20 PM
Subject: Re: private key not found


The permissions for the server.crt file are rw-r--r-- but it still cannot
find the Private Key.

On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> Please check the permissions on your private key.  They should be readable
> only by owner (400)
>
> (knee-jerk first guess reaction)
>
> Best of luck
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 3:42 PM
> Subject: private key not found
>
>
> I'm trying to get mod_ssl to work on my server, but each time I try to
> restart
> apache with mod_ssl activated, it gives me this error:
>
> /etc/init.d/apache start returned 7 (Program is not running.)
> Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server matrix.pelathe.org:443 (RSA)
> Enter pass phrase:
> Apache:mod_ssl:Error: Private key not found.
> **Stopped
> stty: standard input: Inappropriate ioctl for device
> ..failed
>
> What I don't understand is how it can't find the Private key. The
> SSLCertificateKeyFile path in httpd.conf matches the location of the key
> in my directory. Isn't the SSLCertificateKeyFile the Private Key path?
>
> I'm including the Virtual Host code (sans the explanation text and a
> passkey).
> I'm very new to this so I won't be surprised if there is a glaring error
> in here that I missed...
>
> 
>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log
>
> SSLEngine on
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
>
> SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
>
> SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
>
> #SSLCACertificatePath /etc/httpd/ssl.crt
> SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
>
> SSLCARevocationPath /etc/httpd/ssl.crl
> #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
>
> SSLVerifyClient require
> SSLVerifyDepth  10
>
> #
> #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #
>
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
>
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/httpd/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> 
>
> Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
> 2.8.10 on a SuSE 8.1 box.
>
> Thanks,
> -Andrew

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-06 Thread Ron Gedye
He lists the certificate, I'm speaking of the key.

Although this (URL) relates to unencrypting (removing passphrase) of the key
(and ver 2.0) it is still relevant, and in some cases will prevent SSL (or
am I speaking of SSH?) the secure socket transport from properly
initializing. I know I've seen this other places in regards to apache, this
was just the first reference I could quickly find.

From http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Make sure the server.key file is now only readable by root:

$ chmod 400 server.key


- Original Message -
From: "R. DuFresne" <[EMAIL PROTECTED]>
To: "A. Putnam" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 06, 2003 3:23 PM
Subject: Re: private key not found


> On Fri, 7 Mar 2003, A. Putnam wrote:
>
> > The permissions for the server.crt file are rw-r--r-- but it still
> > cannot find the Private Key.
>
> which would be 644 rather than 400 as the first person responded.
>
> >
> > On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > > Please check the permissions on your private key.  They should be
> > > readable only by owner (400)
> > >
> > > (knee-jerk first guess reaction)
> > >
> > > Best of luck
> > >
> > > - Original Message -
> > > From: "A. Putnam" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, March 07, 2003 3:42 PM
> > > Subject: private key not found
> > >
> > >
> > > I'm trying to get mod_ssl to work on my server, but each time I try to
> > > restart
> > > apache with mod_ssl activated, it gives me this error:
> > >
> > > /etc/init.d/apache start returned 7 (Program is not running.)
> > > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > > Phrase Dialog)
> > > Some of your private key files are encrypted for security reasons.
> > > In order to read them you have to provide us with the pass phrases.
> > >
> > > Server matrix.pelathe.org:443 (RSA)
> > > Enter pass phrase:
> > > Apache:mod_ssl:Error: Private key not found.
> > > **Stopped
> > > stty: standard input: Inappropriate ioctl for device
> > > ..failed
> > >
> > > What I don't understand is how it can't find the Private key. The
> > > SSLCertificateKeyFile path in httpd.conf matches the location of the
> > > key in my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> > >
> > > I'm including the Virtual Host code (sans the explanation text and a
> > > passkey).
> > > I'm very new to this so I won't be surprised if there is a glaring
> > > error in here that I missed...
> > >
> > > 
> > >
> > > DocumentRoot "/srv/www/htdocs"
> > > ServerName matrix.pelathe.org
> > > ServerAdmin [EMAIL PROTECTED]
> > > ErrorLog /var/log/httpd/error_log
> > > TransferLog /var/log/httpd/access_log
> > >
> > > SSLEngine on
> > >
> > > SSLCipherSuite
> > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >
> > > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> > >
> > > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> > >
> > > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> > >
> > > #SSLCACertificatePath /etc/httpd/ssl.crt
> > > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> > >
> > > SSLCARevocationPath /etc/httpd/ssl.crl
> > > #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> > >
> > > SSLVerifyClient require
> > > SSLVerifyDepth  10
> > >
> > > #
> > > #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> > > #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > > #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > > #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > > #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> > > #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > > #
> > >
> > > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > > 
> > > SSLOptions +StdEnvVars
> > > 
> > > 

Re: private key not found

2003-03-06 Thread R. DuFresne
On Fri, 7 Mar 2003, A. Putnam wrote:

> The permissions for the server.crt file are rw-r--r-- but it still cannot find 
> the Private Key.

which would be 644 rather than 400 as the first person responded.

> 
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key.  They should be readable
> > only by owner (400)
> >
> > (knee-jerk first guess reaction)
> >
> > Best of luck
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to
> > restart
> > apache with mod_ssl activated, it gives me this error:
> >
> > /etc/init.d/apache start returned 7 (Program is not running.)
> > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server matrix.pelathe.org:443 (RSA)
> > Enter pass phrase:
> > Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > stty: standard input: Inappropriate ioctl for device
> > ..failed
> >
> > What I don't understand is how it can't find the Private key. The
> > SSLCertificateKeyFile path in httpd.conf matches the location of the key in
> > my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> >
> > I'm including the Virtual Host code (sans the explanation text and a
> > passkey).
> > I'm very new to this so I won't be surprised if there is a glaring error in
> > here that I missed...
> >
> > 
> >
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
> >
> > SSLEngine on
> >
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >
> > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >
> > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >
> > #SSLCACertificatePath /etc/httpd/ssl.crt
> > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> >
> > SSLCARevocationPath /etc/httpd/ssl.crl
> > #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> >
> > SSLVerifyClient require
> > SSLVerifyDepth  10
> >
> > #
> > #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> > #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> > #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > #
> >
> > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > 
> > SSLOptions +StdEnvVars
> > 
> > 
> > SSLOptions +StdEnvVars
> > 
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >  nokeepalive ssl-unclean-shutdown \
> >  downgrade-1.0 force-response-1.0
> >
> > CustomLog /var/log/httpd/ssl_request_log \
> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > 
> >
> > Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
> > 2.8.10 on a SuSE 8.1 box.
> >
> > Thanks,
> > -Andrew
> 
> 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!



Re: private key not found

2003-03-06 Thread Ron Gedye
How did you generate the CSR to get the cert?  What key file did you use for
this?

The cert (crt) file perms look ok, (444 would be better) but who owns it?

does this file exist?
/etc/httpd/ssl.key/server.key (according to your conf)

if so, the permissions should be
-r--------

This file should be owned by root (in most all cases) and not the webserver
account (nobody/apache).

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 4:20 PM
Subject: Re: private key not found


The permissions for the server.crt file are rw-r--r-- but it still cannot
find the Private Key.

On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> Please check the permissions on your private key.  They should be readable
> only by owner (400)
>
> (knee-jerk first guess reaction)
>
> Best of luck
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 3:42 PM
> Subject: private key not found
>
>
> I'm trying to get mod_ssl to work on my server, but each time I try to
> restart
> apache with mod_ssl activated, it gives me this error:
>
> /etc/init.d/apache start returned 7 (Program is not running.)
> Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server matrix.pelathe.org:443 (RSA)
> Enter pass phrase:
> Apache:mod_ssl:Error: Private key not found.
> **Stopped
> stty: standard input: Inappropriate ioctl for device
> ..failed
>
> What I don't understand is how it can't find the Private key. The
> SSLCertificateKeyFile path in httpd.conf matches the location of the key
> in my directory. Isn't the SSLCertificateKeyFile the Private Key path?
>
> I'm including the Virtual Host code (sans the explanation text and a
> passkey).
> I'm very new to this so I won't be surprised if there is a glaring error
> in here that I missed...
>
> 
>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log
>
> SSLEngine on
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
>
> SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
>
> SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
>
> #SSLCACertificatePath /etc/httpd/ssl.crt
> SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
>
> SSLCARevocationPath /etc/httpd/ssl.crl
> #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
>
> SSLVerifyClient require
> SSLVerifyDepth  10
>
> #
> #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #
>
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
>
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/httpd/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> 
>
> Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
> 2.8.10 on a SuSE 8.1 box.
>
> Thanks,
> -Andrew

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-06 Thread A. Putnam
Is it possible that root would need to be able to execute this file?

On Friday 07 March 2003 16:20, A. Putnam wrote:
> The permissions for the server.crt file are rw-r--r-- but it still cannot
> find the Private Key.
>
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key.  They should be
> > readable only by owner (400)
> >
> > (knee-jerk first guess reaction)
> >
> > Best of luck
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to
> > restart
> > apache with mod_ssl activated, it gives me this error:
> >
> > /etc/init.d/apache start returned 7 (Program is not running.)
> > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server matrix.pelathe.org:443 (RSA)
> > Enter pass phrase:
> > Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > stty: standard input: Inappropriate ioctl for device
> > ..failed
> >
> > What I don't understand is how it can't find the Private key. The
> > SSLCertificateKeyFile path in httpd.conf matches the location of the key
> > in my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> >
> > I'm including the Virtual Host code (sans the explanation text and a
> > passkey).
> > I'm very new to this so I won't be surprised if there is a glaring error
> > in here that I missed...
> >
> > 
> >
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
> >
> > SSLEngine on
> >
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >
> > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >
> > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >
> > #SSLCACertificatePath /etc/httpd/ssl.crt
> > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> >
> > SSLCARevocationPath /etc/httpd/ssl.crl
> > #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> >
> > SSLVerifyClient require
> > SSLVerifyDepth  10
> >
> > #
> > #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> > #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> > #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > #
> >
> > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > 
> > SSLOptions +StdEnvVars
> > 
> > 
> > SSLOptions +StdEnvVars
> > 
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >  nokeepalive ssl-unclean-shutdown \
> >  downgrade-1.0 force-response-1.0
> >
> > CustomLog /var/log/httpd/ssl_request_log \
> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > 
> >
> > Any help would be greatly appreciated. I'm using Apache 1.3.26 and
> > Mod_SSL 2.8.10 on a SuSE 8.1 box.
> >
> > Thanks,
> > -Andrew

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-06 Thread A. Putnam
The permissions for the server.crt file are rw-r--r-- but it still cannot find 
the Private Key.

On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> Please check the permissions on your private key.  They should be readable
> only by owner (400)
>
> (knee-jerk first guess reaction)
>
> Best of luck
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 3:42 PM
> Subject: private key not found
>
>
> I'm trying to get mod_ssl to work on my server, but each time I try to
> restart
> apache with mod_ssl activated, it gives me this error:
>
> /etc/init.d/apache start returned 7 (Program is not running.)
> Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server matrix.pelathe.org:443 (RSA)
> Enter pass phrase:
> Apache:mod_ssl:Error: Private key not found.
> **Stopped
> stty: standard input: Inappropriate ioctl for device
> ..failed
>
> What I don't understand is how it can't find the Private key. The
> SSLCertificateKeyFile path in httpd.conf matches the location of the key in
> my directory. Isn't the SSLCertificateKeyFile the Private Key path?
>
> I'm including the Virtual Host code (sans the explanation text and a
> passkey).
> I'm very new to this so I won't be surprised if there is a glaring error in
> here that I missed...
>
> 
>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log
>
> SSLEngine on
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
>
> SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
>
> SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
>
> #SSLCACertificatePath /etc/httpd/ssl.crt
> SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
>
> SSLCARevocationPath /etc/httpd/ssl.crl
> #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
>
> SSLVerifyClient require
> SSLVerifyDepth  10
>
> #
> #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #
>
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
>
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/httpd/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> 
>
> Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
> 2.8.10 on a SuSE 8.1 box.
>
> Thanks,
> -Andrew

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-06 Thread Ron Gedye
Please check the permissions on your private key.  They should be readable
only by owner (400)

(knee-jerk first guess reaction)

Best of luck

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 3:42 PM
Subject: private key not found


I'm trying to get mod_ssl to work on my server, but each time I try to
restart
apache with mod_ssl activated, it gives me this error:

/etc/init.d/apache start returned 7 (Program is not running.)
Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase
Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

What I don't understand is how it can't find the Private key. The
SSLCertificateKeyFile path in httpd.conf matches the location of the key in
my directory. Isn't the SSLCertificateKeyFile the Private Key path?

I'm including the Virtual Host code (sans the explanation text and a
passkey).
I'm very new to this so I won't be surprised if there is a glaring error in
here that I missed...



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

#SSLCACertificatePath /etc/httpd/ssl.crt
SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl
#SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl

SSLVerifyClient require
SSLVerifyDepth  10

#
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
#   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
2.8.10 on a SuSE 8.1 box.

Thanks,
-Andrew


private key not found

2003-03-06 Thread A. Putnam
I'm trying to get mod_ssl to work on my server, but each time I try to restart 
apache with mod_ssl activated, it gives me this error:

/etc/init.d/apache start returned 7 (Program is not running.)
Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase 
Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

What I don't understand is how it can't find the Private key. The 
SSLCertificateKeyFile path in httpd.conf matches the location of the key in 
my directory. Isn't the SSLCertificateKeyFile the Private Key path?

I'm including the Virtual Host code (sans the explanation text and a passkey). 
I'm very new to this so I won't be surprised if there is a glaring error in 
here that I missed...



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

#SSLCACertificatePath /etc/httpd/ssl.crt
SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl
#SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl

SSLVerifyClient require
SSLVerifyDepth  10

#
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
#   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL 
2.8.10 on a SuSE 8.1 box.

Thanks,
-Andrew


private key not found/server cert sign failed

2003-01-27 Thread A. Putnam
Can anyone tell me what this error means and how to fix it? I'm running apache 
1.3.26 with mod_ssl 2.8.10 on a SuSE8.1 box.

/etc/init.d/apache start returned 7 (Program is not running.)
Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase 
Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

How do I get it to take my pass phrases? I must have skipped a file because 
insofar I've given the same phrase to every file that's asked for it. Did I 
input the wrong information in one of the .conf files maybe? I get the 
feeling that this is almost stupidly simple to fix, but I just can't seem to 
get it right. 

It may or may not have something to do with this error I received when 
recently self-signing my certificate: 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=KS/L=Lawrence/O=Pelathe Community Resource 
[EMAIL PROTECTED]

*this one>>>> error 18 at 0 depth lookup:self signed certificate

/C=US/ST=KS/L=Lawrence/O=Pelathe Community Resource 
[EMAIL PROTECTED]

*and this one>>>> error 7 at 0 depth lookup:certificate signature failure

Again, I have no clue why it failed these checks or how to fix them. Any help 
would be appreciated. Thanks.

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center




Private Key not found

2002-11-22 Thread Justin Kay
I am working on a new installation of Slackware 8.1.  I am trying to get the
mod_ssl working.  I have generated the key and crt files but when I try to
startssl I get an error that the Private Key not found and it doesn't start.
I am stumped.  Any ideas where to start?

Justin 



error private key not found

2002-03-06 Thread Ricardo Hernandez null

I’ve installed the following products on a Sun Machine

- Apache 1.3.22
- Openssl 0.9.6b
- Mod-ssl 2.8.5
- Solaris 8

I’ve done the compilation and installation well but when I start
the “APACHE” program the following error messages appear:

# ./apachectl start
[Wed Mar  6 11:35:40 2002] [alert] httpd: Could not determine the 
server's fully qualified domain name, using 10.32.10.150 for ServerName
./apachectl start: httpd started

# ls -l
total 10
-rw-r--r--   1 root     other        454 Mar  4 21:56 access_log
-rw-r--r--   1 root     other        556 Mar  6 11:35 error_log
-rw-r--r--   1 root     other          4 Mar  6 11:35 httpd.pid
-rw-r--r--   1 root     other       1637 Mar  6 11:35 ssl_engine_log
-rw-------   1 nobody   other          0 Mar  4 21:39 ssl_mutex.479
-rw-------   1 nobody   other          0 Mar  6 11:35 ssl_mutex.768
-rw-------   1 nobody   other          0 Mar  6 11:35 ssl_scache.dir
-rw-------   1 nobody   other          0 Mar  6 11:35 ssl_scache.pag

# more error_log
[Wed Mar  6 11:35:41 2002] [alert] httpd: Could not determine the 
server's fully qualified domain name, using 10.32.10.150 for ServerName
[Wed Mar  6 11:35:41 2002] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 
OpenSSL/0.9.6b configured -- resuming normal operations
[Wed Mar  6 11:35:41 2002] [notice] Accept mutex: fcntl (Default: fcntl)

# more ssl_engine_log
[06/Mar/2002 11:35:40 00768] [info]  Server: Apache/1.3.22, Interface: 
mod_ssl/2.8.5, Library: OpenSSL/0.9.6b
[06/Mar/2002 11:35:40 00768] [info]  Init: 1st startup round (still not 
detached)
[06/Mar/2002 11:35:40 00768] [info]  Init: Initializing OpenSSL library
[06/Mar/2002 11:35:41 00768] [info]  Init: Seeding PRNG with 136 bytes 
of entropy
[06/Mar/2002 11:35:41 00768] [info]  Init: Generating temporary RSA 
private keys (512/1024 bits)
[06/Mar/2002 11:35:41 00768] [info]  Init: Configuring temporary DH 
parameters (512/1024 bits)
[06/Mar/2002 11:35:41 00769] [info]  Init: 2nd startup round (already 
detached)
[06/Mar/2002 11:35:41 00769] [info]  Init: Reinitializing OpenSSL 
library
[06/Mar/2002 11:35:41 00769] [info]  Init: Seeding PRNG with 136 bytes 
of entropy
[06/Mar/2002 11:35:41 00769] [info]  Init: Configuring temporary RSA 
private keys (512/1024 bits)
[06/Mar/2002 11:35:41 00769] [info]  Init: Configuring temporary DH 
parameters (512/1024 bits)
[06/Mar/2002 11:35:41 00769] [info]  Init: Initializing (virtual) 
servers for SSL

I stop Apache

# ./apachectl stop
./apachectl stop: httpd stopped

I start Apache SSL

# ./apachectl startssl
[Wed Mar  6 11:42:25 2002] [alert] httpd: Could not determine the 
server's fully qualified domain name, using 10.32.10.150 for ServerName
Apache:mod_ssl:Error: Private key not found.
**Stopped
./apachectl startssl: httpd could not be started

The logs 

# ls -l
total 10
-rw-r--r--   1 root     other        454 Mar  4 21:56 access_log
-rw-r--r--   1 root     other        840 Mar  6 11:42 error_log
-rw-r--r--   1 root     other       2225 Mar  6 11:42 ssl_engine_log
-rw-------   1 nobody   other          0 Mar  4 21:39 ssl_mutex.479

# more error_log
[Wed Mar  6 11:35:41 2002] [alert] httpd: Could not determine the 
server's fully qualified domain name, using 10.32.10.150 for ServerName
[Wed Mar  6 11:35:41 2002] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 
OpenSSL/0.9.6b configured -- resuming normal operations
[Wed Mar  6 11:35:41 2002] [notice] Accept mutex: fcntl (Default: fcntl)
[Wed Mar  6 11:41:26 2002] [notice] caught SIGTERM, shutting down
[Wed Mar  6 11:42:25 2002] [error] mod_ssl: Init: Private key not found 
(OpenSSL library error follows)
[Wed Mar  6 11:42:25 2002] [error] OpenSSL: error:0D06B078:asn1 
encoding routines:ASN1_get_object:header too long

# more ssl_engine_log
[05/Mar/2002 09:23:34 00625] [info]  Server: Apache/1.3.22, Interface: 
mod_ssl/2.8.5, Library: OpenSSL/0.9.6b
[05/Mar/2002 09:23:34 00625] [info]  Init: 1st startup round (still not 
detached)
[05/Mar/2002 09:23:34 00625] [info]  Init: Initializing OpenSSL library
[05/Mar/2002 09:23:34 00625] [info]  Init: Loading certificate & 
private key of SSL-aware server intsolar8:443
[05/Mar/2002 09:23:35 00625] [error] Init: Private key not found 
(OpenSSL library error follows)
[05/Mar/2002 09:23:35 00625] [error] OpenSSL: error:0D06B078:asn1 
encoding routines:ASN1_get_object:header too long
[06/Mar/2002 11:35:40 00768] [info]  Server: Apache/1.3.22, Interface: 
mod_ssl/2.8.5, Library: OpenSSL/0.9.6b
[06/Mar/2002 11:35:40 00768] [info]  Init: 1st startup round (still not 
detached)
[06/Mar/2002 11:35:40 00768] [info]  Init: Initializing OpenSSL library
[06/Mar/2002 11:35:41 00768] [info]  Init: Seeding PRNG with 136 bytes 
of entropy
[06/Mar/2002 11:35:41 00768] [info]  Init: Generating temporary RSA

Re: Private key not found.

2001-08-08 Thread Mads Toftum

On Wed, Aug 08, 2001 at 10:00:39PM -0700, Breughel Macabuhay wrote:
> Hi, it's me again,
> 
> I have successfully(?) installed modssl as a DSO
> module and this time I have recompiled apache but when
> I entered 'apachectl sslstart' then it would say:
> 
s/sslstart/startssl/

> Apache:mod_ssl:Error: Private key not found.
> **Stopped

The error is right there: "Private key not found"
Make sure that SSLCertificateKeyFile is pointing to your private key
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC11 and make sure
that it is a valid key with a matching certificate - see also
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- "The Hitchhiker's Guide to the Galaxy"



Private key not found.

2001-08-08 Thread Breughel Macabuhay

Hi, it's me again,

I have successfully(?) installed modssl as a DSO
module and this time I have recompiled apache but when
I entered 'apachectl sslstart' then it would say:

Apache:mod_ssl:Error: Private key not found.
**Stopped

Can anybody try to help me?

Breughel




RE: Init: Private key not found

2001-06-03 Thread Stoltenberg, Jay

I had a similar problem, if you did not remove the password from the key
as per the documentation, it will never start, and never ask for the
password. I installed a cert on my W2K server and did not remove the
password, and Apache would not start until I did.

Jay A. Stoltenberg
Mgr. Networks and PC Applications
[EMAIL PROTECTED]
(412)-854-5688


-----Original Message-----
From: Carl Bowden [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 02, 2001 7:40 PM
To: [EMAIL PROTECTED]
Subject: Init: Private key not found


hi 

I have been working on this for days now (like a blind
shepherd  i think)

I'm hoping someone may be able to point me somewhere (nice
that is)

we have our cert signed by verisign 128bit gsid and this
with the key etc have the correct paths in the http.conf
file all paths have been checked with cat (are the
permissions on these important they are set to root at the
moment)

but apachectl startssl refuses to start

this is the /var/log/httpd/ssl_engine_log:
[03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
[03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
(still not detached)
[03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
OpenSSL library
[03/Jun/2001 10:59:15 06923] [info]  Init: Loading
certificate & private key of SSL-aware server
secure.macpac.co.nz:443
[03/Jun/2001 10:59:15 06923] [error] Init: Private key not
found (OpenSSL library error follows)
[03/Jun/2001 10:59:15 06923] [error] OpenSSL:
error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
[03/Jun/2001 10:59:15 06923] [error] OpenSSL:
error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
[03/Jun/2001 10:59:15 06923] [error] OpenSSL:
error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib

the key really is there but i can't find any info on this bad
class error

please if anyone could help...

thanks in advance 

carl





Re: Init: Private key not found

2001-06-02 Thread Almut Behrens

On Sun, Jun 03, 2001 at 11:39:49AM +1200, Carl Bowden wrote:
> hi 
> 
> I have been working on this for days now (like a blind
> shepherd  i think)
> 
> I'm hoping someone may be able to point me somewhere (nice
> that is)
> 
> we have our cert signed by verisign 128bit gsid and this
> with the key etc have the correct paths in the http.conf
> file all paths have been checked with cat (are the
> permissions on these important they are set to root at the
> moment)

this should be ok if you start apache as root. Then the toplevel apache
process should be running UID root (that's the process that does the
init and other central stuff, and forks the children which handle the
actual requests under some UID like 'nobody' or 'wwwuser', etc.).

Also, I assume you have the key/cert-file on the *local* harddisk, not
on some NFS share with root-exportability disabled...

> 
> but apachectl startssl refuses to start
> 
> this is the /var/log/httpd/ssl_engine_log:
> [03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
> Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
> [03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
> (still not detached)
> [03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
> OpenSSL library
> [03/Jun/2001 10:59:15 06923] [info]  Init: Loading
> certificate & private key of SSL-aware server
> secure.macpac.co.nz:443
> [03/Jun/2001 10:59:15 06923] [error] Init: Private key not
> found (OpenSSL library error follows)
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib
> 
> the key really is there but i can't find any info on this bad
> class error

I think the "Private key not found" is not to be taken literally,
rather meaning something like "An error occurred processing the
key-file" -- so we can look at the next messages. In essence,
I would say they indicate a syntax error while parsing the
key-file.

(short background info for those interested: ASN1 stands for
abstract-syntax-notation-one and is the language which is used in
X.509 certificates to describe the data structures. These abstract
descriptions are then encoded in DER (distinguished-encoding-rules)
format. As DER is a binary format, it is often once more encoded
as base64, which gives the PEM-format files)

Now, why could there be a syntax error?
Not exactly sure -- but maybe you have the key-file in the wrong
format. AFAIK, for apache/mod_ssl it has to be in PEM format (DER
not allowed) [anyone correct me if I'm wrong], so a typical key-file
should look something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B8B837A08071289A

4qG0Zu2/S1YAr0j8zuqycKUmUNwaglwFVf9dTBJp9bKTA+z5iFyvrV7PGAj0Dwoi
<... the base64-encoded content of the key ...>
0uQ5XwbWaFaCOpQvTtWrRfJf2NGOdDGXJ8OkDt4Jw0y4DCmtwje+lw==
-----END RSA PRIVATE KEY-----

You can check the content/readability of the key-file with the command:

openssl rsa -noout -text -in .key


Otherwise, the key-file might be corrupted. This could for example have
happened by accidentally loading/saving a DER file with an editor that
does automatic line endings translations (remember, DER is binary, so
every bit matters).

If that's the case, and you don't have a backup copy of the original
uncorrupted file, then you are more or less out of luck -- at least I
would consider it *way* over my head to poke around in the DER-encoded
ASN.1 descriptions :) -- getting a new certificate would probably be
easier...

Good luck!

- Almut




Re: Init: Private key not found

2001-06-02 Thread Carl Bowden


thanks heaps for the advice -- I'll try this now

as for the backpack -- macpac are the best company i think
anyone could work with -- and their packs/gear are bloody
good too.

have a look at demo.macpac.co.nz this is the
"testing/staging" of their new site (this is what the ssl is
for)

thanks again, I'll see how these tests go...

carl






On Sat, 2 Jun 2001 18:08:57 -0700 (PDT)
 Geoff Thorpe <[EMAIL PROTECTED]> wrote:
> Hi there,
> 
> On Sun, 3 Jun 2001, Carl Bowden wrote:
> 
> > but apachectl startssl refuses to start
> > 
> > this is the /var/log/httpd/ssl_engine_log:
> > [03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
> > Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
> > [03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
> > (still not detached)
> > [03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
> > OpenSSL library
> > [03/Jun/2001 10:59:15 06923] [info]  Init: Loading
> > certificate & private key of SSL-aware server
> > secure.macpac.co.nz:443
> > [03/Jun/2001 10:59:15 06923] [error] Init: Private key not
> > found (OpenSSL library error follows)
> > [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> > error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
> > [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> > error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
> > [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> > error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > lib
> > 
> > the key really is there but i can't find any info on this bad
> > class error
> 
> Weird, it looks like the problem is nothing really to do with mod_ssl - the
> loading of the key itself seems to be having decoding errors. Can you run a
> couple of checks on the key file? (and don't mail me or the list any output
> containing data about your key :-).
> 
> * Run the key file through;
>     openssl asn1parse -inform PEM -in  -i
>   Does it also report decoding errors or does the data appear well-formed?
> 
> * Check the text in the key file - does it have any weird line-wrapping problems
>   or anything else obvious to distinguish it from a known-to-work key file (eg.
>   a demo test cert and key created by mod_ssl's "make certificate" target).
> 
> * Try running openssl's "s_server" using a combination of your key, certificate,
>   and CA file;
>     openssl s_server -key  -cert  \
>         -CAfile  -state -www
>   If that starts without an error, the keyfile should be OK - but you can make
>   sure by hitting it with a web-browser or openssl's "s_client" to double-check
>   everything.
> 
> Hope that helps? (And if it does, can I get a free backpack next time I'm back
> home? (Wellington BTW, I noticed it was an "NZ" domain ... :-)).
> 
> Cheers,
> Geoff




Re: Init: Private key not found

2001-06-02 Thread Geoff Thorpe

Hi there,

On Sun, 3 Jun 2001, Carl Bowden wrote:

> but apachectl startssl refuses to start
> 
> this is the /var/log/httpd/ssl_engine_log:
> [03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
> Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
> [03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
> (still not detached)
> [03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
> OpenSSL library
> [03/Jun/2001 10:59:15 06923] [info]  Init: Loading
> certificate & private key of SSL-aware server
> secure.macpac.co.nz:443
> [03/Jun/2001 10:59:15 06923] [error] Init: Private key not
> found (OpenSSL library error follows)
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib
> 
> the key really is there but i can't find any info on this bad
> class error

Weird, it looks like the problem is nothing really to do with mod_ssl - the
loading of the key itself seems to be having decoding errors. Can you run a
couple of checks on the key file? (and don't mail me or the list any output
containing data about your key :-).

* Run the key file through;
    openssl asn1parse -inform PEM -in  -i
  Does it also report decoding errors or does the data appear well-formed?

* Check the text in the key file - does it have any weird line-wrapping problems
  or anything else obvious to distinguish it from a known-to-work key file (eg.
  a demo test cert and key created by mod_ssl's "make certificate" target).

* Try running openssl's "s_server" using a combination of your key, certificate,
  and CA file;
    openssl s_server -key  -cert  \
        -CAfile  -state -www
  If that starts without an error, the keyfile should be OK - but you can make
  sure by hitting it with a web-browser or openssl's "s_client" to double-check
  everything.

Hope that helps? (And if it does, can I get a free backpack next time I'm back
home? (Wellington BTW, I noticed it was an "NZ" domain ... :-)).

Cheers,
Geoff
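
The key-file checks named in this thread by Almut Behrens (PEM versus DER, the pass-phrase header, damage from line-ending translation) and by Geoff Thorpe (is the encoded data well-formed, is a line missing) can be scripted. The Python below is an added example, not code from any poster or from mod_ssl; the function names and the sample bytes are constructed for illustration, the sample is not a real key, and the script reports findings only and never prints key data.

```python
import base64
import re

# Matches one PEM block; group 1 is the label, group 2 everything in between.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_header(data):
    """Return (tag, content_length, header_length) of the first DER element."""
    if len(data) < 2:
        raise ValueError("too short to hold an ASN.1 header")
    tag, first = data[0], data[1]
    if first < 0x80:                       # short form: the byte is the length
        return tag, first, 2
    count = first & 0x7F                   # long form: 'count' length bytes follow
    if count == 0 or count > 4 or len(data) < 2 + count:
        raise ValueError("bad or truncated ASN.1 length field")
    return tag, int.from_bytes(data[2:2 + count], "big"), 2 + count


def check_der(data):
    """List problems with data as a single DER SEQUENCE filling the buffer."""
    try:
        tag, length, header = der_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tag != 0x30:
        problems.append("outer tag is 0x%02x, expected SEQUENCE 0x30" % tag)
    if header + length != len(data):
        problems.append("header declares %d content bytes, %d present"
                        % (length, len(data) - header))
    return problems


def diagnose_key_file(raw):
    """Return findings for the bytes of a key file; never echoes key data."""
    match = PEM_BLOCK.search(raw)
    if match is None:
        if b"BEGIN" in raw:
            return ["PEM armor lines are damaged"]
        problems = check_der(raw)
        if not problems:
            return ["raw DER, not PEM"]
        return ["neither PEM nor well-formed DER: " + "; ".join(problems)]
    label, body = match.group(1).decode(), match.group(2)
    if not label.endswith("PRIVATE KEY"):
        return ["PEM block is '%s', not a private key" % label]
    if b"Proc-Type: 4,ENCRYPTED" in body or label.startswith("ENCRYPTED"):
        # The body is ciphertext: its structure cannot be checked without
        # the pass phrase, and the server has to ask for it at startup.
        return ["encrypted with a pass phrase"]
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        return ["base64 body is damaged"]
    return check_der(der) or ["ok"]


# Constructed sample: a 12-byte SEQUENCE of two INTEGERs. It has the outer
# shape of a key structure but is not a real key.
SAMPLE_DER = bytes.fromhex("300a020100020500c35a117f")


def pem_wrap(der, label="RSA PRIVATE KEY", headers=b""):
    """Wrap DER bytes in PEM armor (helper for the constructed samples)."""
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + headers
            + base64.encodebytes(der) + b"-----END " + tag + b"-----\n")


if __name__ == "__main__":
    samples = {
        "good PEM": pem_wrap(SAMPLE_DER),
        "DER given where PEM is expected": SAMPLE_DER,
        "DER after LF->CRLF translation": SAMPLE_DER.replace(b"\n", b"\r\n"),
        "encrypted PEM": pem_wrap(
            SAMPLE_DER, headers=b"Proc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: DES-EDE3-CBC,0000000000000000\n\n"),
        "PEM with a lost line": pem_wrap(SAMPLE_DER[:9]),
    }
    for name, raw in samples.items():
        print("%-34s %s" % (name, "; ".join(diagnose_key_file(raw))))
```

The CRLF sample shows why a binary DER file does not survive a text-mode edit: the length byte 0x0a is itself rewritten, so the header no longer agrees with the data that follows.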





Init: Private key not found

2001-06-02 Thread Carl Bowden

hi 

I have been working on this for days now (like a blind
shepherd  i think)

I'm hoping someone may be able to point me somewhere (nice
that is)

we have our cert signed by verisign 128bit gsid and this
with the key etc have the correct paths in the http.conf
file all paths have been checked with cat (are the
permissions on these important they are set to root at the
moment)

but apachectl startssl refuses to start

this is the /var/log/httpd/ssl_engine_log:
[03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
[03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
(still not detached)
[03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
OpenSSL library
[03/Jun/2001 10:59:15 06923] [info]  Init: Loading
certificate & private key of SSL-aware server
secure.macpac.co.nz:443
[03/Jun/2001 10:59:15 06923] [error] Init: Private key not
found (OpenSSL library error follows)
[03/Jun/2001 10:59:15 06923] [error] OpenSSL:
error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
[03/Jun/2001 10:59:15 06923] [error] OpenSSL:
error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
[03/Jun/2001 10:59:15 06923] [error] OpenSSL:
error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib

the key really is there but i can't find any info on this bad
class error

please if anyone could help...

thanks in advance 

carl





Private key not found--d2i_ASN1_SET:bad class

2001-05-31 Thread Carl Bowden

Hi I'm hoping someone may be able to help.

we have installed apache:mod_ssl 
got the CA cert and carefully set up httpd.conf to point to
the correct .key & .crt files

as we startup 'apachectl startssl', this is the error :
Apache:mod_ssl:Error: Private key not found.
**Stopped

the error log has this:

mod_ssl: Init: Private key not found (OpenSSL library error
follows)
OpenSSL: error:0D084064:asn1 encoding
routines:d2i_ASN1_SET:bad class
OpenSSL: error:0D09D082:asn1 encoding
routines:d2i_RSAPrivateKey:parsing
OpenSSL: error:0D09B00D:asn1 encoding
routines:d2i_PrivateKey:ASN1 lib

the paths in httpd.conf are correct full paths, we can 'cat'
the key from a command line with the same path

I have no idea what this means, if anyone could point us in
the right direction it would be a big help.

thanks in advance 

carl.



Private key not found

2001-05-12 Thread Alex Howansky


I've seen other people post messages with this same problem, but I have yet to
find an answer. Any help will be greatly appreciated.

I've been running a number of machines with Apache 1.3.19, mod_ssl 2.8.1, and
openssl 0.9.6 all on Linux. Some have self-signed certs and some have real ones
from Thawte. I've updated two of the machines to openssl 0.9.6a and modssl
2.8.3. One machine works fine with the new versions, and one bombs on start,
with the following error(s):

mod_ssl: Init: Private key not found (OpenSSL library error follows)
OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
OpenSSL: error:0D09D082:asn1 encoding routines:D2I_RSAPRIVATEKEY:parsing
OpenSSL: error:0D09B00D:asn1 encoding routines:D2I_PRIVATEKEY:ASN1 lib
mod_ssl: Init: Pass phrase incorrect

I didn't touch the apache config, and I didn't touch the certs -- they worked
fine previously, so I know they're ok. To my knowledge, the only thing that's
changed is the openssl libs and the apache binaries. Regardless, I tried
creating new self-signed certs, and I still get the error. Now what really
baffles me, is that if I compile openssl 0.9.6 and modssl 2.8.1 back into
place, I still get the error. I'm stumped. What the heck am I missing?

(I also updated some versions of dependent libraries of PHP during my
recompile, such as libxml, gd, etc. I doubt this is the cause though, as I did
the same thing on the machine that's working fine.)

TIA,

-- 
Alex Howansky
Wankwood Associates
http://www.wankwood.com/




mod_ssl: Private key not found

2001-03-24 Thread Nicole Hunt

Hi!

I have tried to create my own ssl server certificate keys, but now the Apache do not 
start?
( System is Solaris 2.7, Apache 1.3.12 , mod_ssl 2.2.6 and openssl 0.9.6)
System has some test keys and they work, but the new ones do not.

Errors in logs:

[error] mod_ssl: Init: Private key not found (OpenSLL library error follows)
[error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag


What could be the problem?

Nicole Hunt



Re: mod_ssl: Init: Private key not found (Apache+mod_perl+mod_php3+mod_ssl)

2000-02-23 Thread Ralf S. Engelschall

On Tue, Feb 22, 2000, Stefan Marx wrote:

> I've encountered the following error when trying to start my newly compiled
> apache(apache 1.3.11, mod_ssl, mod_php3(3.0.14), mod_perl):
> 
> mod_ssl: Init: Private key not found
> OpenSSL: error 0D09B08F:asn1 encoding routines:d2i_PrivatKey:unknown public key
> type
> 
> I've read about this in former postings to the list. I followed the
> instructions for testing the readability of the keys and the certs, they are
> OK.
> 
> What now? I've tried several times with new made certs, but there is no
> change in this behaviour.

Have you just "restarted" Apache or stopped and started it? Because this
can happen if you add a certificate/key pair to a new virtual host and
just restart the server.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



mod_ssl: Init: Private key not found (Apache+mod_perl+mod_php3+mod_ssl)

2000-02-22 Thread Stefan Marx

Hi,

I've encountered the following error when trying to start my newly compiled
apache(apache 1.3.11, mod_ssl, mod_php3(3.0.14), mod_perl):

mod_ssl: Init: Private key not found
OpenSSL: error 0D09B08F:asn1 encoding routines:d2i_PrivatKey:unknown public key
type

I've read about this in former postings to the list. I followed the
instructions for testing the readability of the keys and the certs, they are
OK.

What now? I've tried several times with new made certs, but there is no
change in this behaviour.

Thanx in advance for any help that solves the problem,

Stefan Marx  

-- 
---
CSH Comtron-Shop Handels GmbH
Alte Strasse 65
D-44143 Dortmund
Germany
Tel.: +49 231 562229-12
Fax.: +49 231 562229-29
---





HELP: Error: Private key not found. / PrivateKey:unknown public key type

1999-10-29 Thread Marco A. Zamora Cunningham

I'm trying to build Apache+mod_ssl+mod_perl with the latest and greatest
versions: apache_1.3.9, mod_ssl-2.4.6-1.3.9, mm-1.0.12, mod_perl-1.21 and
perl-5.005_03;  gcc is version 2.8.1 on HP-UX 10.20. 

Plain-old Apache runs OK, mod_perl passes the `make test` and a few other
homebrew tests, but the whole thing won't work if I try SSL (`apachectl
startssl` as opposed to `apachectl start`). 

Since I'm building this to upgrade an existing production server, I grabbed the
existing key and Verisign cert from the production machine, copied them over to
my development machine, and installed them in the exact same way I did for
production: 
  cd /opt/apache/conf/ssl.crt/
  cp /path/to/server.crt /path/to/server.key .
  chmod 550 server.crt server.key
  chown httpd:httpd server.crt server.key
  make

My httpd.conf says:
SSLCertificateFile    /opt/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key

Then I try to run Apache:
/opt/apache/bin/apachectl startssl
And get an error:
Apache:mod_ssl:Error: Private key not found.
**Stopped
/opt/apache/bin/apachectl startssl: httpd could not be started
error_log says:
mod_ssl: Init: Private key not found (OpenSSL library error follows)
OpenSSL: error:0D09B08F:asn1 encoding routines:d2i_PrivateKey:unknown
public key type

Huh?

I'm using the same OpenSSL libraries as the production server (OpenSSL 0.9.3a
29 May 1999), and the old Apache-1.3.6+mod_ssl-2.3.9 has no problem with the
same key+cert pair using this library.

Am I overlooking something obvious? Maybe I have to re-encode the key or cert?

Any help would be greatly appreciated and would justly deserve a beer on me
whenever you come over to Mexico City.

TIA...  Marco Zamora
