I don't understand what's happen on my server. Just bellow the ssl_error_log
[Sat Sep 30 00:51:07 2017] [warn] RSA server certificate CommonName (CN) `www.website.com' does NOT match server name!?
[Sat Sep 30 01:33:05 2017] [warn] RSA server certificate CommonName (CN) `website.com' does NOT match server name!?
[Sat Sep 30 01:33:05 2017] [error] Unable to configure RSA server private key
[Sat Sep 30 01:33:05 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I don't understand why the check was done on www.website.com and now on website.com...
I'm not a expert on web but I want to understand this problem. Which information I have to look?
Best regards,
robin
Related
I have just downloaded SSL certificate from cheapsslsecurity, but apache is giving above errors.
[Sun Jul 17 15:30:01.256726 2022] [ssl:emerg] [pid 3640] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Sun Jul 17 15:30:01.256729 2022] [ssl:emerg] [pid 3640] AH02312: Fatal error initialising mod_ssl, exiting.
[Sun Jul 17 16:00:01.434769 2022] [suexec:notice] [pid 3698] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Jul 17 16:00:01.439767 2022] [ssl:emerg] [pid 3698] AH02238: Unable to configure RSA server private key
[Sun Jul 17 16:00:01.439859 2022] [ssl:emerg] [pid 3698] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Sun Jul 17 16:00:01.439862 2022] [ssl:emerg] [pid 3698] AH02312: Fatal error initialising mod_ssl, exiting.
Things I tried
Checked private key and certificate key and they are matching
In SSL certificate entered the path for crt file. Private key entered the private key file. In SSLCACertificateFile entered the bundle path provided by the site.
Removed spaces from private key
Encoding of private key file is UTF-8 and also tried changing .txt to .key
Checked validity of certificae and it is of next year
I am trying to setup the following:
User ---https---> Apache ---http---> Company Proxy ---https---> Third party webserver (nginx)
The Apache must send an SSL client certificate for authentication by the webserver.
I am using Apache 2.4.41 / OpenSSL 1.1.1d.
If I am testing the setup with curl and sending the SSL client cert to the webserver via the company
(i.e. bypassing the Apache), it works perfectly. However, if I am using curl to connect to the Apache,
it fails.
I have configured (relevant parts only) as an Apache VHost
===
ServerName test1.company.com:5140
SSLEngine on
KeepAlive on
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyVerify none
SSLProxyCheckPeerName off
SSLProxyCACertificateFile conf/ssl/ca-bundle-proxy.crt
# client certificate (contains unencrypted concatenated private key and server certificate)
SSLProxyMachineCertificateFile ssl.client
ProxyRemote "*" "http://proxy.company.de:8080"
ProxyTimeout 30
Timeout 30
# explicity required
ProxyPreserveHost Off
<Location /mycontext>
ProxyPass https://www.thirdparty.com:443/mycontext
ProxyPassReverse https://www.thirdparty.com:443/mycontext
</Location>
I get in the logfile (extract):
[Mon Mar 23 14:18:26.150538 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: read 5/5 bytes from BIO#7fc57000ddb0 [mem: 7fc57002f863] (BIO dump follows)
[Mon Mar 23 14:18:26.150558 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: read 117/204 bytes from BIO#7fc57000ddb0 [mem: 7fc57002f868] (BIO dump follows)
[Mon Mar 23 14:18:26.165597 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: read 87/87 bytes from BIO#7fc57000ddb0 [mem: 7fc57002f8dd] (BIO dump follows)
[Mon Mar 23 14:18:26.165643 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read server key exchange
[Mon Mar 23 14:18:26.165687 2020] [ssl:debug] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(1943): AH02267: Proxy client certificate callback: (test1.company.com:5140) entered
[Mon Mar 23 14:18:26.165691 2020] [ssl:debug] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2013): AH02269: Proxy client certificate callback: (test1.company.com:5140) no client certificate found!?
[Mon Mar 23 14:18:26.165708 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read server certificate request
[Mon Mar 23 14:18:26.165712 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read server done
[Mon Mar 23 14:18:26.165722 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS write client certificate
[Mon Mar 23 14:18:26.165881 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS write client key exchange
[Mon Mar 23 14:18:26.165910 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS write change cipher spec
[Mon Mar 23 14:18:26.165947 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: write 138/138 bytes to BIO#7fc57000e190 [mem: 7fc57002a5a0] (BIO dump follows)
[Mon Mar 23 14:18:26.235214 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read change cipher spec
[Mon Mar 23 14:18:26.235242 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read finished
[Mon Mar 23 14:18:26.235254 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2187): [remote proxy.company.com:8080] OpenSSL: Handshake: done
[Mon Mar 23 14:18:26.235265 2020] [ssl:debug] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2236): [remote proxy.company.com:8080] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
The output of curl via the Apache :
< HTTP/1.1 400 Bad Request
< Date: Mon, 23 Mar 2020 13:18:26 GMT
< Server: nginx
< Content-Type: text/html
< Content-Length: 246
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
Questions:
Why does it say "no client certificate found!?" and "write client certificate" ? It's a little bit confusing.
As far as I know, the exchange of the SSL client certificate is done in the SSL handshake. How can the handshake be completed if there is an error with sending the client cert?
Does anybody have an idea what needs to be changed in the Apache configuration to get this working?
Any help is greatly appreciated.
Thanks
Christian
Why does it say "no client certificate found!?" and "write client certificate" ? It's a little bit confusing.
If the server requested a client certificate the client will send the requested Certificate record. But this might contain nothing (i.e. 0 certificates).
As far as I know, the exchange of the SSL client certificate is done in the SSL handshake. How can the handshake be completed if there is an error with sending the client cert?
A client certificate can be mandatory or optional. The client cannot see if it is mandatory or not, only that a certificate is requested. The server or application might decide to check if the certificate is the expected one after the handshake itself is completed. Only if the handshake is completed the client can send a HTTP request and get a HTTP response with the comparably nice error message. Otherwise the client would just get a strange handshake error.
Does anybody have an idea what needs to be changed in the Apache configuration to get this working?
The config you present looks actually good but the problem might be in the details. For example the certificate file might be wrong so that a certificate and key cannot actually be found inside. Hard to tell without having a look at these kind of details. Or the certificate does not match the list of CA the server presented as possible issuers for the client certificate.
I just created a ssl certificate shown here : http://www.tecchannel.de/a/owncloud-9-unter-ubuntu-server-16-04-lts-installieren,3277807,2
now if I start apache I get no error but with service apache2 status I get a error , error log :
[Fri Mar 31 14:55:59.639400 2017] [ssl:error] [pid 21071] AH02579: Init: Private key not found
[Fri Mar 31 14:55:59.639479 2017] [ssl:error] [pid 21071] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 31 14:55:59.639494 2017] [ssl:error] [pid 21071] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Mar 31 14:55:59.639504 2017] [ssl:error] [pid 21071] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 31 14:55:59.639515 2017] [ssl:error] [pid 21071] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Fri Mar 31 14:55:59.639526 2017] [ssl:error] [pid 21071] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Mar 31 14:55:59.639536 2017] [ssl:error] [pid 21071] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 31 14:55:59.639547 2017] [ssl:error] [pid 21071] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Fri Mar 31 14:55:59.639553 2017] [ssl:emerg] [pid 21071] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Fri Mar 31 14:55:59.639558 2017] [ssl:emerg] [pid 21071] AH02564: Failed to configure encrypted (?) private key localhost:443:0, check /etc/apache2/ssl/apache.crt
AH00016: Configuration Failed
but whats wrong ? the file in /etc/apache2/ssl/apache.crt exists of course ... and why "Private key not found" ? apache.key exists too.
any help ? :(
While generating CRS request, it generates 2 files
example.csr
example.key -> You need to include this file in SSL configuration.
Make sure you have included key file in ssl configuration.
Key file should look like :
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
I think you should recheck your configuration steps.. After creating the .key file you have to give proper permission so that it should readable and writable by root.
Follow the below link which may solve your problem.
https://www.howtoforge.com/how-to-set-up-an-ssl-vhost-under-apache2-on-ubuntu-9.10-debian-lenny
I generated server.key using openssl CLI and then generated server.csr from that. Then I submitted server.csr to my company (this is all internal) and they gave me a text file which I renamed to server.crt
I followed this guide to install SSL Cert for XAMPP's Apache
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR193
Basically I edited the httpd-ssl.conf file with below:
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
SSLCACertificatePath "conf/ssl.crt/"
SSLCACertificateFile "conf/ssl.crt/server.crt"
When I restarted my Apache server, it failed and gave error:
[Thu May 08 14:14:48.014710 2014] [ssl:warn] [pid 1924:tid 272] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 08 14:14:48.016664 2014] [ssl:warn] [pid 1924:tid 272] AH01907: RSA server certificate is not a leaf certificate (BasicConstraints: pathlen == 2 > 0 !?)
[Thu May 08 14:14:48.016664 2014] [ssl:warn] [pid 1924:tid 272] AH01909: RSA certificate configured for www.myservername.com:443 does NOT include an ID which matches the server name
[Thu May 08 14:14:48.016664 2014] [ssl:emerg] [pid 1924:tid 272] AH02238: Unable to configure RSA server private key
[Thu May 08 14:14:48.016664 2014] [ssl:emerg] [pid 1924:tid 272] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu May 08 14:14:48.016664 2014] [ssl:emerg] [pid 1924:tid 272] AH02311: Fatal error initialising mod_ssl, exiting. See C:/xampp/apache/logs/error.log for more information
Anyone knows why? How to fix this?
Here are my system info
Windows NT LGLAC046 6.1 build 7600 (Windows Server 2008 R2 Enterprise Edition) i586
Apache/2.4.4 (Win32) OpenSSL/0.9.8y PHP/5.4.19
OPENSSL_CONF C:/xampp/apache/bin/openssl.cnf
SSL Version OpenSSL/0.9.8y
I generated server.csr using openssl CLI and then generated server.key from that
You're supposed to generate a private key first:
openssl genrsa -des3 -out server.key 1024
then generate a csr:
openssl req -new -key server.key -out server.csr
If you're requesting a new certificate, you then send the CSR to the CA.
It sounds like what you have is a CA certificate, not a server certificate.
I have a problem installing the SSL certificates. The problem i think the server name doesn't match the certificate's server name.
Here the exact Apache problem:
[Wed Oct 02 18:33:23 2013] [warn] RSA server certificate CommonName (CN) `name1.name2.fr' does NOT match server name!?
[Wed Oct 02 18:33:23 2013] [error] Unable to configure RSA server private key
[Wed Oct 02 18:33:23 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Oct 02 18:34:00 2013] [warn] RSA server certificate CommonName (CN) `name1.name2.fr' does NOT match server name!?
[Wed Oct 02 18:34:00 2013] [error] Unable to configure RSA server private key
[Wed Oct 02 18:34:00 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
We use RHEL 6. How can i see the server name and how to change it ?
Thanks in advance.
You have to set the Server's DNS name first:
so perform the command
$ sudo gksu gedit /etc/hostname to edit the hostname file
add the line www.example.com
$ sudo /etc/hosts and add the line:
127.0.0.1 www.example.com localhost
After that make sure to use that domain name in creating or signing the certificate
I had this warning in ssl_error_log:
[Wed Dec 11 14:02:41 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Dec 11 14:02:41 2013] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
It is because that mod_ssl in CentOS (5.10) came with a default virtualhost which will use the default cert in /etc/pki/tls/certs/localhost.crt....
I removed the virtualhost section in conf.d/ssl.conf and the warning disappeared after reloading apache.