I followed this tutorial by rapidssl.com how to set up their SSL certificate. I did everything according to the article, but when I try to restart nginx, I get following error:
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/website.co.private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
I have in the /etc/nginx/certs/ directory 2 files - website.co.crt and website.co.private.key.
The content of the website.co.private.key file is the key that is generatet from the command
sudo openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
In the website.co.crt file is the certificate that I received by email by SSLRapid.com + Bundled CA Version (PEM) - so basically, there are 3 blocks of certificates.
What am I missing or what could be wrong? I've create the directory /etc/nginx/certs/ as sudo mkdir, I did it also in my previous project and it was working, but not in here.
It's causing me headache, I am fighting with this issue 2nd day already and no result so far. I'll be grateful for every help.
Thank you
Check the order that you add the parts to the bundle. Getting the wrong order will cause the error you are seeing.
This is the correct order:
cat yourdomain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt >
yourdomain.com.pem
Related
I just started to learn programming and tried to install SSL on my site.
I used a 90-day free trial SSL from Comodo and it worked well.
I purchased a new SSL from Comodo and generated CSR on the server (on my putty terminal)
My site is a Wordpress run by Bitnami and AWS.
Error message is that my site name is mismatched.
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheeselab.co.kr#whyNotTrusted
How could I solve this problem? I tried to re-install it from the scratch but I don't know what I have to do.
Below codes are what I did
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 204
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert2.crt
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
renamed the file from server.crt to cert2.crt
(above codes worked well)
sudo /opt/bitnami/ctlscript.sh restart apache
but error message with above code as below
Invalid command 'sudo', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting Monitored apache
I have Installed SSL Certificate and When Trying to Restart Httpd It's Goes "Failed"
Here What and How I did
Followed http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html#ssl_enable
and Enable SSL/TLS .Allow Httpd port 443 in Security Groups ( But Page not Opening as HTTPS )
Then I Generate Private Key and CSR Using Command
"openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr "
Get from ( https://in.godaddy.com/help/generating-a-certificate-signing-request-csr-apache-2x-5269 )
Then I Type "Ls -l " and got the Key and CSR i created . Copy them to /etc/pki/tls/certs/ Directory .Then Input CSR ( typing vi filename.csr anc copy in .txt file) to Godaddy and Got Certificate and Intermediate Certificate Bundle. Also Upload Certificate file & Intermediate Certificate Bundle to /etc/pki/tls/certs/ Directory
Then i edite ssl.conf ( "cd /etc/httpd/conf.d/ then "sudo nanao ssl.conf ) Put # before sslCertificateKeyfile,sslCertificatefile and sslcertificatechainfile Then put my sslcertificateKey,sslCertificatefile and sslcertificatechainfile location and Save ssl.conf
Then Type " sudo service httpd restart" showed me httpd stop : OK and Httpd Start : Failed
Let me know what's Wrong i did . This is 2nd time i tried . First time i though i made mistake may be then re setup server and tried But Same Problem .
Wish someone will help me
Thank You
I got Solution . Check Log and got key and csr not matching . then i regenerate key and with new key to generate csr and boom.. it's Done :)
I have updated my certificate on Gandi like this :
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working good with older certificate but since I updated configuration with new certificate here is is my log on nginx. I can't restart :
Nginx logs :
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with process ?
Configuration of nginx is ok.
Here is my nginx configuration :
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key - and you cannot change that - public key is an integral part of X509 certificate). This is exactly what openssl is trying to tell you - you are trying to use a certificate with different private key that was originaly created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create new certificate).
I'm going to install SSL using OpenSSL on WAMPServer. The processes which I've been through are as follows:
I have installed apache, configured it and activated ssl module,
Added a new system variable OPENSSL_CONF:
Variable name: OPENSSL_CONF
Variable value: A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Restarted windows and made sure I saw the following line among the environment variables using command-line set | more command:
OPENSSL_CONF=A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Installed openSSL1.01Light(x64) on A:\OpenSSL and in its bin folder I have generated a key using command line command:
openssl req -new > webserver.csr
(Note that openSSL installation directory by default ain't have webserver.csr and I had to copy it from A:\wamp\bin\apache\apache2.4.9\bin directory)
The command ran and prompted me to enter a PEM pass phrase and verify it. I entered a pass phrase and verified it.
I entered information that would be incorporated into my certificate request.
I ran the following command:
openssl rsa -in privkey.pem -out webserver.key
I was prompted for the pass phrase from the previous step. The RSA key was written and the file webserver.key was then available in the folder.
Now I was going to covert the certificate into a signed one using the following command:
openssl x509 -in webserver.csr -out webserver.cert -req -signkey webserver.key -days 365
I got stock in this level that error occured with the following message:
5336:error:0906D06C:PEM routiness:PEM read bin:no start line:.\crypto\pem\pem_lib.c:703:Expecting: CERTIFICATE REQUEST
error in x509
How do I overcome this issue? Any idea? Thanks...
I'm having the same issue as Jngai1297 here: SSL Configuration Unable to read server.crt file, only I think I've spelled everything correctly.
I am trying to update our ssl certificate. We purchased a cert from startssl.com. I downloaded the ssl.key file, and retrieved my ssl.crt file, I also downloaded sub.class2.server.ca.pem and ca.pem
I ran:
openssl rsa -in ssl.key -out sslnopas.key
cat ssl.crt sub.class2.server.ca.pem ca.pem > concatenated.crt
heroku certs:update concatenated.crt sslnopass.key --app <MYAPPNAME>
with as my actual application name, but I'm getting:
Resolving trust chain... failed
! Unable to read concatenated.crt file
Is there any way I could get a better error message? I'm on the latest version of heroku toolbelt 3.6.0
Figured it out - I misspelled the sslnopass.key file! The concatenated.crt file was fine, and the error message was wrong. Looks like this is Heroku's default error message for just about anything that goes wrong with this call.