Thread: [bug] Certificate is Invalid && Key is Invalid

  1. #1
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023

    [bug] Certificate is Invalid && Key is Invalid

    Hello,

    I've got a 100% valid and working pair of SSL key and SSL cert. But Directadmin does not accept them and gives an error:

    Code:
    Cannot Execute Your Request

    Details

    Modulus=F10F37C...skipped...32CC
    Certificate is Invalid
    Key is Invalid

    My details:

    Code:
    # openssl version
    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    # rpm -qa | grep openssl
    openssl-devel-0.9.8e-22.el5_8.3
    openssl-0.9.8e-22.el5_8.3

    I do check the cert in shell:

    Code:
    cat /usr/local/directadmin/data/users/username/domains/domain.com.conf.cert | /usr/bin/openssl x509 -modulus

    and it gives no error.

    I modify

    /usr/local/directadmin/data/users/username/domains/domain.com.conf
    /usr/local/directadmin/data/users/username/httpd.conf

    in order to make SSL work with the specified CERT rather than the server's one. And when I visit https://domain.com/ no error occurs.

    I ran directadmin in debug mode, and it printed:

    Code:
    certValid(cert, 1) - begin
    Running /usr/bin/openssl x509 -modulus 2>&1
    
    singleCertValid():: '/usr/bin/openssl x509 -modulus' returned 256:*****
    Modulus=F10F37C2FDF19AEF4823288404B80785E5E547E3C7D21F81018B52613E861715BD55941DFE05ECBAD297D04FB5DC2AF9338692DAC0E5EC0D15D68201E1AD661EDAB534AE334E71F1BAE2FDF3C94E1395D94A9DD62797D47BF56D5BA40AA2CAE7E17004E27A0C0EA861DD7A37F7EA244732BCBF21969A7DA4F2DF0BE57FA85EE9E4743152056484698AD37D407923A69C6BE7659C7B20CD2B1AD24AFFCBE580B47DF4E44FB76E25F543329E4A5432AC6FBA93...skipped...2CC
    *****
    writing RSA key
    unable to write key
    31292:error:09072007:PEM routines:PEM_write_bio:BUF lib:pem_lib.c:595:
    MimeTypes::readFile(): Unable to open /usr/local/directadmin/data/users/username/domains/domain.com.handlers for reading
    Command::doCommand(/CMD_SSL) : finished
    Command::run: finished /CMD_SSL

    I don't know what might be wrong, but a year ago I had the same issue with the domain, and now I want to update the CERT before it expires, and the same error occurs.

    And it seems the other domain on this server does not have this issue with SSL certs, and directadmin accepts it without a problem.

    What else can I do with it?
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    The same "Modulus=" error occurs even on adding a CACert on a newly created account without added key and cert.

  3. #3
    Hello,

    1) Looking over the code, "openssl" for this call is run as diradmin. See if you get any errors when running as that User. If it's chmod 700, try setting it to 755.

    2) Check the actual return code of the command.. as it seems to be returning 256, eg:
    Code:
    /usr/bin/openssl x509 -modulus < /usr/local/directadmin/data/users/username/domains/domain.com.conf.cert; echo $?

    John

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Hello John,

    1. That's OK, I've got only one openssl binary chmoded to 755
    2. Checked, it returns 0 both from root and diradmin.
    With regards, Alex.


  5. #5
    Join Date
    Apr 2008
    Posts
    267
    I do not know if mine is the same issue, but I went crazy after spending 4 hours on this. When I try to renew an existing SSL, after pasting the Web Server CERTIFICATE in the SSL settings page, I get:

    Code:
     Modulus=DC673991E369931F040D3F06A8AE0D6025CA71FEE4ED80EA3A58222CA9E5208B16905275345321C30D517741AAD8BC6B80C1236BD0680CBF4885E66D67693302AAB8C4D04EA4B50D014C8927DEB691A614886D7FBACB7B2F324C9E58A67B65DA55AAD308A83AB4871CF2CAA3AF16573593537735092911F46358A618C265119CC51FA77C078F7A593620BF409BBACB0CB139D5187B364E9C399DAEA20648CCAD33F0EEF9F74F2C3191906C6A136CD750A4B657AF0BA78CA6762293340B48840878A1E35647AB4596CE6AC36D884F29D6D701A8B79262FB3E1C0BCC05E8174F923877B055669386902BB5DD0D7E0FB6248D3BEA94BBEF41A9F48A04BD00616C67 -----BEGIN CERTIFICATE----- MIIFKzCCBBOgAwIBAgIDDLSdMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew HhcNMTMwNjIzMTA0MTQ2WhcNMTQwOTI3MjE0MjE5WjCBvDEpMCcGA1UEBRMgZ2ty RXAzNTVHNUVXUThuLzhWRHFJdjMtTktzWkh6N1MxEzARBgNVBAsTCkdUMTE0MjAx MTUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk U1NMKFIpMRYwFAYDVQQDEw13d3cuM3VydW4uY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEA

    But pasting the CA cert is OK. But when I check the domain I get "Certificate does not match name". Instead it shows the admin's domain name in the name section. Please check and see for yourself; the domain is 3urun.com

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Among all the DA-powered servers and all the domains which I maintain, I still get the error only with one domain on one server; it was even repeated one month ago, when I replaced the CERT/KEY with prolonged ones.

    The following bypass is used by me: I add the CERT/KEY manually in SSH and restart Apache. Directadmin still throws the same error, and I'm still not sure why that happens.

    @ozgurerdogan,

    Regarding your situation, this is what I see:

    Code:
    --2013-06-25 03:58:22--  https://3urun.com/
    Resolving 3urun.com... 93.186.113.5
    Caching 3urun.com => 93.186.113.5
    Connecting to 3urun.com|93.186.113.5|:443... connected.
    Created socket 4.
    Releasing 0x00000000019dba20 (new refcount 1).
    Initiating SSL handshake.
    Handshake successful; connected socket 4 to SSL handle 0x00000000019dcc10
    certificate:
      subject: /serialNumber=6rmbBzzL2v-/il0OsL2/7PchK91GCEmr/OU=GT14440398/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.yesilbeyaz.com.tr
      issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    ERROR: certificate common name “www.yesilbeyaz.com.tr” doesn’t match requested host name “3urun.com”.
    To connect to 3urun.com insecurely, use ‘--no-check-certificate’.
    Closed 4/SSL 0x00000000019dcc10

    With regards, Alex.


  7. #7
    Join Date
    Apr 2008
    Posts
    267
    Yes, my friend. yesilbeyaz.com.tr is another domain there, also running fine on SSL. So why does this renewal show the other domain there?

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Sorry, but I can not answer your question remotely. You should either check httpd.conf for the virtual host yourself, or get somebody to do it for you.

    One guess though: if you get an error Modulus=DC6739[...] when trying to save a new cert, directadmin makes your domain use the default server's SSL cert. So if that's your case, you might need to fix it manually, by creating all the needed files in the domain data directory and changing other files. I wish I had time to write it up in more detail, sorry. Anyway, if you want, I could fix it for you and write down all the steps (note that in this case you might need to order my service). Or you could try asking official support to fix it for you.
    With regards, Alex.


  9. #9
    Join Date
    Apr 2008
    Posts
    267
    Thank you, but I was able to fix it by manually creating the CSR and placing the cert file. All OK now.

  10. #10
    Join Date
    Oct 2015
    Posts
    18
    Sorry to hijack this thread. I'm having the same exact problem after moving server (changing primary ip address). Does anyone know why?

  11. #11
    The IP is not related to a certificate.. if DA is complaining it's not valid, would either be an issue with the cert or key itself, or perhaps DA cannot read them.
    Try manually testing with post #3 above, with a file containing your certificate.

    Also try checking the contents of that certificate:
    http://help.directadmin.com/item.php?id=343

    John

  12. #12
    Join Date
    Oct 2015
    Posts
    18
    Quote, originally posted by DirectAdmin Support:
    The IP is not related to a certificate.. if DA is complaining it's not valid, would either be an issue with the cert or key itself, or perhaps DA cannot read them.
    Try manually testing with post #3 above, with a file containing your certificate.

    Also try checking the contents of that certificate:
    http://help.directadmin.com/item.php?id=343

    John

    Hi John,

    Thanks for the suggestion. I've tried running openssl over the key and cert pair as diradmin:

    /usr/bin/openssl x509 -modulus < /usr/local/directadmin/data/users/username/domains/domain.com.conf.cert && echo $?
    /usr/bin/openssl rsa -modulus < /usr/local/directadmin/data/users/username/domains/domain.com.conf.key && echo $?

    They both match and there was no error complaining of any permission. If you see the debug error from directadmin, the error seems to be related to openssl not being able to write to a file, this is also reflected in the debug output of "strace -f" which I did on the directadmin processes. The directadmin process forks a child process which runs the openssl command above. Strace then detected that openssl was unable to write to some file in the openssl process. Why would openssl be writing anything to the disk or memory?
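
Added example, not part of the original posts: the cert/key comparison from posts #3 and #12 as a script that reports an openssl failure separately from a modulus mismatch. The function names, the SHA-256 step and the throwaway `example.test` pair are assumptions made for illustration.

```shell
#!/bin/sh
# Compare the public-key modulus of a certificate and an RSA private key.
# check_pair returns 0 = pair matches, 1 = mismatch, 2 = openssl could not read an input.

modulus_digest() {   # $1 = x509|rsa, $2 = PEM file; prints SHA-256 of the "Modulus=" line
    out=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 2
    case $out in
        Modulus=?*) ;;          # expected shape of the output
        *) return 2 ;;
    esac
    printf '%s' "$out" | openssl dgst -sha256 | awk '{print $NF}'
}

check_pair() {       # $1 = certificate file, $2 = private key file
    cert_d=$(modulus_digest x509 "$1") || return 2
    key_d=$(modulus_digest rsa "$2") || return 2
    [ "$cert_d" = "$key_d" ]
}

# Constructed test material: a throwaway self-signed pair plus an unrelated key in dir $1.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/demo.key" -out "$1/demo.cert" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Script use: sh check_pair.sh domain.com.conf.cert domain.com.conf.key
if [ "$#" -eq 2 ]; then
    if check_pair "$1" "$2"; then
        echo "certificate and key match"
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "MISMATCH: key does not belong to this certificate"
        else
            echo "openssl failed to read one of the files"
        fi
        exit "$rc"
    fi
fi
```

To reproduce the panel's view of the files, run it as the same user the panel uses for the call (diradmin, per post #3).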

  13. #13
    Join Date
    Oct 2015
    Posts
    18
    Hi John, I've tried running the openssl commands as diradmin user and the modulus output came out matching. There's no problem with openssl as far as I can see. Directadmin debug mode shows that it's receiving the SSL certificate from the site and parsing it through openssl without a problem. By doing a strace, I can see where the error occurs. There was a bad file descriptor in the openssl process which kicked off a broken pipe. I guess directadmin is telling openssl to write to some file and there was a permission problem somewhere along the line. However, without knowing what files are being written, there's no way I can check if the permissions are correct. Can you tell me which files are being written when a new SSL cert/key is uploaded via the user site?
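
Added example, not part of the original posts: one command run with a usable, a closed and a read-only stdout, showing how it can exit 0 in a login shell yet fail when a parent process hands it a bad descriptor, as post #13 describes. `emit_modulus` is a constructed stand-in for the openssl call, and reading the "returned 256" in the debug output as a raw wait status (exit code 1) is an assumption.

```shell
#!/bin/sh
# Run a command under different inherited stdout conditions and report its exit code.

# Constructed stand-in for `openssl x509 -modulus`: all it does is write to stdout.
emit_modulus() { echo "Modulus=CONSTRUCTED"; }

status_under() {     # $1 = file|closed|readonly, remaining args = command to run
    mode=$1; shift; rc=0
    case $mode in
        file)     ( "$@" ) >/dev/null 2>&1      || rc=$? ;;  # ordinary writable stdout
        closed)   ( "$@" ) >&- 2>/dev/null      || rc=$? ;;  # fd 1 is not open at all
        readonly) ( "$@" ) 1</dev/null 2>/dev/null || rc=$? ;;  # fd 1 open, not writable
        *)        return 64 ;;
    esac
    echo "$rc"
}

# Assumption: the number is a raw wait()/system() status, where the low 7 bits hold a
# terminating signal and the next 8 bits hold the exit code.
decode_wait_status() {
    sig=$(( $1 & 127 ))
    if [ "$sig" -eq 0 ]; then
        echo "exit $(( ($1 >> 8) & 255 ))"
    else
        echo "signal $sig"
    fi
}

for m in file closed readonly; do
    echo "stdout=$m -> exit code $(status_under "$m" emit_modulus)"
done
echo "wait status 256 -> $(decode_wait_status 256)"
```

The same wrapper accepts a real command, for example `status_under closed openssl x509 -noout -modulus -in FILE`, to see how it behaves when its output descriptor is unusable.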

  14. #14
    Join Date
    Oct 2015
    Posts
    18
    Also, I've posted tons of data in another thread here: https://forum.directadmin.com/showthread.php?t=52114

    Grateful if you can help.
