Apache won't start with new SSL certificate

IT_Architect


I don't install certs very often, but I have a documented procedure that I normally use that works. However, it didn't work this time, and the problem might be me.

Scenario:
I have one domain named userdomain.com. I logged into the CP for userdomain.com and generated a cert named secure.userdomain.com, and installed the cert. It still saw the old server cert. Then I remembered I should have generated the cert request on the admin account, so I bought another secure.userdomain.com for that, and installed it at the admin user level. (userdomain.com, which I generated the first cert for, also uses the server's shared IP address.)

The procedure I used to install the server cert is as follows:
1. Login admin
2. Select the User Level
3. In the Advanced Features section on the bottom, Click on SSL Certificates.
4. Make a CSR. Save the CSR.
5. Request the certificate from the CA using the generated CSR
6. When you get the cert, delete everything below the Private Key, paste in the cert directly underneath the Private Key and press the Save button.
7. Return to same screen and down on the bottom where it says "Click Here to paste a CA Root Certificate", click on the "Click Here" and paste in the CA's cert.
8. Make sure you have a fresh login to the CP and go to the Service Monitor screen.
9. Login SSH and check that the SSL stuff is correct:
a. Open /etc/httpd/conf/ssl.key/server.key and make sure it matches the Private Key you copied off earlier. If not, exit and make a copy of the file. Then edit it and paste the Private Key into it and save it.
b. Open /etc/httpd/conf/ssl.crt/server.crt. Make sure it matches the Certificate that you received. If not, exit, and make a copy of the file. Then edit it, and paste the Cert you received from the CA into it. (THEY DID NOT MATCH. I PASTED IN THE NEW CERT)
10. Go back to the browser we left logged in on the Service Monitor and restart Apache. (APACHE FAILED TO START AND THERE WERE NO ERRORS IN THE ERROR LOG)
*When I replace the cert with the old cert, it starts fine.

*The remainder I normally do also, but didn't yet because Apache wouldn't start.
11. Open a different browser and go to https://secure1.userdomain.com and make sure you do not get a certificate warning.
12. Set up DirectAdmin to use the cert also
# cd /etc/httpd/conf/
# cp ssl.crt/server.crt /usr/local/directadmin/conf/cacert.pem
# cp ssl.key/server.key /usr/local/directadmin/conf/cakey.pem
# cd /usr/local/directadmin/conf
# chown root:wheel ./cacert.pem
# chmod 644 ./cacert.pem
# chown diradmin:diradmin ./cakey.pem
# chmod 400 ./cakey.pem

13. Set up Exim / SMTP
# cd /etc/httpd/conf/
# cp ssl.crt/server.crt /etc/exim.cert
# cp ssl.key/server.key /etc/exim.key
# cd /etc
# chown root:wheel ./exim.cert
# chmod 644 ./exim.cert
# chown mail:mail ./exim.key
# chmod 400 ./exim.key

14. Go back into the service monitor and restart DirectAdmin
15. Launch a different browser and go to secure1.userdomain.com:2222 and log in. You should not get a certificate error
16. Go back into the service monitor and restart DirectAdmin and restart Exim, Dovecot, and sshd
17. Open the mail client and set it up to use secure e-mail with secure1.userdomain.com as the POP or IMAP and SMTP server. It should not ask for a certificate.
 
PS: I made another interesting discovery. After I pasted the new CERT into the admin area of the CP and saved it, it reverts back to the old CERT, which is why they did not match in step 9 above. If I force it by copying into /etc/httpd/conf/ssl.crt/server.crt, then when I restart Apache from the CP, it spawns a single instance of httpd in the CP, then silently crashes, and comes back with "not running". When I start httpd from the command prompt, it appears to hang.

PS: I learned something else.
Old Cert:
openssl rsa -noout -modulus -in server.key | openssl md5
fadc2f29efd9dfccafc2d7c629016991

openssl x509 -noout -modulus -in server.crt | openssl md5
fadc2f29efd9dfccafc2d7c629016991

*Cert matches key

New Cert:
openssl rsa -noout -modulus -in server.key | openssl md5
fadc2f29efd9dfccafc2d7c629016991

openssl x509 -noout -modulus -in server.csr | openssl md5
d41d8cd98f00b204e9800998ecf8427e

openssl x509 -noout -modulus -in server.crt | openssl md5
d41d8cd98f00b204e9800998ecf8427e

*New cert matches the csr, but csr does not match the key. How is it possible to generate the csr from that key?
 
If you use the DA interface to create a CSR, it will use the existing KEY if one is installed. So you can go this way, or do it manually in SSH:

Code:
openssl req -new -sha256 -key server.key -out server.csr
 
I used the interface as mentioned in the procedure above. I got back a cert that matched the CSR, but not the key, thus the generated CSR was bad.
 
1. Login admin
2. Select the User Level

So you did it as admin on its user level, correct? In this case a CSR was generated based on a server-wide key. Or did I miss anything?

When you add a new CERT/KEY via DirectAdmin it checks and validates them, and if validation fails DirectAdmin does not install them into Apache/nginx, so as to prevent issues with starting the web server.
 
When you add a new CERT/KEY via DirectAdmin it checks and validates them, and if validation fails DirectAdmin does not install them into Apache/nginx, so as to prevent issues with starting the web server.
Which is apparently what is happening. I will do it a 3rd time, only before I request a CERT this time, I will check CSR MD5 before I submit, and if they don't match, I'll do it manually.

PS: For some reason I'm not getting my instant replies.
 
I will do it a 3rd time, only before I request a CERT this time, I will check CSR MD5 before I submit, and if they don't match, I'll do it manually.
I did a third submission from the environment. The MD5 for the CSR and KEY agreed, and when the CRT came back, it agreed. I pasted in the key and certificate and saved it. When I went back into the environment, it was again using the old stuff. I'll copy the files in manually into the directories under httpd/conf/* and see if httpd will run, but I would guess not since the environment returned to the old key and cert.
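The modulus check from the first post, and the "check the CSR MD5 before I submit" step planned here, as an added helper that is not part of the thread or of DirectAdmin: it reads the CSR with `openssl req` (the `x509` command prints nothing for a CSR, and d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty output), refuses to compare empty moduli, and reports whether key, CSR and certificate agree. The server.csr path is assumed.

```shell
#!/bin/sh
# Added helper, not from the thread: compare the RSA modulus of a key, CSR and
# certificate. A CSR must be read with "openssl req", not "openssl x509";
# x509 prints nothing for a CSR, and the MD5 of that empty output is
# d41d8cd98f00b204e9800998ecf8427e, the value the thread saw.
modulus_md5() {
    # $1 = key | csr | crt, $2 = path; prints the MD5 of "Modulus=..."
    case "$1" in
        key) mod=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null || true) ;;
        csr) mod=$(openssl req  -noout -modulus -in "$2" 2>/dev/null || true) ;;
        crt) mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true) ;;
        *)   echo "usage: modulus_md5 key|csr|crt FILE" >&2; return 2 ;;
    esac
    if [ -z "$mod" ]; then
        # Empty output means openssl could not parse the file as that type.
        echo "error: $2 is not a readable $1 (empty modulus)" >&2
        return 1
    fi
    # Strip the "(stdin)= " / "MD5(stdin)= " prefix so only the hash remains.
    printf '%s\n' "$mod" | openssl md5 | sed 's/^.*= *//'
}

# Returns 0 only when key, CSR and certificate all carry the same modulus;
# run it before submitting the CSR to the CA and again when the cert arrives.
check_triplet() {
    k=$(modulus_md5 key "$1") || return 1
    r=$(modulus_md5 csr "$2") || return 1
    c=$(modulus_md5 crt "$3") || return 1
    if [ "$k" = "$r" ] && [ "$r" = "$c" ]; then
        echo "OK: key, CSR and cert share modulus $k"
        return 0
    fi
    echo "MISMATCH: key=$k csr=$r crt=$c" >&2
    return 1
}

# Usage (the key/cert paths are the thread's; server.csr is an assumed path):
# check_triplet /etc/httpd/conf/ssl.key/server.key server.csr /etc/httpd/conf/ssl.crt/server.crt
```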
 
The Solution:
As I mentioned, I do not do this very often, and I need to amend my procedure: steps 4 & 6 are wrong.

>4. Make a CSR. Save the CSR.<
This should read:
4. Make a CSR. Save the CSR and newly generated private key.

>6. When you get the cert, delete everything below the Private Key, paste in the cert directly underneath the Private<
This should read:
6. When you receive the cert, select the "Paste a pre-generated certificate and key" radio button, delete everything, and paste in the new private key that was made when you generated the CSR, paste in the cert directly underneath the private key, and press the Save button.

When users log into Webmail or the CP, they don't get errors anymore.

I still have problems when I run the RapidSSL verifier:
"The issuer of the following certificate is not supported by the certificate installation checker."
When I check it at https://www.ssllabs.com/ssltest/ , I get errors about the chain not being complete, which is weird because I do have the CA bundle installed and active. I'm not getting any errors in httpd, exim, or da anymore.
 