IT_Architect
Verified User
Joined: Feb 27, 2006
Messages: 1,114
Apache won't start with new SSL certificate
I don't install certs very often, but I have a documented procedure that I normally use that works. However, it didn't work this time, and the problem might be me.
Scenario:
I have one domain named userdomain.com. I logged into the CP for userdomain.com and generated a cert named secure.userdomain.com, and installed the cert. It still saw the old server cert. Then I remembered I should have generated the cert request on the admin account, so I bought another secure.userdomain.com for that, and installed it at the admin user level. (userdomain.com, which I generated the first cert for, also uses the server's shared IP address.)
The procedure I used to install the server cert is as follows:
1. Login admin
2. Select the User Level
3. In the Advanced Features section on the bottom, Click on SSL Certificates.
4. Make a CSR. Save the CSR.
5. Request the certificate from the CA using the generated CSR
6. When you get the cert, delete everything below the Private Key, paste in the cert directly underneath the Private Key and press the Save button.
7. Return to same screen and down on the bottom where it says "Click Here to paste a CA Root Certificate", click on the "Click Here" and paste in the CA's cert.
8. Make sure you have a fresh login to the CP and go to the Service Monitor screen.
9. Login SSH and check that the SSL stuff is correct:
a. Open /etc/httpd/conf/ssl.key/server.key and make sure it matches the Private Key you copied off earlier. If not, exit and make a copy of the file. Then edit it and paste the Private Key into it and save it.
b. Open /etc/httpd/conf/ssl.crt/server.crt. Make sure it matches the Certificate that you received. If not, exit, and make a copy of the file. Then edit it, and paste the Cert you received from the CA into it. (THEY DID NOT MATCH. I PASTED IN THE NEW CERT)
10. Go back to the browser we left logged in on the Service Monitor and restart Apache. (APACHE FAILED TO START AND THERE WERE NO ERRORS IN THE ERROR LOG)
*When I replace the cert with the old cert, it starts fine.
*The remainder I normally do also, but didn't yet because Apache wouldn't start.
11. Open a different browser and go to https://secure1.userdomain.com and make sure you do not get a certificate warning.
12. Set up DirectAdmin to use the cert also
# cd /etc/httpd/conf/
# cp ssl.crt/server.crt /usr/local/directadmin/conf/cacert.pem
# cp ssl.key/server.key /usr/local/directadmin/conf/cakey.pem
# cd /usr/local/directadmin/conf
# chown root:wheel ./cacert.pem
# chmod 644 ./cacert.pem
# chown diradmin:diradmin ./cakey.pem
# chmod 400 ./cakey.pem
13. Set up Exim / SMTP
# cd /etc/httpd/conf/
# cp ssl.crt/server.crt /etc/exim.cert
# cp ssl.key/server.key /etc/exim.key
# cd /etc
# chown root:wheel ./exim.cert
# chmod 644 ./exim.cert
# chown mail:mail ./exim.key
# chmod 400 ./exim.key
14. Go back into the service monitor and restart DirectAdmin
15. Launch a different browser and go to secure1.userdomain.com:2222 and log in. You should not get a certificate error
16. Go back into the service monitor and restart DirectAdmin and restart Exim, Dovecot, and sshd
17. Open the mail client and set it up to use secure e-mail with secure1.userdomain.com as the POP or IMAP and SMTP server. It should not ask for a certificate.
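Added here as an example, not part of the original post or of DirectAdmin: a POSIX-shell pre-flight check for the key/certificate pair before step 10 (restarting Apache). When mod_ssl refuses to start with a freshly pasted certificate and error_log is empty, the usual cause is that server.key does not belong to server.crt (for example the CSR was generated under a different account, so the key that ended up in the panel is not the one the CA issued the certificate for); mod_ssl typically reports the mismatch on the console from `apachectl -t` or in its own ssl_error_log rather than the main error_log. The script derives the public key from the key file and compares it with the one embedded in the certificate, verifies the certificate against the pasted CA certificate, and rejects files with Windows line endings or missing PEM markers. All file paths, and the make_fixture helper that creates a throwaway CA, leaf certificate and an unrelated key with openssl, are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the forum post): sanity-check an Apache key/cert
# pair before restarting httpd. Needs the openssl command-line tool.
# Paths passed in are assumptions; on the poster's layout they would be
# /etc/httpd/conf/ssl.key/server.key and /etc/httpd/conf/ssl.crt/server.crt.

# pem_clean FILE -> 0 if FILE is readable, has BEGIN/END markers and no CR bytes
# (a cert pasted from a Windows editor often carries \r\n line endings).
pem_clean() {
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN ' "$1" || return 1
    grep -q -- '-----END ' "$1" || return 1
    ! LC_ALL=C grep -q "$(printf '\r')" "$1"
}

# key_cert_match KEY CERT -> 0 if the private key's public half equals the
# certificate's public key (works for RSA and EC keys alike).
key_cert_match() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# ssl_precheck KEY CERT CAFILE -> 0 only if every check passes; prints a
# one-line verdict per check so the failing piece is obvious.
ssl_precheck() {
    key=$1; crt=$2; ca=$3; rc=0
    pem_clean "$key" || { echo "key:      not a clean PEM file"; rc=1; }
    pem_clean "$crt" || { echo "cert:     not a clean PEM file"; rc=1; }
    if key_cert_match "$key" "$crt"; then
        echo "key/cert: match"
    else
        echo "key/cert: MISMATCH (CSR generated with a different key?)"; rc=1
    fi
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "chain:    verifies against $ca"
    else
        echo "chain:    does NOT verify against $ca"; rc=1
    fi
    if openssl x509 -noout -checkend 0 -in "$crt" 2>/dev/null; then
        echo "expiry:   not expired"
    else
        echo "expiry:   expired or unreadable"; rc=1
    fi
    return $rc
}

# make_fixture DIR: constructed test data, not real certificates. Creates a
# throwaway CA, a leaf cert for secure.userdomain.com signed by it, and an
# unrelated key (other.key) to stand in for the "wrong account" private key.
make_fixture() {
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj /CN=ExampleCA -days 1 >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
            -subj /CN=secure.userdomain.com >/dev/null 2>&1
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out server.crt -days 1 >/dev/null 2>&1
        openssl genrsa -out other.key 2048 >/dev/null 2>&1
    )
}

# Stand-alone run: build the fixture and show a passing and a failing check.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_fixture "$d"
    echo "== matching pair =="; ssl_precheck "$d/server.key" "$d/server.crt" "$d/ca.crt"
    echo "== wrong key =="; ssl_precheck "$d/other.key" "$d/server.crt" "$d/ca.crt"
    rm -rf "$d"
fi
```

Run it as `sh precheck.sh demo` to see both outcomes, or call `ssl_precheck` with the real server.key, server.crt and the CA file before touching the Service Monitor; if it reports a mismatch, the fix is to install the certificate against the key from the CSR it was issued for, not to keep restarting Apache. `apachectl -t` (or `httpd -t`) gives the same verdict from mod_ssl itself and is worth running alongside.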