[bug] Certificate is Invalid && Key is Invalid

zEitEr (Super Moderator, joined Apr 11, 2005, 15,366 messages, www.poralix.com)

Hello,

I've got a 100% valid and working pair of SSL key and SSL cert. But DirectAdmin does not accept them, and gives an error:

Code:
Cannot Execute Your Request

Details

Modulus=F10F37C...skipped...32CC
 Certificate is Invalid
 Key is Invalid

My details:

Code:
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
# rpm -qa | grep openssl
openssl-devel-0.9.8e-22.el5_8.3
openssl-0.9.8e-22.el5_8.3

I check the cert in the shell

Code:
cat /usr/local/directadmin/data/users/username/domains/domain.com.conf.cert | /usr/bin/openssl x509 -modulus

and it gives no error.

I modify

/usr/local/directadmin/data/users/username/domains/domain.com.conf
/usr/local/directadmin/data/users/username/httpd.conf

in order to make SSL work with the specified CERT rather than the server's one. And when I visit https://domain.com/ no error occurs.

I ran directadmin in debug mode, and it printed:

Code:
certValid(cert, 1) - begin
Running /usr/bin/openssl x509 -modulus 2>&1

singleCertValid():: '/usr/bin/openssl x509 -modulus' returned 256:*****
Modulus=F10F37C2FDF19AEF4823288404B80785E5E547E3C7D21F81018B52613E861715BD55941DFE05ECBAD297D04FB5DC2AF9338692DAC0E5EC0D15D68201E1AD661EDAB534AE334E71F1BAE2FDF3C94E1395D94A9DD62797D47BF56D5BA40AA2CAE7E17004E27A0C0EA861DD7A37F7EA244732BCBF21969A7DA4F2DF0BE57FA85EE9E4743152056484698AD37D407923A69C6BE7659C7B20CD2B1AD24AFFCBE580B47DF4E44FB76E25F543329E4A5432AC6FBA93...skipped...2CC
*****
writing RSA key
unable to write key
31292:error:09072007:PEM routines:PEM_write_bio:BUF lib:pem_lib.c:595:
MimeTypes::readFile(): Unable to open /usr/local/directadmin/data/users/username/domains/domain.com.handlers for reading
Command::doCommand(/CMD_SSL) : finished
Command::run: finished /CMD_SSL

I don't know what might be wrong, but a year ago I had the same issue with the domain, and now I want to update the CERT before it expires, and the same error occurs.

And it seems the other domain on this server does not have this issue with SSL certs; DirectAdmin accepts it without a problem.

What else can I do with it?
 

Attachment: Certificate is Invalid.png (18 KB)
The same "Modulus=" error occurs even on adding a CACert on a newly created account without an added key and cert.
 
Hello,

1) Looking over the code, "openssl" for this call is run as diradmin. See if you get any errors when running as that User. If it's chmod 700, try setting it to 755.

2) Check the actual return code of the command, as it seems to be returning 256, e.g.:
Code:
/usr/bin/openssl x509 -modulus < /usr/local/directadmin/data/users/username/domains/domain.com.conf.cert && echo $?
John
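A by-hand version of the pair check that certValid() performs, added here as an example (not code from the thread or from DirectAdmin). It uses -noout so openssl does not re-emit the cert or key (the "writing RSA key" step that fails in the debug output above), and records openssl's exit status directly rather than chaining `&& echo $?`. Assumes PEM-encoded files and an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: check a cert/key pair by hand.
# Assumes PEM-encoded files and an openssl binary on PATH.

# Print the modulus line of an X.509 certificate.
# -noout keeps openssl from re-emitting the certificate itself.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# Print the modulus line of an RSA private key.
# -noout skips the "writing RSA key" step, so nothing is written back out.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# cert_key_match CERT KEY
#   0  cert and key share a modulus (they belong together)
#   1  both parse but the moduli differ
#   2  the certificate does not parse
#   3  the key does not parse
# The status of "var=$(cmd)" is cmd's own status, so a failure is caught
# on the spot; "cmd && echo $?" would only ever print 0.
cert_key_match() {
    cm=$(cert_modulus "$1") || return 2
    km=$(key_modulus "$2")  || return 3
    [ "$cm" = "$km" ]       || return 1
    return 0
}

# Command-line use: cert_key_match.sh domain.com.conf.cert domain.com.conf.key
if [ $# -eq 2 ]; then
    cert_key_match "$1" "$2"; rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "modulus mismatch: cert and key do not belong together" ;;
        2) echo "certificate unreadable" ;;
        3) echo "key unreadable" ;;
    esac
    exit $rc
fi
```

Run it as the diradmin user to reproduce DirectAdmin's view of the files: a 2 or 3 with no mismatch usually points at permissions rather than at the PEM content.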
 
Hello John,

1. That's OK, I've got only one openssl binary, chmoded to 755.
2. Checked, it returns 0 both from root and diradmin.
 
I do not know if mine is the same issue, but I went crazy after spending 4 hours on this. When I try to renew an existing SSL cert, after pasting the Web Server CERTIFICATE in the SSL settings page, I get:

Code:
Modulus[...]zCCBBOgAwIBAgIDDLSdMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew HhcNMTMwNjIzMTA0MTQ2WhcNMTQwOTI3MjE0MjE5WjCBvDEpMCcGA1UEBRMgZ2ty RXAzNTVHNUVXUThuLzhWRHFJdjMtTktzWkh6N1MxEzARBgNVBAsTCkdUMTE0MjAx MTUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk U1NMKFIpMRYwFAYDVQQDEw13d3cuM3VydW4uY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEA

But pasting the CA cert is OK. But when I check the domain I get "Certificate does not match name". Instead it shows the admin's domain name in the name section. Please check to see for yourself; the domain is 3urun.com
 
Among all the DA-powered servers and all the domains which I maintain, I still get the error only with one domain on one server; it even repeated one month ago, when I replaced the CERT/KEY with prolonged ones.

The following bypass is used by me: I add the CERT/KEY manually over SSH and restart Apache. DirectAdmin still throws the same error, and I'm still not sure why that happens.

@ozgurerdogan,

Regarding your situation, this is what I see:

Code:
--2013-06-25 03:58:22--  https://3urun.com/
Resolving 3urun.com... 93.186.113.5
Caching 3urun.com => 93.186.113.5
Connecting to 3urun.com|93.186.113.5|:443... connected.
Created socket 4.
Releasing 0x00000000019dba20 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x00000000019dcc10
certificate:
  subject: /serialNumber=6rmbBzzL2v-/il0OsL2/7PchK91GCEmr/OU=GT14440398/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.yesilbeyaz.com.tr
  issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
ERROR: certificate common name “www.yesilbeyaz.com.tr” doesn’t match requested host name “3urun.com”.
To connect to 3urun.com insecurely, use ‘--no-check-certificate’.
Closed 4/SSL 0x00000000019dcc10
 
Yes my friend, yesilbeyaz.com.tr is some other domain also running on SSL fine. So why does this renewal show the other domain there?
 
Sorry, but I cannot answer your question remotely. You should either check httpd.conf for the virtual host yourself, or get somebody to do it for you.

One guess though: if you get an error Modulus=DC6739[...] when trying to save a new cert, DirectAdmin makes your domain use the server's default SSL cert. So if that's your case, you might need to fix it manually, by creating all needed files in the domain data directory and changing other files. I wish I had time to write it in more detail, sorry. Anyway, if you want I could fix it for you and write down all the steps (note that in this case you might need to order my service). Or you could try to ask official support to fix it for you.
 
Thank you, but I was able to fix it by manually creating the CSR and placing the cert file. All OK now.
 
Sorry to hijack this thread. I'm having the same exact problem after moving server (changing primary ip address). Does anyone know why?
 
The IP is not related to a certificate. If DA is complaining it's not valid, it would either be an issue with the cert or key itself, or perhaps DA cannot read them.
Try manually testing with post #3 above, with a file containing your certificate.

Also try checking the contents of that certificate:
http://help.directadmin.com/item.php?id=343

John
 
Hi John,

Thanks for the suggestion. I've tried running openssl over the key and cert pair as diradmin:

Code:
/usr/bin/openssl x509 -modulus < /usr/local/directadmin/data/users/username/domains/domain.com.conf.cert && echo $?
/usr/bin/openssl rsa -modulus < /usr/local/directadmin/data/users/username/domains/domain.com.conf.key && echo $?

They both match and there was no error complaining of any permission. If you see the debug error from directadmin, the error seems to be related to openssl not being able to write to a file, this is also reflected in the debug output of "strace -f" which I did on the directadmin processes. The directadmin process forks a child process which runs the openssl command above. Strace then detected that openssl was unable to write to some file in the openssl process. Why would openssl be writing anything to the disk or memory?
 
Hi John, I've tried running the openssl commands as the diradmin user and the modulus output came out matching. There's no problem with openssl as far as I can see. DirectAdmin debug mode shows that it's receiving the SSL certificate from the site and parsing it through openssl without a problem. By doing a strace, I can see where the error occurs. There was a bad file descriptor in the openssl process which kicked off a broken pipe. I guess DirectAdmin is telling openssl to write to some file and there was a permission problem somewhere along the line. However, without knowing what files are being written, there's no way I can check if the permissions are correct. Can you tell me which files are being written when a new SSL cert/key is uploaded via the user site?
 