Everyone,
I have been working on a new installation of CentOS 5.0 on an x86_64 machine. The installation has gone well except for httpd.
When I start httpd with LogLevel turned to debug, all I get is an immediate failure with the following errors in the logs:
/var/log/httpd/error_log: [Sun Jul 22 13:00:31 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
/var/log/ssl_error.log:
[Sun Jul 22 13:04:32 2007] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 22 13:04:32 2007] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Sun Jul 22 13:04:32 2007] [error] Unable to configure RSA server private key
[Sun Jul 22 13:04:32 2007] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
The ssl errors were present on the old system so I was not too worried about those.
I turned off selinux without a change in symptoms.
I get the same errors whether I start the service via "service httpd start" or "httpd". When I use "httpd -E /tmp/errors.txt" the errors.txt file is created, but is empty. "httpd -t" responds with "Syntax OK"
I have done a yum remove of the web server module, and have done a re-install using yum without a change in symptoms.
I have not been able to figure out how to get more data in the logs; httpd seems to be failing too soon to record much.
Anyone's ideas would sure be appreciated !!!
Greg Ennis
Gregory P. Ennis wrote:
[Sun Jul 22 13:04:32 2007] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Sun Jul 22 13:04:32 2007] [error] Unable to configure RSA server private key
[Sun Jul 22 13:04:32 2007] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
The ssl errors were present on the old system so I was not too worried about those.
Your ServerName isn't the same as the one which is present in the certificate. SSL does not really like that. And it is good to be stricter about that.
I turned off selinux without a change in symptoms.
Yes, as that error clearly hasn't anything to do with SELinux.
Anyone's ideas would sure be appreciated !!!
As that seems to be a self-signed certificate: Create a new one with the server's fqdn in the Common Name field (www.example.com, for example).
tinyca2 (which is available from the rpmforge repository) makes creation of new certificates really easy.
Also the "HOWTO" section on http://www.modssl.org/docs/2.8/ssl_howto.html has some information.
Cheers,
Ralph
On Sun, 2007-07-22 at 22:21 +0200, Ralph Angenendt wrote:
Ralph,
Thanks for the suggestion to use tinyca2.... great utility!!!!! The link was also excellent.
Unfortunately, I am going to give up on a fix for the failure of httpd and do a repeat install. This is my 4th install of CentOS 5.0 and everything has worked perfectly before. I am sure it must be related to something I have done during my configuration setup, but I cannot find the error for now.
Back to the Salt mines!!!
Greg
On Sun, 2007-07-22 at 16:12 -0500, Gregory P. Ennis wrote:
I wanted to submit a follow up note to this thread. It turned out that Ralph's suggestion provided the solution. I did a repeat installation, checked httpd at the beginning of the installation, and it worked fine. After the updates and some setup changes I made, httpd failed again in the same manner as before. I finally created my own certificates (httpd) with make-dummy-cert and modified /etc/httpd/conf.d/ssl.conf with the following additions:
    SSLCertificateFile      /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/httpd.pem
    SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt
    SSLCACertificateFile    /etc/pki/tls/certs/httpd-bundle.crt
The httpd-bundle had to be created with a script:
    #!/bin/sh
    # Usage: mkbundle.sh cert.pem   -> writes cert.pem.crt
    OUTPUT="$1.crt"
    echo "Creating : $OUTPUT"
    # Human-readable dump of the certificate first, then the PEM block itself
    openssl x509 -in "$1" -noout -text > "$OUTPUT"
    cat "$1" >> "$OUTPUT"
httpd is working perfectly now. I am still not sure why httpd worked on other installations I have done without this, but as Ralph mentioned the certs really needed to be updated anyway.
Greg
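The two complaints in Greg's ssl_error.log can be checked directly with openssl before httpd is ever started. "X509_check_private_key:key values mismatch" means the public key inside the certificate file is not the public key belonging to the configured private key, so mod_ssl refuses to load the pair; the CN warning means the certificate was issued for a name other than the ServerName. The script below, an added example and not code from the thread or from CentOS, builds two self-signed pairs (a correct one for www.example.com and a make-dummy-cert style one for localhost.localdomain) and runs both checks against them. The host name, file names and working directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce and diagnose the two SSL
# errors from the ssl_error.log, a cert/key pair that do not belong together
# ("X509_check_private_key:key values mismatch") and a Common Name that is not
# the ServerName httpd answers for.  www.example.com and all file names are
# assumptions for this demo; RSA only, as in the thread.

# 0 if the public key inside the certificate equals the public key derived
# from the private key.  This is exactly what X509_check_private_key tests.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl rsa  -in "$2" -pubout      2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the certificate's CN; the sed copes with both the old "/CN=x" and the
# newer "CN=x" subject formats that different openssl versions print.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# 0 if the CN equals the ServerName given as $2 (no wildcard or SAN handling,
# which is all that mod_ssl of that era compared as well).
cn_matches_servername() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Self-signed cert + key with a chosen CN, i.e. what make-dummy-cert does but
# with the server's real name instead of localhost.localdomain.
mk_selfsigned() {   # mk_selfsigned <cn> <out.key> <out.crt>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mk_selfsigned www.example.com       "$WORK/good.key"  "$WORK/good.crt"
mk_selfsigned localhost.localdomain "$WORK/dummy.key" "$WORK/dummy.crt"

# Pair 1 is correct; pair 2 mixes the cert of one pair with the key of the
# other, which is the situation behind "key values mismatch".
for pair in "good.crt good.key" "good.crt dummy.key"; do
    set -- $pair
    if cert_key_match "$WORK/$1" "$WORK/$2"; then
        echo "$1 / $2: key matches certificate"
    else
        echo "$1 / $2: key values mismatch (httpd would refuse to start)"
    fi
done

for crt in good.crt dummy.crt; do
    if cn_matches_servername "$WORK/$crt" www.example.com; then
        echo "$crt: CN matches ServerName www.example.com"
    else
        echo "$crt: CN '$(cert_cn "$WORK/$crt")' does NOT match ServerName www.example.com"
    fi
done
```

To check a real installation, point cert_key_match at the files named by SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf and cn_matches_servername at the ServerName of the SSL virtual host; a reinstall is not needed when only the pair or the name is wrong.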
On 25/07/07, Gregory P. Ennis PoMec@pomec.net wrote:
httpd is working perfectly now. I am still not sure why httpd worked on other installations I have done without this, but as Ralph mentioned the certs really needed to be updated anyway.
Probably because previously you didn't have HTTPS enabled?