I'm trying to update some expired SSL certificates internally on some Ubuntu and Redhat servers. I have an internal certificate authority for this (ADCS). These are the steps I'm taking:

  1. Generate CSR + private key using openssl:

     openssl req -out file.csr -newkey rsa:2048 -nodes -keyout file.key -config req.conf

  2. Submit CSR to Internal Active Directory Certificate Authority.

  3. I'm given back a certificate in base64 format.

  4. I use this certificate and the private key on the web server. Everything works fine when I do this on an Ubuntu web server running lighttpd. I update the certificate/key and restart lighttpd, and it works.

I replicate these exact steps but this time for a Redhat 7/8 server running Httpd and I get the following error: AH02565: Certificate and private key from and do not match

I've probably generated a new private key/csr five or six times now hoping the result would be different :D

What am I doing wrong here?

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  127.0.0.1 (/etc/httpd/conf.d/ssl.conf:39)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
  • Dump the whole configuration with httpd -S maybe there are multiple directives for the cert
    – Turdie
    Nov 29 at 2:44
  • I added it to the original post. It was too long :D
    – poppopretn
    Nov 29 at 3:37
  • It looks like there is one VirtualHost in /etc/httpd/conf.d/ssl.conf (which is a bit nasty). Check if that config and if the ssl settings are correct there. Also reload apache after making the changes. Compare the certificate declared there with openssl x509 -in mycert.pem -text -noout and check if it's correct. Also check the logs in /etc/httpd/logs/error_log
    – Turdie
    Nov 29 at 4:13
  • What is the ssl config in apache? Pay attention to SSLCertificateFile and SSLCertificateKeyFile. Did you install both the certificate AND the key in the right place? Also make sure that you append any intermediary certificate (but not the root CA) after the host certificate in the file mentioned in SSLCertificateFile
    Nov 29 at 4:47
  • SSLCertificateFile and SSLCertificateKeyFile locations are correct. /etc/httpd/logs/error_log shows "AH00016: Configuration failed" which is interesting... I ran this and confirmed the Key and Certificate have the same modulus: openssl rsa -in homelabpriv.key -noout -modulus and openssl x509 -in homelabcert.pem -noout -modulus
    – poppopretn
    Nov 29 at 20:32
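Added example, not from the question or any of the commenters: a POSIX shell check that compares the public key embedded in the SSLCertificateFile with the public key derived from the SSLCertificateKeyFile (this works for EC keys as well as RSA, unlike the RSA-only -modulus comparison above), and that verifies the certificate file starts with the server certificate rather than a CA certificate or a key. The two file paths are assumed to be passed as arguments.

```shell
#!/bin/sh
# Verify that an httpd SSLCertificateFile and SSLCertificateKeyFile belong together.
# Usage: ./certcheck.sh /path/to/cert.pem /path/to/key.pem   (paths are hypothetical)

# SHA-256 fingerprint of the SubjectPublicKeyInfo inside the certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from the private key (RSA or EC).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when both fingerprints are present and identical, 1 otherwise.
keys_match() {
    cfp=$(cert_pubkey_fp "$1")
    kfp=$(key_pubkey_fp "$2")
    [ -n "$cfp" ] && [ -n "$kfp" ] && [ "$cfp" = "$kfp" ]
}

# httpd expects the server certificate to be the first PEM block in SSLCertificateFile;
# intermediates follow it (the file in the question should start with this block).
first_block_is_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Number of CERTIFICATE blocks: 1 means no intermediates were appended.
cert_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

if [ "$#" -ge 2 ]; then
    first_block_is_cert "$1" || echo "WARN: $1 does not start with a CERTIFICATE block"
    echo "certificate blocks in $1: $(cert_block_count "$1")"
    if keys_match "$1" "$2"; then
        echo "OK: public key in $1 matches private key $2"
    else
        echo "MISMATCH: $1 and $2 do not share a public key (or could not be parsed)"
        exit 1
    fi
fi
```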

1 Answer

For whatever reason, it works after I rename the cert and key and move them both to another directory up one level. I'm not sure why since the file contents, owner of the file, and file permissions were the same. Oh well.
