I'm trying to update some expired SSL certificates internally on some Ubuntu and Red Hat servers. I have an internal certificate authority for this (ADCS). These are the steps I'm taking:
- Generate CSR + private key using openssl:
  openssl req -out file.csr -newkey rsa:2048 -nodes -keyout file.key -config req.conf
- Submit CSR to Internal Active Directory Certificate Authority. I'm given back a certificate in base64 format.
- I use this certificate and the private key on the web server.
Everything works fine when I do this on an Ubuntu web server running lighttpd. I update the certificate/key and restart lighttpd, it works.
I replicate these exact steps, but this time for a Red Hat 7/8 server running httpd, and I get the following error: AH02565: Certificate and private key from and do not match
I've probably generated a new private key/csr five or six times now hoping the result would be different :D
What am I doing wrong here?
Output of httpd -S:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:39)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
Maybe there are multiple directives for the cert in /etc/httpd/conf.d/ssl.conf (which is a bit nasty). Check that config and whether the SSL settings are correct there. Also reload apache after making the changes. Compare the certificate declared there with openssl x509 -in mycert.pem -text -noout and check if it's correct. Also check the logs in /etc/httpd/logs/error_log.
SSLCertificateFile and SSLCertificateKeyFile: Did you install both the certificate AND the key in the right place? Also make sure that you append any intermediary certificate (but not the root CA) after the host certificate in the file mentioned in SSLCertificateFile.
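A small checker for the mismatch the question and both answers discuss, added here as an example and not from the original post or from the httpd project. It assumes openssl is on PATH, reads the SSLCertificateFile / SSLCertificateKeyFile directives from an httpd config such as /etc/httpd/conf.d/ssl.conf, pairs them in order, flags a directive that appears more than once, and compares the public key in each certificate with the one derived from its private key (the same check mod_ssl performs before logging AH02565); it goes a little beyond the single-pair case in the question by handling several directives.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH and that the
# httpd config uses plain SSLCertificateFile / SSLCertificateKeyFile directives.

# Public key (PEM SubjectPublicKeyInfo) embedded in an X.509 certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, in the same PEM form.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Short fingerprint of a PEM public key, for readable output only.
pubkey_fp() { printf '%s\n' "$1" | openssl dgst -sha256 | awk '{print substr($NF, 1, 16)}'; }

# Exit 0 when certificate $1 and private key $2 carry the same public key, which is
# what mod_ssl verifies at startup before it raises AH02565. Unreadable input fails.
cert_key_match() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Pull every SSLCertificateFile / SSLCertificateKeyFile from an httpd config (e.g.
# /etc/httpd/conf.d/ssl.conf), flag duplicated directives, and check each pair in order.
check_httpd_ssl_conf() {
    conf=$1
    certs=$(awk '$1=="SSLCertificateFile"    {gsub(/"/,"",$2); print $2}' "$conf")
    keys=$(awk  '$1=="SSLCertificateKeyFile" {gsub(/"/,"",$2); print $2}' "$conf")
    nc=$(printf '%s\n' "$certs" | awk 'NF{n++} END{print n+0}')
    nk=$(printf '%s\n' "$keys"  | awk 'NF{n++} END{print n+0}')
    if [ "$nc" -gt 1 ]; then echo "note: $nc SSLCertificateFile directives in $conf"; fi
    if [ "$nc" -ne "$nk" ] || [ "$nc" -eq 0 ]; then
        echo "error: $nc SSLCertificateFile vs $nk SSLCertificateKeyFile in $conf"; return 1
    fi
    rc=0; i=1
    while [ "$i" -le "$nc" ]; do
        c=$(printf '%s\n' "$certs" | sed -n "${i}p")
        k=$(printf '%s\n' "$keys"  | sed -n "${i}p")
        cf=$(pubkey_fp "$(cert_pubkey "$c")"); kf=$(pubkey_fp "$(key_pubkey "$k")")
        if cert_key_match "$c" "$k"; then echo "OK   $c <-> $k ($cf)"
        else echo "FAIL $c ($cf) <-> $k ($kf): public keys differ"; rc=1; fi
        i=$((i + 1))
    done
    return "$rc"
}

# Usage: check_httpd_ssl_conf /etc/httpd/conf.d/ssl.conf
```

A FAIL line with two different fingerprints means the file named in SSLCertificateKeyFile is not the key the CSR was generated from, which is exactly the situation AH02565 reports.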