Hi all, I have done a bad, bad thing.
I set up a server October last year and it never got installed until 2 weeks ago. A number of package upgrades later and the system is singing. Except I was getting an email (to admin) every day regarding the SSL certificate not being matched to the apache. So I created a server cert with phpki (different to the one I created for the openvpn) of type SSL and put it in the /home/e-smith/ssl.* (one file for each of the crt, key, pem). I put these in the directories as I said but didn't remove the others (I don't ever do this until all is good). This worked well until this morning, when I rebooted after the update of udev (not that I attribute this to the problem, just purely coincidental).
Now on a reboot apache won't start. Error now is:
[Tue Apr 28 09:33:25 2009] [warn] RSA server certificate CommonName (CN) `www.myserver.com.au' does NOT match server name!?
[Tue Apr 28 09:33:25 2009] [error] Unable to configure RSA server private key
[Tue Apr 28 09:33:25 2009] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
www.myserver.com.au above is just so I am not putting the real FQDN on the forum and not what is really in the error.
Now also of the three services that httpd start kicks off it is the httpd-e-smith that is causing this error, -admin and -pki both appear to start up and run AND httpd stop doesn't seem to stop these.
I changed in /etc/httpd/conf/httpd.conf the lines under SSL pointing to the certificate in an attempt to make it look at the new keys, this was this morning AFTER I started to have problems.
Events of this morning
In an attempt to get Open VPN to work (as it was asking for a TLS config cert) I added the extra shared key into the cert config screen.
Yum Update -> udev
sig-event post -upg
sig-event reboot
couldn't get on to /server-manager
Then went looking as to why, went down the path of looking for a
[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock Configuration Failed
as this was what was appearing in /var/log/httpd/error_log BUT this was because httpd-e-smith was repeatedly trying to startup and of course that error (RSA server certificate CommonName......) was at the top of the error_log file. After some time then the mod_rewrite error appears.
Also did a sig-event post-upgrade -> sig-event reboot again to see if that would make a difference
I have now returned everything I changed back to the original and am writing in here for more inspiration.
OK, so having said all that, is there a method of restoring/regenerating all of the confs and certs etc.?
Incidentally the key/crt/pem files in /home/e-smith/ssl.* all seem to have regened this morning when I did a sig-event post-upgrade
I'm at more of a loss now. If I have to (really really really have to) I will reload but I think this is a simple fix.
Eventually I will have to purchase a signed cert for the eshop that is to be created on this machine, but for the time being I need to get basic services restored.
If there is more info that you require please ask and I will provide it, it is not provided as I don't know what is pertinent to finding the solution.
I meant to add the output of
db configuration show modSSL
modSSL=service
CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
TCPPort=443
access=public
status=enabled
and nothing about a reference to a certificate/key
This is on a 7.3 upgraded to 7.4 via yum update install
Regards,
Steve B
[edit by cactus: modified subject to add keyword solved]
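Added example, not part of the original post: the "X509_check_private_key:key values mismatch" error quoted above means the certificate Apache loaded does not carry the public half of the private key it loaded, and this check compares the two before a restart. The function names and the throwaway test pairs are constructed for the illustration; on the poster's server the arguments would be the crt and key files under /home/e-smith/ssl.*.

```shell
#!/bin/sh
# Added example: confirm that a certificate and a private key belong together.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key file.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: a throwaway self-signed pair written to
# <prefix>.key and <prefix>.crt, with the given CN.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pair "$dir/old" "www.example.test"
    make_pair "$dir/new" "www.example.test"

    # A certificate checked against its own key.
    same=0
    cert_matches_key "$dir/new.crt" "$dir/new.key" || same=$?

    # A new certificate left beside an older key: same CN, different key
    # pair, which is the condition behind the "key values mismatch" error.
    mixed=0
    cert_matches_key "$dir/new.crt" "$dir/old.key" || mixed=$?

    rm -rf "$dir"
    echo "same=$same mixed=$mixed"
}

demo
```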