Koozali.org: home of the SME Server

purchased SSL cert, installed it, now web is down

rshiras
« on: December 13, 2009, 08:40:57 PM »
I followed instructions at:
http://wiki.contribs.org/Certificates_Concepts
and I have also tried the methods at:
http://forums.contribs.org/index.php?topic=45081.0
My web pages do not come up.  It looks like httpd is not running:
# ps -A |grep http
 4505 ?        00:00:00 httpd-admin
 4625 ?        00:00:00 httpd-admin
# /etc/rc.d/init.d/httpd start
Starting httpd:                                            [FAILED]
#
Here's some info on my server:
# cat /etc/e-smith-release
SME Server release 7.4
# httpd -v
Server version: Apache/2.0.52
Server built:   Nov 12 2009 06:54:45
What am I missing? 
« Last Edit: December 13, 2009, 08:43:32 PM by rshiras »

Curly
« Reply #1 on: December 13, 2009, 08:44:31 PM »
Check the logs:
/var/log/httpd/error_log, it should contain an error message indicating what's going wrong.

rshiras
« Reply #2 on: December 13, 2009, 09:25:49 PM »
# less /var/log/httpd/error_log
[Sun Dec 13 12:24:32 2009] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

Does this mean that I am getting so many errors that it has filled up my drive with logs?

rshiras
« Reply #3 on: December 13, 2009, 09:27:38 PM »
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_primary-lv_root
                      182G  134G   39G  78% /
/dev/md1               99M   40M   54M  43% /boot
none                 1013M     0 1013M   0% /dev/shm

rshiras
« Reply #4 on: December 13, 2009, 09:31:16 PM »
Do I need something to be in /home/e-smith/ssl.pem for httpd to work?
How do I generate the pem?
I'm just stabbing in the dark as to how to fix this problem at this point.
I'm about to go back to a self-signed key because I am down and this means trouble for me.

rshiras
« Reply #5 on: December 13, 2009, 10:12:29 PM »
Also found this to be of interest:
http://bugs.contribs.org/show_bug.cgi?id=154

But I am still floundering here and desperate for a solution.
I'm thinking I must have done something wrong to generate my cert.
Here are the steps I took:
# openssl genrsa -des3 -out bastion.key 2048
# openssl req -new -key bastion.key -out bastion.csr
Copied contents of bastion.csr to the re-key dialog at godaddy to re-key the cert
Downloaded the resulting crt key from godaddy to my PC
Copied the crt from my PC to /home/e-smith/ssl.crt using WinSCP
# config setprop modSSL crt /home/e-smith/ssl.crt/mydomain.net.crt
where mydomain.net is my domain
# config setprop modSSL key /home/e-smith/ssl.key/mydomain.net.key
where mydomain.net is my domain
# signal-event console-save
# signal-event reboot

There are virtual domains on this SME, and godaddy generated a gd_bundle.crt as well, which I don't know what to do with so I ignored it.

Do I need to edit the httpd.conf file or something?




Stefano
« Reply #6 on: December 13, 2009, 10:14:39 PM »
Quote
# less /var/log/httpd/error_log
[Sun Dec 13 12:24:32 2009] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

Please search the forums and bugzilla, I'm sure you'll find the solution.

janet
« Reply #7 on: December 13, 2009, 11:13:12 PM »
rshiras

Quote
Do I need something to be in /home/e-smith/ssl.pem for httpd to work?
How do I generate the pem ?

As it says in the Certificates Concepts Howto:
After you have deleted the .pem file do:
signal-event post-upgrade
signal-event reboot
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

janet
« Reply #8 on: December 13, 2009, 11:52:13 PM »
rshiras

Quote
No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

Does this mean that I am getting so many errors that it has filled up my drive with logs?

No, it more likely means you have a mismatch between your .crt and .key files.
An advanced forum search on that exact error message should steer you in the right direction. There was also a post some time ago re the correct way to add a Godaddy certificate so search on Godaddy too.

perelandra
« Reply #9 on: December 14, 2009, 04:00:39 PM »
The problem could arise from a password protected certificate!

To avoid this, generate (re-key) a certificate @ godaddy.com without(!) the "-des3" option. Some might remark that this is a security risk; though, it should work fine, if you are aware of including the gd_bundle they sent you:

See this thread for a working installation http://forums.contribs.org/index.php/topic,39310.msg179993.html#msg179993 and do not forget to

signal-event post-upgrade
signal-event reboot

once you're through.
Greetings, Johannes
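
The two causes suggested in Reply #8 and Reply #9 (a .crt/.key mismatch, and a passphrase-protected key produced by -des3) can both be checked from the shell before the modSSL properties are set. This is an added example, not code from the thread or from SME Server; the function names are hypothetical, and it assumes RSA keys in PEM format and openssl on the PATH.

```sh
#!/bin/sh
# Added example: pre-flight checks for a purchased certificate and its key.
# Function names are hypothetical; assumes RSA keys in PEM format.

# Return 0 if the PEM private key is passphrase-protected.
# Traditional RSA PEM marks this with "Proc-Type: 4,ENCRYPTED";
# PKCS#8 uses a "BEGIN ENCRYPTED PRIVATE KEY" header instead.
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Compare the RSA modulus of a certificate with that of a private key.
# Return codes:
#   0  certificate and key belong together
#   1  certificate and key do not match
#   2  key is passphrase-protected (cannot be loaded unattended)
#   3  a file is unreadable or could not be parsed
check_cert_key() {
    crt=$1
    key=$2
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "cannot read $crt or $key"
        return 3
    fi
    if key_is_encrypted "$key"; then
        echo "$key is passphrase-protected"
        return 2
    fi
    # "-passin pass:" stops openssl from prompting on an unexpected key format.
    cert_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || cert_mod=""
    key_mod=$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null) || key_mod=""
    # An empty modulus means a parse failure, which must not count as a match.
    if [ -z "$cert_mod" ] || [ -z "$key_mod" ]; then
        echo "could not parse certificate or key"
        return 3
    fi
    if [ "$cert_mod" = "$key_mod" ]; then
        echo "certificate and key match"
        return 0
    fi
    echo "certificate and key do NOT match"
    return 1
}

# Usage, with the paths given earlier in the thread:
#   check_cert_key /home/e-smith/ssl.crt/mydomain.net.crt \
#                  /home/e-smith/ssl.key/mydomain.net.key
```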

rshiras
« Reply #10 on: December 14, 2009, 08:31:29 PM »
I know I'm not supposed to edit /etc/httpd/conf/httpd.conf.
What file should I edit to set
SSLCertificateChainFile /home/e-smith/sslgen/gd_bundle.crt
SSLCertificateFile /home/e-smith/sslgen/bastion.mydomain.net.crt
SSLCertificateKeyFile /home/e-smith/sslgen/bastion.mydomain.net.key
Apparently, there is a cron job that overwrites this from a template somewhere and I can't find it.


rshiras
« Reply #11 on: December 15, 2009, 12:36:59 AM »
E-mail is down too.  I can get it locally by turning off SSL, but remote users can't get it via POP and they can't log into webmail.

janet
« Reply #12 on: December 15, 2009, 12:54:37 AM »
rshiras

You MUST copy your certificates files to the server and then issue the required db commands to tell sme about the location and name of your custom certificates or else the system will regenerate self signed certificates from the defaults. See the link that perelandra referred you to in the previous post.

rshiras
« Reply #13 on: December 15, 2009, 01:08:22 AM »
From a conversation between Charlie and Gordon,
http://bugs.contribs.org/show_bug.cgi?id=154
<<
I deleted key/crt/pem and regenerated all three, and
all is now fine. I also had to kick the imap service to
copy over the new key, but that's reasonable.

I think we should probably generate all three from the
same template expansion. My guess is we have a timing
issue between the expansions in the code which decides
when the files are out of date.
>>
Has this been done yet?  Does this apply to purchased SSL certs or just self signed certs?
I'm having trouble figuring out where to put things so they are expanded from the templates and so that expanding templates will not wipe out my certs and httpd settings.

rshiras
« Reply #14 on: December 15, 2009, 01:54:25 AM »
Mary,
Oh, do you mean these commands?  I want to be sure.

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt
signal-event console-save
httpd -k graceful
service httpd-admin restart

CharlieBrady
« Reply #15 on: December 15, 2009, 02:29:43 PM »
Quote
Has this been done yet?

Yes (the bug has been resolved, verified, then closed, as you can see)

Quote
Does this apply to purchased SSL certs or just self signed certs?

Just to self-signed certs.

janet
« Reply #16 on: December 15, 2009, 02:49:04 PM »
rshiras

Code:
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt

Yes they are the db commands in the link referred to, but follow them with
signal-event post-upgrade
signal-event reboot

You would copy the Godaddy issued certificate files to the locations specified first, replacing {domain} with the name of your domain that matches the certificate file.


rshiras
« Reply #17 on: December 15, 2009, 06:25:05 PM »
Here is a rough draft of a how-to on entering a UCC SSL certificate into SME 7.4.  I am quite sure I have too many steps here so I implore the experts to help me to turn this into a slimmed down how-to.


Run these commands (do not use the des3 parameter suggested by GoDaddy):
openssl genrsa -out yourdomain.key 2048
openssl req -new -key yourdomain.key -out yourdomain.csr

copy contents of yourdomain.csr to the re-key dialog at godaddy to re-key the cert
Download the ssl zip file from godaddy to your PC
Make a folder /home/e-smith/signedssl
copy the zip file from your pc to /home/e-smith/signedssl
unzip it with these commands:
cd /home/e-smith/signedssl
unzip yourdomain.zip

make a backup copy of these files:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/httpd.conf
Un-comment and edit these lines:
SSLCertificateFile      /etc/httpd/conf/signedssl/yourdomain.crt
SSLCertificateKeyFile   /etc/httpd/conf/signedssl/yourdomain.key
SSLCertificateChainFile /etc/httpd/conf/signedssl/gd_bundle.crt

Run these commands:
config setprop modSSL CommonName yourdomain
config setprop modSSL crt /home/e-smith/signedssl/yourdomain.crt
config setprop modSSL key /home/e-smith/signedssl/yourdomain.key
config setprop modSSL CertificateChainFile /home/e-smith/signedssl/gd_bundle.crt
expand-template /etc/httpd/conf/httpd.conf
signal-event console-save
httpd -k graceful
service httpd-admin restart
signal-event post-upgrade
signal-event reboot

Run these checks:
db configuration show modSSL
grep Certificate /etc/httpd/conf.d/ssl.conf  /etc/httpd/conf/httpd.conf |grep -v \#
/etc/init.d/httpd status

Generate a PEM:
cd /home/e-smith/signedssl
openssl x509 -in yourdomain.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out yourdomain.pem -outform PEM
rm input.der

Copy your crt and pem files to your primary ibay html folder to make them available to users.

CharlieBrady
« Reply #18 on: December 15, 2009, 06:35:59 PM »
Quote
Here is a rough draft of a how-to on entering a UCC SSL certificate into SME 7.4.  I am quite sure I have too many steps here so I implore the experts to help me to turn this into a slimmed down how-to.

If you want to play that game, the wiki is the place to do it.


Quote
make a backup copy of these files:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/httpd.conf
Un-comment and edit these lines:
SSLCertificateFile      /etc/httpd/conf/signedssl/yourdomain.crt
SSLCertificateKeyFile   /etc/httpd/conf/signedssl/yourdomain.key
SSLCertificateChainFile /etc/httpd/conf/signedssl/gd_bundle.crt

Above is definitely wrong advice. I'd advise you to read the developers guide and other documentation, and understand the templating system.

Was this not clear enough for you?

Code:
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/

rshiras
« Reply #19 on: December 15, 2009, 07:28:17 PM »
Sorry Charlie.
I knew that would get your attention.
I put these lines in because they are suggested on the GoDaddy help page for installing certs.  I wanted to make a point of this. 
So obviously we want to take out the line to edit httpd.conf.
What about /etc/httpd/conf.d/ssl.conf?  Is that also not needed?  The DO NOT MODIFY warning is not at the top of this file, and I wanted to be sure to include everything that might be needed.
I'm glad you jumped in here, because I have seen by your many great posts that you really know SME.
Is there anything else that should be added or deleted to make this how-to valuable to others?
I would like to handle this without a lot of back and forth, and avoid flaming and RTFM.
I will place my final draft in the wiki as you suggest.



CharlieBrady
« Reply #20 on: December 15, 2009, 07:39:39 PM »
Quote
I will place my final draft in the wiki as you suggest.

Wiki is the place for the first draft.

Over and out.