Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: mophilly on March 15, 2015, 01:31:59 AM
-
After installing a GoDaddy "wildcard" cert in a new SME 9 system, the httpd service is broken. I cannot connect to server-manager by server name or IP address from LAN or WAN. The browser says it cannot establish a connection. It could using the default self-signed cert.
We have three SME servers, each with unique internal and external IP addresses.
A. SME 8 is the primary gateway, with all services enabled as is the default.
B. SME 8 is an app server
C. SME 9 is also an app server
Server A hosts the DNS, and Servers B and C point to it via the corporate DNS option.
Server A and B use a wild card certificate from GoDaddy. I am trying to configure Server C to use the same wild card certificate.
On Server C, the httpd appears to start, but logs errors,
[warn] RSA server certificate wildcard CommonName (CN) `*.mycompany.com' does NOT match server name!?
[error] Unable to configure RSA server private key
[error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I have compared the .crt values on all three machines and they are the same.
I have tried to compare the .key content on all three machines, that is, servername. A and B appear to have the same value using the openssl -modulus option. Not so with C, yet I believe I have entered precisely the same info for the openssl -newkey option.
Does SME 9 need a new cert of its own?
Is there a way to view or verify the content of the .key file?
To revert to the default, is deleting the .crt, .key and .pem files and then running console-save enough to regenerate a default cert?
-
Mophilly
Perhaps you should raise a bug as your problem appears to be unique to SME 9.
To go back to default see
http://wiki.contribs.org/Certificates_Concepts#Expiration_time_of_the_self_signed_certificate
Note to replace the filenames with the correct file/key names applicable to your server.
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot
or to more thoroughly remove all old & unwanted files do the following (make a backup of files in these folders first, if you have commercial certificates). You should answer y to accept each file removal one at a time.
rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot
-
Thank you, Janet. I will follow your suggestions.
FOLLOW UP: This issue was submitted to the bug tracker, see report 8873 (http://bugs.contribs.org/show_bug.cgi?id=8873).
-
Server A and B use a wild card certificate from GoDaddy. I am trying to configure Server C to use the same wild card certificate.
It needs to use the same key file. You can't create a new keyfile (using openssl -newkey) which will work.
-
Yes. That was it. I did not understand the .key file could/should be used for each server.
Thank you for the help.
-
Yes. That was it. I did not understand the .key file could/should be used for each server.
It's called a 'key' file because it is required to unlock the cert. You can't use the cert without having the key that was used to lock it when it was created.