Linode Forum
Linode Community Forums
PostPosted: Sun Jun 24, 2012 12:50 am
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Hi Everyone,

In May (last month), we bought a Thawte SSL certificate for our domain (hosted on Linode), through our domain registrar.
I followed the instructions at: http://library.linode.com/security/ssl-certificates
titled "Securing Servers with SSL" to install the SSL certificate.

However, at some point in the configuration, we had to get some info from Thawte and the domain registrar to proceed further.
I did that, but there were confusing/conflicting instructions on the next steps to take from the domain registrar, Thawte and the write-up on the Linode Library I was following.

The result was that https wasn't working on the domain.
Now, I have to revisit the issue and solve it, hence I'm turning to the Linode community for help.

The files I have in /etc/ssl/certs/ (which really resolves to /etc/pki/tls/certs) are:
ca-bundle.crt
ca-bundle.trust.crt
makefile
make-dummy-cert

I would appreciate it greatly if someone could help spot what's wrong and how to fix it.
I will also readily provide any other info required to solve this problem.

Our Linode server runs CentOS 6.2 and Apache 2, with OpenSSL installed.

Thanks.


PostPosted: Sun Jun 24, 2012 2:58 am
Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
You normally need a certificate (public) and a private key (.pem/.key for example; it can be in other formats).

You have a couple of certificates now. You can read them with the following command to figure out which one is the one you need as the public certificate:
Code:
openssl x509 -in filename.crt -noout -text


You do not have a private key, however; at least, none that I can see on the list. You should still have the private one somewhere. (Otherwise you need to request a new certificate altogether :( )

I'm not sure what's in the makefile, but you can see if it is related by just using cat on it to read it.


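As an added example (not code from the thread or from Linode's guide), here are the checks behind the advice above, written for the openssl command line: which PEM blocks are CA certificates and which one is the site certificate, whether a given .key file is the one the CSR was generated from (same RSA modulus), and whether the certificate actually chains to the supplied CA bundle. It goes one step further than the post, because a bundle that does not match the certificate will not stop Apache from starting, only browsers from trusting it. Everything it operates on is generated into a temporary directory, so ca.cnf, ca.crt, server.key, stray.key and the other names are demo fixtures, not the poster's files.

```shell
#!/bin/sh
# Added example, not from the thread: certificate / key / chain sanity checks
# you run before wiring a CA-issued certificate into Apache.
set -eu

# cert_role FILE: "ca" if the certificate may sign others (basicConstraints CA:TRUE),
# otherwise "leaf". A registrar's "CA Bundle" should contain only "ca" entries; the
# file handed to SSLCertificateFile must be the single "leaf".
cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# cert_count FILE: number of PEM certificates in a file (a bundle holds several).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# key_matches_cert KEY CERT: true only if the RSA modulus is identical, i.e. this
# key produced the CSR that the CA signed. Hashing the modulus keeps the output short.
key_matches_cert() {
    k=$(openssl rsa  -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# chain_verifies CERT BUNDLE: true if CERT chains up to a CA found in BUNDLE.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# --- constructed demo material: a throwaway CA, a leaf it signed, and strays ----
demo_dir=$(mktemp -d)
cd "$demo_dir"

# Minimal openssl config so the demo CA gets CA:TRUE regardless of the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Intermediate CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -config ca.cnf \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
# The same shape of command the thread's CSR step used (-nodes: unencrypted key).
openssl req -new -nodes -newkey rsa:2048 -config ca.cnf -subj '/CN=www.example.com' \
    -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out server.crt >/dev/null 2>&1
# A key that never produced any CSR, and a CA that never signed anything here.
openssl genrsa -out stray.key 2048 >/dev/null 2>&1
openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -config ca.cnf \
    -subj '/CN=Unrelated CA' -keyout other.key -out other.crt >/dev/null 2>&1

# Report, as you would for the files in /etc/httpd/ssl.
for f in ca.crt server.crt other.crt; do
    printf '%s: %s, %s cert(s)\n' "$f" "$(cert_role "$f")" "$(cert_count "$f")"
done
key_matches_cert server.key server.crt && echo "server.key matches server.crt"
key_matches_cert stray.key  server.crt || echo "stray.key does NOT match server.crt"
chain_verifies server.crt ca.crt        && echo "server.crt chains to ca.crt"
chain_verifies server.crt other.crt     || echo "server.crt does NOT chain to other.crt"
```

On a real box, run cert_role over the registrar's files and key_matches_cert over each .key you find; the one that matches the MIIEODCC certificate is the SSLCertificateKeyFile, and it should be readable by root only.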
PostPosted: Mon Jun 25, 2012 4:15 am
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Thanks @Nuvini for your response.

Here's the mail I got from the domain registrar concerning the SSL certificate.

Quote:
Fw: [#MAT-411-5111]: SSL for mydomain.com
________________________________________
From: Stacy F. <sslsupport@mydomainregistrar.com>
Date: Fri, 11 May 2012 19:29:32 +0300
To: me
ReplyTo: sslsupport@mydomainregistrar.com
Subject: [#MAT-463-55374]: SSL for mydomain.com

Hello,

Please find your SSL certificate listed below:

-----BEGIN CERTIFICATE-----
MIIEODCCAyCgAwIBAgIQTarxF4sM0igkYG5sBXJbCTANBgkqhkiG9w0BAQUFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
[ deleted text]
3oq9endpvJuOLHXxNQutL7pYqrWMVa/5j32NqD6Vs9afky45BmDeEm6+bg9cWpTc
RMjSywaTYwZ7VIkTAxPMEvqFaIWAiNoXLNa8E7ZZiXum7GOUgErp5xFSGwJtVDM1
hAAPuxlKVGx4vxT3ZGlrfJvho8u1mK18NnB0pw==
-----END CERTIFICATE-----

CA Bundle is listed below:

-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQdhASihe2grs6H50amjXAkjANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf

[deleted text]
Le6/Wjv6iJx0bK8h3ZLswxXvlHUmRtamP79mSKod790n5rdRiTh9E4QMQPzQtfHg
2/lPL0ActI5HImG4TJbe8F8Rfk8R2exQRyIOxR3iZEnnaGNFOorZcfRe8W63FE0+
bxQe3FL+vN8MvSk/dvsRX2hoFQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIERTCCA66gAwIBAgIQM2VQCHmtc+IwueAdDX+skTANBgkqhkiG9w0BAQUFADCB
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
[deleted text]
Cajd1FYVLnp5MV9jllMbNNkV6k9tcMq+9oKp7dqFd8x2HGqBCiHYQZl/Xi6Cweiq
95OBBaqStB+3msAHF/XLxrRMDtdW3HEgdDjWdMbWj2uvi42gbCkLYeA=
-----END CERTIFICATE-----

Please make sure to install certificate along with the CA Bundle to the server.

Please let us know if we may be of any further assistance.


------------------
Regards,
Stacy F.
Customer Support




and here are the contents of the Makefile

Code:
[me@myserver certs]# cat Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo " o public/private key pairs"
	@echo " o SSL certificate signing requests (CSRs)"
	@echo " o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
	@echo
	@echo Examples:
	@echo " make server.key"
	@echo " make server.csr"
	@echo " make server.crt"
	@echo " make stunnel.pem"
	@echo " make genkey"
	@echo " make certreq"
	@echo " make testcert"
	@echo " make server.crt SERIAL=1"
	@echo " make stunnel.pem SERIAL=2"
	@echo " make testcert SERIAL=3"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
	cat $$PEM1 > $@ ; \
	echo "" >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -aes128 2048 > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)

TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
[me@myserver certs]#



Do you think I still don't have a private key?

Thanks a lot.


PostPosted: Mon Jun 25, 2012 5:56 am
Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
Did Thawte also send you the makefile? It shouldn't be needed.

Basically when you created the CSR that you sent to Thawte for signing, you also used your private key. Using the guide you linked, it should be this step:
Code:
cd /etc/ssl/localcerts
openssl req -new -nodes -days 365 -keyout www.mydomain.com.key -out www.mydomain.com.csr


Where www.mydomain.com.key is the private key you need to include in the configuration, along with the certificates the e-mail contained (the CA bundle and your own).


PostPosted: Mon Jun 25, 2012 12:57 pm
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Thanks again @Nuvini

I remember typing that command...

Here's what I have:

Code:
[me@myserver ~]# cd /etc/httpd/ssl
[me@myserver ssl]# ls
mydomain_com.ca-bundle  www.mydomain.com.crt  www.mydomain.com.key
mydomain_com.crt        www.mydomain.com.csr


Are these files in the wrong place?

Thanks once again..


PostPosted: Mon Jun 25, 2012 2:43 pm
Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
To get it to recognize the certificate you need to use these directives in the apache configuration (/etc/apache2/apache2.conf or the httpd.conf file)

Code:
# SSLCertificateFile is the one that contains "MIIEODCC" (from the e-mail you received).
# Apache does not allow a comment on the same line as a directive, so keep comments on their own lines.
SSLCertificateFile /etc/httpd/ssl/<crt file>.crt
SSLCertificateKeyFile /etc/httpd/ssl/www.mydomain.com.key
SSLCACertificateFile /etc/httpd/ssl/mydomain_com.ca-bundle


You might need to play around a bit with the exact file names since the ones in your latest post have slightly different names than the ones in your post earlier.


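An added example, not the configuration from this thread: a complete Apache 2.2 / mod_ssl virtual host for the CentOS 6 layout discussed above. The file names under /etc/httpd/ssl are taken from the `ls` output earlier in the thread; which of the two .crt files holds the Thawte-issued certificate (the PEM block beginning MIIEODCC) is an assumption here, so check it with `openssl x509 -in FILE -noout -subject -issuer` first. Two caveats a practitioner would want: Apache's documentation puts the intermediate certificates in SSLCertificateChainFile, while SSLCACertificateFile is documented for client-certificate verification (many CA guides point it at the bundle and it often works, but the chain directive is the reliable choice); and the stock /etc/httpd/conf.d/ssl.conf that the mod_ssl package installs already carries LoadModule ssl_module and Listen 443 (the "module ssl_module is already loaded" warning later in the thread is exactly that), so those two lines do not belong in httpd.conf as well.

```apache
# Added example (not the thread's httpd.conf): Apache 2.2 TLS virtual host on CentOS 6.
# LoadModule ssl_module modules/mod_ssl.so and Listen 443 come from
# /etc/httpd/conf.d/ssl.conf once the mod_ssl package is installed; do not repeat them.
# httpd.conf does not accept trailing comments, so every comment is on its own line.

NameVirtualHost *:443

<VirtualHost *:443>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    ServerAdmin webmaster@mydomain.com
    DocumentRoot /var/www/vhosts/mydomain.com/httpdocs/

    SSLEngine on
    # The certificate Thawte issued for the site (the "MIIEODCC" block in the
    # registrar's e-mail). Assumed here to be mydomain_com.crt; verify with openssl x509.
    SSLCertificateFile /etc/httpd/ssl/mydomain_com.crt
    # The unencrypted key written by "openssl req -new -nodes ..." when the CSR was made.
    # Keep it mode 0600, owned by root; httpd reads it as root before dropping privileges.
    SSLCertificateKeyFile /etc/httpd/ssl/www.mydomain.com.key
    # The intermediate certificates from the "CA Bundle" part of the e-mail.
    SSLCertificateChainFile /etc/httpd/ssl/mydomain_com.ca-bundle

    <Directory /var/www/vhosts/mydomain.com/httpdocs/>
        AllowOverride All
    </Directory>
</VirtualHost>
```

After editing, `apachectl configtest` catches directive typos and a missing module, but not a wrong file; `openssl s_client -connect mydomain.com:443 -servername mydomain.com` from another host shows the chain the server actually sends.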
PostPosted: Mon Jun 25, 2012 7:18 pm
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Hi @Nuvini

I'm stuck.

I included the lines in my virtual host declaration, but got:
Code:
Failed to start apache :
Starting httpd: Syntax error on line 1050 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
[FAILED]


...and

Code:
[me@myserver /]# apachectl configtest
Syntax error on line 1048 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by a module not included in the server configuration
[me@myserver /]#


(when I commented out the SSLEngine directive)

Why are the SSL directives not being recognized?
I know I have mod_ssl installed as I had followed the instructions in the tutorial I had referenced earlier.

I had done..
Code:
yum install openssl
mkdir /etc/ssl/localcerts


Can you please help spot what's wrong here?


PostPosted: Mon Jun 25, 2012 8:02 pm
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
If it'll help, here's what my virtual host block looks like (and it's similar to my other virtual host blocks, except for the SSL directives):

Quote:
#<VirtualHost *:443>
ServerAdmin webmaster@mydomain.com
DocumentRoot /var/www/vhosts/mydomain.com/httpdocs/
ServerName mydomain.com
ServerAlias www.mydomain.com
<Directory /var/www/vhosts/mydomain.com/httpdocs/>
AllowOverride all
</Directory>

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/www.mydomain.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/www.mydomain.com.key
SSLCACertificateFile /etc/httpd/ssl/mydomain_com.ca-bundle
SSLLogLevel warn
</VirtualHost>


Very many thanks.


PostPosted: Tue Jun 26, 2012 4:00 am
Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
You need to uncomment:
"#<VirtualHost *:443>"

Have you loaded the SSL module? I believe you have to include "LoadModule ssl_module modules/mod_ssl.so" in the config.


PostPosted: Tue Jun 26, 2012 4:44 am
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Thanks @Nuvini

I just tried that now...
Code:
[me@myserver /]# apachectl configtest
httpd: Syntax error on line 216 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory


I'm getting a new set of errors

:(


PostPosted: Tue Jun 26, 2012 4:48 am
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
I just checked; there is no mod_ssl.so in the /etc/httpd/modules/ folder.
There are a whole lot of other mod_* files in there, but no mod_ssl.

Code:
[me@myserver modules]# ls
libphp5.so              mod_cgid.so          mod_mime.so
mod_actions.so          mod_cgi.so           mod_negotiation.so
mod_alias.so            mod_dav_fs.so        mod_proxy_ajp.so
mod_asis.so             mod_dav.so           mod_proxy_balancer.so
mod_auth_basic.so       mod_dbd.so           mod_proxy_connect.so
mod_auth_digest.so      mod_deflate.so       mod_proxy_ftp.so
mod_authn_alias.so      mod_dir.so           mod_proxy_http.so
mod_authn_anon.so       mod_disk_cache.so    mod_proxy_scgi.so
mod_authn_dbd.so        mod_dumpio.so        mod_proxy.so
mod_authn_dbm.so        mod_env.so           mod_reqtimeout.so
mod_authn_default.so    mod_expires.so       mod_rewrite.so
mod_authn_file.so       mod_ext_filter.so    mod_setenvif.so
mod_authnz_ldap.so      mod_filter.so        mod_speling.so
mod_authz_dbm.so        mod_headers.so       mod_status.so
mod_authz_default.so    mod_ident.so         mod_substitute.so
mod_authz_groupfile.so  mod_include.so       mod_suexec.so
mod_authz_host.so       mod_info.so          mod_unique_id.so
mod_authz_owner.so      mod_ldap.so          mod_userdir.so
mod_authz_user.so       mod_log_config.so    mod_usertrack.so
mod_autoindex.so        mod_log_forensic.so  mod_version.so
mod_cache.so            mod_logio.so         mod_vhost_alias.so


How can I correct this?


PostPosted: Tue Jun 26, 2012 4:53 am
Joined: Fri Dec 10, 2010 6:21 am
Posts: 144
I feel like Cap'n Obvious, but did you install the actual mod_ssl package?


PostPosted: Tue Jun 26, 2012 4:58 am
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Thanks @hawk7000

Yes, I did.

I just tried again, just to be sure and here's what I got:

Code:

[me@myserver modules]# yum install openssl
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: mirrors.coreix.net
 * epel: mirror01.th.ifl.net
 * extras: mirrors.coreix.net
 * updates: mirrors.coreix.net
66 packages excluded due to repository priority protections
Setting up Install Process
Package openssl-1.0.0-20.el6_2.5.i686 already installed and latest version
Nothing to do


Or is there supposed to be another step I missed after installing OpenSSL?


PostPosted: Tue Jun 26, 2012 5:03 am
Joined: Fri Dec 10, 2010 6:21 am
Posts: 144
"openssl" != "mod_ssl"


PostPosted: Tue Jun 26, 2012 5:26 am
Joined: Thu Apr 12, 2012 6:26 am
Posts: 62
Thanks @hawk7000

I really didn't know that.

So, I had mod_ssl installed by doing: # yum install mod_ssl

It installed successfully.

Then I did this:
Code:
[me@myserver ssl]# apachectl configtest
[Tue Jun 26 10:19:13 2012] [warn] module ssl_module is already loaded, skipping
Syntax OK
[root@kuiperserver1 ssl]#

So thinking everything was OK, I went on to restart Apache, but got

Code:
Failed to start apache :
Starting httpd: [Tue Jun 26 10:19:41 2012] [warn] module ssl_module is already loaded, skipping
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server myserver:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped
[FAILED]


Do you have an idea of what's wrong now?


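As an added example (not from the thread), a diagnostic for the start-up failure in the last post. mod_ssl opens every SSLCertificateKeyFile while httpd starts, before any request is served; a path that does not exist, or a key protected by a pass phrase, stops the server right there, and the "Pass Phrase Dialog" banner appears whenever a key cannot be loaded silently. Note that the stock Makefile quoted earlier generates encrypted keys (`openssl genrsa -aes128`), whereas the CSR step in Linode's guide uses `-nodes`, which writes an unencrypted key; and on CentOS 6 the ssl.conf installed with the mod_ssl package defines its own `_default_:443` host with a SSLCertificateKeyFile under /etc/pki/tls/private, which must exist too. The script below classifies each key referenced by a set of config files and shows how to strip a pass phrase from a key that has one. The config files, key files and the pass phrase "demo-only" are constructed for the demo; none of them are the poster's.

```shell
#!/bin/sh
# Added example, not from the thread: find out which SSLCertificateKeyFile
# would make mod_ssl stop at start-up (missing, unreadable, or pass-phrase protected).
set -eu

# key_state FILE: "missing", "encrypted", "ok" or "unreadable".
key_state() {
    if [ ! -r "$1" ]; then
        echo missing
    elif grep -q ENCRYPTED "$1"; then
        # Traditional PEM says "Proc-Type: 4,ENCRYPTED"; PKCS#8 says "BEGIN ENCRYPTED PRIVATE KEY".
        echo encrypted
    elif openssl pkey -in "$1" -noout </dev/null >/dev/null 2>&1; then
        # Parses with no pass phrase on stdin: this is what httpd needs.
        echo ok
    else
        echo unreadable
    fi
}

# ssl_key_files CONF...: every path given to SSLCertificateKeyFile in the files
# (on CentOS: /etc/httpd/conf/httpd.conf plus /etc/httpd/conf.d/*.conf).
ssl_key_files() {
    awk '$1 == "SSLCertificateKeyFile" { print $2 }' "$@"
}

# check_ssl_keys CONF...: print "<path> <state>" per directive; exit 1 if any
# key would not load without a pass phrase.
check_ssl_keys() {
    rc=0
    for key in $(ssl_key_files "$@"); do
        state=$(key_state "$key")
        echo "$key $state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# strip_passphrase IN OUT PASS: write an unencrypted copy of a pass-phrase
# protected key, readable by the owner only, so httpd can start unattended.
strip_passphrase() {
    (umask 077; openssl rsa -in "$1" -passin "pass:$3" -out "$2" >/dev/null 2>&1)
}

# --- constructed demo: two keys and two config fragments -----------------------
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/plain.key" 2048 >/dev/null 2>&1
openssl genrsa -aes128 -passout pass:demo-only -out "$demo_dir/locked.key" 2048 >/dev/null 2>&1

cat > "$demo_dir/good.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile $demo_dir/plain.key
</VirtualHost>
EOF

# Same shape as a vhost plus the package's _default_:443 host pointing at a key
# that is not there.
cat > "$demo_dir/bad.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile $demo_dir/locked.key
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateKeyFile $demo_dir/does-not-exist.key
</VirtualHost>
EOF

echo "== good.conf"; check_ssl_keys "$demo_dir/good.conf" || true
echo "== bad.conf";  check_ssl_keys "$demo_dir/bad.conf"  || echo "httpd would not start"

# Repair for the encrypted case: an unencrypted copy.
strip_passphrase "$demo_dir/locked.key" "$demo_dir/unlocked.key" demo-only
echo "unlocked.key: $(key_state "$demo_dir/unlocked.key")"
```

On the server, run `check_ssl_keys /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf` as root; every line must end in "ok" before `service httpd restart` will come up on its own after a reboot.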