New cert/key from letsencrypt not accepted by Apache

Maturity
Posts: 6
Joined: 2019/01/10 01:53:40

Post by Maturity » 2019/01/10 14:05:41

This is on a current CentOS 6.10 machine. We have been using the certs from letsencrypt.org with auto-renewal via certbot, and all was fine; the certificate and private key were working perfectly. Now, due to a policy change, we can't use certbot any longer and have switched to dehydrate. This retrieves a certificate and private key just fine, but for some reason Apache is choking on them. Every test that we can find seems to show that the certificate and private key are matching and good. The only thing I see is that the private key contains about 2x the encoded content it did before. Any thoughts about why Apache may be rejecting the private key with:

Code:

[Thu Jan 10 08:56:31 2019] [error] Init: Private key not found
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Jan 10 08:56:31 2019] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
And yes, the configuration and permissions are correct for the certificate and private key. I am guessing that there is more content in the private key file and that Apache is just looking for something at the start of it and not finding what it wants.

Thank you for any advice.
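An added example, not from the original post and not part of certbot or dehydrated: a small offline checker for a PEM key file of the kind Apache's SSLCertificateKeyFile points at. It lists every PEM block in the file, flags anything concatenated into what should be just the key, and checks that each key block's label (RSA PRIVATE KEY, PRIVATE KEY, EC PRIVATE KEY) matches the DER layout inside it. OpenSSL's PEM_read_bio_PrivateKey picks its decoder from that label, so a PKCS#8 body behind a PKCS#1 "RSA PRIVATE KEY" label is one way to get ASN.1 "wrong tag" errors of the kind shown above; whether that was the case here is not known from the thread. The sample inputs are constructed toy DER structures using textbook RSA numbers, not real keys, and the classification rules are the PKCS#1, PKCS#8 and SEC1 layouts.

```python
import base64
import re

# --- Tiny DER encoder, used only to build the constructed sample inputs below ---
def _der(tag, body):
    """Encode one DER TLV (tag, length, value)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(value):
    # one spare length byte keeps the top bit clear, so the INTEGER stays positive
    return _der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def _pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# --- Minimal DER reader for the checks ---
def _tlv(buf, off):
    """Decode one TLV at buf[off:]; return (tag, value, offset after it)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n

def _child_tags(der_bytes):
    """Tags of the elements inside the outer SEQUENCE, or None if it is not one."""
    tag, body, _ = _tlv(der_bytes, 0)
    if tag != 0x30:
        return None
    tags, off = [], 0
    while off < len(body):
        t, _, off = _tlv(body, off)
        tags.append(t)
    return tags

def classify_der(der_bytes):
    """Identify the key encoding from structure alone (no crypto):
    PKCS#1 RSAPrivateKey = SEQ{9 INTEGERs}; PKCS#8 PrivateKeyInfo = SEQ{INT, SEQ, OCTET STRING};
    SEC1 ECPrivateKey = SEQ{INT, OCTET STRING, ...}."""
    try:
        tags = _child_tags(der_bytes)
    except (IndexError, ValueError):
        return "undecodable"
    if not tags or tags[0] != 0x02:
        return "undecodable"
    if len(tags) >= 9 and all(t == 0x02 for t in tags[:9]):
        return "pkcs1-rsa"
    if tags[1:3] == [0x30, 0x04]:
        return "pkcs8"
    if len(tags) >= 2 and tags[1] == 0x04:
        return "sec1-ec"
    return "unknown"

# PEM label -> the DER layout OpenSSL's PEM_read_bio_PrivateKey tries for that label
EXPECTED = {"RSA PRIVATE KEY": "pkcs1-rsa", "PRIVATE KEY": "pkcs8", "EC PRIVATE KEY": "sec1-ec"}
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Every PEM block as (label, der_bytes); der_bytes is None when the base64 is bad."""
    out = []
    for m in _PEM_RE.finditer(text):
        try:
            out.append((m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)))
        except ValueError:
            out.append((m.group(1), None))
    return out

def check_key_file(text):
    """Findings about a key file; an empty list means one well-labelled private key and nothing else."""
    findings = []
    blocks = pem_blocks(text)
    labels = [l for l, _ in blocks]
    keys = [(l, d) for l, d in blocks if l in EXPECTED]
    if not keys:
        return [f"no private-key PEM block found (labels present: {labels})"]
    if len(blocks) > 1:
        findings.append(f"file holds {len(blocks)} PEM blocks, expected just the key (labels: {labels})")
    for label, der_bytes in keys:
        if der_bytes is None:
            findings.append(f"{label}: body is not valid base64")
            continue
        kind = classify_der(der_bytes)
        if kind != EXPECTED[label]:
            findings.append(f"{label}: label implies {EXPECTED[label]} but DER body looks like {kind}")
    return findings

# --- Constructed samples: toy numbers (n=61*53, e=17, d=2753), NOT real keys ---
_RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
_TOY_PKCS1 = _der(0x30, _der_int(0) + b"".join(_der_int(v) for v in (3233, 17, 2753, 61, 53, 53, 49, 38)))
_TOY_PKCS8 = _der(0x30, _der_int(0) + _der(0x30, _RSA_OID + b"\x05\x00") + _der(0x04, _TOY_PKCS1))
_TOY_CERT = _der(0x30, _der(0x30, _der_int(2)) + _der(0x30, _RSA_OID + b"\x05\x00") + _der(0x03, b"\x00\x01"))

SAMPLE_GOOD = _pem("RSA PRIVATE KEY", _TOY_PKCS1)
SAMPLE_PKCS8 = _pem("PRIVATE KEY", _TOY_PKCS8)
SAMPLE_MISLABELED = _pem("RSA PRIVATE KEY", _TOY_PKCS8)      # PKCS#8 body behind a PKCS#1 label
SAMPLE_KEY_PLUS_CERT = SAMPLE_GOOD + _pem("CERTIFICATE", _TOY_CERT)
SAMPLE_CERT_ONLY = _pem("CERTIFICATE", _TOY_CERT)

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("pkcs8", SAMPLE_PKCS8), ("mislabeled", SAMPLE_MISLABELED),
                         ("key+cert", SAMPLE_KEY_PLUS_CERT), ("cert only", SAMPLE_CERT_ONLY)]:
        print(name, "->", check_key_file(sample) or ["ok"])
```

To use it on a real file, read the file with `open(path).read()` and pass the text to `check_key_file`. It deliberately does not check ownership, mode or the SELinux label, which are the other things to verify when httpd reports that it cannot find the key.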

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New cert/key from letsencrypt not accepted by Apache

Post by TrevorH » 2019/01/10 16:07:30

I think you may be misinterpreting that output. The first line says it cannot find the private key. The other lines are almost certainly a result of not being able to decode the cert data due to the lack of the private key.

Check that the private key file really exists. Check that its ownership and Linux permissions allow the httpd daemon to read it. Check the output from aureport -a to see if SELinux is denying httpd access to the file due to an incorrect label (restorecon would fix it).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Maturity
Posts: 6
Joined: 2019/01/10 01:53:40

Re: New cert/key from letsencrypt not accepted by Apache

Post by Maturity » 2019/01/10 22:43:21

Well, I have to say that it is resolved, but I don't 100% understand what the problem was. That is to say, I removed and re-applied all the changes to move to the new cert/key set, set the permissions to 777 then back to 744 because I didn't want it being too open, and then restarted httpd and it came up fine. So I can only imagine that it was a typo somewhere?

Thanks for looking at this issue; your help and comments were greatly appreciated.
