DeveloperSide.NET Forums
Author Topic: SSL: The provided certificate does not match the private key  (Read 11787 times)
eirick
« on: July 28, 2004, 10:21:54 PM »

Hi,

I keep getting an error message regarding an invalid certificate whenever I start apache... The thing is, it was working perfectly last week.
So here's roughly the chain of events that took place up until present time.

- Bought a valid certificate

- Installed the cert onto the server

- Had an encrypted and non-encrypted version of the key

- Used the encrypted version first, but then realized that apache wouldn't start without the password so I switched to the non-encrypted key.

- SSL worked perfectly for a time

- I upgraded our php

- Then I had to install curl for use with php

- Curl needed a newer version of openssl than the one we were using so I decided to take the opportunity to upgrade the openssl software too.

- It was around this time that I noticed our https site was now refusing connections

- I tried the password protected key now and found that I was suddenly getting an "encrypted keys are not allowed on cobalt servers" type error, where before when I was using the encrypted key it was working fine, but merely asked for the key password before apache would start.

- So then I tried using a number of backup copies of the key/certificate with similar "invalid certificate" results.

- I tried using self signed certificates, both manually generated and generated by the cobalt server management system. Both gave me the "4999 The provided certificate does not match the private key" error.

- I tried downgrading our openssl software, but to no avail.

- I tried downloading the sources to apache_1.3.20 and mod_ssl-2.8.4-1.3.20, patched the apache source tree with the mod_ssl, built the apache with mod_ssl as a DSO, grabbed the new libssl.so file and replaced the existing libssl.so being used by apache with this new one. This didn't work either.

Here's the error when I start apache (The apache error log gives the same error):

$ /etc/rc.d/init.d/httpd start
Setting up Web Service: Site site155 has invalid certificate: 4999 The provided certificate does not match the private key.
chiliasp: module started, version 3.5.2.31
/usr/sbin/httpd

Software Versions:
the machine is a cobalt raq4
Apache 1.3.20
Openssl 0.9.7d xor 0.9.6j
mod_ssl unsure. probably mod_ssl-2.8.4-1.3.20

The key and certificate are at
/home/sites/site155/certs/key
/home/sites/site155/certs/certificate

I double checked that these are being read by deleting them, restarting apache, noting the error, replacing them with backups, restarting apache, and noting the different error.


Anybody know what's going on here? Did I screw up the mod_ssl by installing a new version of openssl?
admin
« Reply #1 on: July 29, 2004, 12:53:50 AM »

Have you tried setting LogLevel to "debug" and looking at error_log?

Have you installed everything from RPMs or did you do your own builds?

Just from a quick glance, I would try to rule out that you have all the config files updated with all the new paths for certs, locations of binaries and libs, etc...

And you can 'ldd httpd' (under that dir) to see which openssl libs it is linking against.

You might also try running 'ldconfig' to update the run-time linker.

DeveloperSide.NET
Advanced PHP and MySQL Solutions for your Web Design and Development needs with Web.Developer Server Suite.
eirick
« Reply #2 on: July 29, 2004, 03:01:54 AM »

Quote
Have you tried setting LogLevel to "debug" and looking at error_log?

Tried that suggestion, and I only got this tantalizing tidbit in the error logs:

Invalid certificates for main site -- Not starting SSL
Site site155 has invalid certificate: 4999 The provided certificate does not match the private key.


Quote
Have you installed everything from RPMs or did you do your own builds?

Apache was already installed using RPMs when I came on but everything else I built from source.  Perhaps something broke when I uninstalled the openssl RPMs to do a custom build.

[]$ rpm -qa | grep apache
apache-admsrv-1.3.20-RaQ4_1C8stackguard
apache-icons-pacifica-1
apache-conf-shinkansen-4
apache-1.3.20-RaQ4_1C8stackguard
apache-devel-1.3.20-RaQ4_1C8stackguard
apache-mod_perl-1.3.20-RaQ4_1C8stackguard

Quote
Just from a quick glance, I would try to rule out that you have all the config files updated with all the new paths for certs, locations of binaries and libs, etc...

I've sifted through the config files pretty thoroughly and everything is as it should be.  I'll look again though... you can't go through config files too many times...

Quote
And you can 'ldd httpd' (under that dir) to see which openssl libs it is linking against.


Here's what I get when I ldd httpd.  I've never used it before but I assume I'm using it correctly?

[]$ ldd /usr/sbin/httpd
        libpam.so.0 => /lib/libpam.so.0 (0x40019000)
        libdl.so.2 => /lib/libdl.so.2 (0x40021000)
        libm.so.6 => /lib/libm.so.6 (0x40025000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40042000)
        libdb.so.3 => /lib/libdb.so.3 (0x40071000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x400ab000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x400c1000)
        libc.so.6 => /lib/libc.so.6 (0x400c7000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)


Quote
You might also try running 'ldconfig' to update the run-time linker.

Did this, but there was no effect.

I'm starting to think that maybe I was a bit too hasty in taking out those openssl rpms to build my own.  I guess I could try to reinstall them that way...
Or how would I go about getting the same result without using rpms... I'd like to avoid them if at all possible, but it doesn't seem to be taking to the builds too well.
Thanks for your response!  I think I've made some headway..
admin
« Reply #3 on: July 29, 2004, 03:52:27 PM »

You could always just shut down your Apache 1.3, and install from source OpenSSL 0.9.7d, Apache 2.0.50 and mod_ssl...  everything under /usr/local/ so it does not interfere with what you already have installed natively.
http://www.devside.net

You might also want to 'ls -al' /lib to see what libcrypt.so.1 points to.

DeveloperSide.NET
Advanced PHP and MySQL Solutions for your Web Design and Development needs with Web.Developer Server Suite.
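
Whether a certificate and a private key belong to the same key pair, which is what the error in this thread is about, can be checked with the openssl command-line tool alone, independent of Apache, mod_ssl and the server management scripts. The following is an added example, not posted by anyone in the thread: the function names and return codes are assumptions of this sketch, it assumes RSA keys in PEM format, and the sample pair it can generate is constructed test data.

```shell
#!/bin/sh
# Added example: compare the RSA modulus of a PEM certificate with the
# modulus of a PEM private key. Equal moduli mean the two files belong
# to the same key pair.
#
# Return codes (chosen for this sketch):
#   0  certificate and key match
#   1  both parsed, but they belong to different key pairs
#   2  key file is passphrase-protected (openssl would stop and prompt)
#   3  a file is missing, unreadable, or not a PEM RSA certificate/key

cert_matches_key() {
    cert=$1
    key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 3

    # Both the traditional ("Proc-Type: 4,ENCRYPTED") and the PKCS#8
    # ("BEGIN ENCRYPTED PRIVATE KEY") encrypted forms contain this word.
    if grep -q 'ENCRYPTED' "$key"; then
        return 2
    fi

    # Capture each modulus separately so a parse failure is reported as
    # such instead of being compared as an empty string.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || return 3
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 3

    case $cert_mod in
        Modulus=*) ;;
        *) return 3 ;;
    esac

    [ "$cert_mod" = "$key_mod" ]
}

# Constructed test data: write a throwaway self-signed certificate and an
# unencrypted key as DIR/NAME.crt and DIR/NAME.key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}
```

For the files named in the first post, the call would be `cert_matches_key /home/sites/site155/certs/certificate /home/sites/site155/certs/key`, run with whichever `openssl` binary is first in `PATH` after the upgrade.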