SSL library error: encoding routines

How do I configure HTTPS in Apache with my own certificate for a domain?

I bought an SSL certificate for my domain and can't get HTTPS configured in Apache. It gives this error:

[Wed Jan 23 01:56:42 2013] [error] Init: Private key not found
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 23 01:56:42 2013] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

There are 4 certificate files:

AddTrustExternalCARoot.crt
key.txt
domaine_com.crt
PositiveSSLCA2.crt

All of them are text files in the format:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

I've tried configuring it every way I can think of, and it always gives the same error. I can't figure out how to set it up, please help.


SSL Error — unable to read server certificate from file

I’ve been setting up SSL for my domain today, and have struck another issue — I was hoping someone could shed some light on it.

I keep receiving the following error messages:

I’m running Apache 2.2.16 and Ubuntu 10.10. My .crt file has the Begin and End tags, and has been copied exactly from the confirmation email I received, very frustrating!

Edit >> When trying to verify the .crt It doesn’t seem to work:

Edit>> (Cheers for the help by the way)

Just emailed the company providing the Certificate, they responded>

I have checked the CSR file that you have provided and I can assure that this was correctly generated. The error that you are currently encountering is caused because you are using a wrong command line for installing the CSR. You will need to modify this domain.com.crt from your command line with the according name of your domain.

  • currently the crt is set up to mysite.com.crt — I’ve used domain.com.crt as an example

16 Answers

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you’ve got a file in Windows line-terminated format, and apache doesn’t love those.


Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you’re careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don’t cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.


SSL not working with Apache on Windows

I am using a product from a vendor that has to use Apache on Windows.

We have our own CA.

For naming purposes:

AppServer — Server2012r2 — Apache 2.4

I created the CSR on the AppServer using the two commands below.

That all goes fine

Then on the CA server

Request a certificate

advanced certificate request.

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Open the CSR on the AppServer and paste the CSR info in the box

Template Web Server (10 Years)

Here I get two Choices

DER encoded or Base 64 encoded

No matter which one I select, it downloads a .cer and a .p7b file

I did the same steps on the OldCertsha1 server and I get the same results

When I edit the httpd-ssl.conf file, add the following and restart the Apache2.4 service

I get the following errors, different errors for different types from the choices above (DER encoded or Base 64 encoded):

Base 64 encoded:

I read a couple articles saying CER and CRT files are interchangeable just rename them.

If I rename the cer to crt and update httpd-ssl.conf then I get a lot of errors in the logs about 100 of these:

Now the vendor put server.crt, server.cre, server.csr and server.key file that they loaded when the box was delivered; if I change the two lines in the httpd-ssl.conf back to what they had, it will restart fine and everything works, but I get the SSL warning

Can someone tell me what I might be doing wrong, if you need to see the configs just ask I will put them up.

Update:

I took their server.csr and opened the CertSrv page on both OldCertsha1 and NewCertsha2. When I used the Web Server Web Server (10 year) template I got an error:

So then I tried the Web Server (5 year), same error; then I tried the (Web Server), didn't get an error, and downloaded both the DER encoded or Base 64 encoded cer and p7b files.

Changed the Base 64 encoded server.cer to server.crt, renamed the old server.crt to server1.crt and restarted Apache.

No error, worked perfectly.

Why? What did I do wrong from the beginning?

This was my first time working with SSL and Apache and using my own CA, what did I do wrong? The only thing I can think of is that I used the Web Server (10 year) template, but that really doesn't make sense to me.

If I view both crt files, they both have the same info

The certificate is intended for the following purposes

  • Ensure the identity of a remote computer

Issued to: name.sub.domain.com

Issued by: OldCertsha1

The only real difference from the General tab is how long they are valid: the crt from my csr is valid for 10 years, the crt from their csr is valid for 2 years.

I will take a deeper look into the other parts of the SSL and see if I can find differences tomorrow.


Error when trying to start Apache after installing SSL cert

I am trying to install an SSL certificate, and I get the following errors:

Here’s the process I followed:

I generated my private key with:

I created the CSR with:

I provided the CSR to our IT department, and they returned a crt — it starts with

My ssl.conf has (my.example.com matches the Common name used during the generation of the CSR):

I do not have SSLCertificateChainFile or SSLCACertificate file set.

The private key starts with

The csr starts with

I have verified that both:

produce the same output. I cannot figure out how to verify the crt — trying both x509 and rsa produce an error.

Should this process have worked? Can I verify that my.crt matches the key somehow?

3 Answers

It turns out that the cert I was provided was bad.

should have worked, but since the cert was corrupt it produced errors:

I guess I should have noticed that the lines in the block when viewing the bad cert weren’t all the same length.

You should be using the full path to those files, ie:

Update the correct paths and restart Apache to apply the changes. Post back with an updated error/message if the issue remains.

Just for the record: I had the same kind of error report and the issue was not really in the certificate, but in the configuration.

By mistake I defined the key as the certificate and the certificate as the key. The result was the same error message.

The error resulted from the fact that my reference configuration presented these items in the opposite order.

Even the example by @Brendan has this error as it references two times the certificate — both for the certificate and for the key.

So be sure to check that you are referencing the correct files in the correct parameter.
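
As an added illustration (not code from any of the posts above), a small Python lint for the failure modes these threads describe: a certificate and key referenced under the wrong directive, CRLF line endings, mangled BEGIN/END dashes, and a base64 block whose lines are not all the same length. The function names, the directive-to-label table and the sample DER bytes are constructed for this example.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# PEM labels each Apache directive is expected to point at (assumed subset).
EXPECTED = {
    "SSLCertificateFile": {"CERTIFICATE"},
    "SSLCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY",
                              "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
}

def make_pem(label, der, width=64):
    """Wrap DER bytes in PEM armour (used only to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(rows) + f"\n-----END {label}-----\n"

def lint_pem(text, directive):
    """Return the problems found in PEM `text` when loaded via `directive`."""
    m = PEM_RE.search(text)
    if not m:
        return ["no PEM block found (DER file, or BEGIN/END dashes mangled)"]
    label, body = m.group(1), m.group(2)
    problems = []
    if label not in EXPECTED[directive]:
        problems.append(f"{directive} points at a '{label}' block")
    if "\r" in text:  # tolerated by current OpenSSL, rejected by old builds
        problems.append("CRLF line endings")
    lines = body.replace("\r", "").split("\n")
    if any(len(l) != len(lines[0]) for l in lines[:-1]) or len(lines[-1]) > len(lines[0]):
        problems.append("base64 lines have uneven length")
    try:
        der = base64.b64decode("".join(lines), validate=True)
        if not der.startswith(b"\x30"):  # X.509 and key structures are SEQUENCEs
            problems.append("decoded data is not an ASN.1 SEQUENCE")
    except ValueError:
        problems.append("body is not valid base64")
    return problems

# Constructed sample: a SEQUENCE header plus filler, not a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(200)

if __name__ == "__main__":
    swapped = make_pem("CERTIFICATE", SAMPLE_DER)
    print(lint_pem(swapped, "SSLCertificateKeyFile"))
```

A clean result only means the armour is well formed; whether the certificate actually belongs to the key still has to be checked with OpenSSL.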
