125 lines
4.9 KiB
HTML
125 lines
4.9 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Building a Secure RedHat Apache Server HOWTO: Troubleshooting</TITLE>
|
|
<LINK HREF="SSL-RedHat-HOWTO-6.html" REL=next>
|
|
<LINK HREF="SSL-RedHat-HOWTO-4.html" REL=previous>
|
|
<LINK HREF="SSL-RedHat-HOWTO.html#toc5" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="SSL-RedHat-HOWTO-6.html">Next</A>
|
|
<A HREF="SSL-RedHat-HOWTO-4.html">Previous</A>
|
|
<A HREF="SSL-RedHat-HOWTO.html#toc5">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s5">5. Troubleshooting</A></H2>
|
|
|
|
<P>Here are some common problems that may arise.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss5.1">5.1 Server Appears to start, but you cannot access the secure site</A>
|
|
</H2>
|
|
|
|
<P>Check the <CODE>error_log</CODE> file. If you did not set your virtual
|
|
host to write to an error log, you may want to reconsider. The
|
|
example SSL virtual host writes to an error log file. Most likely
|
|
you will have a few warnings and an error at the end of the log that
|
|
basically say that the private key does not match the certificate.
|
|
<P>
|
|
<P>Example:
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
[Tue Nov 21 09:09:02 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
|
|
OpenSSL/0.9.6 configured -- resuming normal operations
|
|
[Tue Nov 21 09:09:16 2000] [notice] caught SIGTERM, shutting down
|
|
[Tue Nov 21 14:39:54 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
|
|
OpenSSL/0.9.6 configured -- resuming normal operations
|
|
[Tue Nov 21 14:40:31 2000] [notice] caught SIGTERM, shutting down
|
|
[Tue Nov 21 14:43:53 2000] [error] mod_ssl: Init: (esi.fin.equifax.com:443)
|
|
Unable to configure RSA server private key (OpenSSL library error follows)
|
|
[Tue Nov 21 14:43:53 2000] [error] OpenSSL: error:0B080074:x509 certificate
|
|
routines:X509_check_private_key:key values mismatch
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<P>If you get the error messages above, chances are the key and certificate do
|
|
not match. Make sure you aren't using the default <CODE>server.key</CODE> file. You
|
|
should also check the <CODE>httpd.conf</CODE> file to make sure that the directives are
|
|
pointing to the correct private key and certificate.
|
|
<P>
|
|
<P>You can check to make sure that you your private key and certificate are in
|
|
the correct format and match each other. To do this, give the commands
|
|
below to decrypt the private key in one terminal window and decrypt the
|
|
certificate in the other. What you will be comparing are the Modulus and
|
|
the Exponent of each key. If the modulus and exponent from the key matches
|
|
the set from the certificate, you have just confirmed that your certificate
|
|
and key are correctly paired.
|
|
<P>
|
|
<P>If all else fails, create a new private key, CSR or self-signed
|
|
certificate. Before you do this, check your CA's re-issue policy. You may
|
|
be charged for a re-issue.
|
|
<P>
|
|
<P>To view the contents of the certificate:
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
openssl x509 -noout -text -in filename.crt
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<P>To view the contents of the private key:
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
openssl rsa -noout -text -in filename.key
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss5.2">5.2 Certificate Name Check Warning is issued by the client's browser</A>
|
|
</H2>
|
|
|
|
<P>The most common cause for this is omitting the "www" at the beginning of the
|
|
domain name when creating the CSR. The name defined by the "ServerName"
|
|
directive for that virtual host must match the domain name presented by the
|
|
certificate exactly or the browser will let the client know. The exception
|
|
is a wild card certificate. A wild card certificate's domain name field
|
|
would look like *.somedomain.com. This enables you to use one certificate
|
|
for any number of sub-domains of somedomain.com (e.g. host1.somedomain.com
|
|
and host2.somedomain.com).
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss5.3">5.3 Certificate was Signed by an Untrusted Certificate Authority Warning</A>
|
|
is issued by the client's browser</H2>
|
|
|
|
<P>If you are using a self-signed certificate, you will get this warning. Your
|
|
clients will be given the option to trust your certificate or not. If you
|
|
have a CA signed certificate and are getting the untrusted warning, you
|
|
probably need to install their intermediate (root) certificate.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss5.4">5.4 SSLEngine on is an un-recognized command (when starting Apache)</A>
|
|
</H2>
|
|
|
|
<P>This error message is issued if you do not have ModSSL compiled with
|
|
Apache. Some SSL packages use a different directive to start SSL within a
|
|
virtual host. If you are using a package that does use a different
|
|
directive, you will also receive this error message.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss5.5">5.5 You have forgotten your "PEM Passphrase" and you would like to know</A>
|
|
how to reset it</H2>
|
|
|
|
<P>There is no way to reset this passphrase. The only solution is to remember
|
|
the passphrase or create a new private key. You will then need to obtain a
|
|
new certificate or create a new self-signed certificate.
|
|
<P>
|
|
<P>
|
|
<HR>
|
|
<A HREF="SSL-RedHat-HOWTO-6.html">Next</A>
|
|
<A HREF="SSL-RedHat-HOWTO-4.html">Previous</A>
|
|
<A HREF="SSL-RedHat-HOWTO.html#toc5">Contents</A>
|
|
</BODY>
|
|
</HTML>
|