Apache SSL CentOS 7 issues

johnjohnjoyride
Posts: 1
Joined: 2023/11/08 22:14:33

Apache SSL CentOS 7 issues

Post by johnjohnjoyride » 2023/11/08 22:20:45

I seem to be running round in circles with SSL issues within my Apache config. I currently have a virtual host set up like so:

    <VirtualHost *:80>
        ServerName thealternativedrumschool.com
        ProxyPass / http://79.98.30.183:8050/
        ProxyPassReverse / http://79.98.30.183:8050/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName drumschool.com

        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/drumschool.crt
        SSLCertificateKeyFile /etc/httpd/ssl/drumschool.pem

        ProxyPass / http://79.98.30.183:8050/
        ProxyPassReverse / http://79.98.30.183:8050/
    </VirtualHost>
    
This is where my SSL files are stored:

    /etc/httpd/ssl/drumschool.pem
    /etc/httpd/ssl/drumschool.key
    /etc/httpd/ssl/drumschool.crt
    /etc/httpd/ssl/bundle_drumschool.crt

I keep on getting different information about using a .pem or a .key within my virtual host, so that is one thing that is confusing me. If I download the SSL from GoDaddy for Apache, it gives me 1 x .pem, 1 x .crt and 1 x bundle.

I have generated a .key also.

My conf file is located in `/etc/httpd/sites-available/drumschool.com.conf`
(the virtual host code above is located in this .conf file).

It is currently live at this IP right now: http://79.98.30.183:8050/ (it's live and seems to be OK on the server).

I have created a symbolic link at `/etc/httpd/sites-enable/drumschool.com.conf`.

I have a file called httpd.conf located at `/etc/httpd/conf/httpd.conf`. I have included these lines at the bottom of the file:

    IncludeOptional conf.d/*.conf
    IncludeOptional sites-enabled/*.conf
    IncludeOptional sites-available/*.conf

    [root@3xv5 ~] systemctl status httpd.service
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Wed 2023-11-08 22:45:57 EET; 24min ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 5536 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
      Process: 15514 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
     Main PID: 15514 (code=exited, status=1/FAILURE)

    Nov 08 22:45:57 3xv5.c.time4vps.cloud systemd[1]: Starting The Apache HTTP Server...
    Nov 08 22:45:57 3xv5.c.time4vps.cloud systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
    Nov 08 22:45:57 3xv5.c.time4vps.cloud systemd[1]: Failed to start The Apache HTTP Server.
    Nov 08 22:45:57 3xv5.c.time4vps.cloud systemd[1]: Unit httpd.service entered failed state.
    Nov 08 22:45:57 3xv5.c.time4vps.cloud systemd[1]: httpd.service failed.

Apologies for the list of all the errors. Here is the key one I believe.

    [root@3xv5 ~]# sudo cat /var/log/httpd/error_log
    [Tue Nov 07 11:10:00.272863 2023] [suexec:notice] [pid 2831] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Nov 07 11:10:00.285995 2023] [ssl:error] [pid 2831] AH02203: Init: Private key not found
    [Tue Nov 07 11:10:00.286025 2023] [ssl:error] [pid 2831] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Tue Nov 07 11:10:00.286037 2023] [ssl:error] [pid 2831] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    [Tue Nov 07 11:10:00.286044 2023] [ssl:error] [pid 2831] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Tue Nov 07 11:10:00.286052 2023] [ssl:error] [pid 2831] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
    [Tue Nov 07 11:10:00.286061 2023] [ssl:error] [pid 2831] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    [Tue Nov 07 11:10:00.286068 2023] [ssl:error] [pid 2831] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Tue Nov 07 11:10:00.286075 2023] [ssl:error] [pid 2831] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
    [Tue Nov 07 11:10:00.286079 2023] [ssl:emerg] [pid 2831] AH02312: Fatal error initialising mod_ssl, exiting.
    [Tue Nov 07 11:14:19.033965 2023] [suexec:notice] [pid 3187] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Nov 07 11:14:19.034368 2023] [ssl:error] [pid 3187] AH02203: Init: Private key not found

So it still appears to be an SSL error with the key, but I am going round in circles. It states a mismatch?

The only good thing I seem to get is that when I use `sudo apachectl configtest` I get a Syntax OK response.

I have been bashing my head against this problem. It's a managed SSL by GoDaddy that they said they couldn't do because it's too hard... but they did go into my httpd.conf file. So part of me thinks maybe they did something there too?

It's huge, but I can send it on request.

Thanks for the help, if any.

I am very confused and lost.

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Apache SSL CentOS 7 issues

Post by TrevorH » 2023/11/09 10:43:29

The key file MUST match the certificate you are attempting to use. The certificate is created using the key, so you cannot just change the key unless you also regenerate the certificate. When you download from GoDaddy they expect that you already have the key, and it is not included in the zip file you download from them. If you have lost the key then there is a "rekey" option that you can use, which creates a new key that you need to download and save, and then re-download the certificates as they will have been re-issued using the new key.

The key and certificate MUST match.

What the file is called is arbitrary, but it's easier if you call the certificate file a .pem and the key file a .key. They must be in a location that can be read by the process when it starts up - as root. The permissions must be secure or it will refuse to use the certificate/key.

The directory /etc/httpd/sites-enabled is a Debian thing; CentOS does not use this method. You would need an include line in either /etc/httpd/conf/httpd.conf or in one of the files it already includes in /etc/httpd/conf.d (which is probably where you should put your vhost files, not in sites-enabled, which is not used).

As for why it is failing to start up, you need to read the logs, most likely /var/log/httpd/error_log, to find the cause.

Also, if you connect to http://79.98.30.183:8050/ direct then you are not hitting apache at all.
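
The following is an added worked check, not part of TrevorH's reply or of anything else in this thread. It tests the two conditions he states for the files named in the posted vhost: that the private key is the one the certificate was issued for (compared through the public key each carries, so the .pem/.key extension is irrelevant), and that the key file is readable by the root-owned httpd parent at startup but not by other users. It assumes only the openssl command-line tool and GNU coreutils (stat -c). The temp-directory file names, the CN drumschool.example and the "regenerated" key are constructed for the example and stand in for a GoDaddy-issued certificate, its original key, and a key generated later on the server.

```sh
#!/bin/sh
# Added example, not from the original thread. Needs the openssl CLI and
# GNU coreutils (stat -c). Checks the two conditions TrevorH states: the key
# must be the one the certificate was issued for, and the key file must be
# readable by httpd at startup (as root) but by nobody else.

set -eu

# SHA-256 of the DER SubjectPublicKeyInfo derived from a PEM private key.
# `openssl pkey` reads both PKCS#1 ("RSA PRIVATE KEY") and PKCS#8
# ("PRIVATE KEY") files, so what the file is called does not matter.
pubkey_fp_from_key() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint, taken from the certificate's public key.
pubkey_fp_from_cert() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the key and certificate belong together, 1 otherwise. A file that is
# not a private key at all (e.g. a certificate given as the key) also yields 1.
key_matches_cert() {
    k=$(pubkey_fp_from_key "$1") || return 1
    c=$(pubkey_fp_from_cert "$2") || return 1
    [ "$k" = "$c" ]
}

# 0 if the "other" permission bits deny read access (last octal digit 0-3).
key_not_world_readable() {
    mode=$(stat -c %a "$1")
    case "$(printf '%s' "$mode" | tail -c 1)" in
        0|1|2|3) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed fixture: a self-signed pair standing in for the issued
# certificate and its original key, plus an unrelated key generated afterwards
# (the original post mentions generating a .key next to a downloaded .crt).
# File names and the CN are invented for this example.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=drumschool.example \
        -keyout "$1/drumschool.key" -out "$1/drumschool.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/regenerated.key" 2>/dev/null
    chmod 600 "$1/drumschool.key"
    chmod 644 "$1/regenerated.key"      # deliberately too open, for the permission check
}

report() {
    if key_matches_cert "$1" "$2"; then echo "OK        $1 matches $2"
    else                                echo "MISMATCH  $1 does not match $2"; fi
    if key_not_world_readable "$1"; then echo "OK        $1 is not world-readable"
    else                                 echo "TOO OPEN  $1 is world-readable; chmod 600 it"; fi
}

main() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    report "$tmp/drumschool.key" "$tmp/drumschool.crt"
    report "$tmp/regenerated.key" "$tmp/drumschool.crt"
    rm -rf "$tmp"
}
main
```

On the server in the thread the same functions would be run against the paths the vhost actually names, i.e. `key_matches_cert /etc/httpd/ssl/drumschool.pem /etc/httpd/ssl/drumschool.crt` and again with drumschool.key in place of drumschool.pem; whichever key file matches is the one SSLCertificateKeyFile should point at, and if neither does, the certificate was issued for a key that is no longer present and a rekey is needed. Comparing public-key fingerprints rather than RSA moduli keeps the check valid for EC keys as well.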

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: Apache SSL CentOS 7 issues

Post by Whoever » 2023/11/09 21:23:23

Trevor has given you a lot of good information that you should take note of.

I would like to add that the error message `ASN1_CHECK_TLEN:wrong tag` appears to be associated with a problem with the format of a PEM file. This suggests to me that either one or more of your files is corrupted, or you are using one of the SSL directives to read in the wrong file.
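
The following is an added example, not part of Whoever's reply or of the thread. It turns the two possibilities named above (a corrupted file, or a directive pointed at the wrong file) into a check that can be run over /etc/httpd/ssl: for each file it reports the PEM labels present and what openssl can actually parse the contents as. It separates a label/content mismatch (valid ASN.1 wrapped in the wrong BEGIN/END label, which is what makes the RSA key decoder hit the wrong tag) from a truncated or corrupt file and from a file that is not PEM at all. It assumes only the openssl CLI and POSIX tools; because the exact error strings differ between the OpenSSL 1.0.2 on CentOS 7 and later releases, it asks openssl to parse rather than matching error text. The fixture files (good.key, good.crt, chain.crt, mislabeled.key, truncated.key, good.der) and the CN are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original thread; needs only the openssl CLI and
# POSIX tools. Reports what a file handed to SSLCertificateFile or
# SSLCertificateKeyFile actually contains, separating a label/content mismatch
# (the ASN1_CHECK_TLEN:wrong tag family of errors) from a truncated or corrupt
# file and from a file that is not PEM at all.

set -eu

# List the BEGIN labels in a file, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | paste -sd, -
}

# Print one word: no-pem-armor, encrypted-private-key, private-key,
# certificate, certificate-chain, csr, mislabeled or corrupt.
classify_pem() {
    file=$1
    if ! grep -q -- '-----BEGIN ' "$file"; then
        echo no-pem-armor                # DER or garbage; mod_ssl's directives expect PEM
        return 0
    fi
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$file"; then
        echo encrypted-private-key       # httpd would need the passphrase at startup
        return 0
    fi
    if openssl pkey -in "$file" -noout 2>/dev/null; then
        echo private-key
    elif openssl x509 -in "$file" -noout 2>/dev/null; then
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
        if [ "$n" -gt 1 ]; then echo certificate-chain; else echo certificate; fi
    elif openssl req -in "$file" -noout 2>/dev/null; then
        echo csr                         # a signing request, not a certificate
    elif openssl asn1parse -in "$file" >/dev/null 2>&1; then
        echo mislabeled                  # the DER is fine; the BEGIN/END label lies about it
    else
        echo corrupt                     # bad base64 or incomplete DER
    fi
}

# Constructed fixture: a self-signed key/cert pair standing in for the issued
# certificate and its key, plus broken variants of the kind that stop mod_ssl
# at startup. File names and the CN are invented for this example.
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=drumschool.example \
        -keyout "$dir/good.key" -out "$dir/good.crt" 2>/dev/null
    cat "$dir/good.crt" "$dir/good.crt" > "$dir/chain.crt"   # stand-in for a CA bundle
    # Certificate bytes under a private-key label: the PEM reader trusts the
    # label, hands the DER to the RSA key decoder, and the first tag is wrong.
    { echo '-----BEGIN RSA PRIVATE KEY-----'
      grep -v -- '-----' "$dir/good.crt"
      echo '-----END RSA PRIVATE KEY-----'; } > "$dir/mislabeled.key"
    # Truncated key: valid armor, valid base64, incomplete DER.
    { head -n 4 "$dir/good.key"; echo '-----END PRIVATE KEY-----'; } > "$dir/truncated.key"
    # The same certificate in DER form, which the PEM-format directives cannot read.
    openssl x509 -in "$dir/good.crt" -outform DER -out "$dir/good.der" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    for f in "$tmp"/*; do
        printf '%-16s %-22s labels: %s\n' "${f##*/}" "$(classify_pem "$f")" "$(pem_labels "$f")"
    done
    rm -rf "$tmp"
}
main
```

Run `for f in /etc/httpd/ssl/*; do classify_pem "$f"; done` on the server to see which of drumschool.pem, drumschool.key, drumschool.crt and bundle_drumschool.crt is really a private key, which is the leaf certificate and which is the CA bundle; SSLCertificateKeyFile must name the one reported as private-key, and a mislabeled or corrupt result means the file itself has to be replaced, not the directive.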
