Failed to install certificate

#1 Wed, 10/19/2011 - 09:07
webwzrd

I have installed many SSL certificates without problems, however this time I'm getting the following error:

"Failed to install certificate : Certificate problem detected : Certificate and private key do not match"

Shy of starting the process over and requesting another certificate, is there anything I can check to try to correct this?

BTW - I have not generated another CSR - the key is the one that should match.

Brian

Wed, 10/19/2011 - 09:22
andreychek

Howdy,

Well, if that happens -- Virtualmin really does think that the private SSL key it sees there doesn't match the SSL cert that's been installed.

Why that would happen, I'm not sure... but SSL providers offer a way to handle that, called "re-keying". You should be able to generate a new private key, and be given a new SSL cert to match that key.

The only other alternative is to find where the correct matching SSL key is on your system, but re-keying your cert is likely simpler :-)

-Eric

Wed, 10/19/2011 - 09:39
webwzrd

I see... When I generated the CSR, I saved the CSR and Key in a text file. I can see that the key VM is using is the same as what I saved when generating the CSR.

Could it be that Globalsign issued a faulty cert?

Wed, 10/19/2011 - 09:50
andreychek

While it's possible that you were issued a faulty key, it seems more likely that there's some sort of mixup with the cert/key on your server.

What you could try doing is go into your homedir, and find the ssl.cert and ssl.key files -- and replace those with what you know to be the good copies of the SSL cert and private key.

Then, restart Apache and Virtualmin, and see if that works.

-Eric

Wed, 10/19/2011 - 10:25 (Reply to #4)
webwzrd

Eric,

When I did that, Apache failed to restart.

Brian

Wed, 10/19/2011 - 10:33
andreychek

You can review the Apache logs in /var/log/httpd/error_log or /var/log/apache2/error_log to see what error Apache is throwing when you attempt to restart it.

-Eric

Wed, 10/19/2011 - 18:33 (Reply to #6)
webwzrd

Here's the error:

[Wed Oct 19 18:14:43 2011] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
[Wed Oct 19 18:14:43 2011] [error] Unable to configure RSA server private key
[Wed Oct 19 18:14:43 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Oct 19 18:15:02 2011] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
[Wed Oct 19 18:15:02 2011] [error] Unable to configure RSA server private key
[Wed Oct 19 18:15:02 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Oct 19 18:15:17 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 19 18:15:17 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
[Wed Oct 19 18:15:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 19 18:15:18 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?

Wed, 10/19/2011 - 18:42
andreychek

One of the places that error is documented is here:

http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO-5.html

That's saying that the SSL cert isn't matching the key, and it's preventing Apache from starting up.

So, what you'd likely need to do is perform the re-keying mentioned above... that should help you get a working cert and key.

-Eric

Wed, 10/19/2011 - 19:09 (Reply to #8)
webwzrd

Thanks Eric, I followed the instruction to compare the modulus and exponent and they both appear identical, however something is mismatched, so looks like re-keying is in order.

Is re-keying simply generating and submitting a new CSR to my CA?

Since this is a wildcard cert, should I be using *.domain.com for the server name?

Brian

Wed, 10/19/2011 - 19:26 (Reply to #9)
webwzrd

I take it back... I inadvertently just compared the self-signed crt and key, which of course matched. This is not the case with the new key and cert from the CA.

Not only does the modulus not match, but the crt is 2048-bit and the key is 1024-bit.
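
The modulus and key-size comparison discussed in this thread, as an added example that is not from the thread or from Virtualmin. It builds its own constructed fixtures (a 2048-bit key with a self-signed wildcard cert, plus a stray 1024-bit key, mirroring the mismatch above) in a scratch directory; file names and the *.example.com subject are assumptions. An Apache "X509_check_private_key:key values mismatch" error is exactly this check failing.

```shell
#!/bin/sh
# Added example: check whether an X.509 certificate and an RSA private key belong
# together, the way the SSL HOWTO linked above describes (compare the RSA modulus).
set -eu

# Hash of the RSA modulus inside a certificate / private key.
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl md5; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" | openssl md5; }
# RSA key size in bits, parsed from openssl's text dump ("Public-Key: (2048 bit)").
cert_bits() { openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
key_bits()  { openssl rsa  -noout -text -in "$1" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'; }

# Prints a diagnosis; returns 0 when the pair matches, 1 otherwise.
check_pair() {
    crt=$1; key=$2
    cb=$(cert_bits "$crt"); kb=$(key_bits "$key")
    if [ "$cb" != "$kb" ]; then
        echo "MISMATCH: certificate is ${cb}-bit but key is ${kb}-bit (wrong key file?)"
        return 1
    fi
    if [ "$(cert_modulus "$crt")" != "$(key_modulus "$key")" ]; then
        echo "MISMATCH: moduli differ; the cert was issued for a different CSR/key"
        return 1
    fi
    echo "OK: certificate and key share the same modulus"
}

# Constructed fixtures (assumed names): ssl.key/ssl.cert are a matching 2048-bit
# pair for *.example.com; other.key is an unrelated 1024-bit key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/ssl.key" \
    -out "$demo_dir/ssl.cert" -days 1 -subj "/CN=*.example.com" >/dev/null 2>&1
openssl genrsa -out "$demo_dir/other.key" 1024 >/dev/null 2>&1

check_pair "$demo_dir/ssl.cert" "$demo_dir/ssl.key"            # OK
check_pair "$demo_dir/ssl.cert" "$demo_dir/other.key" || true  # expected MISMATCH
```

On a real server, point check_pair at the ssl.cert and ssl.key files in the domain's home directory to confirm which side of the pair is wrong before re-keying.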

Wed, 10/19/2011 - 20:50
andreychek

If Apache still isn't starting -- you can always disable the SSL feature in Virtualmin just to get Apache started in the meantime while you work out all these details.

For a wildcard certificate, you would indeed set the "Server Name" field to *.domain.tld when generating your CSR.

-Eric

Wed, 10/19/2011 - 21:08
webwzrd

Thanks for the info. I had Apache restarted right away as the server has a couple hundred sites on it, so being down unnecessarily is not an option. The CA has given me permission to resubmit.

Thu, 10/20/2011 - 10:23
webwzrd

I'm waiting for the new cert, but maybe now is a good time to mention that I have noticed that when generating a CSR, if I use the default 2048 bit, it comes out as 1024 bit. I have to use the second box and manually enter 2048.

Thu, 10/20/2011 - 10:30 (Reply to #13)
andreychek

Mmm, that sounds like a bug!

Is there any chance you could post this as a bug report using the Support link above?

Jamie could then take a look at that and get it fixed up. Thanks!

-Eric

Thu, 10/20/2011 - 14:27
webwzrd

The 2nd cert worked fine. Maybe my client monkeyed around in there and clicked the generate CSR button after I made the request.

I filed a bug report on the 2048-bit CSR.