Problems with SSL "certificate authority file is not valid" after updating

#1 Thu, 01/04/2018 - 16:05
stom

Last night I installed the latest updates for webmin/virtualmin on my server and restarted. Webmin would not start, nor would httpd, postfix or dovecot. Trying to start the webmin service resulted in the following error: Failed to Open SSL Key /home/user/ssl.key at /usr/libexec/webmin/miniserv.pl

For some reason that file no longer existed. I restored a backup and that got webmin to start, but httpd and the other services wouldn't.

Both systemctl status httpd.service and journalctl -xn were pretty unhelpful here, but running apachectl configtest listed errors with suexec.

I followed a tip about disabling SSL on all virtual sites and this got apache and the other services to start again. I re-enabled SSL on my default site and this worked but I am not able to re-enable SSL on any of my other sites. I get the following error: certificate authority file is not valid : Data does not start with line -----BEGIN CERTIFICATE-----

So now my default site loads, but doesn't work. It complains about permission errors which suggest apache is maybe being run as a different user? I notice that in Webmin -> Servers -> Apache Webserver -> Users and Groups both user and group are set to run as "apache". Tried switching this to default and apache fails to boot again.

I'm pretty stumped at this point. It appears something knocked out my SSL certificate with the initial update, and this has had some knock-on effects with apache? Where do I go from here?

Thu, 01/04/2018 - 18:55
Joe

Distribution and version?

Last night I installed the latest updates for webmin/virtualmin on my server and restarted. Webmin would not start, nor would httpd, postfix or dovecot.

These two events are unrelated, though they may have happened at the same time. The Webmin update wouldn't have touched any of your other services. Other updates to those packages that were perhaps applied at the same time may have, however.

Both systemctl status httpd.service and journalctl -xn were pretty unhelpful here, but running apachectl configtest listed errors with suexec.

What error exactly?

Is it possible your system ran out of memory or disk space? When I hear about problems that affect many services, and nothing has changed (except maybe a minor thing like updating Webmin, or whatever), I assume a systemic problem rather than a specific configuration problem.

Each of these services uses a different set of SSL keys and certificates, though they're all copied from the same place if you used Virtualmin to install them. So...for something to break all of them, it would mean a new broken set was generated and then copied to all of those services. If they're Let's Encrypt certs, just generate new ones using the form in Virtualmin.

So now my default site loads, but doesn't work. It complains about permission errors which suggest apache is maybe being run as a different user? I notice that in Webmin -> Servers -> Apache Webserver -> Users and Groups both user and group are set to run as "apache". Tried switching this to default and apache fails to boot again.

Don't change that. "default" means whatever is compiled in, but your distribution probably shipped with a configuration designed to suit the environment. You want whatever is in the package-provided config file.

I'll need to see specific errors to be able to provide any more advice, I think. Check the Apache error logs (both for the domain and the system-wide one).

--

Check out the forum guidelines!

Thu, 01/04/2018 - 20:16
stom

Thank you, Joe.

The system in question has 16 GB of memory and plenty of free HDD space (2TB+) so I'm hoping it hasn't exhausted its available resources. I'm currently on Webmin version 1.872, Usermin 1.732 and Virtualmin 6.02. I am not certain of the version I was running prior to the update, however this system was only built a couple of weeks ago.

The error reported by apachectl checkconfig was that SuexecUserGroup is configured, but suEXEC is disabled.

After disabling SSL mode for each of the sites this error is no longer reported when running apachectl checkconfig.

I initially set up the certificates using the LetsEncrypt feature in Virtualmin. I have since requested a new certificate for the default site. This was successful and it was automatically copied to webmin, usermin, dovecot, postfix, and proftpd.

I am still unable to re-enable SSL for other virtual sites however. The output reports:

Adding new SSL virtual website .. .. certificate authority file is not valid : Data does not start with line -----BEGIN CERTIFICATE-----

The Apache error log at Webmin -> System -> System Logs shows the following:

[Fri Jan 05 03:09:11.469750 2018] [mpm_prefork:notice] [pid 14121] AH00171: Graceful restart requested, doing restart
[Fri Jan 05 03:09:11.542266 2018] [auth_digest:notice] [pid 14121] AH01757: generating secret for digest authentication ...
[Fri Jan 05 03:09:11.542677 2018] [lbmethod_heartbeat:notice] [pid 14121] AH02282: No slotmem from mod_heartmonitor
[Fri Jan 05 03:09:11.543470 2018] [ssl:warn] [pid 14121] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Jan 05 03:09:11.557134 2018] [mpm_prefork:notice] [pid 14121] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.33 configured -- resuming normal operations
[Fri Jan 05 03:09:11.557153 2018] [core:notice] [pid 14121] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

The error log for the site I'm trying to re-enable SSL on shows nothing at the time of the event, or anything that is related to this.

The error log for the default domain shows no errors at the time but there are these that I assume shed some light on the issue:

[Thu Jan 04 21:48:49.498611 2018] [ssl:warn] [pid 16288] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 04 21:48:49.509535 2018] [ssl:warn] [pid 16288] AH01909: RSA certificate configured for mydomain.co.uk:443 does NOT include an ID which matches the server name
[Thu Jan 04 21:48:49.509547 2018] [ssl:emerg] [pid 16288] AH02238: Unable to configure RSA server private key
[Thu Jan 04 21:48:49.509561 2018] [ssl:emerg] [pid 16288] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Jan 04 21:55:45.414224 2018] [ssl:warn] [pid 18844] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Fri, 01/05/2018 - 13:25
stom

Is there any additional info I can provide to help? I've tried re-requesting another cert from LE for the default site and applying it to the whole site but I still get errors when trying to re-enable SSL on other sites. I'm also still getting permission errors when I view the default site.

Sat, 01/20/2018 - 09:50
j007w

I'm getting the same "certificate authority file is not valid" error on virtual servers that are not the default site. Does anyone have any suggestions? Thanks

Sat, 01/20/2018 - 10:20
Jfro

Did you try Re-Check Configuration in Virtualmin? Did you try the validation in Virtualmin?

Which OS and version?

While a lot of firmware and kernel updates, microcode and so on are because of the Spectre and Meltdown bugs, with those updates a lot of extra new problems/bugs could also be there.

Do you use / did you use only the LE cert script of Virtualmin or another one? LE also had a security bug fixed, but some scripts / ways of getting certs are not working or have problems after their changes, therefore look there and on the web and forum; certbot and so on had troubles.

For support from Joe and other Virtualmin support I think Virtualmin also uses the domain names / virtual servers which have problems for testing.

Also if using other repos than the Virtualmin defaults.

And not every update of Apache SSL works with prefork, but ok, then the default domain/virtual server should not be working too, I guess..

Also if you changed some defaults / settings before a reboot with these newer settings/config, and then updated and rebooted for the first time after making changes, it could be a messy thing, while not knowing if the updates or the config changes are responsible.

Before updates I make a snapshot and do a reboot; if that works I do updates, to be sure no other changes have influence because of not having rebooted with the other config...

Sat, 01/20/2018 - 11:53
j007w

Actually, rechecking config in Virtualmin showed Apache configuration error. Apache would not start unless I comment out the lines "php_admin_value off" in httpd.conf.

This is a new server with new install of CentOS 6.9 and new Virtualmin. All the virtual servers were restored from backup done from another server running Virtualmin.

Now, the default website and other virtual servers can run SSL except one virtual server. I just tried to delete this particular virtual server and restored it again--same error regarding "certificate authority file is not valid. Not ---BEGIN CERTIFICATE".

Any hint on where I should investigate?

Thanks!

Sat, 01/20/2018 - 11:58
Jfro

Hmm, other server means other IP? So it could take a while to resolve new DNS on the new IP. (You're also sure this part is 100% ok?)

Also see the other questions about which LE script and so on.

Mon, 02/12/2018 - 16:14
riczik

I had the same problem after restoring a backup: disabling SSL then re-enabling produced the error. Also the certificate files magically reappeared in the /home/website folder. I did a "Re-Check virtualmin configuration", to no avail.

Out of desperation I grepped my disk for the website name, and found there were configuration options in the file /etc/webmin/virtual-server/domains/13694005276497 including 4 lines pointing to the 4 certificate files: ssl.cert, ssl.combined, ssl.everything, ssl.key. I simply deleted those lines, then I re-added SSL to the website, and it worked.

life's too short for bad wine.
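A small shell script to check the per-domain certificate files the thread keeps coming back to: the Virtualmin "Data does not start with line -----BEGIN CERTIFICATE-----" check, and the key mismatch (AH02238) and CA-certificate-as-server-certificate (AH01906) warnings in stom's Apache log above. This is an added example, not code from Virtualmin or from anyone in the thread; it assumes the openssl command-line tool is installed and that the files are named ssl.cert, ssl.key and ssl.ca under the domain's home directory.

```shell
#!/bin/sh
# Sanity checks for the per-domain SSL files Virtualmin keeps under the
# domain's home directory (assumed names: ssl.cert, ssl.key, ssl.ca).
# Requires the openssl command-line tool.

# Virtualmin's own check: the file must begin with the expected PEM header.
# Usage: pem_starts_with FILE "-----BEGIN CERTIFICATE-----"
pem_starts_with() {
    [ -f "$1" ] && [ "$(head -n 1 "$1")" = "$2" ]
}

# True when the private key belongs to the certificate. A mismatch is what
# Apache logs as "X509_check_private_key:key values mismatch" (AH02238).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate carries BasicConstraints CA:TRUE, the situation
# behind the AH01906 warning: a CA or chain file was installed where the
# server certificate should be.
cert_is_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Run all checks for one domain home; returns 0 only if everything passes.
check_domain_ssl() {
    home="$1"; rc=0
    pem_starts_with "$home/ssl.cert" "-----BEGIN CERTIFICATE-----" \
        || { echo "ssl.cert: not a PEM certificate"; rc=1; }
    pem_starts_with "$home/ssl.ca" "-----BEGIN CERTIFICATE-----" \
        || { echo "ssl.ca: certificate authority file is not valid"; rc=1; }
    key_matches_cert "$home/ssl.cert" "$home/ssl.key" \
        || { echo "ssl.key does not match ssl.cert"; rc=1; }
    if cert_is_ca "$home/ssl.cert"; then
        echo "ssl.cert is a CA certificate, not a server certificate"; rc=1
    fi
    return $rc
}
```

Run it as `check_domain_ssl /home/website` (path assumed) before re-enabling SSL in Virtualmin; a failing check names the file that needs replacing or the stale domain entry that still points at it.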

Thu, 03/22/2018 - 16:49 (Reply to #9)
alnork

thanks bro... it works!

Alnork

Wed, 02/21/2018 - 23:35
atleast

What to do if a domain is moved to another server with another IP address? Will the SSL certificate work on new domain - copied with all files from previous server? Is there any one with experience of moving a domain or changing the IP?

PS: I searched for answers and the Letsencrypt community forum had this question, and there is this reply that shows that the IP is not important but the domain name is. schoen (Certbot engineer / EFF), Aug '17: "A Let's Encrypt certificate refers to the domain name, rather than the IP address. The browser accepts the certificate as valid if the domain name that was used to access the site matches a domain name listed in the certificate. So, you don't have to get a new certificate when you change IP addresses; your existing certificate will remain valid."