
SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com>
2007-11-22 02:01:06
I get:

SSL_CTX_use_PrivateKey_file "/path/to/certs/www.domain.com.pem" failed - aborted

Here's how I built the pem file (renewal certificate obtained via 
http://www.supersitename.com that
sells starfieldtech/godaddy certificates):

  1. openssl genrsa -out www.domain.com.key 1024
  2. openssl req -new -key www.domain.com.key -out www.domain.com.csr
  3. Submit www.domain.com.csr to starfieldtech
  4. Receive www.domain.com.crt and sf_intermediate_bundle.crt from starfieldtech
  5. cat www.domain.com.key www.domain.com.crt sf_intermediate_bundle.crt > www.domain.com.pem
  6. Add to pound.cfg:
          ListenHTTP
              Address         <ipAddressHere>
              Port            80
          End
          ListenHTTPS
              Address         <ipAddressHere>
              Port            443
              Cert            "/path/to/certs/www.domain.com.pem"
          End
          Service
              BackEnd
                  Address     <ipAddressHere>
                  Port        <port that apache listens to; e.g., 8181>
                  TimeOut     120
              End
          End
  7. service pound restart

This is a renewal of a certificate that worked last year.  With the new 
crt files (cert and intermediate cert), it produces the error above.  
I've read previous posts relating to this error and I've tried other 
orderings for step (5) above... but none seem to work.

Does anyone know what I'm doing wrong?

Thanks,
Steve
Fat Bear

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com>
2007-11-23 21:00:21
Just wondering if anyone can shed any light on this?

Thanks,
Steve

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Kenneth Burgener <kenneth(at)mail1.ttak.org>
2007-11-25 06:11:11

According to a past thread
(http://www.apsis.ch/pound/pound_list/archive/2005/2005-09/1125577591000)
it appears this error is caused either by (1) the keys and certificates
were included in the file or (2) the private key being encrypted.

Kenneth

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com>
2007-11-29 17:00:42
Hi Steve,

Did you ever find a solution to this problem?  I'm hitting the same  
thing, and have exhaustively searched the web (without success) for  
solutions.

I've checked that:

1) Private key is not encrypted
2) Key and certificate are in the file and in the correct order

The self-signed test certificates I've created work OK, but the real  
ones do not.  I've simplified the .pem file down to

----BEGIN RSA PRIVATE KEY-----
...
----END RSA PRIVATE KEY-----
---BEGIN CERTIFICATE----
...
---END CERTIFICATE----

I've run openssl verify on this same .pem file and it passed.

Thanks,
Pete


Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com>
2007-11-29 18:05:28
I'm still working on it... it's for a client of mine, so you know I'm 
going to get to the bottom of it.  I'll be sure to let you and the other 
Pound subscribers know asap.

Thanks,
Steve Amerige
Fat Bear Incorporated
866.629.0000 x805 toll free - US/Canada
408.776.0000 local & international

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Robert Segall <roseg(at)apsis.ch>
2007-11-29 18:37:07

It could be that you use a key with the "old" MD5, which is no longer
allowed. Try converting to pkcs8:

openssl pkcs8 -in oldkey.pem -topk8 -nocrypt -out newkey.pem

and then concatenate the files as follows:

KEY (newkey)
YOUR CERTIFICATE
INTERMEDIATE CERTIFICATE
.
.
.
INTERMEDIATE CERTIFICATE
CA (Verisign) CERTIFICATE

into the full PEM file that is used by Pound.

Hope this helps...

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com>
2007-11-29 18:57:46
Thanks Robert.  I just tried this out, and I get an error - which may  
be a clue that something is wrong with my key.

 > openssl pkcs8 -in oldkey.pem -topk8 -nocrypt -out newkey.pem
unable to load key

I've also started playing with stunnel to see if it returns a similar  
error to Pound.  It does, but with a little more information:

SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

Anyone seen anything like this before?

-Pete


Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com>
2007-11-29 19:05:57
Hi Robert,

Just to clarify.  Here's what I did:

 1. openssl genrsa -out www.domain.com.key 1024
 2. openssl req -new -key www.domain.com.key -out www.domain.com.csr
 3. Submit www.domain.com.csr to starfieldtech
 4. Receive www.domain.com.crt and sf_intermediate_bundle.crt from starfieldtech
 5. cat www.domain.com.key www.domain.com.crt sf_intermediate_bundle.crt > www.domain.com.pem

Does your above suggestion need any modification given that I generated 
my key as shown above?

Thanks,
Steve Amerige
Fat Bear Incorporated
866.629.0000 x805 toll free - US/Canada
408.776.0000 local & international

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com>
2007-11-29 20:22:52
Hi Robert,

Thanks for adding the extra SSL error messages to Pound 2.4e.

line 6: SSL_CTX_use_PrivateKey_file "/home/pete/pound/test3.pem" failed - aborted
error:0906D06C:PEM routines:PEM_read_bio:no start line

This is the same error message that comes back from stunnel.  The  
strange thing is that when I run "openssl verify" on this pem file,  
it passes with an "OK".

I'll keep hacking at this, and let you guys know what I find.  If  
anyone has any ideas to try, please let me know.

Thanks,
Pete


Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com>
2007-11-29 21:11:27
Hi all,

Problem solved!  Robert was right about it being an older MD5 key.  I  
retried the pkcs8 conversion on the original passphrase encrypted key:

openssl pkcs8 -in oldkey.pem -topk8 -nocrypt -out newkey.pem

And it worked.  It produced a key that Pound was able to load without  
error.  Previously I had been running this on a key where the  
passphrase had already been removed, resulting in an "unable to load  
key" error.

I ended up with this format (both verisign certificates were required):

-----BEGIN PRIVATE KEY-----
Server key (pasted in the new key here)
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
Server certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Verisign Intermediate CA (for Extended Validation Certificates)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Verisign Root CA (Self signed)
-----END CERTIFICATE-----

The resulting SSL site loads in IE, Firefox, and Safari without  
error.  The only remaining issue is that the green bar does not  
show up in IE7, which it should with an EV certificate.

Thanks for the help!

Pete DeLaurentis
NextEngine, Inc.
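The thread above turns on three faults in the combined PEM file Pound reads: boundary lines with the wrong number of dashes (which OpenSSL's PEM reader reports as "no start line"), a passphrase-encrypted private key in the first block, and a block body that is not base64-encoded DER. The following checker, an added example that is not part of the thread or of Pound itself, flags each of those before the file ever reaches `Cert`; it assumes only the Python standard library, and `GOOD_PEM` is a constructed placeholder, not a real key or certificate.

```python
import base64
import re

# A PEM boundary has exactly five dashes each side; OpenSSL skips anything else and
# reports "PEM_read_bio:no start line" once no usable block is left.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
LOOSE_BOUNDARY = re.compile(r"^-*(BEGIN|END) ([A-Z0-9 ]+)-*$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample (not a real key or certificate): each body is the base64 of a
# five-byte DER SEQUENCE, which is enough to exercise the checks below.
GOOD_PEM = ("-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n")

def parse_blocks(text):
    # Split a PEM file into (label, lines) blocks in file order, noting structural faults.
    blocks, problems, current = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m is None:
            if LOOSE_BOUNDARY.match(line):
                problems.append(f"line {n}: malformed boundary {line!r} ('no start line')")
            elif current is not None and line:
                current[1].append(line)
            continue
        kind, label = m.groups()
        if kind == "BEGIN" and current is None:
            current = (label, [])
        elif kind == "END" and current is not None and current[0] == label:
            blocks.append(current)
            current = None
        else:
            problems.append(f"line {n}: unexpected {kind} {label}")
    return blocks, problems

def lint_pound_pem(text):
    # Return the problems that would stop Pound loading this combined PEM ([] if none).
    blocks, problems = parse_blocks(text)
    key = blocks[0] if blocks else None
    if key is None or key[0] not in KEY_LABELS:
        problems.append("first PEM block must be the private key")
    elif any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in key[1]):
        problems.append("key is passphrase-encrypted; re-export with 'openssl pkcs8 -topk8 -nocrypt'")
    for label, lines in blocks:
        body = "".join(ln for ln in lines if ":" not in ln)  # skip Proc-Type/DEK-Info headers
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # keys and certificates are DER SEQUENCEs
            problems.append(f"{label} block body is not base64-encoded DER")
    return problems
```

It does not check that the key matches the server certificate or that the chain is ordered leaf to root; `openssl` remains the tool for that.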