SSL_CTX_use_PrivateKey_file Error
SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com> |
2007-11-22 02:01:06 |
I get:
SSL_CTX_use_PrivateKey_file "/path/to/certs/www.domain.com.pem" failed - aborted
Here's how I built the pem file (renewal certificate obtained via
http://www.supersitename.com that
sells starfieldtech/godaddy certificates):
1. openssl genrsa -out www.domain.com.key 1024
2. openssl req -new -key www.domain.com.key -out www.domain.com.csr
3. Submit www.domain.com.csr to starfieldtech
4. Receive www.domain.com.crt and sf_intermediate_bundle.crt from
starfieldtech
5. cat www.domain.com.key www.domain.com.crt sf_intermediate_bundle.crt > www.domain.com.pem
6. Add to pound.cfg:

    ListenHTTP
        Address <ipAddressHere>
        Port 80
    End

    ListenHTTPS
        Address <ipAddressHere>
        Port 443
        Cert "/path/to/certs/www.domain.com.pem"
    End

    Service
        BackEnd
            Address <ipAddressHere>
            Port <port that apache listens to; e.g., 8181>
            TimeOut 120
        End
    End

7. service pound restart
This is a renewal of a certificate that worked last year. With the new
crt files (cert and intermediate cert), it produces the error above.
I've read previous posts relating to this error and I've tried other
orderings for step (5) above... but none seem to work.
Does anyone know what I'm doing wrong?
Thanks,
Steve
Fat Bear
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com> |
2007-11-23 21:00:21 |
Just wondering if anyone can shed any light on this?
Thanks,
Steve[...]
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Kenneth Burgener <kenneth(at)mail1.ttak.org> |
2007-11-25 06:11:11 |
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com> |
2007-11-29 17:00:42 |
Hi Steve,
Did you ever find a solution to this problem? I'm hitting the same
thing, and have exhaustively searched the web (without success) for
solutions.
I've checked that:
1) Private key is not encrypted
2) Key and certificate is in file + is in correct order
The self-signed test certificates I've created work OK, but the real
ones do not. I've simplified the .pem file down to
----BEGIN RSA PRIVATE KEY-----
...
----END RSA PRIVATE KEY-----
---BEGIN CERTIFICATE----
...
---END CERTIFICATE----
I've run openssl verify on this same .pem file and it passed.
Thanks,
Pete
On Nov 24, 2007, at 9:11 PM, Kenneth Burgener wrote:
[...][...][...]
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com> |
2007-11-29 18:05:28 |
Pete DeLaurentis wrote:[...]
I'm still working on it... it's for a client of mine, so you know I'm
going to get to the bottom of it. I'll be sure to let you and the other
Pound subscribers know asap.
Thanks,
Steve Amerige
Fat Bear Incorporated
866.629.0000 x805 toll free - US/Canada
408.776.0000 local & international
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Robert Segall <roseg(at)apsis.ch> |
2007-11-29 18:37:07 |
On Thu, 2007-11-29 at 09:05 -0800, Fat Bear Incorporated - Pound Mailing
List wrote:[...]
It could be that you use a key with the "old" MD5, which is no longer
allowed. Try converting to pkcs8:
openssl pkcs8 -in oldkey.pem -topk8 -nocrypt -out newkey.pem
and then concatenate the files as follows:
KEY (newkey)
YOUR CERTIFICATE
INTERMEDIATE CERTIFICATE
.
.
.
INTERMEDIATE CERTIFICATE
CA (Verisign) CERTIFICATE
into the full PEM file that is used by Pound.
Hope this helps...[...]
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com> |
2007-11-29 18:57:46 |
Thanks Robert. I just tried this out, and I get an error - which may
be a clue that something is wrong with my key.
> openssl pkcs8 -in oldkey.pem -topk8 -nocrypt -out newkey.pem
unable to load key
I've also started playing with stunnel to see if it returns a similar
error to Pound. It does, but with a little more information:
SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
Anyone seen anything like this before?
-Pete
On Nov 29, 2007, at 9:37 AM, Robert Segall wrote:
[...][...]
>>> Hi Steve,
>>>
>>> Did you ever find a solution to this problem? I'm hitting the same
>>> thing, and have exhaustively searched the web (without success) for
>>> solutions.[...][...]
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Fat Bear Incorporated - Pound Mailing List <pound(at)fatbear.com> |
2007-11-29 19:05:57 |
Hi Robert,[...]
Just to clarify. Here's what I did:
1. openssl genrsa -out www.domain.com.key 1024
2. openssl req -new -key www.domain.com.key -out www.domain.com.csr
3. Submit www.domain.com.csr to starfieldtech
4. Receive www.domain.com.crt and sf_intermediate_bundle.crt from
starfieldtech
5. cat www.domain.com.key www.domain.com.crt sf_intermediate_bundle.crt > www.domain.com.pem
Does your above suggestion need any modification given that I generated
my key as shown above?
Thanks,
Steve Amerige
Fat Bear Incorporated
866.629.0000 x805 toll free - US/Canada
408.776.0000 local & international
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com> |
2007-11-29 20:22:52 |
Hi Robert,
Thanks for adding the extra SSL error messages to Pound 2.4e.
line 6: SSL_CTX_use_PrivateKey_file "/home/pete/pound/test3.pem" failed - aborted
error:0906D06C:PEM routines:PEM_read_bio:no start line
This is the same error message that comes back from stunnel. The
strange thing is that when I run "openssl verify" on this pem file,
it passes with an "OK".
I'll keep hacking at this, and let you guys know what I find. If
anyone has any ideas to try, please let me know.
Thanks,
Pete
On Nov 29, 2007, at 10:05 AM, Fat Bear Incorporated - Pound Mailing
List wrote:
[...][...][...]
Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Error
Pete DeLaurentis <pete(at)nextengine.com> |
2007-11-29 21:11:27 |
Hi all,
Problem solved! Robert was right about it being an older MD5 key. I
retried the pkcs8 conversion on the original passphrase encrypted key:
openssl pkcs8 -in oldkey.pem -topk8 -nocrypt -out newkey.pem
And it worked. It produced a key that Pound was able to load without
error. Previously I had been running this on a key where the
passphrase had already been removed, resulting in a "unable to load
key" error.
I ended up with this format (both verisign certificates were required):
-----BEGIN PRIVATE KEY-----
Server key (pasted in the new key here)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Verisign Intermediate CA (for Extended Validation Certificates)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Verisign Root CA (Self signed)
-----END CERTIFICATE-----
The resulting SSL site loads in IE, Firefox, and Safari without
error. The only one remaining issue is that the green bar does not
show up in IE7, which it should with an EV certificate.
Thanks for the help!
Pete DeLaurentis
NextEngine, Inc.
On Nov 29, 2007, at 9:37 AM, Robert Segall wrote:
[...][...]
>>> Hi Steve,
>>>
>>> Did you ever find a solution to this problem? I'm hitting the same
>>> thing, and have exhaustively searched the web (without success) for
>>> solutions.[...][...]
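The whole thread turns on what Pound's Cert file has to look like: one unencrypted private key, followed by the server certificate and then the chain up to the CA (Steve's step 5, the order Robert lists, and the layout Pete ended up with). As an added example that is not part of the thread and not Pound's own code, here is a stdlib-only Python linter for such a bundle. It applies the same rule OpenSSL's PEM reader does, which is that a marker line is only recognised when it starts with exactly "-----BEGIN ", so a marker with the wrong number of dashes (the kind of thing that ends in "PEM_read_bio:no start line") is reported rather than silently skipped; it also flags a passphrase-encrypted key (Pete's check 1), a key that is not the first block, a stray block type, and a payload that does not decode. The sample bundles at the bottom are constructed test data built around a dummy DER SEQUENCE, not real keys or certificates.

```python
"""Lint a Pound 'Cert' bundle: one private key, then the certificate chain.

Added example, stdlib only (no OpenSSL binding needed). The sample bundles at
the bottom are constructed test data around a dummy DER SEQUENCE, not real keys.
"""
import base64
import binascii
import re
import sys

# OpenSSL's PEM reader only recognises a marker line that starts with exactly
# "-----BEGIN "; anything else is skipped, and a file with no recognised marker
# fails with "PEM routines:PEM_read_bio:no start line".
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def parse_pem(text):
    """Split PEM text into (label, der_bytes, header_lines) tuples.

    Raises ValueError on a malformed marker, a BEGIN/END label mismatch,
    bad base64 or an unterminated block.
    """
    blocks, label, headers, b64 = [], None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if label is None:                       # outside a block: expect BEGIN
            if not line.strip():
                continue
            m = BEGIN_RE.match(line)
            if m is None:
                if "BEGIN" in line:
                    raise ValueError(f"line {lineno}: malformed marker {line!r}; "
                                     "OpenSSL needs exactly five dashes on each side")
                raise ValueError(f"line {lineno}: text outside any PEM block: {line!r}")
            label, headers, b64 = m.group(1), [], []
            continue
        m = END_RE.match(line)
        if m:                                   # closing marker: decode the body
            if m.group(1) != label:
                raise ValueError(f"line {lineno}: END {m.group(1)} closes a BEGIN {label} block")
            try:
                der = base64.b64decode("".join(b64), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label} block ending at line {lineno}: bad base64 ({exc})")
            blocks.append((label, der, headers))
            label = None
            continue
        if ":" in line and not b64:             # legacy headers, e.g. "Proc-Type: 4,ENCRYPTED"
            headers.append(line.strip())
        elif line.strip():
            b64.append(line.strip())
    if label is not None:
        raise ValueError(f"unterminated BEGIN {label} block")
    return blocks


def lint_bundle(text):
    """Return a list of findings for a Pound Cert file; an empty list means the layout is usable."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return [f"parse error: {exc}"]
    if not blocks:
        return ["no PEM blocks found"]
    findings = []
    labels = [label for label, _, _ in blocks]
    key_positions = [i for i, label in enumerate(labels)
                     if label in KEY_LABELS or label == "ENCRYPTED PRIVATE KEY"]
    if len(key_positions) != 1:
        findings.append(f"expected exactly one private key block, found {len(key_positions)}")
    elif key_positions[0] != 0:
        findings.append(f"private key is block {key_positions[0] + 1}; "
                        "it must come first, before the certificates")
    for idx, (label, der, headers) in enumerate(blocks, 1):
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        if encrypted:
            findings.append(f"block {idx}: private key is passphrase-encrypted; "
                            "strip the passphrase before handing the file to Pound")
        elif label not in KEY_LABELS and label != "CERTIFICATE":
            findings.append(f"block {idx}: unexpected block type {label!r}")
        if der and der[0] != 0x30:              # keys and certificates are DER SEQUENCEs
            findings.append(f"block {idx}: payload is not a DER SEQUENCE (first byte 0x{der[0]:02x})")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block; the server certificate and its chain must follow the key")
    return findings


# --- constructed sample data (dummy DER, not a real key or certificate) ---
FAKE_DER = b"\x30\x03\x02\x01\x00"              # minimal SEQUENCE { INTEGER 0 }


def pem_block(label, headers=()):
    """Build one constructed PEM block around FAKE_DER, with optional legacy headers."""
    body = base64.b64encode(FAKE_DER).decode()
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


GOOD_BUNDLE = pem_block("PRIVATE KEY") + pem_block("CERTIFICATE") * 3   # key, server, intermediate, root
BAD_MARKER = GOOD_BUNDLE.replace("-----BEGIN PRIVATE KEY-----", "----BEGIN PRIVATE KEY-----", 1)
ENCRYPTED_KEY = pem_block("RSA PRIVATE KEY", ["Proc-Type: 4,ENCRYPTED",
                                               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"]) + pem_block("CERTIFICATE")
WRONG_ORDER = pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_BUNDLE
    for finding in lint_bundle(text) or ["OK: key first, followed by the certificate chain"]:
        print(finding)
```

Run it as `python pemlint.py /path/to/certs/www.domain.com.pem` (the file name is a placeholder); with no argument it lints the constructed good bundle. An empty findings list only says the file is laid out the way the PEM reader expects. Whether the key actually belongs to the first certificate is a separate check that still needs openssl: `openssl rsa -noout -modulus -in key.pem` and `openssl x509 -noout -modulus -in cert.pem` must print the same value.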