SSL_CTX_use_PrivateKey_file Driving me insane
Alan McGinlay <alanm(at)sics.se>
2012-09-27 11:16:21
Hi All,

I have been getting this error now no matter what I do when trying to 
set up an HTTPS listener with a self signed cert.

"/etc/pound/pound.cfg line 56: SSL_CTX_use_PrivateKey_file failed - aborted"

I have generated the ssl cert in myriad different ways, always with the 
same result. I have tried with pound 2.5 and 2.6 (from Ubuntu precise 
and quantal respectively) but there is no change! The certificates test 
ok with the openssl command line so I am at a complete loss!

Most of the info I have found on the net is from a few years back, could 
this be a new bug?

pound.cfg listeners:

ListenHTTP
     Address 199.10.64.8
     Port    80
     #Cert    "/etc/ssl/certs/server.crt"
     Service
         HeadRequire "Host:.*redneck001-ext.example.se.*"
         BackEnd
             Address localhost
             Port    81
         End
     End

END

ListenHTTPS
     Address 193.10.64.8
     Port    443
     Cert    "/etc/ssl/certs/redneck001-ext.example.se.cert"
     Service
         HeadRequire "Host:.*redneck001-ext.example.se.*"
         BackEnd
             Address localhost
             Port    81
         End
     End
End

Please help!

/Alan

Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane
Scott McKeown <scott(at)loadbalancer.org>
2012-09-27 11:57:42
Hi Alan,
I'm sure that you will need to include the Private Key Chain in your PEM
file to resolve this error.

Have a look at http://www.digicert.com/ssl-support/pem-ssl-creation.htm which
shows the different ways of creating the PEM file.

Although now that I think about it, I don't remember if I had to include
this in mine the last time I created a Self Signed certificate so I could
be wrong on the self signed front. However, I would recommend the full PEM
file when you go live.


~Scott



Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane
Alan McGinlay <alanm(at)sics.se>
2012-09-27 12:14:46
Fixed! Thanks for the link, it put me on the right track.

All that was required was to concatenate the key, the crt and output a 
.pem file which I put in the ssl store and referenced it from pound.cfg.

I also ran "update-ca-certificates --verbose --fresh"

And restarted pound, success! This is just a test, the live site will 
use a "real" ssl cert.

Thanks,

Alan
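
A preflight for the combined file described in this message, added here as an example and not taken from the posts or from Pound. It checks that the file named by Cert holds both a certificate and a private key, that the two belong together, and that the key-bearing file is not group or world readable. The function names, the file names server.key, server.crt and combined.pem, and the placeholder PEM body are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Pound's code): preflight for the file named by "Cert".

# Labels of every PEM block in the file, one per line, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Structure check: the file needs a certificate and a private key.
# Any label ending in "PRIVATE KEY" counts (plain, RSA, EC, ENCRYPTED).
has_cert_and_key() {
    labels=$(pem_labels "$1")
    rc=0
    echo "$labels" | grep -qx 'CERTIFICATE' || { echo "$1: no CERTIFICATE block"; rc=1; }
    echo "$labels" | grep -q 'PRIVATE KEY$' || { echo "$1: no PRIVATE KEY block"; rc=1; }
    return "$rc"
}

# The combined file holds the private key, so group/other must not read it.
key_file_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Pairing check (needs the openssl CLI): certificate and key share a public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample: a certificate-only file, the state that produced the error.
# The base64 body is a placeholder, not a real certificate.
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo"
# server.key, server.crt and combined.pem are hypothetical file names.
has_cert_and_key "$demo" || echo "fix: cat server.key server.crt > combined.pem"
key_file_private "$demo" || echo "fix: chmod 600 combined.pem"
rm -f "$demo"
```

Run key_matches_cert against the real combined file before restarting pound; it returns 2 when openssl cannot parse either part.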


Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane
Scott McKeown <scott(at)loadbalancer.org>
2012-09-27 12:25:27
Hi Alan,
You're more than welcome.
Some of the messages from Pound can be a little confusing until you've been
playing with it for a while.

Any further issues just drop us a line and I'm sure someone will be able to
help.


~Scott

