# SSL Broken After Adding Web Cert

## dangerweasel

Our company web site needed a web cert. I followed all of the directions from the company we got it from (www.geotrust.com). Their instructions seem a little... uhh... mis-written. I copied the key they sent me into a .crt file. I then added the lines in my apache.conf file like it told me to:

```
SSLCertificateFile /path/to/file.crt
SSLCertificateKeyFile /path/to/file.key
```

Now when you try to get to the https site you get an error message that varies depending on your browser. You can see your own personal error message HERE! I have pored over all of the appropriate config files and documentation I can find. I am going to send an email to the support people at geotrust.com, but I think I am going to get better help here. Does anyone have any pointers I can try? I would really appreciate a weekend free from this stress.

Thanks in advance

weezie

----------

## big_pig

To me it looks like the SSL engine isn't running. I'm going to bite the bullet and ask the stupid question: did mod_ssl work with the default apache certs before you put in the geotrust certs?

Assuming yes, do the ssl-error_log, ssl-access_log and ssl_engine_log logs offer any clues?

----------

## kashani

Ah, the old "data unexpected error". Seriously, these are usually caused by not having a chain or intermediate file. You should be able to get this from the guys who gave you the cert or from Verisign. You'd want a config that looks something like this:

```
SSLEngine on
# server certificate and its private key
SSLCertificateFile /etc/apache/conf/ssl/www.mydomain.com.crt
SSLCertificateKeyFile /etc/apache/conf/ssl/www.mydomain.com.key
# intermediate CA certificate(s), sent to clients so they can build the chain up to the root
SSLCertificateChainFile /etc/apache/conf/ssl/intermediate.crt
SSLCACertificateFile /etc/apache/conf/ssl/intermediate.crt
# workarounds for old MSIE SSL bugs
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLProtocol all -SSLv3
```

To be honest I don't know exactly why the chain file fixes this; something to do with changing certs, root certs, etc. I'm sure Google can tell you if you really care.

kashani

----------

## paranode

Not sure if it will help, but when I'm creating and signing my own keys I always use this as a guide: http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#keyscerts

----------

## dangerweasel

I think I have found the problem. The private key, for some reason, does not match the cert. I went a little farther down on the link from paranode and found the section on how to see if the keys match. Their MD5 sums are different. Also, the ssl_error log has some errors at the end saying roughly the same thing. I am going to email support and see what they say.

Thanks guys, I will post the final outcome.

weezie

----------

## axa

Hello all, I've got the same problem with this issue....

If I generate a certificate using /usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh and set my CommonName to backup.idv.ca,

then restart apache2, I find that port 443 is listening.

BUT!!! MY APACHE2 SSL IS NOT WORKING

Strangely, if I set my CommonName to "localhost", APACHE2 SSL WORKS FINE!!!! All clients can use a browser to connect over https...

However, when I restart my apache2 I get some errors in /var/log/apache2/ssl_error_log

*Quote:*

> [Fri Jul 25 11:13:38 2003] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?

I've checked:

- /etc/hosts, where I've defined my hostname as backup.idv.ca
- /etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf, which has `ServerName backup.idv.ca:443`

Second, I found another strange issue when verifying server.crt (server.crt is used by the apache2 SSLCertificateKeyFile directive).

Using "openssl verify server.crt" I get the following error message:

*Quote:*

> backup ssl # openssl verify server.crt
> server.crt: /C=TW/ST=Taiwan/L=Taipei/O=play/OU=SA/CN=backup.idv.ca/Email=root@backup.idv.ca
> ...

DOES ANYONE KNOW WHY WHY WHY??? I AM CRAZY

*dangerweasel wrote:*

> I think I have found the problem. The private key, for some reason, does not match the cert. I went a little farther down on the link from paranode and found the section on how to see if the keys match. Their MD5 sums are different. Also, the ssl_error log has some errors at the end saying roughly the same thing. I am going to email support and see what they say.
>
> Thanks guys, I will post the final outcome.
>
> weezie

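The three threads of this discussion turn out to hinge on three separate checks: kashani's missing intermediate/chain file, dangerweasel's private key that does not match the certificate, and axa's CommonName that does not match the ServerName. The following POSIX shell script is an added example, not code from the thread, from GeoTrust or from the Apache project; it runs those checks before Apache is restarted. It assumes the openssl command-line tool is in PATH; the script name sslcheck.sh, the function names and the argument file paths are my own. The key/cert comparison uses the PEM public key rather than the MD5 sum of the modulus that the Apache FAQ describes, which gives the same answer and also works for non-RSA keys.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for an Apache
# mod_ssl deployment. Assumes the openssl CLI is in PATH; all file paths and
# the server name are supplied by the caller (placeholders, not real files).

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# (1) Private key vs certificate (dangerweasel's problem). The Apache FAQ
#     compares MD5 sums of the modulus; comparing the PEM public keys works
#     for RSA and EC alike. Returns 0 on match, 1 on mismatch, 2 on parse error.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# (2) Chain building (kashani's point): does the server cert verify through
#     the intermediate file to a trusted root? $3 optionally names a CA bundle
#     to trust instead of the system store (private CA, or tests).
check_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# (3) Name matching (axa's warning): exact match, or a wildcard that covers
#     exactly one leading label (*.idv.ca matches backup.idv.ca, but not
#     a.backup.idv.ca and not idv.ca). Case-insensitive, as DNS names are.
name_matches() {
    pattern=$(lower "$1"); host=$(lower "$2")
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}
            case $host in
                *.*) [ -n "${host%%.*}" ] && [ "${host#*.}" = "$suffix" ] ;;
                *)   return 1 ;;
            esac ;;
        *)  [ "$pattern" = "$host" ] ;;
    esac
}

# All DNS names a certificate is valid for: subjectAltName entries first,
# then the subject CN as the legacy fallback.
cert_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does any name in the certificate cover the ServerName from the vhost?
check_name() {
    for n in $(cert_names "$1"); do
        name_matches "$n" "$2" && return 0
    done
    return 1
}

# Usage: sh sslcheck.sh server.crt server.key intermediate.crt www.example.com
if [ $# -eq 4 ]; then
    check_key_matches_cert "$1" "$2" && echo "key matches cert" || echo "FAIL: key does not match cert"
    check_chain "$1" "$3"            && echo "chain verifies"   || echo "FAIL: chain does not verify"
    check_name "$1" "$4"             && echo "name covers $4"   || echo "FAIL: cert names do not cover $4"
fi
```

Run it against the files named in the vhost before restarting Apache; a problem shows up as a plain FAIL line instead of the browser-dependent error the first post describes. Without a third argument, check_chain lets openssl verify use the system trust store, which is roughly what a browser visit does. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediate certificates are appended to the file named by SSLCertificateFile instead; the checks are independent of which directive is used.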
----------

## karl420

It seems like I can connect to the site now, and it says "Signed by Equifax", so I take it you got it working? What was the problem? I'd like to hear about this as I am about to purchase from geotrust myself.

Karl

----------

## axa

Hello ALL:

I've studied the Apache doc at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#keysize

This is a very good doc for creating your own CA and server key!

I did NOT use the CA.pl, CA.sh or gentestcrt.sh scripts to generate my CA and key!

I used MANUAL steps to generate my CA and key.

It's a pretty good doc to me.

*karl420 wrote:*

> It seems like I can connect to the site now, and it says "Signed by Equifax", so I take it you got it working? What was the problem? I'd like to hear about this as I am about to purchase from geotrust myself.
>
> Karl


----------

