
I am trying to install an SSL certificate, and I get the following errors:

AH02241: Init: Unable to read server certificate from file /path/my.crt
SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
AH02312: Fatal error initialising mod_ssl, exiting.

Here's the process I followed:

I generated my private key with:

openssl genrsa -out my.key 2048

I created the CSR with:

openssl req -new -key my.key -out my.csr

I provided the CSR to our IT department, and they returned a crt - it starts with

-----BEGIN CERTIFICATE-----

My ssl.conf has (my.example.com matches the Common name used during the generation of the CSR):

<VirtualHost my.example.com:443>
  SSLEngine On
  ServerName my.example.com
  SSLCertificateFile /path/my.crt
  SSLCertificateKeyFile /path/my.key
</VirtualHost>

I do not have SSLCertificateChainFile or SSLCACertificateFile set.

The private key starts with

-----BEGIN RSA PRIVATE KEY-----

The csr starts with

-----BEGIN CERTIFICATE REQUEST-----

I have verified that both:

openssl rsa -noout -modulus -in my.key
openssl req -noout -modulus -in my.csr 

produce the same output. I cannot figure out how to verify the crt - trying both x509 and rsa produce an error.

Should this process have worked? Can I verify that my.crt matches the key somehow?

chris
  • Can you try putting a full path for the certificates? "SSLCertificateFile /path/to/my.crt" ? – mulaz Nov 01 '12 at 15:28
  • @mulaz: I actually have the paths specified, I just didn't put them there - I've updated the question. – chris Nov 01 '12 at 15:54
  • Can you verify that openssl can read the cert: `openssl x509 -in my.crt -text`. Also, what are the file perms of my.crt? – Alastair McCormack Nov 01 '12 at 16:47
  • @Fuzzyfelt: Turns out the cert was bad. If you want to write up the cert testing as an answer, I'll remove my answer & accept yours. – chris Nov 02 '12 at 12:11
  • Hey @chris, that's very generous, but I think you've made a much better answer than I could do, and it serves people with the same issue. I'm happy for you to just accept your answer in 27 hours' time :) – Alastair McCormack Nov 02 '12 at 13:12
  • What did you do to fix this bad certificate? I have the same problem. – square_eyes Mar 25 '16 at 02:06
  • @square_eyes: the person who obtained the original had somehow messed it up when emailing it. They re-sent it properly. – chris Mar 25 '16 at 14:27

3 Answers


It turns out that the cert I was provided was bad.

Running

openssl x509 -in my.crt -text

should have worked, but since the cert was corrupt it produced errors:

unable to load certificate
140513785948000:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:
140513785948000:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
140513785948000:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
140513785948000:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

I guess I should have noticed that the lines in the block when viewing the bad cert weren't all the same length.

chris

For:

SSLCertificateFile my.crt
SSLCertificateKeyFile my.key

You should be using the full path to those files, i.e.:

SSLCertificateFile /home/vhosts/domain.com/keys/my.crt
SSLCertificateKeyFile /home/vhosts/domain.com/keys/my.crt

Update the correct paths and restart Apache to apply the changes. Post back with an updated error/message if the issue remains.

-Brendan

bmurtagh
  • I guess I should have mentioned that the path is there - I just didn't include it in the question. – chris Nov 01 '12 at 15:33

Just for the record: I had the same kind of error report and the issue was not really in the certificate, but in the configuration.

By mistake I defined the key as the certificate and the certificate as the key. The result was the same error message.

The error resulted from the fact that my reference configuration presented these items in the opposite order.

Even the example by @Brendan has this error as it references two times the certificate - both for the certificate and for the key.

So be sure to check that you are referencing the correct files in the correct parameter.

le_top
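The checks the thread arrives at, gathered into one script as an added example (not code from the question or from any of the answers): it distinguishes a certificate that does not parse at all (the AH02241 / "wrong tag" case, including the ragged base64 lines chris noticed) from a certificate and key that both parse but belong to different pairs (the swapped-files mistake le_top describes). It assumes PEM files, a working `openssl` binary, and the exit codes are my own convention.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes PEM certificate and
# PEM private key (RSA or EC) and that `openssl` is on PATH.

# Print body lines whose length differs from the first body line (the last
# line is allowed to be short). Any output means the base64 block is ragged,
# the symptom the accepted answer saw on a certificate mangled in email.
pem_ragged_lines() {
  awk '/^-----BEGIN /{inb=1; next}
       /^-----END /{inb=0; next}
       inb {n++; len[n]=length($0)}
       END {for (i=2; i<n; i++) if (len[i]!=len[1]) print "line " i ": " len[i]}' "$1"
}

# Return 0 if the certificate carries the public key of the private key,
# 1 if either file does not parse (bad certificate, or cert/key swapped),
# 2 if both parse but come from different key pairs (wrong cert for this key).
check_cert_key_pair() {
  crt=$1; key=$2
  if ! openssl x509 -noout -in "$crt" 2>/dev/null; then
    echo "cannot parse certificate: $crt" >&2
    [ -n "$(pem_ragged_lines "$crt")" ] && echo "body lines have uneven length: $crt" >&2
    return 1
  fi
  if ! openssl pkey -noout -in "$key" 2>/dev/null; then
    echo "cannot parse private key: $key" >&2
    return 1
  fi
  # Compare SubjectPublicKeyInfo digests instead of RSA moduli (as the
  # question does) so the same check also works for EC keys.
  crt_pub=$(openssl x509 -noout -pubkey -in "$crt" | openssl dgst -sha256)
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl dgst -sha256)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "certificate and key do not match: $crt / $key" >&2
    return 2
  fi
  echo "ok: $crt matches $key"
}

# Usage: ./check_pair.sh /path/my.crt /path/my.key
if [ $# -eq 2 ]; then
  check_cert_key_pair "$1" "$2"
fi
```

Run it with the two paths from your SSLCertificateFile and SSLCertificateKeyFile lines; a return of 1 for the certificate means Apache's "Unable to read server certificate" is expected, and swapping the arguments is the quickest test for le_top's case.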