I use self-signed certificates with no issue, but today I tried to create an SSL certificate for commercial use. But Apache doesn't start and gives the following error:

Notice: I have confirmed that the crt file is valid, as a CSR decoder loads the content as well.

```
AH02241: Init: Unable to read server certificate from file XXXX/XXXX/XXXX.csr
SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
AH02312: Fatal error initialising mod_ssl, exiting.
```

Software: OpenSSL 1.0.1e 11 Feb 2013, Apache HTTP 2.4.6

1 Answer

Looks like you are using a CSR instead of the certificate file. Make sure you have created a self-signed certificate with `openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt` and use server.crt in the SSLCertificateFile setting in the Apache SSL config. If you are using a commercial signing authority, you must use the certificate provided by the authority and not the signing request you generated.

mindsurfer
  • yes, I have checked. Starts with -----BEGIN PRIVATE KEY----- , and ends with -----END PRIVATE KEY----- –  Oct 27 '13 at 17:19
  • checked that the apache user has permissions to access the csr files and key files? – mindsurfer Oct 27 '13 at 17:20
  • yes, it has.... –  Oct 27 '13 at 17:23
  • ok and anything in ssl_error_log? – mindsurfer Oct 27 '13 at 17:29
  • Nope, everything is just fine. "openssl req -text -noout -verify -in XXX.csr" AND "openssl rsa -in XXX.key -check" –  Oct 27 '13 at 17:50
  • openssl x509 -in XXX.crt -text works as well? – mindsurfer Oct 27 '13 at 17:55
  • As I wrote above, it is not a self-signed certificate but a certificate signing request (CSR) –  Oct 27 '13 at 18:10
  • Wait a sec. You are trying to boot Apache with a CSR? That is incorrect; it needs a certificate, not a CSR. – mindsurfer Oct 27 '13 at 18:11
  • I am new to certificates; until today I hadn't installed any certificates for commercial use. So, can you be a little clearer? –  Oct 27 '13 at 18:13
  • https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3&nav=0,33 I used this to create that cert. –  Oct 27 '13 at 18:14
  • I see you are missing a crucial step of generating a self-signed certificate: `openssl x509 -req -days 365 -in server.csr -signkey myserver.key -out server.crt`. You then add server.crt to the SSLCertificateFile option in the Apache config. – mindsurfer Oct 27 '13 at 18:16
  • SSLEngine on SSLCertificateFile "XXX.csr" SSLCertificateKeyFile "XXX.key" SSLCACertificateFile "ca-certificates.crt" –  Oct 27 '13 at 18:16
  • updated the answer. – mindsurfer Oct 27 '13 at 18:19
  • Thanks for your interest, but as I have repeated a few times, I am not creating a self-signed certificate; you only give me ss cert examples. –  Oct 27 '13 at 18:19
  • Apache will not boot without a certificate. A CSR is a request for a certificate that you send to signing authorities to get the certificate back, which will then be used to start Apache. – mindsurfer Oct 27 '13 at 18:24
  • I ran the command, but this time the page displays "This Connection is Untrusted", but my cert is from Comodo –  Oct 27 '13 at 18:31
  • Yes, this is how a self-signed certificate works. You need a root authority to sign the CSR to create a legit/trusted certificate. Examples of root authorities are VeriSign, GoDaddy, etc. Pretty much any provider of SSL certification services. – mindsurfer Oct 27 '13 at 18:33
  • Apologies, I didn't understand: did Comodo provide you with a CRT file? – mindsurfer Oct 27 '13 at 18:33
  • OK, finally I understand what you're talking about. I now understand how commercial SSL certificates work. And yes, it works now. I have created the certificate that was given by Comodo and restarted Apache. So, if you edit your answer to say that CSR and CRT are different, pointing to these comments, I can accept your answer. –  Oct 27 '13 at 18:42
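
Added example (not part of the original thread, and not Apache or OpenSSL code): a pre-flight check that reads the `-----BEGIN ...-----` label of the files named by `SSLCertificateFile` and `SSLCertificateKeyFile` and flags a CSR configured where a certificate is required, which is the mistake resolved in the comments above. The helper names `pem_kind`, `check_ssl_conf` and `make_samples`, the file names and the PEM bodies are constructed for illustration; paths are assumed to be absolute and free of spaces.

```shell
# pem_kind FILE: print certificate, csr, private-key, other or not-pem,
# judged only by the label of the first PEM block in FILE.
pem_kind() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$label" in
        CERTIFICATE) echo certificate ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo csr ;;
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY"|"ENCRYPTED PRIVATE KEY") echo private-key ;;
        "") echo not-pem ;;
        *) echo other ;;
    esac
}

# check_ssl_conf CONF: print one line per SSLCertificateFile / SSLCertificateKeyFile
# directive and return 1 if any of them names a file of the wrong PEM type.
check_ssl_conf() {
    rc=0
    while read -r directive path rest; do
        case "$(printf '%s' "$directive" | tr 'A-Z' 'a-z')" in
            sslcertificatefile) want=certificate ;;
            sslcertificatekeyfile) want=private-key ;;
            *) continue ;;
        esac
        path=$(printf '%s' "$path" | tr -d '"')   # drop the quotes around the path
        got=$(pem_kind "$path")
        if [ "$got" = "$want" ]; then
            echo "ok:   $directive $path ($got)"
        else
            echo "FAIL: $directive $path holds $got, expected $want"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# make_samples DIR: constructed inputs (placeholder bodies, not real key material).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE REQUEST-----' > "$1/site.csr"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1/site.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$1/site.key"
    printf '%s\n' 'SSLEngine on' "SSLCertificateFile \"$1/site.csr\"" "SSLCertificateKeyFile \"$1/site.key\"" > "$1/bad.conf"
    printf '%s\n' 'SSLEngine on' "SSLCertificateFile \"$1/site.crt\"" "SSLCertificateKeyFile \"$1/site.key\"" > "$1/good.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_ssl_conf "$tmp/bad.conf" || echo "bad.conf: certificate directive points at a CSR"
check_ssl_conf "$tmp/good.conf"
rm -rf "$tmp"
```

The label check only tells a CSR, certificate and key apart; it does not confirm that the certificate parses or matches the key, which `openssl x509 -in XXX.crt -text` from the comments still covers.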