I'm usually pretty good with Apache and OpenSSL, but this one has me completely baffled. I'm running Apache 2.2.22 and OpenSSL 1.0.1 on a Ubuntu 12.04 LTS Server. I have an IP-based virtual host configured, which redirects all HTTP requests to HTTPS and uses strict transport security to help keep it that way.
I'm migrating the site from a certificate issued by an internal CA to a certificate signed by StartSSL. The current certificate has a 1024-bit RSA key, the new one has a 2048-bit RSA key. The server has one or two other SSL vhosts, all of which use 1024-bit keys. The current certificate works perfectly.
The keys for both certificates are in the same directory, root-owned, and with 600 permissions (the directory is 710). The certificates are both in a different directory, root-owned, and with 644 permissions (the directory has 755). (E.g. both keys are in /var/ssl/keys and both certs are in /var/ssl/certs.)
However, when I change the configuration to use the new certificate (this is the only change, I don't update the hostname or anything else) Apache refuses to start, giving an "unable to write 'random state'" error. I've checked, and I don't have any (root-owned or otherwise) .rnd files hanging around. If I change back to the 1024-bit certificate, Apache starts perfectly and everything is normal.
I came across this FAQ entry, stating that Apache doesn't support 2048-bit keys, but I also came across this blog post stating that the FAQ entry must be old (many of the entries do seem rather ancient) as it works perfectly on Apache 2.2.11.
Can anyone suggest why Apache may be failing with the new certificate?
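A quick diagnostic that belongs before any deeper digging, added here as an example and not part of the original question: it confirms that the SSLCertificateFile and SSLCertificateKeyFile you point the vhost at actually belong to each other, reports the RSA key size (the one thing that changed between the working and failing configurations), and flags a key that openssl cannot read without a passphrase. It assumes only the openssl CLI; the /var/ssl paths from the question are illustrative, the script takes the paths as arguments.

```shell
#!/bin/sh
# Added diagnostic (not from the question): does this cert/key pair belong
# together, and how big is the key? Assumes the openssl CLI is installed.

# check_pair CERT KEY
#   prints "match <bits>" and returns 0 when cert and key share one RSA modulus
#   prints "mismatch"     and returns 1 when they do not
#   prints "unreadable"   and returns 2 when either file cannot be parsed
#   (an encrypted key with no passphrase on hand also lands here)
check_pair() {
    cert="$1"; key="$2"
    # The modulus is public, so comparing it leaks nothing the cert does not.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | cut -d= -f2)
    # -passin pass: stops openssl from prompting on an encrypted key; it then
    # fails instead, which is exactly what we want to detect non-interactively.
    key_mod=$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null | cut -d= -f2)
    if [ -z "$cert_mod" ] || [ -z "$key_mod" ]; then
        echo "unreadable"; return 2
    fi
    if [ "$cert_mod" = "$key_mod" ]; then
        # An RSA modulus printed as n hex digits is a 4n-bit key: the top bit
        # of a generated modulus is always set, so there is no leading zero.
        echo "match $(( ${#cert_mod} * 4 ))"; return 0
    fi
    echo "mismatch"; return 1
}

# key_encrypted KEY: returns 0 if the PEM key carries an ENCRYPTED header,
# i.e. Apache would need SSLPassPhraseDialog or a prompt to load it.
key_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Usage: ./check_pair.sh /var/ssl/certs/new.crt /var/ssl/keys/new.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
    if key_encrypted "$2"; then
        echo "note: $2 is passphrase-protected"
    fi
fi
```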