0

I have created a .csr and .key file in /etc/apache2/ssl/domain/ like

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

like GoDaddy said, then linked to those files with the apache directives:

<VirtualHost *:443>

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/domain/domain.com.csr
SSLCertificateKeyFile /etc/apache2/ssl/domain/domain.com.key
DocumentRoot /clients/domain.com/www/
ScriptAlias /cgi-bin/ /clients/domain.com/cgi/
ServerAlias domain.com www.domain.com *.domain.com
ServerName www.domain.com
ErrorLog /clients/domain.com/logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|/usr/bin/cronolog /clients/domain.com/logs/%Y/%m/%d/access_log" combined
AddType application/x-httpd-php .html
    <Directory />
            Options -Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order deny,allow
            Allow from all
    </Directory>

and when I do

apachectl configtest

it says Syntax OK, but start fails with:

[error] Init: Unable to read server certificate from file /etc/apache2/ssl/domain/domain.csr
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

which seems to suggest either an invalid openssl cert command, or a mismatch in the apache2 directive I would guess, but I can't seem to find anything obvious. I have another SSL GoDaddy cert running on another virtual domain on this box, am I missing something obvious? My csr looks like:

-----BEGIN CERTIFICATE REQUEST-----
MIICiTCCAXECAQAwRDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
EwhTYW5EaWVnbzEVMBMGA1UEChMMRmxpeXByb2R1Y3RzMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA0ZxcveaAefauZvSMiEAJZjhAKRqgym++IeIHEZ2D
PZ5vgp8vB4/UXUBtXQoEKrviCqJDkgzXUAviR3RLpbEMtS3RQdNjBnsVAe7GuAJ9
...
R5Bi9PaKwVOchbnKICZHWSiaDqIv3TOfT+KBcMDsnUzJbdhteUnIfk5VLdgJEuyS
IZiPnEHSh8aVhtfKzrnWYcY9ce3PEQZKfyF+o1lf7vEw80PTUfTD0PysOp20MmJK
5TaF8Zu0waKyilEhWyo7uKX8AsX/mjkl1QljPyHb+uGa7wIDAQABoAAwDQYJKoZI
hvcNAQEFBQADggEBAIVHReg+
-----END CERTIFICATE REQUEST-----
batflaps
  • 179
  • 1
  • 3
  • 10

1 Answers1

1

CSR != CER

You're mixing up certificate requests and certificates proper.

You need to submit your CSR to a certification authority (CA).

They will then turn your CSR (and your money) into a proper CER.

(You may want to look into https://letsencrypt.org if you want to skip the "money" step.)

Sidenote: OpenSSL error messages are generally terrible.

Community
  • 1
StackzOfZtuff
  • 1,842
  • 13
  • 21
  • GoDaddy says csr is invalid too. – batflaps Jan 16 '16 at 17:20
  • You didn't put in a "common name". Your DNS domain name needs to go there. Check for yourself: https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp – StackzOfZtuff Jan 16 '16 at 17:26
  • Fixed it, thanks @StackzOfZtuff, the issue was I was abbreviating the state name instead of spelling it out, and also the CN I changed to the FQDN, not just the org name. – batflaps Jan 16 '16 at 18:59