CentOS7 Apache: RSA certificate does NOT include an ID which matches the server name


I know this issue has been raised before, and I have searched through all the answers and tried all of the suggestions, none of which solved my problem, so I'll ask for assistance in a new thread.

I have installed and configured a new CentOS7 system, to replace one that got too outdated. It primarily exists to serve up a copy of ownCloud on my network. The previous system worked perfectly, and was configured with an SSL certificate. I have copied over the vhosts.conf file, the certificate files, the key file, and set up ownCloud in the same configuration as I had on the previous system.

However, when I start up Apache, it fails and logs these errors:

[ssl:info] [pid 4787] AH02200: Loading certificate and private key of SSL-aware server 'owncloud.domain.com:443'
[ssl:debug] [pid 4787] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[ssl:info] [pid 4787] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[ssl:debug] [pid 4787] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul  4 10:13:52 năm trước GMT / notafter: Jul  4 10:13:52 năm ngoái GMT]
[ssl:warn] [pid 4787] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[ssl:debug] [pid 4787] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[ssl:emerg] [pid 4787] AH02238: Unable to configure RSA server private key
[ssl:emerg] [pid 4787] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

The certificate in question is not self-generated -- it is a purchased commercial certificate and was working perfectly on the previous system. Both systems used the same server name, the same IP address and the same vhosts.conf.

The httpd.conf specifies that Apache should listen on both ports 80 and 443.

The vhosts.conf file is:

    # The <VirtualHost> and <Directory> tags were lost when this post was
    # extracted and are reconstructed here: the ports are implied by
    # "SSLEngine On" and the Redirect, and the <Directory> path is assumed
    # to be the DocumentRoot.
    <VirtualHost *:443>
        DocumentRoot /var/www/html/owncloud
        ServerName owncloud.domain.com
        ServerAlias www.owncloud.domain.com
        Header always add Strict-Transport-Security "max-age=15768000"
        ErrorLog logs/owncloud.domain.com-ssl-error_log
        CustomLog logs/owncloud.domain.com-ssl-access_log common
        <Directory /var/www/html/owncloud>
            AllowOverride All
        </Directory>

        SSLEngine On
        SSLProtocol -ALL -SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
        SSLCertificateFile    /etc/pki/tls/certs/owncloud_domain_com.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/owncloud.key
        SSLCACertificateFile  /etc/pki/tls/certs/owncloud_bundle.crt
    </VirtualHost>

    <VirtualHost *:80>
        ServerName owncloud.domain.com
        Redirect permanent / https://owncloud.domain.com/
    </VirtualHost>

The relevant lines from httpd.conf are:

Listen 80
Listen 443
ServerName owncloud.domain.com:443

The rest of the httpd.conf file is pretty much as it was installed by CentOS.

I have used openSSL to test the certificate and key files, using the -modulus argument, and the results from both are identical. I also tested for the text of the server name and it is correct in the certificate file, so it does not appear as if anything has happened to either the certificate or the key. Nothing should have -- I copied all the certificate files to a backup before installing the new system, then put them back.

As I mentioned, I've tried everything I could find via on-line searching, but nothing has worked, so any suggestions would be appreciated.

-- Norm

As requested, here is the output of "openssl x509 -in owncloud_domain_com.crt -text -noout":

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7c:a7:38:a8:1a:67:2d:e3:b4:13:fa:49:33:e8:27:e6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Sep 12 00:00:00 2013 GMT
            Not After : Sep 11 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=owncloud.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 Subject Key Identifier: 
                8C:70:79:27:C0:EE:36:6F:23:58:2E:46:2B:A6:A7:DE:E3:39:99:B1
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.net/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name: 
                DNS:owncloud.domain.com, DNS:www.owncloud.domain.com
    Signature Algorithm: sha256WithRSAEncryption

Replacing SSLCACertificateFile with SSLCertificateChainFile in the vhosts file, and starting Apache gives these log messages:

[Thu May 03 17:39:52.296052 2018] [ssl:info] [pid 6048] AH02200: Loading certificate and private key of SSL-aware server 'owncloud.domain.com:443'
[Thu May 03 17:39:52.296536 2018] [ssl:debug] [pid 6048] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 03 17:39:52.296856 2018] [ssl:info] [pid 6048] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[Thu May 03 17:39:52.297384 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (3 CA certificates)
[Thu May 03 17:39:52.297399 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 03 17:39:52.297413 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Thu May 03 17:39:52.297509 2018] [ssl:warn] [pid 6048] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 03 17:39:52.297599 2018] [ssl:debug] [pid 6048] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul  4 10:13:52 năm trước GMT / notafter: Jul  4 10:13:52 năm ngoái GMT]
[Thu May 03 17:39:52.297612 2018] [ssl:warn] [pid 6048] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[Thu May 03 17:39:52.297621 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Thu May 03 17:39:52.297649 2018] [ssl:emerg] [pid 6048] AH02238: Unable to configure RSA server private key
[Thu May 03 17:39:52.297667 2018] [ssl:emerg] [pid 6048] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

In effect, not much has changed, as Apache still won't start.

As requested, the first few lines of the private key file:

-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDCcib4fqnUYaGV
mzy6h6e6EUonHY+WeqkwygWV/zwZEcto9pKMyv5ZSYRPTsW4/e3glPMXBlbxIzhj
6f1W76AP8nYplcWJLuj/Qn+JHfaA7nlCHUehtA2Vcut9AuVnvutZZyA3fp+EySXv
Mu8/RhKjXx0C8Zm6vvGKJczw4MSP8JlUtYs+KoXXzVsTbrLCgLBYf0+JUoKBU9s4
Um37cMk8ziRKYZDjsYtKe1D7hA6A3sWZp7czidK7jGH2OoWVHrj46pTo/koxhJpV
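The following script is an editor's example added to this page, not part of Norm's post: it reproduces the three checks mod_ssl applies at start-up (AH02238 key/certificate match, AH02412/AH01909 subjectAltName versus ServerName, AH01906 CA flag) with the stock openssl CLI, so a vhost can be verified before httpd is restarted. It assumes OpenSSL 1.0.2 or newer; the file names and the owncloud.example host are placeholders, and the self-signed test pair it generates is constructed material.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce mod_ssl's start-up checks with
# the openssl CLI before restarting httpd. Assumes OpenSSL 1.0.2 or newer;
# every file name and host name below is a placeholder.
bits_of() {  # pull "(N bit" out of openssl -text output
    grep -E '(Public|Private)-Key: \([0-9]+ bit' | head -n1 | sed 's/.*(\([0-9]*\) bit.*/\1/'
}
cert_bits() { openssl x509 -in "$1" -noout -text 2>/dev/null | bits_of; }
key_bits()  { openssl pkey -in "$1" -noout -text 2>/dev/null | bits_of; }

# 1. X509_check_private_key (AH02238): the SubjectPublicKeyInfo in the cert
#    must equal the one derived from the key. Works for RSA and EC alike.
cert_key_match() {  # $1 = cert, $2 = key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 2. AH02412/AH01909: the ServerName (or a ServerAlias) must appear as a DNS
#    subjectAltName. Exact match only; wildcard entries are not expanded.
cert_matches_host() {  # $1 = cert, $2 = hostname
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
        | sed 's/^ *//' | grep -qx "DNS:$2"
}

# 3. AH01906: a server cert must not carry BasicConstraints CA:TRUE; seeing
#    it usually means a different file than intended is being loaded.
cert_is_ca() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# Run all three and summarise; returns 0 only when the pair is usable.
check_vhost() {  # $1 = cert, $2 = key, $3 = ServerName
    rc=0
    if cert_key_match "$1" "$2"; then echo "ok: key belongs to certificate"
    else echo "FAIL: key/cert mismatch (cert $(cert_bits "$1") bit, key $(key_bits "$2") bit)"; rc=1; fi
    if cert_matches_host "$1" "$3"; then echo "ok: SAN covers $3"
    else echo "FAIL: no SAN entry DNS:$3"; rc=1; fi
    if cert_is_ca "$1"; then echo "FAIL: certificate is a CA certificate"; rc=1; fi
    return $rc
}

# Constructed test material: a throw-away self-signed pair for a placeholder
# name (SAN = name and www.name, CA:FALSE). Not the poster's certificate.
make_test_pair() {  # $1 = output prefix, $2 = hostname, $3 = RSA bits
    printf 'subjectAltName=DNS:%s,DNS:www.%s\nbasicConstraints=CA:FALSE\n' "$2" "$2" >"$1.ext"
    openssl req -new -newkey "rsa:$3" -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
```

The mismatch report prints the RSA size on each side because a key and certificate of different sizes can never belong together, whatever an earlier -modulus comparison appeared to show; run it as `check_vhost /etc/pki/tls/certs/site.crt /etc/pki/tls/certs/site.key owncloud.example` against the real files.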