I know this issue has been raised before, and I have searched through all the answers and tried all of the suggestions, none of which solved my problem, ví I'll ask for assistance in a new thread.
I have installed and configured a new CentOS7 system, to lớn replace one that got too outdated. It primarily exists to lớn serve up a copy of ownCloud on my network. The previous system worked perfectly, and was configured with an SSL certificate. I have copied over the vhosts.conf tệp tin, the certificate files, the key tệp tin, and phối up ownCloud in the same configuration as I had on the previous system.
However, when I start up Apache, it fails and logs these errors:
[ssl:info] [pid 4787] AH02200: Loading certificate và private key of SSL-aware server 'owncloud.domain.com:443'
[ssl:debug] [pid 4787] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[ssl:info] [pid 4787] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[ssl:debug] [pid 4787] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 năm trước GMT / notafter: Jul 4 10:13:52 năm ngoái GMT]
[ssl:warn] [pid 4787] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[ssl:debug] [pid 4787] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[ssl:emerg] [pid 4787] AH02238: Unable to lớn configure RSA server private key
[ssl:emerg] [pid 4787] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
The certificate in question is not self-generated -- it is a purchased commercial certificate and was working perfectly on the previous system. Both systems used the same server name, the same IP address and the same vhosts.conf.
The httpd.conf specifies that Apache should listen on both ports 80 and 443.
The vhosts.conf tệp tin is:
DocumentRoot /var/www/html/owncloud
ServerName owncloud.domain.com
ServerAlias www.owncloud.domain.com
Header always add Strict-Transport-Security "max-age=15768000"
ErrorLog logs/owncloud.domain.com-ssl-error_log
CustomLog logs/owncloud.domain.com-ssl-access_log common
AllowOverride All
SSLEngine On
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/owncloud_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/owncloud.key
SSLCACertificateFile /etc/pki/tls/certs/owncloud_bundle.crt
ServerName owncloud.domain.com
Redirect permanent / https://owncloud.domain.com/
The relevant lines from httpd.conf are:
Listen 80
Listen 443
ServerName owncloud.domain.com:443
The rest of the httpd.conf tệp tin is pretty much as it was installed by CentOS.
I have used openSSL to lớn test the certificate and key files, using the -modulus argument, and the results from both are identical. I also tested for the text of the server name and it is correct in the certificate tệp tin, ví it does not appear as if anything has happened to lớn either the certificate or the key. Nothing should have -- I copied all the certificate files to lớn a backup before installing the new system, then put them back.
As I mentioned, I've tried everything I could find via on-line searching, but nothing has worked, ví any suggestions would be appreciated.
-- Norm
As requested, here is the output of "openssl x509 -in owncloud_domain_com.crt -text -noout":
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:a7:38:a8:1a:67:2d:e3:b4:13:fa:49:33:e8:27:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Sep 12 00:00:00 2013 GMT
Not After : Sep 11 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=owncloud.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ca:c8:8d:41:91:c5:0e:ed:86:a4:6a:6f:fb:86:
6c:a5:4d:68:cb:80:51:f3:2e:7f:9c:97:8a:43:a0:
3e:45:7a:cd:83:ad:a6:72:03:98:20:e5:a0:04:a8:
0b:d0:45:e6:62:ec:1d:c0:d7:fa:04:13:30:b5:e8:
40:f7:00:ef:14:19:c2:37:f3:dd:af:87:cc:70:d5:
dd:51:7a:10:17:35:79:5b:0f:86:4e:d8:ce:73:11:
96:d4:00:c8:41:f9:7d:5c:2e:c5:06:6b:4d:04:d6:
11:6a:03:80:11:c5:06:d9:f5:d1:6d:60:2b:a8:3b:
ba:5d:38:0b:1d:dc:dc:48:3d:ae:ef:7b:48:c2:d9:
5c:c2:72:83:46:bc:d2:78:fd:02:cf:a8:b3:99:66:
36:05:9b:89:56:26:96:2c:1c:eb:54:6d:31:39:32:
4d:e9:f0:b9:b1:ca:e3:8d:40:85:03:9a:37:2d:94:
e8:a6:2c:c9:fd:ba:d2:8f:5c:95:63:e4:52:55:f8:
4a:5a:14:af:a1:ba:38:4d:b8:d9:92:28:98:3d:40:
89:e3:43:f1:bc:ea:14:29:3e:40:09:ad:f8:35:29:
80:1b:4d:a4:91:e2:9d:0b:0c:e5:0d:2b:13:a5:07:
82:9a:97:6b:6f:b1:69:c5:4d:c1:1b:11:cd:07:2c:
38:eb:e7:bb:93:2f:57:aa:a1:38:bb:b7:70:5c:89:
6d:47:d8:e0:6d:1b:9e:60:50:83:b6:93:49:36:7e:
57:c8:c8:2a:f7:30:cb:ee:a5:f5:e7:0c:f3:6f:1a:
82:54:a2:20:49:f5:68:c4:f1:c2:7b:0e:29:28:a8:
2c:9c:52:f4:5f:39:25:2f:fe:f4:ea:7e:92:cc:95:
c9:a5:92:2a:06:8e:9c:00:d0:c1:1c:52:e0:fb:42:
1b:fe:8c:ef:49:82:9a:55:74:5b:95:e1:ec:a6:6f:
96:e6:ae:0d:d9:be:24:db:4e:cc:e0:2d:a3:61:cb:
2a:e3:67:81:6f:5a:72:80:7c:0f:1b:e0:8b:ad:9e:
e2:6a:f7:32:0b:78:c1:ca:ac:38:97:7a:76:53:0f:
9d:12:49:5b:ab:d9:ea:b9:ca:cb:8d:e1:fa:bd:f8:
11:05:05:c7:90:f0:4e:f3:81:75:57:4a:3e:2a:3a:
10:65:34:ea:1c:c0:18:68:bb:f9:0a:6e:ee:fe:73:
16:6d:1f:e8:2c:bf:91:3d:df:26:98:93:8d:88:52:
04:7d:46:ab:eb:6f:e0:9f:1d:f9:ed:b2:75:dc:d8:
eb:61:69:14:83:12:82:09:75:c5:5a:51:a4:2d:17:
fa:ce:66:16:11:bd:5a:a8:ea:9e:af:b3:06:03:86:
5e:fb:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
8C:70:79:27:C0:EE:36:6F:23:58:2E:46:2B:A6:A7:DE:E3:39:99:B1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:owncloud.domain.com, DNS:www.owncloud.domain.com
Signature Algorithm: sha256WithRSAEncryption
3a:a6:56:b7:56:ce:f0:ed:e6:ba:d7:1c:31:9d:ff:3d:67:88:
f3:6c:d8:c9:28:42:06:b7:66:2b:39:c6:0b:c4:0a:b2:1d:5e:
f6:4f:4b:30:65:1c:71:4e:a8:89:03:2a:28:45:ca:10:f6:dd:
34:7e:1a:e2:51:a5:c6:32:46:b5:7d:6d:da:2e:ef:51:73:0d:
11:f4:eb:2d:82:4f:22:82:50:fc:ad:be:45:f3:32:96:eb:11:
88:6b:a6:62:3d:3f:7b:a9:b5:d8:af:a4:40:03:00:05:cf:fa:
6b:6a:41:d1:7c:26:6e:66:b0:5a:36:9c:d2:b5:c4:c7:a2:c2:
ce:3a:27:6a:e9:35:18:54:0d:52:05:30:fc:57:74:68:43:ea:
9b:bb:39:d8:b2:81:e8:8a:b6:f2:31:36:81:f4:b7:16:16:1c:
ff:e5:e2:d5:23:78:e2:13:26:8e:31:1e:e1:9f:fd:d2:b7:20:
d4:75:a4:74:32:c3:e9:25:b7:d5:1d:ab:e8:d6:ea:80:13:58:
77:e1:f5:d7:dd:b0:3d:ca:bc:4c:24:40:ff:2d:d2:15:12:97:
56:ed:04:87:aa:85:98:89:b4:f3:ce:32:67:de:43:80:36:fd:
b5:32:2a:69:fb:4d:65:f8:fb:be:fa:08:d1:3b:a6:12:28:46:
34:31:24:1a
Replacing SSLCACertificateFile
with SSLCertificateChainFile
in the vhosts tệp tin, and starting Apache gives these log messages:
[Thu May 03 17:39:52.296052 2018] [ssl:info] [pid 6048] AH02200: Loading certificate và private key of SSL-aware server 'owncloud.domain.com:443'
[Thu May 03 17:39:52.296536 2018] [ssl:debug] [pid 6048] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 03 17:39:52.296856 2018] [ssl:info] [pid 6048] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[Thu May 03 17:39:52.297384 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (3 CA certificates)
[Thu May 03 17:39:52.297399 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 03 17:39:52.297413 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Thu May 03 17:39:52.297509 2018] [ssl:warn] [pid 6048] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 03 17:39:52.297599 2018] [ssl:debug] [pid 6048] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: [email protected],CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 năm trước GMT / notafter: Jul 4 10:13:52 năm ngoái GMT]
[Thu May 03 17:39:52.297612 2018] [ssl:warn] [pid 6048] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[Thu May 03 17:39:52.297621 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Thu May 03 17:39:52.297649 2018] [ssl:emerg] [pid 6048] AH02238: Unable to lớn configure RSA server private key
[Thu May 03 17:39:52.297667 2018] [ssl:emerg] [pid 6048] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
In effect, not much has changed, as Apache still won't start.
As requested, the first few lines of the private key file:
-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDCcib4fqnUYaGV
mzy6h6e6EUonHY+WeqkwygWV/zwZEcto9pKMyv5ZSYRPTsW4/e3glPMXBlbxIzhj
6f1W76AP8nYplcWJLuj/Qn+JHfaA7nlCHUehtA2Vcut9AuVnvutZZyA3fp+EySXv
Mu8/RhKjXx0C8Zm6vvGKJczw4MSP8JlUtYs+KoXXzVsTbrLCgLBYf0+JUoKBU9s4
Um37cMk8ziRKYZDjsYtKe1D7hA6A3sWZp7czidK7jGH2OoWVHrj46pTo/koxhJpV