Fresh installation with official SSL Cert

  • Hi...
    Today I installed a new server with Debian Squeeze...
    After this I used the nightly script to install imscp..
    Everything seems to be ok...
    At the step with the SSL for the panel I chose the official SSL cert, because I had bought a cert on http://www.psw.net/ssl-zertifikate.cfm (Positiv SSL).
    I created a key and a CSR on my server.
    After this I put the key file into the folder /etc/apache2/ssl/. When I received the cert I uploaded the intermediate and the cert file to the same folder (/etc/apache2/ssl/).


    During the installation of imscp the dialog asked for the key file... OK - this works.
    After this the dialog asked for the cert file and there my problem began... I entered the right path and the correct filename, but at the bottom of the dialog you can see an error that the cert file is not a certificate.
    If I put the intermediate file there the dialog goes on... But the next mask asks me again for the intermediate file...
    To complete the dialog I gave the same file for the intermediate..


    After all the setup completed correctly. But the ssl doesn't work.
    I should edit the 00_master_ssl.conf on my own to enable the correct ssl files.


    I hope you understand me Daniel..


    Greets
    Sascha

  • First test key:

    Quote

    openssl rsa -in /path/to/key.key -noout -passin pass:"yourpass"


    Next verify certificate:

    Quote

    openssl verify /path/to/cert.crt


    Please post the output (I think your system language is set to German and the regexp is English).

  • All regexp must be safe daniel :P


  • I take that back. I do not think it is the regexp. I first want to see the output from openssl verify /path/to/cert.crt. I think it lacks the intermediate certificate.

  • First I did this

    Code
    openssl rsa -in /root/certs/srv04.key -noout -passin pass:""


    Then

    Code
    openssl verify /root/certs/srv04.crt


    This is the error

    Code
    srv04.crt: /OU=Domain Control Validated/OU=PositiveSSL/CN=admin.srv04.mydomain.de
    error 20 at 0 depth lookup:unable to get local issuer certificate


  • The certificate is not valid without an intermediate certificate. Do you have one?
    If yes, test like this:

    Code
    openssl verify -CAfile /path/to/intermediate/cert.crt /path/to/cert.crt


    If not, ask your provider to provide one, since the certificate is not valid without it. Or the host does not recognize your CA as a valid one, in which case you have to add your CA to your server.

  • I'll try to get a test certificate from Comodo (this is the original issuer for PositiveSSL certificates) to see if I get an intermediate certificate (and if it is needed).

  • I have an intermediate certificate

    Code
    openssl verify -CAfile srv04.ca-bundle srv04.crt
    admin_srv04_meinedomain.crt: OK


    That's not the problem. The installation is the problem.. The dialog asked for 3 different files:
    1. My key file
    2. The cert file
    3. The intermediate certificate file


    In step 2 the dialog will not accept my cert file. Only the intermediate certificate file is accepted. That's the whole problem...


    Now I have looked inside the setup.log

    Code
    Modules::openssl::ssl_check_cert: /etc/apache2/ssl/srv04.crt: /OU=Domain Control Validated/OU=PositiveSSL/CN=admin.srv04.meineDomain.de
    error 20 at 0 depth lookup:unable to get local issuer certificate
    [ERROR] [Mon Jul 25 18:05:28 2011] Modules::openssl::ssl_check_cert: Certificate /etc/apache2/ssl/srv04.crt is not valid. Exiting...


    Maybe you have to change the dialog. First you ask for the intermediate certificate file and then for the cert file, or?

  • I found the error. I asked first for the key (was ok), next for the certificate (this gets tested and fails if the CAfile was not set), then for the intermediate (too late).
    It is supposed to be:


    1 Ask key
    2 Ask intermediate certificate
    3 Ask certificate (this also checks the certificate and needs the intermediate if it exists).


    Should be fixed in http://sourceforge.net/apps/trac/i-mscp/changeset/5045 .
    If you want to test, just remove the yourhost.pem file in /etc/imscp and run setup again.


    Thank you for finding and helping me see the problem.

  • Well Daniel...
    The setup runs perfectly!
    But after installation Apache hangs and I'm not able to connect through the web interface.
    I need to kill Apache.
    If I start Apache again I get this error in the default-error.log

    Code
    [Tue Jul 26 08:41:56 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jul 26 08:41:56 2011] [warn] RSA server certificate is not a leaf certificate (BasicConstraints: pathlen == 1 > 0 !?)
    [Tue Jul 26 08:41:56 2011] [warn] RSA server certificate CommonName (CN) `PositiveSSL CA' does NOT match server name!?
    [Tue Jul 26 08:41:56 2011] [error] Unable to configure RSA server private key
    [Tue Jul 26 08:41:56 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


    If I add the lines manually

    Code
    SSLCertificateFile /etc/apache2/ssl/admin_srv04_myDomain_de.crt
    SSLCertificateKeyFile /etc/apache2/ssl/admin_srv04_myDomain_de.key
    SSLCertificateChainFile /etc/apache2/ssl/admin_srv04_myDomain_de.ca-bundle


    everything is ok.


    Greatz
    Sascha

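The three conditions behind the errors in this thread (a CA certificate configured as the server certificate, "key values mismatch", and "unable to get local issuer certificate") can be checked before Apache is restarted. The script below is an added example, not part of the thread or of i-MSCP; the function names are hypothetical and the key file is assumed to be unencrypted.

```shell
#!/bin/sh
# Pre-flight check for an Apache key / certificate / chain triple.
# Added example: function names are hypothetical, KEY is assumed unencrypted.
# Usage: preflight KEY CERT CHAIN

# Succeeds when CERT is an end-entity certificate, i.e. not marked CA:TRUE.
is_leaf() {
    ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds when the public key inside CERT belongs to the private key KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds when CERT verifies against the CA certificates in CHAIN.
# The output is matched instead of the exit status, because old OpenSSL
# releases exit 0 from "verify" even when verification fails.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints the first problem found and returns non-zero; prints OK otherwise.
preflight() {
    is_leaf "$2" || { echo "FAIL: $2 is a CA certificate"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 2; }
    chain_ok "$3" "$2" || { echo "FAIL: $2 does not verify against $3"; return 3; }
    echo "OK"
}
```

Giving the intermediate file where the server certificate is expected, as happened in the setup dialog, stops at the first check with return code 1.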