httpd-users mailing list archives

From "Kaplan, Andrew H." <AHKAP...@PARTNERS.ORG>
Subject RE: FW: [users@httpd] Problem Starting Apache with SSL -- URGENT
Date Mon, 09 Feb 2004 17:36:26 GMT
Hi David,

I tried the approach that I mentioned in the previous e-mail, and it didn't
work. I'll try the unencrypted approach and let you know how it turns out.
The problem that still perplexes me is that the server did work with the
encrypted keys previously. Why would something as simple as changing the
alias in the httpd.conf file and subsequently restarting the server cause
all this problem?

-----Original Message-----
From: David Tonhofer, m-plify S.A. [mailto:d.tonhofer@m-plify.com]
Sent: Monday, February 09, 2004 12:11 PM
To: Kaplan, Andrew H.
Subject: RE: FW: [users@httpd] Problem Starting Apache with SSL --
URGENT




--On Monday, February 09, 2004 11:31 AM -0500 "Kaplan, Andrew H." 
<AHKAPLAN@PARTNERS.ORG> wrote:

> Hi David --
>
> I did run the openssl command with the modulus and md5 options and
> verified the x509 and rsa keys did match. One question: would setting up
> the server private key as non-encrypted be a serious security hole?
>

Not if you make it root-readable only. Someone might still be able to snarf
your backup tapes of course... I personally don't like it to have the keys
lying around unencrypted but that was the only way to get things to work in
my case. Here are the permissions:

Toplevel directory:

drwxr-xr-x    2 root     root         4096 Jan 29 02:06 /etc/ssl.httpd/

And underneath:

-rw-r--r--    1 root     root        globalsign-chain.pem
-rw-r--r--    1 root     root        globalsign-pss-cert.pem
-rw-r--r--    1 root     root        globalsign-ss-cert.pem
-rw-r--r--    1 root     root        www.m-plify.com-cert.pem
-rw-------    1 root     root        www.m-plify.com.csr
-rw-------    1 root     root        www.m-plify.com.key     <-- unencrypted
-rw-------    1 root     root        www.m-plify.com.key-enc <-- encrypted



> -----Original Message-----
> From: David Tonhofer, m-plify S.A. [mailto:d.tonhofer@m-plify.com]
> Sent: Monday, February 09, 2004 11:27 AM
> To: Kaplan, Andrew H.
> Subject: RE: FW: [users@httpd] Problem Starting Apache with SSL --
> URGENT
>
>
> Hmmm.....deleting/recreating sounds harsh. How do you know the error
> will be corrected? OTOH, as you can back up the existing keys, it's
> not going to hurt.
>
> Apparently you also have already tried to 'verify' the certificates.
>
> I would really try to set up the server private key as non-encrypted,
> and see whether things work then.
>
> Best,
>
> 	-- David
>
>
> --On Monday, February 09, 2004 10:53 AM -0500 "Kaplan, Andrew H."
> <AHKAPLAN@PARTNERS.ORG> wrote:
>
>> Hi David,
>>
>> I have only one SSL host on the server. Basically, the virtual host is
>> set up so that when a user logs onto the website, he/she is automatically
>> connected via SSL.
>>
>> While we're on the subject, I had an idea that I am posting to the user
>> group:
>>
>> What if I started from scratch by deleting the ssl .crt, .crl, .csr,
>> .key, and .prm directories and recreated the keys and made the machine
>> its own certificate authority again? Do you recommend or not suggest I
>> take that approach?
>>
>> -----Original Message-----
>> From: David Tonhofer, m-plify S.A. [mailto:d.tonhofer@m-plify.com]
>> Sent: Monday, February 09, 2004 10:07 AM
>> To: Kaplan, Andrew H.
>> Subject: Re: FW: [users@httpd] Problem Starting Apache with SSL --
>> URGENT
>>
>>
>> Hi Andrew,
>>
>> Do you have more than one SSL-ed virtual host and are your keys
>> encrypted? I know that I am totally unable to start my webserver if the
>> keys are encrypted due to something very very mysterious, so
>> decrypting the keys just *might* help....
>>
>> Best,
>>
>> 	-- David
>>
>>
>> --On Monday, February 09, 2004 8:04 AM -0500 "Kaplan, Andrew H."
>> <AHKAPLAN@PARTNERS.ORG> wrote:
>>
>>> Sorry to have to be alarmist about this. The server in question is down,
>>> and I need to resolve this matter asap. I am unable to start the server
>>> either with or without ssl enabled. Here is the original e-mail I sent
>>> out. Again, my apologies to everyone...
>>
>>
>>
>
>
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
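
Added example, not part of the original thread: a shell check for the trade-off discussed above, reporting each private key in a certificate directory as encrypted or plaintext and flagging any that group or other can access. The function names, file names and PEM contents are constructed for illustration; file ownership is not checked.

```shell
# Added example (not from the thread). PEM bodies below are constructed.

# Print "encrypted" or "plaintext" for a PEM private key, nothing otherwise.
key_state() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || return 0
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# One line per key file: STATUS STATE MODE NAME. Returns 1 on any FAIL.
# Ownership is not checked here; only the group/other mode bits are.
audit_key_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_state "$f")
        [ -n "$state" ] || continue          # certificates and CSRs are skipped
        perms=$(ls -ld -- "$f" | cut -c1-10)
        case "$perms" in
            ????------) status=OK ;;         # owner-only access
            *) if [ "$state" = plaintext ]; then
                   status=FAIL; rc=1         # cleartext key exposed
               else
                   status=WARN               # still passphrase-protected
               fi ;;
        esac
        printf '%s %s %s %s\n' "$status" "$state" "$perms" "${f##*/}"
    done
    return "$rc"
}

# Build a constructed directory shaped like the listing in the message.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' > "$d/site-cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$d/site.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'constructed' > "$d/site.key-enc"
    chmod 644 "$d/site-cert.pem"; chmod 600 "$d/site.key" "$d/site.key-enc"
    echo "$d"
}

sample=$(make_sample_dir)
audit_key_dir "$sample"                  # both keys 0600: two OK lines
chmod 644 "$sample/site.key"             # simulate a world-readable key
audit_key_dir "$sample" || echo "FAIL: plaintext key readable beyond owner"
rm -rf "$sample"
```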

