httpd-users mailing list archives

From "J.Lance Wilkinson" <jl...@psulias.psu.edu>
Subject [users@httpd] Apache HTTPD 2.2.6 + mod_ssl 2.2.6 -- odd error...
Date Wed, 01 Dec 2010 04:37:44 GMT
My organization recently switched its SSL Certificate vendor and the new
supplier (COMODO) insists (reasonably) that we use 2048-bit Private and Public 
keys.

So I take a running Apache installation, HTTPD v2.2.6, with mod_ssl v2.2.6 and
openssl v0.9.8g running on Solaris 10, currently using a Thawte certificate, 
and upgrade it for the new vendor's certificates.

I implement the new certificates, reboot httpd, and both aspects where the new 
certificate is used in the server (mod_ssl and an additional module, mod_cosign 
from http://weblogin.org) seem to be working properly.  That is, mod_cosign 
works as expected providing single signon features, and mod_ssl appears to be 
encrypting properly.  Short of sniffing the wire to verify the data between 
browser and server, the little padlock icons are proudly displayed by the 
browser and page info displays confirm security by the vendor expected, dates 
expected, etc.

But my httpd log files present an unexpected error each and every time a
browser visits an SSL encrypted page (2 examples cited):

User interface error
unable to load Private Key
22188:error:0906A068:PEM routines:PEM_do_header:bad password
  read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:

User interface error
unable to load Private Key
22439:error:0906A068:PEM routines:PEM_do_header:bad password
  read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:

Any idea what these might be?

I have already verified that the private key file is NOT password protected. 
I've also seen notations on both sites for Apache and mod_ssl:

         "Why does my 2048-bit private key not work?"
         http://www.modssl.org/docs/2.8/ssl_faq.html
         http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#keysize

both seem to say that 2048-bit private keys are NOT ALLOWED because of 
incompatibility w/ certain web browsers.  Meanwhile it's not clear that I could 
even generate a 2048-bit public key without having a 2048-bit private key.  So 
how could these COMODO certs EVER work if this was the issue?


Count this with a layer of extreme urgency, as this new vendor is my only
source for certificates now, and I have two production webservers with current
certs expiring in about 30 hours that I need to replace w/ these new certs.

Another server in the organization running RHEL v2.2.3 has no such issues;
naturally the powers that be have no examples of v2.2.6 on Solaris to compare
against.


-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
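The two things the post asks about, whether a key file is passphrase-protected and whether it really is 2048 bits, can both be read straight out of the PEM file. OpenSSL's PEM_do_header reports "bad password read" when the PEM it is loading carries the legacy encryption headers (Proc-Type: 4,ENCRYPTED / DEK-Info) and the passphrase callback hands back nothing, so the useful check is to run it over every key file the server loads, not only the one named by SSLCertificateKeyFile. The script below is an added example, not code from the post or from Apache/mod_ssl: it detects the encryption headers, parses the RSAPrivateKey DER structure far enough to read the modulus size, and builds its own constructed sample keys (structure-only placeholders, not usable keys) so it runs offline.

```python
import base64
import re

# Legacy OpenSSL PEM encryption headers; their presence is what makes
# PEM_do_header ask for a passphrase.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "DEK-Info:")


def pem_is_encrypted(pem_text: str) -> bool:
    """True if loading this key would need a passphrase: legacy Proc-Type/DEK-Info
    headers, or a PKCS#8 'ENCRYPTED PRIVATE KEY' block."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def pem_body(pem_text: str, label: str) -> bytes:
    """Return the DER bytes inside the first '-----BEGIN <label>-----' block,
    skipping any 'Name: value' header lines (base64 never contains ':')."""
    pattern = (r"-----BEGIN " + re.escape(label) + r"-----(.*?)-----END "
               + re.escape(label) + r"-----")
    match = re.search(pattern, pem_text, re.S)
    if not match:
        raise ValueError("no %s block found" % label)
    lines = [ln.strip() for ln in match.group(1).strip().splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and ":" not in ln))


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos and return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(pem_text: str) -> int:
    """Modulus size of an unencrypted PKCS#1 'RSA PRIVATE KEY' PEM.
    RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }"""
    der = pem_body(pem_text, "RSA PRIVATE KEY")
    tag, seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, _, pos = der_read(seq, 0)           # version
    tag, modulus, _ = der_read(seq, pos)   # modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_key(pem_text: str, min_bits: int = 2048) -> dict:
    """Summary a practitioner wants: is it encrypted, how big is it, does it pass."""
    encrypted = pem_is_encrypted(pem_text)
    bits = None if encrypted else rsa_key_bits(pem_text)  # ciphertext is not parseable DER
    return {"encrypted": encrypted, "bits": bits,
            "ok": (not encrypted) and bits >= min_bits}


# --- constructed sample input (hypothetical, structure-only; not a real key) ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 when needed
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items: bytes) -> bytes:
    content = b"".join(items)
    return b"\x30" + der_len(len(content)) + content


def build_sample_pem(bits: int, encrypted: bool = False) -> str:
    """Build a PKCS#1-shaped PEM whose modulus has exactly `bits` bits. The other
    integers are placeholders, so this is only good for exercising the checks above."""
    n = (1 << (bits - 1)) | 1
    der = der_seq(der_int(0), der_int(n), der_int(65537), *(der_int(1) for _ in range(6)))
    b64 = base64.encodebytes(der).decode()
    headers = ""
    if encrypted:   # header only; the body is left unencrypted for the test
        headers = "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    return "-----BEGIN RSA PRIVATE KEY-----\n" + headers + b64 + "-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    for bits, enc in ((2048, False), (1024, False), (2048, True)):
        print(bits, enc, check_key(build_sample_pem(bits, enc)))
```

On the server itself the same two facts come from `openssl rsa -in server.key -noout -text` (the first line reports the key size and an encrypted file prompts for a passphrase) and the modulus comparison `openssl rsa -in server.key -noout -modulus` against `openssl x509 -in server.crt -noout -modulus`, which confirms the key and the new vendor's certificate belong together.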

