httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yehuda Katz <yeh...@ymkatz.net>
Subject Re: [users@httpd] Can a certificate error bring down a server?
Date Thu, 17 Oct 2013 00:10:25 GMT
On Wed, Oct 16, 2013 at 5:17 AM, John McIntyre <joh98.mac@gmail.com> wrote:

> This morning, I head into the office, and as usual, login to my horde
> instance for e-mail and calendar.  At the same time, trying to get mailman
> running, I decide to remove the mailman instance with yum remove mailman.
>  Five minutes later, as I'm typing an e-mail, I suddenly get kicked off the
> server, and when I try to reconnect, I get 'certificate not approved' in my
> browser (chrome).
>

It does not look like the default CentOS mailman package touches apache
configuration except the file /etc/httpd/conf.d/mainman.conf which it
creates.

 That's not right, I thought.  So I change that and the other SSL file
> lines to point to my certificates, which are in /etc/httpd/ssl.  Like an
> idiot, I didn't back that file up beforehand.
>
> I restart apache and this appears in the logs ..
>
> [Wed Oct 16 09:52:34 2013] [error] Init: Unable to read server certificate
> from file /etc/pki/tls/private/localhost.key
> [Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218529960
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218595386
> error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> And this is rather worrying, since at no time in the past fortnight, have
> I fiddled with the httpd.conf file, so there's no reason why it should
> suddenly stop pointing to the correct certificate.  And I don't think that
> removing mailman would cause this - I only mentioned it to eliminate it as
> a possible cause.
>
> Any ideas?
>

That should only appear in the logs if there is some other place in the the
httpd configuration that has that path (/etc/pki/tls/private/localhost.key).
That particular error indicates that you should open the file in question
and see if it looks right.


I have started using etckeeper to automatically version /etc . I don't know
if there is a package for CentOS, but it is not too hard to install and
would probably help you next time.
It hooks into YUM (and other package managers) to make sure there is a
commit before and after each action the package manager does.
It also has an option to make a nightly commit in case you made changes and
did not manually commit them.

- Y

Mime
View raw message