After replacing ssl certificate, apache fails to start but gives no error

on 17.12.2007 18:35:17 by Richard Onanian

I've updated my ssl public certificate and intermediate certificate
according to the instructions at
http://www.verisign.com/support/ssl-certificates-support/page_dev019509.html
I also made sure the file permissions match. Now apache won't start, and
doesn't indicate any error:

[root@EmpowerWeb root]# apachectl startssl
Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server webamc.annamaria.edu:443 (RSA)
Enter pass phrase:
[root@EmpowerWeb root]# netstat -anp | grep 443
[root@EmpowerWeb root]#

Also, nothing shows up in /var/log/httpd/error_log,
/var/log/httpd/access_log (of course), or /var/log/messages.


If I put the old certificate back, it works:

[root@EmpowerWeb root]# apachectl startssl
Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server webamc.annamaria.edu:443 (RSA)
Enter pass phrase:
[root@EmpowerWeb root]# netstat -anp | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1197/httpd
[root@EmpowerWeb root]#


How can I troubleshoot this? I don't have any experience with modssl; I've
inherited responsibility for this system. Our certificate expires in two
days. :(

Thanks,
Rick Onanian
Network Administrator
Anna Maria College

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: After replacing ssl certificate, apache fails to start but gives no error

on 17.12.2007 21:21:54 by Richard Onanian

I wrote:
> I've updated my ssl public certificate and intermediate certificate
> according to the instructions [...]
> I also made sure the file permissions match. Now apache won't start, and
> doesn't indicate any error:
> Also, nothing shows up in /var/log/httpd/error_log,
> /var/log/httpd/access_log (of course), or /var/log/messages.

Okay, I figured it out. I tried breaking things until I found the same
symptom. I found that when I used the wrong private key, it had the same
symptom. Sure enough, that was the problem. The CSR I used to get the
certificate signed by Verisign was for a different key. I now have a
significantly better understanding of how the whole process works.

Why doesn't modssl provide any error message or log entry?

Is it insecure to use an old key pair? What's the appropriate thing to
do -- create a new key pair (and a new CSR) each time you renew your
signed certificate, or just re-use the old key pair and get a new signed
certificate?

Thanks,
Rick Onanian
Network Administrator
Anna Maria College
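
Added example, not part of the original thread: a pre-flight check for the mismatch described above, comparing the public key in the certificate, the private key and (optionally) the CSR before Apache is restarted. The function names and the file names in the usage line are hypothetical, and it assumes an OpenSSL command line recent enough to have the `pkey` subcommand.

```shell
#!/bin/sh
# Added example: confirm a certificate, private key and optional CSR carry
# the same public key before pointing mod_ssl at them.

# Print a SHA-256 digest of the public key held in FILE.
# KIND is x509 (certificate), pkey (private key) or req (CSR).
pubkey_digest() {
    kind=$1 file=$2
    pem=$(case "$kind" in
        (x509) openssl x509 -in "$file" -noout -pubkey ;;
        (req)  openssl req  -in "$file" -noout -pubkey ;;
        (pkey) openssl pkey -in "$file" -pubout ;;  # prompts if key is encrypted
        (*)    false ;;
    esac) || return 1
    # Refuse to hash empty output, or two unreadable files would "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r
}

# check_pair CERT KEY [CSR]
# Returns 0 on match, 1 on mismatch, 2 if a file could not be parsed.
check_pair() {
    cert_d=$(pubkey_digest x509 "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    key_d=$(pubkey_digest pkey "$2")  || { echo "cannot parse private key: $2" >&2; return 2; }
    if [ "$cert_d" != "$key_d" ]; then
        echo "MISMATCH: $1 was not issued for the key in $2"
        return 1
    fi
    if [ -n "$3" ]; then
        csr_d=$(pubkey_digest req "$3") || { echo "cannot parse CSR: $3" >&2; return 2; }
        if [ "$csr_d" != "$key_d" ]; then
            echo "MISMATCH: $3 was generated from a different key than $2"
            return 1
        fi
    fi
    echo "OK: public keys match"
}

# Usage: sh check_pair.sh server.crt server.key [server.csr]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

Running the CSR through the same check before submitting it to the CA catches the wrong-key case before a certificate is issued for it.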
