[Bug 64308] New: Wrong private key, but Apache started.

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64308

            Bug ID: 64308
           Summary: Wrong private key, but Apache started.
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Hello everyone

Why are the logs of Server 1 and Server 2 different?
Server 1 and Server 2 have the same certificate and certificate key.

Because of this difference, server1 does not generate an error when starting
from Apache.
However, server2 gives an error.

Actually, the certificate and the key file do not match (wrong key file and
certificate).
However, Apache on server1 was started.
Apache on server2 is not started.
Do you know why?

I'm looking forward to hearing from you.
Hope everything is good.

server 1
version : centos6, openssl/1.0.1e , apache 2.4.41(built:Feb 24 2020) and
          centos7, openssl/1.1.1d,  apache 2.4.41(built: Mar 13 2020)

[Sun Apr 05 20:53:08.809610 2020] [ssl:info] [pid 6780] AH02200: Loading
certificate & private key of SSL-aware server 'm.chunilmall.com:443'
[Sun Apr 05 20:53:08.809778 2020] [ssl:debug] [pid 6780]
ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase
not required
[Sun Apr 05 20:53:08.809843 2020] [ssl:info] [pid 6780] AH01914: Configuring
server m.chunilmall.com:443 for SSL protocol
[Sun Apr 05 20:53:08.809847 2020] [ssl:trace3] [pid 6780]
ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1,
TLSv1.2)
[Sun Apr 05 20:53:08.809952 2020] [ssl:trace1] [pid 6780]
ssl_engine_init.c(682): Configuring client authentication
[Sun Apr 05 20:53:08.810095 2020] [ssl:trace1] [pid 6780]
ssl_engine_init.c(746): Configuring permitted SSL ciphers
[HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA]
[Sun Apr 05 20:53:08.810206 2020] [ssl:debug] [pid 6780]
ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA
certificate)
[Sun Apr 05 20:53:08.810211 2020] [ssl:debug] [pid 6780]
ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Sun Apr 05 20:53:08.810214 2020] [ssl:debug] [pid 6780]
ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Sun Apr 05 20:53:08.810283 2020] [ssl:trace3] [pid 6780] ssl_util_ssl.c(484):
[m.chunilmall.com:443] SSL_X509_match_name: expecting name 'm.chunilmall.com',
matched by ID 'm.chunilmall.com'
[Sun Apr 05 20:53:08.810322 2020] [ssl:debug] [pid 6780] ssl_util_ssl.c(495):
AH02412: [m.chunilmall.com:443] Cert matches for name 'm.chunilmall.com'
[subject: CN=m.chunilmall.com,OU=Domain Control Validated,C=KR / issuer:
CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE / serial:
03618108EA17A071E1CCC36A / notbefore: Mar 19 08:30:09 2020 GMT / notafter: Mar
20 08:30:09 2022 GMT]
[Sun Apr 05 20:53:08.810326 2020] [ssl:debug] [pid 6780]
ssl_engine_init.c(988): AH02236: Configuring RSA server private key

server 2
version : aws, centos7, openssl/1.1.1d, apache/2.4.41(Unix) (built:Mar 10 2020)

[Sun Apr 05 21:19:02.628142 2020] [ssl:info] [pid 6944:tid 140066288195392]
AH01914: Configuring server m.chunilmall.com.crt:443 for SSL protocol
[Sun Apr 05 21:19:02.628164 2020] [ssl:trace3] [pid 6944:tid 140066288195392]
ssl_engine_init.c(598): Creating new SSL context (protocols: TLSv1, TLSv1.1,
TLSv1.2, TLSv1.3)
[Sun Apr 05 21:19:02.628258 2020] [ssl:trace1] [pid 6944:tid 140066288195392]
ssl_engine_init.c(864): Configuring client authentication
[Sun Apr 05 21:19:02.628452 2020] [ssl:debug] [pid 6944:tid 140066288195392]
ssl_engine_init.c(2062): AH02209: CA certificate: CN=AlphaSSL CA - SHA256 -
G2,O=GlobalSign nv-sa,C=BE
[Sun Apr 05 21:19:02.628460 2020] [ssl:trace1] [pid 6944:tid 140066288195392]
ssl_engine_init.c(934): Configuring permitted SSL ciphers
[HIGH:MEDIUM:!MD5:!RC4:!3DES:!aNULL:!eNULL:!EXP]
[Sun Apr 05 21:19:02.628591 2020] [ssl:debug] [pid 6944:tid 140066288195392]
ssl_engine_init.c(1130): AH01904: Configuring server certificate chain (1 CA
certificate)
[Sun Apr 05 21:19:02.628597 2020] [ssl:debug] [pid 6944:tid 140066288195392]
ssl_engine_init.c(498): AH01893: Configuring TLS extension handling
[Sun Apr 05 21:19:02.628637 2020] [ssl:emerg] [pid 6944:tid 140066288195392]
AH02561: Failed to configure certificate m.chunilmall.com.crt:443:0, check
/test2/web/apache2.4.41/conf/ssl/test/a.key
[Sun Apr 05 21:19:02.628648 2020] [ssl:emerg] [pid 6944:tid 140066288195392]
SSL Library Error: error:0909006C:PEM routines:get_name:no start line
(Expecting: CERTIFICATE) -- Bad file contents or format - or even just a
forgotten SSLCertificateKeyFile?
[Sun Apr 05 21:19:02.628656 2020] [ssl:emerg] [pid 6944:tid 140066288195392]
SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM
lib

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
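
A check that can be run before httpd is started, so that a certificate/key mismatch like the one reported above is caught regardless of how a given httpd build reacts to it. This is an added example, not part of the bug report and not httpd's own code; it assumes the `openssl` command-line tool with the `pkey` subcommand, and the two file arguments stand for the files named by SSLCertificateFile and SSLCertificateKeyFile.

```shell
#!/bin/sh
# Added example: compare the public key inside a certificate with the public
# key derived from a private key file.
# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.

# Read a PEM public key on stdin, print the SHA-256 of its DER encoding.
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

cert_key_match() {
    cert_file=$1
    key_file=$2

    # Empty when the file holds no CERTIFICATE block (for example a key file
    # configured where the certificate was expected).
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || cert_pub=
    if [ -z "$cert_pub" ]; then
        echo "cannot read a certificate from $cert_file" >&2
        return 2
    fi

    # "-passin pass:" makes openssl fail instead of prompting on an
    # encrypted key, so the check never blocks in a deployment script.
    key_pub=$(openssl pkey -in "$key_file" -passin pass: -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ]; then
        echo "cannot read an unencrypted private key from $key_file" >&2
        return 2
    fi

    cert_fp=$(printf '%s\n' "$cert_pub" | spki_digest)
    key_fp=$(printf '%s\n' "$key_pub" | spki_digest)

    if [ "$cert_fp" = "$key_fp" ]; then
        echo "match: public key sha256 $cert_fp"
        return 0
    fi
    echo "MISMATCH: certificate $cert_fp, private key $key_fp" >&2
    return 1
}

# Stand-alone use: sh check.sh <certificate.pem> <private-key.pem>
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

Comparing the whole public key works for RSA and EC keys alike, which a modulus-only comparison does not.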

[Bug 64308] Wrong private key, but Apache started.

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64308

--- Comment #1 from yui <[hidden email]> ---
(In reply to yui from comment #0)
> Hello everyone
>
Server1 and Server2 have the same certificate and certificate key.
server1 does not generate an error when starting from Apache.
However, server2 gives an error.

Actually, the certificate and the key file do not match (wrong key file and
certificate).
However, Apache on server1 was started
Apache on server2 is not started.
Do you know why?

I'm looking forward to hearing from you.
Hope everything is good.

>
> I'm looking forward to hearing from you.
> Hope everything is good.
>
> server 1
> version : centos6, openssl/1.0.1e , apache 2.4.41(built:Feb 24 2020) and
>           centos7, openssl/1.1.1d,  apache 2.4.41(built: Mar 13 2020)
>
> [Sun Apr 05 20:53:08.809610 2020] [ssl:info] [pid 6780] AH02200: Loading
> certificate & private key of SSL-aware server 'm.chunilmall.com:443'
> [Sun Apr 05 20:53:08.809778 2020] [ssl:debug] [pid 6780]
> ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass
> phrase not required
> [Sun Apr 05 20:53:08.809843 2020] [ssl:info] [pid 6780] AH01914: Configuring
> server m.chunilmall.com:443 for SSL protocol
> [Sun Apr 05 20:53:08.809847 2020] [ssl:trace3] [pid 6780]
> ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1,
> TLSv1.2)
> [Sun Apr 05 20:53:08.809952 2020] [ssl:trace1] [pid 6780]
> ssl_engine_init.c(682): Configuring client authentication
> [Sun Apr 05 20:53:08.810095 2020] [ssl:trace1] [pid 6780]
> ssl_engine_init.c(746): Configuring permitted SSL ciphers
> [HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA]
> [Sun Apr 05 20:53:08.810206 2020] [ssl:debug] [pid 6780]
> ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA
> certificate)
> [Sun Apr 05 20:53:08.810211 2020] [ssl:debug] [pid 6780]
> ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
> [Sun Apr 05 20:53:08.810214 2020] [ssl:debug] [pid 6780]
> ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
> [Sun Apr 05 20:53:08.810283 2020] [ssl:trace3] [pid 6780]
> ssl_util_ssl.c(484): [m.chunilmall.com:443] SSL_X509_match_name: expecting
> name 'm.chunilmall.com', matched by ID 'm.chunilmall.com'
> [Sun Apr 05 20:53:08.810322 2020] [ssl:debug] [pid 6780]
> ssl_util_ssl.c(495): AH02412: [m.chunilmall.com:443] Cert matches for name
> 'm.chunilmall.com' [subject: CN=m.chunilmall.com,OU=Domain Control
> Validated,C=KR / issuer: CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign
> nv-sa,C=BE / serial: 03618108EA17A071E1CCC36A / notbefore: Mar 19 08:30:09
> 2020 GMT / notafter: Mar 20 08:30:09 2022 GMT]
> [Sun Apr 05 20:53:08.810326 2020] [ssl:debug] [pid 6780]
> ssl_engine_init.c(988): AH02236: Configuring RSA server private key
>
> server 2
> version : aws, centos7, openssl/1.1.1d, apache/2.4.41(Unix) (built:Mar 10
> 2020)
>
> [Sun Apr 05 21:19:02.628142 2020] [ssl:info] [pid 6944:tid 140066288195392]
> AH01914: Configuring server m.chunilmall.com.crt:443 for SSL protocol
> [Sun Apr 05 21:19:02.628164 2020] [ssl:trace3] [pid 6944:tid
> 140066288195392] ssl_engine_init.c(598): Creating new SSL context
> (protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
> [Sun Apr 05 21:19:02.628258 2020] [ssl:trace1] [pid 6944:tid
> 140066288195392] ssl_engine_init.c(864): Configuring client authentication
> [Sun Apr 05 21:19:02.628452 2020] [ssl:debug] [pid 6944:tid 140066288195392]
> ssl_engine_init.c(2062): AH02209: CA certificate: CN=AlphaSSL CA - SHA256 -
> G2,O=GlobalSign nv-sa,C=BE
> [Sun Apr 05 21:19:02.628460 2020] [ssl:trace1] [pid 6944:tid
> 140066288195392] ssl_engine_init.c(934): Configuring permitted SSL ciphers
> [HIGH:MEDIUM:!MD5:!RC4:!3DES:!aNULL:!eNULL:!EXP]
> [Sun Apr 05 21:19:02.628591 2020] [ssl:debug] [pid 6944:tid 140066288195392]
> ssl_engine_init.c(1130): AH01904: Configuring server certificate chain (1 CA
> certificate)
> [Sun Apr 05 21:19:02.628597 2020] [ssl:debug] [pid 6944:tid 140066288195392]
> ssl_engine_init.c(498): AH01893: Configuring TLS extension handling
> [Sun Apr 05 21:19:02.628637 2020] [ssl:emerg] [pid 6944:tid 140066288195392]
> AH02561: Failed to configure certificate m.chunilmall.com.crt:443:0, check
> /test2/web/apache2.4.41/conf/ssl/test/a.key
> [Sun Apr 05 21:19:02.628648 2020] [ssl:emerg] [pid 6944:tid 140066288195392]
> SSL Library Error: error:0909006C:PEM routines:get_name:no start line
> (Expecting: CERTIFICATE) -- Bad file contents or format - or even just a
> forgotten SSLCertificateKeyFile?
> [Sun Apr 05 21:19:02.628656 2020] [ssl:emerg] [pid 6944:tid 140066288195392]
> SSL Library Error: error:140AD009:SSL
> routines:SSL_CTX_use_certificate_file:PEM lib

[Bug 64308] Wrong private key, but Apache started.

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64308

Joe Orton <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #2 from Joe Orton <[hidden email]> ---
You claim that version 2.4.41 of httpd produces this output:

[Sun Apr 05 20:53:08.810214 2020] [ssl:debug] [pid 6780]
ssl_engine_init.c(933): AH02232: Configuring RSA server certificate

2.4.41 does not have that debug message on that line of ssl_engine_init.c.

https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.41/modules/ssl/ssl_engine_init.c?revision=1864801&view=markup#l933

CentOS 7's native httpd 2.4.6 does have that log message on that line. So the
behaviour is different because you are using different versions of httpd.

[Bug 64308] Wrong private key, but Apache started.

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64308

yui <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED

--- Comment #3 from yui <[hidden email]> ---
I have 2 questions

1)
I did all the tests in Apache 2.4.41 version.

-Same version-
AWS built Apache: 2.4.41
Source compiled Apache: 2.4.41

But the two versions have different logs.
Do you know why the same version of log is different?


2)
CentOS 7's native httpd 2.4.6 doesn't have that log message on that line.
Eventually, Apache starts with an invalid key file.

[Mon May 18 17:01:58.709825 2020] [ssl:info] [pid 1963] AH02200: Loading
certificate & private key of SSL-aware server 'm.chunilmall.com:443'
[Mon May 18 17:01:58.720341 2020] [ssl:debug] [pid 1963]
ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase
not required
[Mon May 18 17:01:58.720378 2020] [ssl:info] [pid 1963] AH01914: Configuring
server m.chunilmall.com:443 for SSL protocol
[Mon May 18 17:01:58.721528 2020] [ssl:debug] [pid 1963]
ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA
certificate)
[Mon May 18 17:01:58.721542 2020] [ssl:debug] [pid 1963]
ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Mon May 18 17:01:58.721548 2020] [ssl:debug] [pid 1963]
ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Mon May 18 17:01:58.721620 2020] [ssl:debug] [pid 1963] ssl_util_ssl.c(495):
AH02412: [m.chunilmall.com:443] Cert matches for name 'm.chunilmall.com'
[subject: CN=m.chunilmall.com,OU=Domain Control Validated,C=KR / issuer:
CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE / serial:
03618108EA17A071E1CCC36A / notbefore: Mar 19 08:30:09 2020 GMT / notafter: Mar
20 08:30:09 2022 GMT]
[Mon May 18 17:01:58.721623 2020] [ssl:debug] [pid 1963]
ssl_engine_init.c(988): AH02236: Configuring RSA server private key

[Bug 64308] Wrong private key, but Apache started.

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64308

yui <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|VERIFIED                    |UNCONFIRMED
         Resolution|INVALID                     |---
     Ever confirmed|1                           |0

[Bug 64308] Wrong private key, but Apache started.

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64308

Joe Orton <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #4 from Joe Orton <[hidden email]> ---


*** This bug has been marked as a duplicate of bug 64613 ***
