Fix to “Init: Private key not found” whenever trying to configure Apache to run with a Trusted SSL Certificate issued from RapidSSL

Friday, 26th March 2010

Yesterday I had to fight for a while before I could properly install a Trusted SSL certificate issued by RapidSSL.
The problem persisted for a couple of hours before I realized it was caused by myself.
So here is the error I encountered in my Apache error.log.


[Thu Mar 25 09:29:41 2010] [error] Init: Private key not found
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

It took me a couple of hours of futile attempts to fix the error.
Anyway, I'll try to explain in a few words some of the things I tried, mostly following suggestions from web forums and other blogs which claimed that this was the cornerstone that drove Apache off the track.

1. I checked whether the .PEM certificate files are readable by all users, including www-data (since I'm running Apache on Debian).

It’s best if your .pem file permissions are set like:

-rw-r--r-- 1 www-data www-data 3158 2010-03-25 11:07 /etc/apache2/ssl/www.domain.com.pem

2. I tried pointing Apache at the separate .CRT file and .KEY file with the directives shown below:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key

3. I tried modifying /etc/apache2/mods-enabled/ssl.conf

There I attempted to change:

SSLProtocol all -SSLv2
to
SSLProtocol all

This attempt wasn't helpful either.

4. I tried removing the encryption from the RSA private key (while preserving the original file)

debian:~# cp -rpf /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.key.orig
debian:~# /usr/bin/openssl rsa -in /etc/apache2/ssl/www.domain.com.key.orig -out /etc/apache2/ssl/www.domain.com.key

So decrypting the RSA private key from its DES3 encryption and passing it to the Apache webserver didn't change anything.
Whenever I restarted Apache it refused to run once again, though I was no longer asked for a passphrase after running the above commands.

Since all of the above failed, I also tried checking whether the .csr, .crt and .key files weren't broken or something.

debian:~# /usr/bin/openssl x509 -noout -modulus -in /etc/apache2/ssl/www.domain.com.crt
debian:~# /usr/bin/openssl rsa -noout -modulus -in /etc/apache2/ssl/www.domain.com.key
debian:~# /usr/bin/openssl req -noout -modulus -in /etc/apache2/ssl/www.domain.com.csr

I checked the output from the above commands and compared the Modulus values.
If everything is okay with your .key, .csr and .crt files, then the Modulus printed by the above commands should be identical.
This proved there was no match between the modulus of www.domain.com.crt and that of www.domain.com.key.
This gave me the idea that something was probably wrong with www.domain.com.key and that it was not the same file I had used to generate the .csr (Certificate Signing Request).
I checked and realized that all the time I had been using a .key file from my notebook Desktop, and the file from my notebook Desktop was not the original file from the server.
So I immediately ssh-ed to the server and replaced the wrong .key I had stored in /etc/apache2/ssl/www.domain.com.pem with the correct one.
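The three modulus commands above wrapped into one check, as an added example that is not from the original post: each Modulus line is hashed so a mismatch is visible at a glance, and a file that openssl cannot parse as the expected type is reported instead of silently "matching" (the ASN.1 "bad tag" errors in the log above are what OpenSSL reports when the data it is handed does not parse as a private key). The script name and file names are placeholders.

```shell
#!/bin/sh
# Compare the RSA modulus of a certificate, its private key and optionally
# the CSR, using the same three openssl commands as in the post. Each modulus
# is hashed so the lines are short enough to eyeball; a file that openssl
# cannot parse as the expected type (for example a stray file copied into
# the key's place) is reported instead of treated as a match.

# modulus_fingerprint SUBCMD FILE
#   SUBCMD is the openssl subcommand that reads FILE: x509, rsa or req.
#   Prints sha256("Modulus=...") or returns 1 when no modulus can be read.
modulus_fingerprint() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    case "$mod" in
        Modulus=*) printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}' ;;
        *) return 1 ;;
    esac
}

# check_key_pair CRT KEY [CSR]
#   Returns 0 when every modulus agrees, 1 on a mismatch or unreadable file.
check_key_pair() {
    crt_fp=$(modulus_fingerprint x509 "$1") || { echo "cannot read a certificate from $1" >&2; return 1; }
    key_fp=$(modulus_fingerprint rsa "$2")  || { echo "cannot read an RSA private key from $2" >&2; return 1; }
    echo "crt  $crt_fp"
    echo "key  $key_fp"
    status=0
    if [ "$crt_fp" != "$key_fp" ]; then
        echo "MISMATCH: $1 was not issued for the key in $2" >&2
        status=1
    fi
    if [ -n "$3" ]; then
        csr_fp=$(modulus_fingerprint req "$3") || { echo "cannot read a CSR from $3" >&2; return 1; }
        echo "csr  $csr_fp"
        if [ "$csr_fp" != "$key_fp" ]; then
            echo "MISMATCH: $3 was not generated from the key in $2" >&2
            status=1
        fi
    fi
    return "$status"
}

# Usage: ./checkmodulus.sh www.domain.com.crt www.domain.com.key [www.domain.com.csr]
if [ "$#" -ge 2 ]; then
    check_key_pair "$@"
fi
```

Run it on the server where the key actually lives; the key file itself only needs to be readable by root, since Apache loads it at startup before dropping privileges to www-data.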

Now, after restarting the webserver, everything worked like a charm! Praise God 🙂
This experience is another good example of how the simplest human mistakes create the biggest problems, which are also the hardest to track down.


One Response to “Fix to “Init: Private key not found” whenever trying to configure Apache to run with a Trusted SSL Certificate issued from RapidSSL”

  1. Sergio says:

    Thanx! Got me out of the doldrums!

