Fix to "Init: Private key not found" whenever trying to configure Apache to run with a Trusted SSL Certificate issued from RapidSSL
Yesterday I had to fight for a while before I could properly install a Trusted SSL certificate issued by RapidSSL.
The problem persisted for a couple of hours before I realized it was caused by myself.
So here is the error I encountered in my Apache error.log.
[Thu Mar 25 09:29:41 2010] [error] Init: Private key not found
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
It took me a couple of hours of futile attempts to fix the error.
Anyway, I'll try to explain in a few words some of the things I tried, mostly following suggestions from web forums and other blogs which claimed that this or that was the cornerstone that drove Apache off the track.
1. I checked whether the .PEM certificate files are readable by all users, including www-data (since I'm running Apache on Debian).
It's best if your .pem file permissions are set like:
-rw-r--r-- 1 www-data www-data 3158 2010-03-25 11:07 /etc/apache2/ssl/www.domain.com.pem
2. I tried handing the .CRT file and the .KEY file to Apache separately, via the directives shown below:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
3. I tried modifying /etc/apache2/mods-enabled/ssl.conf
There I attempted to change:
SSLProtocol all -SSLv2
to
SSLProtocol all
This attempt wasn't helpful either.
4. I tried removing the encryption from the RSA private key (while preserving the original file):
debian:~# cp -rpf /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.key.orig
debian:~# /usr/bin/openssl rsa -in /etc/apache2/ssl/www.domain.com.key.orig -out /etc/apache2/ssl/www.domain.com.key
So decrypting the RSA private key from its DES3 encryption and passing it to the Apache webserver didn't change anything; whenever I restarted Apache it refused to run once again, though I was no longer asked for a passphrase after running the above commands.
Since all of the above failed, I also tried checking whether the .csr, .crt and .key files were broken or something.
debian:~# /usr/bin/openssl x509 -noout -modulus -in /etc/apache2/ssl/www.domain.com.crt
debian:~# /usr/bin/openssl rsa -noout -modulus -in /etc/apache2/ssl/www.domain.com.key
debian:~# /usr/bin/openssl req -noout -modulus -in /etc/apache2/ssl/www.domain.com.csr
I checked the output from the above commands and compared the Modulus values.
If everything is okay with your .key, .csr and .crt files, the Modulus printed by the above commands should be equal.
This proved there was no match in the modulus between www.domain.com.crt and www.domain.com.key.
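The three-command modulus check above, folded into one script as an added example (not code from the original post): it runs the same openssl subcommands, strips the "Modulus=" prefix and exits non-zero on a mismatch. It assumes openssl is on PATH, and the KEY_PASSPHRASE variable is an assumption for the case where the key is still DES3-encrypted; an unparseable file (the situation behind the ASN.1 errors in the log above) is reported separately from a plain mismatch.

```shell
#!/bin/sh
# Added example (not from the post): automates the openssl modulus comparison.
# Returns 0 if certificate, key and (optional) CSR share one modulus,
# 1 on a mismatch, 2 if a file cannot be parsed. Assumes openssl is on PATH;
# set KEY_PASSPHRASE (assumed variable name) when the key is still encrypted.

get_modulus() {
    # $1 = openssl subcommand (x509 | rsa | req), $2 = PEM file.
    # openssl prints "Modulus=<hex>"; strip the prefix. An empty result means
    # openssl could not parse the file at all.
    case "$1" in
        rsa) openssl rsa -noout -modulus -in "$2" \
                 -passin "pass:${KEY_PASSPHRASE:-}" 2>/dev/null ;;
        *)   openssl "$1" -noout -modulus -in "$2" 2>/dev/null ;;
    esac | sed 's/^Modulus=//'
}

check_keypair() {
    # $1 = certificate (.crt), $2 = private key (.key), $3 = CSR (.csr, optional).
    crt_mod=$(get_modulus x509 "$1")
    key_mod=$(get_modulus rsa "$2")
    [ -n "$crt_mod" ] || { echo "cannot parse certificate: $1" >&2; return 2; }
    [ -n "$key_mod" ] || { echo "cannot parse private key: $2" >&2; return 2; }
    if [ "$crt_mod" != "$key_mod" ]; then
        echo "MISMATCH: $1 was not issued for the key in $2" >&2
        return 1
    fi
    if [ -n "${3:-}" ]; then
        csr_mod=$(get_modulus req "$3")
        [ -n "$csr_mod" ] || { echo "cannot parse CSR: $3" >&2; return 2; }
        if [ "$csr_mod" != "$key_mod" ]; then
            echo "MISMATCH: CSR $3 was not generated from $2" >&2
            return 1
        fi
    fi
    echo "OK: certificate, key${3:+ and CSR} share the same RSA modulus"
    return 0
}
```

Run it as `check_keypair /etc/apache2/ssl/www.domain.com.crt /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.csr`; the `-modulus` option only applies to RSA keys, so for EC keys compare the public keys instead.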
This gave me the idea that probably something was wrong with www.domain.com.key and it was not the same file I had used to generate the .csr (Certificate Signing Request) file.
I checked and realized that all the time I had been using a .key file from my notebook Desktop, and the file from my notebook Desktop was not the original file from the server.
So I immediately ssh-ed to the server and replaced the inappropriate .key file I had stored in /etc/apache2/ssl/www.domain.com.pem with the correct one.
Now after restarting the webserver, all worked like a charm! Praise God :)
This experience is another good example that the simplest human mistakes create the biggest problems, which are also the hardest to track down.