Yesterday I had to fight for a while before I could properly install a trusted SSL certificate issued by RapidSSL.
The problem persisted for a couple of hours before I realized it was caused by myself.
So here is the error I encountered in my Apache error.log:
[Thu Mar 25 09:29:41 2010] [error] Init: Private key not found
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
It took me a couple of hours of futile attempts to fix the error.
Anyway, I'll try to explain in a few words some of the things I tried, mostly following suggestions from web forums and other blogs which claimed that this or that was the cornerstone that drove Apache off the track.
1. I checked if the .PEM certificate files are readable by all users including www-data (since I'm running Apache on Debian).
It's best if your .pem file permissions are set like:
-rw-r--r-- 1 www-data www-data 3158 2010-03-25 11:07 /etc/apache2/ssl/www.domain.com.pem
Note that a world-readable .pem that also contains the private key exposes that key to every local user; Apache reads the key as root at startup, before dropping privileges to www-data, so a root-owned file with mode 0600 is enough and is the safer choice.
2. I tried handing Apache the .CRT file and the .KEY file as separate files from the Apache directives, as shown below:
3. I tried modifying /etc/apache2/mods-enabled/ssl.conf
There I attempted to change:
SSLProtocol all -SSLv2
This attempt wasn't helpful either.
4. I tried removing the encryption from the RSA private key (while preserving the original file):
debian:~# cp -rpf /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.key.orig
debian:~# /usr/bin/openssl rsa -in /etc/apache2/ssl/www.domain.com.key.orig -out /etc/apache2/ssl/www.domain.com.key
So stripping the DES3 encryption from the RSA private key and passing the unencrypted key to the Apache webserver didn't change anything.
Whenever I restarted Apache it refused to run once again, though I was no longer asked for a passphrase after running the above commands.
Since all of the above failed, I also tried checking whether the .csr, the .crt and the .key file were broken in some way:
debian:~# /usr/bin/openssl x509 -noout -modulus -in /etc/apache2/ssl/www.domain.com.crt
debian:~# /usr/bin/openssl rsa -noout -modulus -in /etc/apache2/ssl/www.domain.com.key
debian:~# /usr/bin/openssl req -noout -modulus -in /etc/apache2/ssl/www.domain.com.csr
I checked the output from the above commands and compared the Modulus values.
If everything is okay with your .key, .csr and .crt files, the Modulus printed by all three commands should be identical: the CSR is signed with the private key, and the certificate the CA issues carries the public key from the CSR, so all three embed the same RSA modulus.
This proved there was no match in the modulus between www.domain.com.crt and www.domain.com.key.
That gave me the idea that something was probably wrong with www.domain.com.key and that it was not the same file I had used to generate the .csr (Certificate Signing Request) file.
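The modulus comparison above is easier to do reliably with a small script than by eyeballing two 512-character hex strings. The following POSIX shell snippet is an added example, not part of the original post: it first confirms that the .key file parses as an RSA private key at all (the same parse failure mod_ssl logs as "asn1 encoding routines ... bad tag"), then compares an MD5 fingerprint of the modulus across certificate, key and optional CSR. The demo function builds a throwaway self-signed key/CSR/certificate pair plus a second, unrelated key in a temporary directory, so it runs offline; the file names and the example.com subject are constructed for the demo and are not the author's server files.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a certificate,
# a private key and optionally a CSR really belong together before handing
# them to Apache. All file names below are assumptions for the demo.

# Print an MD5 fingerprint of the RSA modulus of a PEM cert/key/csr.
# Fails (non-zero) when the file does not parse as the requested kind.
tls_modulus() {
    kind="$1"; file="$2"
    case "$kind" in
        crt) mod=$(openssl x509 -noout -modulus -in "$file" 2>/dev/null) || mod= ;;
        key) mod=$(openssl rsa  -noout -modulus -in "$file" </dev/null 2>/dev/null) || mod= ;;
        csr) mod=$(openssl req  -noout -modulus -in "$file" 2>/dev/null) || mod= ;;
        *)   echo "tls_modulus: unknown kind '$kind'" >&2; return 2 ;;
    esac
    [ -n "$mod" ] || { echo "tls_modulus: cannot read modulus from $file" >&2; return 1; }
    printf '%s\n' "$mod" | openssl md5 | sed 's/^.*= *//'
}

# Usage: tls_check_match cert.crt private.key [request.csr]
# Returns 0 when every modulus matches, 1 otherwise.
tls_check_match() {
    crt="$1"; key="$2"; csr="$3"
    # Step 1: is the key a parsable RSA private key at all? A wrong file,
    # a non-PEM format or a still-encrypted key all fail here, which is
    # what produces the "d2i_PrivateKey ... bad tag" errors in error.log.
    if ! openssl rsa -check -noout -in "$key" </dev/null >/dev/null 2>&1; then
        echo "FAIL: $key is not a readable RSA private key" >&2
        return 1
    fi
    # Step 2: certificate and key must share the same modulus.
    m_crt=$(tls_modulus crt "$crt") || return 1
    m_key=$(tls_modulus key "$key") || return 1
    if [ "$m_crt" != "$m_key" ]; then
        echo "FAIL: certificate modulus $m_crt != key modulus $m_key" >&2
        return 1
    fi
    # Step 3 (optional): the CSR that was sent to the CA must match too.
    if [ -n "$csr" ]; then
        m_csr=$(tls_modulus csr "$csr") || return 1
        if [ "$m_csr" != "$m_key" ]; then
            echo "FAIL: CSR modulus $m_csr != key modulus $m_key" >&2
            return 1
        fi
    fi
    echo "OK: modulus fingerprint $m_key shared by all files"
    return 0
}

# Demo with constructed data: a matching key/csr/cert set and a second,
# unrelated key that reproduces the "wrong key file" situation.
tls_demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/good.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$d/good.key" -subj "/CN=www.example.com" \
        -out "$d/good.csr" 2>/dev/null
    openssl x509 -req -in "$d/good.csr" -signkey "$d/good.key" -days 1 \
        -out "$d/good.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    tls_check_match "$d/good.crt" "$d/good.key" "$d/good.csr"   # prints OK
    tls_check_match "$d/good.crt" "$d/other.key" || true         # prints FAIL
    rm -rf "$d"
}
```

Run `tls_demo` to see both outcomes. On a real server, call `tls_check_match /etc/apache2/ssl/www.domain.com.crt /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.csr` before restarting Apache; a FAIL at step 1 points at the key file itself, a FAIL at step 2 or 3 at a key that is not the one the CSR was generated from.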
I checked and realized that all the time I had been using a .key file from my notebook's desktop, and that file was not the original key from the server.
So I immediately ssh-ed to the server and replaced the wrong .key file I had stored in /etc/apache2/ssl/www.domain.com.pem with the correct one.
Now after restarting the webserver, all worked like a charm! Praise God 🙂
This experience is another good example of how the simplest human mistakes create the biggest problems, which are also the hardest to track down.