1

Topic: SSL setup, I can't start apache when I change SSL certificate.

Hi everyone
We have iRedMail on CentOS, and we bought an SSL certificate because accessing the email link shows an alert, but when I put in the new .crt and .key, Apache doesn't work.

In /etc/pki/tls/certs/ and /etc/pki/tls/private there are .pem and .key files. How do I start the Apache service, given that when I change the files the service doesn't work? The path is in ssl.conf (/etc/httpd/conf.d).

So, why do I have a .pem file? On the other hand, what happens if I change port 443 to 80?
Thank you!


2

Re: SSL setup, I can't start apache when I change SSL certificate.

*) Port 443 is HTTPS (SSL), 80 is HTTP (no SSL). Do not change port.
*) File extension doesn't matter on Linux/Unix system.
*) About "apache doesn't work", what's the related error message in the Apache log file?

3

Re: SSL setup, I can't start apache when I change SSL certificate.

OK, the error log says:

[Wed May 28 13:42:31 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed May 28 13:42:31 2014] [error] Init: Unable to read server certificate from file /etc/pki/tls/certs/iRedMail_CA.pem
[Wed May 28 13:42:31 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed May 28 13:42:31 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Thank you for your help!
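The "wrong tag" and "nested asn1 error" pair in that log is OpenSSL's ASN.1 decoder saying that the bytes inside the block it is reading as SSLCertificateFile do not have the structure of an X.509 certificate: typically a private key or CSR pasted under a CERTIFICATE header, a binary DER file, or a copy-paste that corrupted or truncated the base64. The following is an added example, not from this thread or from iRedMail: a stdlib-only Python inspector that lists every PEM block in a file, decodes it, and checks that the DER's outer SEQUENCE and its first element match what the label promises. The sample blocks it runs on are constructed stand-ins with the right outer shape only, not real certificates or keys.

```python
"""Inspect a PEM file the way mod_ssl will: list each PEM block, base64-decode
it, and check that the DER inside has the outer ASN.1 shape the label promises.
A "CERTIFICATE" block whose bytes are really a key, a CSR or a truncated blob is
what makes OpenSSL report "wrong tag" / "nested asn1 error" at Apache start-up.
Added example, stdlib only; the sample blocks at the bottom are constructed."""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# First element expected inside the outer SEQUENCE, by PEM label.
EXPECTED_FIRST = {
    "CERTIFICATE": 0x30,          # tbsCertificate is itself a SEQUENCE
    "CERTIFICATE REQUEST": 0x30,  # certificationRequestInfo SEQUENCE
    "RSA PRIVATE KEY": 0x02,      # PKCS#1: INTEGER version
    "PRIVATE KEY": 0x02,          # PKCS#8: INTEGER version
}


def read_tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos] -> (tag, start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length at offset %d" % (pos - 1))
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length %d overruns the %d-byte buffer" % (length, len(buf)))
    return tag, pos, pos + length


def check_block(label, der):
    """Diagnose one decoded PEM block; returns a short verdict string."""
    if not der:
        return "EMPTY: block has no base64 body"
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30:
            return "BAD: outer tag 0x%02x, expected SEQUENCE (0x30)" % tag
        if end != len(der):
            return "BAD: outer SEQUENCE covers %d of %d bytes (trailing garbage)" % (end, len(der))
        inner_tag, _, _ = read_tlv(der, start)
    except (ValueError, IndexError) as err:
        return "BAD: %s" % err
    want = EXPECTED_FIRST.get(label)
    if want is None:
        return "UNKNOWN LABEL: well-formed DER, %d bytes" % len(der)
    if inner_tag != want:
        return ("WRONG TAG: first element is 0x%02x, but a %s starts with 0x%02x"
                % (inner_tag, label, want))
    return "OK: %s, %d bytes of DER" % (label, len(der))


def inspect_pem(text):
    """Return [(label, verdict), ...] for every PEM block found in text."""
    results = []
    for m in PEM_RE.finditer(text):
        label = m.group(1).strip()
        body = re.sub(r"\s+", "", m.group(2))
        try:
            der_bytes = base64.b64decode(body, validate=True)
        except binascii.Error:
            results.append((label, "BAD: body is not valid base64"))
            continue
        results.append((label, check_block(label, der_bytes)))
    if not results:
        results.append(("(none)", "NO PEM BLOCKS: binary DER, or not a certificate file at all"))
    return results


# --- constructed sample data: right outer shape only, NOT real certs or keys ---
def der(tag, content):
    """Minimal DER TLV encoder (short and long definite lengths)."""
    n = len(content)
    nb = (n.bit_length() + 7) // 8
    lb = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + lb + content


def pem(label, der_bytes):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Certificate shape: SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING sig }
CERT_SHAPED = der(0x30,
                  der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01"))
                  + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                  + der(0x03, b"\x00" + b"\xaa" * 8))
# PKCS#1 RSA key shape: SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }
RSA_KEY_SHAPED = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x00\xc1") + der(0x02, b"\x01\x00\x01"))

if __name__ == "__main__":
    samples = {
        "good cert": pem("CERTIFICATE", CERT_SHAPED),
        "key under CERTIFICATE header": pem("CERTIFICATE", RSA_KEY_SHAPED),
        "truncated paste": pem("CERTIFICATE", CERT_SHAPED[:-5]),
    }
    for name, text in samples.items():
        for label, verdict in inspect_pem(text):
            print("%-30s %-14s %s" % (name, label, verdict))
```

Run it against the real file with `inspect_pem(open("/etc/pki/tls/certs/iRedMail_CA.pem").read())`; a "WRONG TAG" or "BAD" verdict on the block labelled CERTIFICATE is the same thing mod_ssl is reporting. The equivalent one-liner with the OpenSSL CLI is `openssl x509 -in /etc/pki/tls/certs/iRedMail_CA.pem -noout -subject -dates`, and `openssl rsa -in /etc/pki/tls/private/iRedMail.key -check -noout` for the key.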

4

Re: SSL setup, I can't start apache when I change SSL certificate.

Mauricio wrote:

[Wed May 28 13:42:31 2014] [error] Init: Unable to read server certificate from file /etc/pki/tls/certs/iRedMail_CA.pem

What's the file permission of this file? And its parent directory? Does the Apache daemon user have permission to read it?

5

Re: SSL setup, I can't start apache when I change SSL certificate.

Permission:

-rwxr--r-- 1 root root 1476 May 29 13:40 iRedMail_CA.pem

We can't start the httpd service.

6

Re: SSL setup, I can't start apache when I change SSL certificate.

What's the permission of directory /etc/pki/tls/certs/?

7

Re: SSL setup, I can't start apache when I change SSL certificate.

Well, the permissions are:

lrwxrwxrwx. 1 root root    19 May 10 08:26 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x  2 root root  4096 May 29 16:00 certs
drwxr-xr-x. 2 root root  4096 May 10 08:26 misc
-rw-r--r--. 1 root root 10906 Apr  7 04:26 openssl.cnf
drwxr-xr-x. 2 root root  4096 May 29 14:13 private

thank you!

8

Re: SSL setup, I can't start apache when I change SSL certificate.

Could you please show us your SSL related settings in Apache?

9

Re: SSL setup, I can't start apache when I change SSL certificate.

Yes, ssl.conf is in /etc/httpd/conf.d

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/iRedMail_CA.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/iRedMail.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

10

Re: SSL setup, I can't start apache when I change SSL certificate.

Mauricio wrote:

SSLCertificateFile /etc/pki/tls/certs/iRedMail_CA.pem
SSLCertificateKeyFile /etc/pki/tls/private/iRedMail.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Are you using the default SSL certificate generated during iRedMail installation? And why did you comment out 'SSLCertificateChainFile'?
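For reference, this is what the SSL part of that ssl.conf looks like once it points at a purchased certificate rather than the iRedMail-generated one, with the chain directive enabled. It is an added example, not from this thread or from iRedMail, and the file names under /etc/pki/tls are assumed for illustration; use whatever names the vendor shipped. It also tightens the protocol and cipher lines quoted above, which still permit SSLv3, RC4 and LOW-grade ciphers.

```apache
<VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on

    # Only TLS. SSLv2 and SSLv3 are broken protocols; "all -SSLv2" still allowed SSLv3.
    SSLProtocol all -SSLv2 -SSLv3

    # Server picks the cipher; no RC4, DES/3DES, MD5, export or anonymous suites.
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5

    # Purchased server certificate (PEM, one CERTIFICATE block) and its private key.
    # File names are assumed for this example.
    SSLCertificateFile      /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/mail.example.com.key

    # Intermediate CA certificate(s) supplied by the vendor, concatenated in PEM.
    # Without this, clients that do not already hold the intermediate still warn
    # even though the leaf certificate itself is valid.
    SSLCertificateChainFile /etc/pki/tls/certs/mail.example.com.chain.crt
</VirtualHost>
```

Keep the certificate and chain files 0644 and the key 0600, all owned by root; httpd reads them as root before dropping to the apache user, so the key does not need to be readable by that user. Before restarting, confirm the key really belongs to the certificate by comparing `openssl x509 -noout -modulus -in mail.example.com.crt | openssl md5` with `openssl rsa -noout -modulus -in mail.example.com.key | openssl md5` (the two digests must match), run `apachectl configtest`, and then `service httpd restart`; any remaining problem shows up in logs/ssl_error_log.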