SSL Question

[bgrantham]

I hope I am in the correct place. I am a server administrator but in Windows with limited knowledge on linux but can move around pretty good. I received a server with FreeBSD and Apache web server. All is working well but the ssl certificate has expired.

We renewed the certificate from Thawte and got a .crt and a bundle.crt. My question is installing our new cert do I need to recreate .key files and .csr files?

In the httpd-ssl.conf I have a setting for our cert (.crt) and for our key (.key). I do not see it using a CSR file anywhere or a bundle file.

I installed just the cert and restarted Apache but it still holds the old certificate expiration.

I appreciate if you can provide me any information or links. Most of the links I see is for configuring a new server and adding ssl for the very first time.

Thanks Brian

 

[Zhwazi]

Did you replace both the key and the cert or just the cert?

As far as I know the CSR is a certificate signing request and is only used to create the certificate. It isn't used directly by the webserver, only by the SSL signing procedure.

 

[pbd]

Thawte has an HOWTO for installing certificates:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO14822

 

[anomie]

You should read the Thawte howto, as mentioned. But a couple other points for posterity's sake:

We renewed the certificate from Thawte and got a .crt and a bundle.crt. My question is installing our new cert do I need to recreate .key files and .csr files?

Absolutely not. If you recreate your private key, you'll have a useless cert. And you only recreate a CSR when it's time to request a new cert.

In the httpd-ssl.conf I have a setting for our cert (.crt) and for our key (.key). I do not see it using a CSR file anywhere or a bundle file.

You will need to add a directive for the "bundle file" (which is really a CA cert, AKA intermediate cert, AKA cert chain). You don't configure your CSR file anywhere in Apache web server's consciousness. You generate it one time and submit it to the CA for a new cert. That's its purpose.

I installed just the cert and restarted Apache but it still holds the old certificate expiration.

Read the howto and try again. If it's not working, carefully check the SSL error details. If you still can't figure it out, post the exact directives you're using, along with your Apache web server version.

 

[bgrantham]

Thanks everyone for your feedback. We are were making progress but now after a server reboot all instances (4) will not start up. Therefore all are sites are down. If we try to run apachectl with the httpd.conf of the instance no matter which instance the following error shows up.

API module structure "authn_file_module" in file /usr/apache2/modules/mod_authn_file.so is garbled -
 expected signature 41503230 but saw 41503232

Comment that line out and the next module in the list of modules in the httpd.conf gives the same error.

I am trying to determine is this is somehow related to the ssl certificate or not. However, I don't suspect that it is, but at the same time it is becoming a huge issue as we attempt to get apache back up.

Searches on google don't offer as much either on this error. So we are looking for all the error logs to see if we can find more information.

Thanks again for all the assistance you have provided.

Brian

 

[kpa]

/usr/apache2/modules is not a standard directory on FreeBSD for apache modules, the directory should be /usr/local/libexec/apache22, how was the apache2 server installed in the first place?

 

[bgrantham]

Thanks kpa for getting back to me. As for the setup on this server I can't really answer your question as this box has been running for a long time and the people that set it up have long been gone. I have inherited this box and while things may not be in the correct place it is what I have unfortunately.

We did get Apache back up on another server reboot. But the 20 or so reboots prior to this did not get it back up. Not sure what happened, but we will begin the process to find out. We will also be planning to move the applications off this box and onto a newer cleaner install.

Thanks again for your quick responses.

Best regards,

Brian