Friday, December 27, 2013

SSL Key and Certificate Matching

Symptoms:

  • Apache fails to start or restart
  • No errors on STDERR
  • No errors in logs
  • You've recently changed an SSL certificate or the SSL config for a Virtual Host

Diagnosis:

When this happens to me, 99% of the time my SSL key and certificate do not match for some reason (old key with new cert, copy error, vhost typo, etc).  Apache is really not helpful when this occurs. 

"Hey, $JUNIORADMIN!  I'm just not going to start.  Oh, you want error logs?  No, I think I'll skip that.  An error on STDERR?  Nope.  None of that either.  In fact, I think I'll just sit here doing nothing and silently mocking you."

Thanks Apache.

Check that your key and certificate actually belong together. For an RSA pair the quickest test is to compare the modulus of each: the certificate carries the public key, the key file carries the private key, and the two share the same modulus only if they were generated together. (The -modulus option is only meaningful for RSA; for an EC key compare the public keys instead, openssl pkey -pubout for the key against openssl x509 -noout -pubkey for the certificate.) To do the modulus check with openssl:

# Check the Key
$ openssl rsa -noout -modulus -in <your_ssl_key_file>
Modulus=<hex value>

# Check the Cert
$ openssl x509 -noout -modulus -in <your_ssl_cert_file>
Modulus=<hex value>

If the two hex values are identical, the pair matches.

Comparing two long hex strings by eye is tedious (piping each one through openssl md5 gives you a shorter digest to compare), and I've gotten into the habit of checking them every time I make a change to the key and certificate, so I found it easier to make a quick bash script to do this for me.

#!/bin/bash
# Usage: $0 <key> <cert>
# RSA only: -modulus is undefined for EC keys.
KEY=$1
CRT=$2
if [ -z "$KEY" ] || [ -z "$CRT" ] ; then
  echo "usage: $0 <key> <cert>" >&2
  exit 2
fi
# Quote the paths so spaces don't split them. If openssl cannot parse a
# file it prints its own error; bail out instead of comparing empty strings.
KEY_MOD=$(openssl rsa -noout -modulus -in "$KEY") || exit 2
CRT_MOD=$(openssl x509 -noout -modulus -in "$CRT") || exit 2

if [ "$KEY_MOD" != "$CRT_MOD" ] ; then
  echo "No Match"
  exit 1
else
  echo "Key and Certificate match"
fi

Pass the script two arguments, first the key, then the certificate, and it'll compare the two strings for you.
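A variant that also handles EC keys, added here as an example and not part of the original post: instead of the RSA modulus it compares the public key that openssl derives from the private key with the public key embedded in the certificate, so the same function covers RSA, ECDSA and Ed25519 pairs. The main function builds its own throwaway keys and self-signed certificates with openssl (constructed test material; the CN values are placeholders) and runs the check over a matching RSA pair, a matching EC pair, a stray key, and a missing file.

```shell
#!/bin/sh
# Added example, not the original post's script. Compares the public key
# derived from a private key with the public key embedded in a certificate.
# Works for RSA, ECDSA and Ed25519 keys alike, because it compares the
# PEM-encoded SubjectPublicKeyInfo rather than the RSA-only modulus.

# Public key ("BEGIN PUBLIC KEY" PEM) derived from a private key file.
key_pub() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key (same PEM form) extracted from a certificate file.
cert_pub() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Exit status: 0 = key and cert belong together, 1 = they do not,
# 2 = one of the files could not be parsed (missing, wrong format, encrypted).
key_matches_cert() {
    kpub=$(key_pub "$1") || return 2
    cpub=$(cert_pub "$2") || return 2
    [ -n "$kpub" ] && [ -n "$cpub" ] || return 2
    [ "$kpub" = "$cpub" ]
}

# Constructed test material: an RSA pair, an EC pair and a stray RSA key
# that belongs to no certificate. Prints the temp directory it created.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example.test" \
        -keyout "$dir/rsa.key" -out "$dir/rsa.crt" >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ec.key" -days 1 -subj "/CN=ec.example.test" \
        -out "$dir/ec.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}

# Demo: run the check over each fixture combination and report the result.
main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH" >&2
        return 0
    fi
    fixtures=$(make_fixtures)
    for pair in "rsa.key rsa.crt" "ec.key ec.crt" "other.key rsa.crt" "missing.key rsa.crt"; do
        set -- $pair
        rc=0
        key_matches_cert "$fixtures/$1" "$fixtures/$2" || rc=$?
        case $rc in
            0) echo "$1 / $2: match" ;;
            1) echo "$1 / $2: NO MATCH" ;;
            *) echo "$1 / $2: could not parse one of the files" ;;
        esac
    done
    rm -rf "$fixtures"
}

main "$@"
```

The three-way exit status matters in practice: a script that compares two empty strings because openssl choked on an encrypted or mis-copied file would happily report a match, which is exactly the failure the modulus check is supposed to catch.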
