Everyone,

I have been working on a new installation of CentOS 5.0 on an x86_64 machine. The installation has gone well except for httpd. When I start httpd with LogLevel turned to debug all I get is an immediate failure with the following errors in the logs:

/var/log/httpd/error_log:
[Sun Jul 22 13:00:31 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

/var/log/ssl_error.log:
[Sun Jul 22 13:04:32 2007] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 22 13:04:32 2007] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Sun Jul 22 13:04:32 2007] [error] Unable to configure RSA server private key
[Sun Jul 22 13:04:32 2007] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

The ssl errors were present on the old system so I was not too worried about those.

I turned off selinux without a change in symptoms.

I get the same errors whether I start the service via "service httpd start" or "httpd".

When I use "httpd -E /tmp/errors.txt" the errors.txt file is created, but is empty.

"httpd -t" responds with "Syntax OK".

I have done a yum remove of the web server module, and have done a re-install using yum without a change in symptoms.

I have not been able to figure out how to get more data in the logs; httpd seems to be failing too soon to record much.

Anyone's ideas would sure be appreciated !!!

Greg Ennis

Gregory P. Ennis wrote:
> [Sun Jul 22 13:04:32 2007] [warn] RSA server certificate CommonName (CN)
> `localhost.localdomain' does NOT match server name!?
> [Sun Jul 22 13:04:32 2007] [error] Unable to configure RSA server
> private key
> [Sun Jul 22 13:04:32 2007] [error] SSL Library Error: 185073780
> error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch
>
> The ssl errors were present on the old system so I was not too worried
> about those.

Your ServerName isn't the same as the one which is present in the certificate. SSL does not really like that. And it is good to be stricter about that.

> I turned off selinux without a change in symptoms.

Yes, as that error clearly hasn't anything to do with SELinux.

> Anyone's ideas would sure be appreciated !!!

As that seems to be a self-signed certificate: Create a new one with the server's FQDN in the Common Name field (www.example.com, for example).

tinyca2 (which is available from the rpmforge repository) makes creation of new certificates really easy.

Also the "HOWTO" section on <http://www.modssl.org/docs/2.8/ssl_howto.html> has some information.

Cheers,

Ralph
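
An added example, not part of the original thread: a shell script that creates a self-signed certificate with the server's FQDN as Common Name and then checks the two conditions reported in the ssl_error log, the CN against the ServerName and whether the private key belongs to the certificate (OpenSSL's "key values mismatch"). The function names, file names and the use of `openssl pkey` are assumptions of the example; the host names are the ones that appear in the thread.

```shell
#!/bin/sh
# Added example. Function names and file paths are constructed for the demo.

# Create a self-signed certificate whose Common Name is the server's FQDN.
# usage: make_selfsigned FQDN KEYFILE CERTFILE
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Print the Common Name from a certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Check the two conditions from the ssl_error log.
# usage: check_pair SERVERNAME KEYFILE CERTFILE
# returns 0 = ok, 1 = CN differs from ServerName, 2 = key values mismatch,
#         3 = a file could not be parsed
check_pair() {
    # Both commands print the public key as PEM, so equal text means a pair.
    cert_pub=$(openssl x509 -in "$3" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$2" -pubout) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key values mismatch: $2 is not the private key for $3"
        return 2
    fi
    cn=$(cert_cn "$3")
    if [ "$cn" != "$1" ]; then
        echo "CN '$cn' does not match ServerName '$1'"
        return 1
    fi
    echo "ok: $3 pairs with $2 and names $1"
}

# Demo on throwaway files: one good pair, one wrong name, one wrong key.
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned www.example.com "$d/www.key" "$d/www.crt"
    make_selfsigned localhost.localdomain "$d/old.key" "$d/old.crt"
    check_pair www.example.com "$d/www.key" "$d/www.crt"
    check_pair www.example.com "$d/old.key" "$d/old.crt" || true
    check_pair www.example.com "$d/old.key" "$d/www.crt" || true
    rm -rf "$d"
}
demo
```

Run `check_pair` against the files named by SSLCertificateFile and SSLCertificateKeyFile before restarting httpd; a return code of 2 corresponds to the `X509_check_private_key` error in the log.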

On Sun, 2007-07-22 at 22:21 +0200, Ralph Angenendt wrote:
> Gregory P. Ennis wrote:
> > [Sun Jul 22 13:04:32 2007] [warn] RSA server certificate CommonName (CN)
> > `localhost.localdomain' does NOT match server name!?
> > [Sun Jul 22 13:04:32 2007] [error] Unable to configure RSA server
> > private key
> > [Sun Jul 22 13:04:32 2007] [error] SSL Library Error: 185073780
> > error:0B080074:x509 certificate routines:X509_check_private_key:key
> > values mismatch
> >
> > The ssl errors were present on the old system so I was not too worried
> > about those.
>
> Your ServerName isn't the same as the one which is present in the
> certificate. SSL does not really like that. And it is good to be
> stricter about that.
>
> > I turned off selinux without a change in symptoms.
>
> Yes, as that error clearly hasn't anything to do with SELinux.
>
> > Anyone's ideas would sure be appreciated !!!
>
> As that seems to be a self-signed certificate: Create a new one with the
> server's FQDN in the Common Name field (www.example.com, for example).
>
> tinyca2 (which is available from the rpmforge repository) makes creation
> of new certificates really easy.
>
> Also the "HOWTO" section on
> <http://www.modssl.org/docs/2.8/ssl_howto.html> has some information.
>
> Cheers,
>
> Ralph

Ralph,

Thanks for the suggestion to use tinyca2.... great utility!!!!! The link was also excellent.

Unfortunately, I am going to give up on a fix for the failure of httpd and do a repeat install. This is my 4th install of CentOS 5.0 and everything has worked perfectly before. I am sure it must be related to something I have done during my configuration setup, but I cannot find the error for now.

Back to the Salt mines!!!

Greg