httpd-users mailing list archives

From Daniel Ferradal <dferra...@apache.org>
Subject Re: [users@httpd] SSL certificate update failed - httpd-2.4.6-90.el7
Date Mon, 06 Jan 2020 16:06:25 GMT
Who is reporting a 502 exactly?

Perhaps we are missing the entire chain of events to properly diagnose
the issue.

If the problem is a client reporting an issue while proxying to this
server, try to access the web server manually yourself to rule out
issues:

curl -vI https://www.amnetgroup.com

also you can manually try:

openssl s_client -connect www.amnetgroup.com:443 -servername www.amnetgroup.com

and see if those tools report an issue.

If the above works well, it may be a client issue; some clients cannot
handle wildcard certificates. I know you said it is the same
certificate name, etc., but better recheck the whole chain of events.
httpd knows how to match the CN to wildcard certificates and, as
mentioned earlier, it usually comes down to picky clients complaining about
mismatches because they don't know how to deal with wildcard
certificates (lots of Java applications, for example).

Also consider: if the server has an issue with the certificate name, it
will mention it, or fail silently unless debugging is enabled for the ssl
module.

Briefly:

* If httpd sees a difference between the CN and ServerName, then there
really is a difference; make sure the correct cert is installed.
* If the wrong certificate (wrong name) is installed, it will do the
same as above.
* If the installed key and crt are mismatched, it won't even start and will
fail silently (so do make sure httpd is starting when you install the new
certificate).
* If the certificate is correct and the client is complaining, it probably
is a client which can't handle wildcard names, but this is not an
issue; it is a client not prepared for wildcard certificates (Java
apps just need to specify a correct hostname verifier or no hostname
verification at all).

There isn't much more to this than what I described, so pay careful
attention and make sure httpd starts.

On Mon, 6 Jan 2020 at 14:32, Sac Isilia
(<udaypratap.singh65@gmail.com>) wrote:
>
> Hi Martin,
>
> Below is the attribute of the existing working certificate. The only difference is that the new certificate is of validity 2 years, but that should not be an issue.
> We performed below steps while updating -
>
> 1. openssl req -newkey rsa:2048 -nodes -keyout amnetgroup.com.key -out amnetgroup.com.csr -- generated the CSR
> 2. Sent it to the concerned organization and got the updated PKCS#7 certificate (in the form of a .p7b file).
> 3. Extracted the certificate: openssl pkcs7 -inform der -print_certs -in Amnetgroup.p7b -out amnetgroupnew.com.crt
> 4. Updated the certificate content and the private key, and the bundle file that came along with it was updated too.
> 5. Restarted the httpd service. And alas!! The website was throwing the error that I mentioned earlier.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             0b:1a:d3:af:3f:7d:ab:ea:7d:0a:b9:23:99:b1:bf:27
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018
>         Validity
>             Not Before: Jan 23 00:00:00 2019 GMT
>             Not After : Jan 23 12:00:00 2020 GMT
>         Subject: CN=*.amnetgroup.com
>
> X509v3 Subject Alternative Name:
>                 DNS:*.amnetgroup.com, DNS:amnetgroup.com
>
> Below is the attribute of the new certificate of which update is failing.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             0a:8f:61:f5:6f:8c:8b:ce:95:c2:d5:c5:79:8d:2b:d9
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018
>         Validity
>             Not Before: Jan  3 00:00:00 2020 GMT
>             Not After : Mar  3 12:00:00 2022 GMT
>         Subject: CN=*.amnetgroup.com
>
> X509v3 Subject Alternative Name:
>                 DNS:*.amnetgroup.com, DNS:amnetgroup.com
>
> Regards
> Sachin Kumar
>
>
> On Mon, Jan 6, 2020 at 6:34 PM Martin Drescher <drescher@inter.net> wrote:
>>
>> Hi Sachin,
>>
>> for as long as I have been doing this, a non-matching CN and/or v3 SubjectAlternativeName never affected the HTTP server in a way that it would stop working for me. Both messages you quoted, AH02292 and AH01909, are warning messages. They *may* affect your client's behavior. Hence, if there is no person on this list who knows better, this should not be of your concern.
>>
>> What about that 502? This looks like your real issue to me.
>>
>> However, I remember reading that some stuff changed (or will change?) in regard to the VirtualHost clause. But even this would not make sense if your old certificate is still working. The next thing you could do is look for changes in the certificate's attributes. Maybe there is a change that should not be there.
>>
>>
>> Am 04.01.20 um 18:02 schrieb Sac Isilia:
>> > Hi Team,
>> >
>>
>> [...]
>>
>> > *502 - Web server received an invalid response while acting as a gateway or
>> > proxy server.*
>> >
>> > *There is a problem with the page you are looking for, and it cannot be
>> > displayed.*
>> >
>> > *When the Web server (while acting as a gateway or proxy) contacted the
>> > upstream content server, it received an invalid response from the content
>> > server.”*
>> >
>> >   In the error logs I have found below messages .
>> >
>> > ah02292: init: name-based ssl virtual hosts only work for clients with tls
>> > server name indication support
>> >
>> > ah01909: rsa certificate configured for xxxxxxxxxxx:443 does not include an
>> > id which matches the server name
>> >
>> >   Please help me in resolving this issue.
>> >
>> >
>> > Regards
>> >
>> > Sachin Kumar
>> >
>>
>>
>>
>>  Martin
>>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
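The checks Daniel lists (does the private key belong to the certificate, do the certificate's names cover the ServerName with wildcard semantics, does the certificate chain to the supplied bundle) as an added shell example; this is not code from the thread or from the httpd project. It generates its own throwaway self-signed wildcard certificate with the same names as the one in the thread, so it runs offline; the `make_test_cert` helper, the file names and the unrelated `other.pem` key are constructed for the example, and the only tool assumed is the `openssl` CLI (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the thread or the httpd project): local checks to run
# before restarting httpd after a certificate swap. Assumes openssl on PATH.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the subject CN (only consulted when the certificate has no SAN).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does one certificate name cover a host? A wildcard matches exactly one
# leftmost label: *.amnetgroup.com covers www.amnetgroup.com but neither
# amnetgroup.com nor a.b.amnetgroup.com; those need their own SAN entries.
name_matches_host() {
  pat=$1
  host=$2
  case $pat in
    \*.*)
      suffix=${pat#\*.}
      label=${host%%.*}
      rest=${host#*.}
      [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$pat" = "$host" ]
      ;;
  esac
}

# Return 0 when any SAN DNS entry (or the CN, if there is no SAN) covers the
# host. This is the comparison behind httpd's AH01909 warning for a ServerName.
cert_covers_host() {
  cert=$1
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  names=$(cert_san_names "$cert")
  [ -z "$names" ] && names=$(cert_cn "$cert")
  set -f                      # names contain '*'; do not let the shell glob them
  for n in $names; do
    n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
    if name_matches_host "$n" "$host"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# Return 0 when the private key belongs to the certificate (same public key).
# A mismatch here is the case where mod_ssl refuses to start at all.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate verifies against the bundle that came with it.
cert_chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material: a throwaway self-signed wildcard cert carrying the
# names from the thread, plus an unrelated key to show a key/cert mismatch.
make_test_cert() {
  dir=$1
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.amnetgroup.com
[v3]
subjectAltName = DNS:*.amnetgroup.com, DNS:amnetgroup.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/req.cnf" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
}

workdir=$(mktemp -d)
make_test_cert "$workdir"
for h in www.amnetgroup.com amnetgroup.com deep.www.amnetgroup.com; do
  if cert_covers_host "$workdir/cert.pem" "$h"; then
    echo "covered:     $h"
  else
    echo "NOT covered: $h  (httpd would log AH01909 for this ServerName)"
  fi
done
cert_matches_key "$workdir/cert.pem" "$workdir/key.pem"   && echo "key.pem matches cert.pem"
cert_matches_key "$workdir/cert.pem" "$workdir/other.pem" || echo "other.pem does NOT match cert.pem"
cert_chain_ok "$workdir/cert.pem" "$workdir/cert.pem"     && echo "cert.pem verifies against the bundle"
rm -rf "$workdir"
```

To use it on a real deployment, point `cert_covers_host` at the installed certificate and each vhost's ServerName, `cert_matches_key` at the certificate and the key named by SSLCertificateKeyFile, and `cert_chain_ok` at the intermediate bundle and the certificate; the name check is deliberately strict about the apex name and about deeper subdomains, which are the two cases a wildcard-only certificate silently misses.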
