Topic: OpenSSL issue upgrade 2.4.7 to 2.4.10
ALEX1980



Joined: 24 Jan 2015
Posts: 6

Posted: Sun 25 Jan '15 23:18    Post subject: OpenSSL issue upgrade 2.4.7 to 2.4.10

Hello,
I need to upgrade from 2.4.7 to 2.4.10 on my Windows 2008 servers. I have been looking in forums to find a simple method for a minor release upgrade without having to uninstall, and the common theme seems to be below.
1.) stop apache
2.) backup existing apache24 folder
3.) Download 2.4.10 zip
4.) from newly downloaded apache folder copy \bin, \modules, \include, \lib and \manual folders to existing apache24 folder overwriting existing.

Is this a recommended method to upgrade a minor release?

I tried this on one of my sandbox web servers and can't start the apache24 service afterwards. I can see in the logs "Failed to Configure Cert" and "SSL Library Error". Nothing changed with the cert that failed, and my existing httpd.conf file didn't change. Wondering if I'm going about the minor release upgrade all wrong. Appreciate any advice whatsoever.
Thank You,
Alex
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

Posted: Mon 26 Jan '15 1:06

I usually overwrite all files, except for htdocs and conf.

Try starting httpd.exe in the bin folder through the command prompt, to get some more details on the error when starting up.
ALEX1980



Joined: 24 Jan 2015
Posts: 6

Posted: Mon 26 Jan '15 5:39

Thank you for the reply. I do appreciate it.

When starting through admin cmd I get no message or anything. The only log entries I can see are in ssl_engine.log. Last several lines where errors seem to start I posted below. I didn't touch the conf or htdocs folders but did copy over everything else. I put the backed-up 2.4.7 folder back and apache starts up fine, so something is missing when I copy the 2.4.10 folders into apache24, but I can't see what.

[Sun Jan 25 21:06:41.147481 2015] [ssl:debug] [pid 10120:tid 172] ssl_engine_init.c(389): AH01893: Configuring TLS extension handling

[Sun Jan 25 21:06:41.147481 2015] [ssl:emerg] [pid 10120:tid 172] AH02562: Failed to configure certificate myserver.mycompany.com:8143:0 (with chain), check D:/Apache24/bin/certnew_Sandbox_request.cer

[Sun Jan 25 21:06:41.147481 2015] [ssl:emerg] [pid 10120:tid 172] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?

[Sun Jan 25 21:06:41.147481 2015] [ssl:emerg] [pid 10120:tid 172] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

Posted: Mon 26 Jan '15 12:08

Changed the subject to something more meaningful.

Looks like you are dealing with a change in 2.4.8:

*) mod_ssl: Remove the hardcoded algorithm-type dependency for the
SSLCertificateFile and SSLCertificateKeyFile directives, to enable
future algorithm agility, and deprecate the SSLCertificateChainFile
directive (obsoleted by SSLCertificateFile). [Kaspar Brand]


Simply add the contents of your chain file into your certificate file. If you are only using an RSA certificate your configuration should look like this:

SSLCertificateFile conf/ssl/yourdomain.com.cer
SSLCertificateKeyFile conf/ssl/yourdomain.com.key
ALEX1980



Joined: 24 Jan 2015
Posts: 6

Posted: Mon 26 Jan '15 16:55

Thanks Steffen. I really appreciate it. Please excuse my lack of knowledge, as I recently took this over and am learning. We don't use a chain file but use the SSLCACertificateFile. Below are my entries in httpd.conf. Am I to combine SSLCACertificateFile into SSLCertificateFile? Can I ask how this is done? Thank you very much for the help.


SSLCertificateFile "D:\Apache24\bin\certnew_Sandbox_request.cer"

SSLCertificateKeyFile "D:\Apache24\bin\myserver.mycompany.com.key"

SSLCACertificateFile "D:\mycompanyRootCA.cert"
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

Posted: Mon 26 Jan '15 17:31

So you do not have SSLCertificateChainFile.

To add the contents of SSLCACertificateFile into your SSLCertificateFile file:

Copy/paste the content of SSLCACertificateFile "D:\mycompanyRootCA.cert" at the end of SSLCertificateFile "D:\Apache24\bin\certnew_Sandbox_request.cer", so both are in the SSLCertificateFile.
ALEX1980



Joined: 24 Jan 2015
Posts: 6

Posted: Mon 26 Jan '15 18:35

With my SSLCertificateFile being .cer I can't copy the contents of the .cert into the .cer manually via opening in Notepad. Is there a tool for this?

Thank You very much Steffen.
admin
Site Admin


Joined: 15 Oct 2005
Posts: 677

Posted: Mon 26 Jan '15 19:58

I do not know what you are doing.

Post the steps.
ALEX1980



Joined: 24 Jan 2015
Posts: 6

Posted: Mon 26 Jan '15 20:12

I am far from knowing exactly what I am doing... But I really appreciate the friendly help.

Due to 2.4.8 I apparently need to combine my SSLCACertificateFile into SSLCertificateFile. My SSLCACertificateFile is a .cert file with --Begin Cert-- and --End Cert--, while my SSLCertificateFile is a .cert which, when opened in Notepad, is encrypted. I'm not sure how to combine the entries of the .cert into the .cer as recommended.

Thank You
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

Posted: Mon 26 Jan '15 22:36

You do not have ----- BEGIN and ---- END lines in it?

If not, then it looks like you have to convert it to the PEM format; search Google for: convert ssl certificate to pem.


Btw, you can also ask where you get your certificates from.
ALEX1980



Joined: 24 Jan 2015
Posts: 6

Posted: Tue 27 Jan '15 2:17

Thanks Steffen. I'm good now. I really appreciate you taking the time on helping this beginner. I have much to learn.

Thanks!!!
ronnielau



Joined: 04 Jun 2015
Posts: 1
Location: Hong Kong

Posted: Fri 05 Jun '15 4:02

I also experienced this in 2.4.12. I tried to merge the 2 certificates together, and after that the error said our key does not match with your certificates.


[Thu Jun 04 17:49:29.449722 2015] [ssl:emerg] [pid 1580:tid 400] AH02565: Certificate and private key C:/Apache24/conf/ssl/allinone.cer and C:/Apache24/conf/ssl/allinone.key do not match

For the SSLCertificateFile directive
I want to know how the key was merged together here?
and
I don't have the key of ROOT CA

Thanks,
Ronnie
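
The two steps discussed in this thread (converting a binary certificate to PEM, then putting the CA certificate after the server certificate in the SSLCertificateFile), as an added example that is not part of the original posts. It uses only the Python standard library; the function names are hypothetical and the sample bytes are constructed placeholders, not real certificates. OpenSSL takes the first certificate in the file as the server certificate, so the leaf goes first.

```python
import re
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_BLOCK = re.compile(BEGIN + r".+?-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes, NOT real certificates: they only mimic the
# leading DER SEQUENCE tag so the example runs offline.
SAMPLE_LEAF_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_CA_PEM = ssl.DER_cert_to_PEM_cert(
    b"\x30\x82\x00\x10" + bytes(range(16, 32))).encode()


def to_pem_blocks(data):
    """Return every certificate in `data` (PEM, or one DER blob) as PEM text."""
    if BEGIN.encode() in data:
        text = data.decode("ascii", errors="replace")
        # Round-trip through DER to normalise line endings and line width.
        return [ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(m.group(0)))
                for m in PEM_BLOCK.finditer(text)]
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("neither PEM nor DER certificate data")
    return [ssl.DER_cert_to_PEM_cert(data)]  # binary .cer -> PEM text


def build_certificate_file(leaf, chain):
    """Server certificate first, then each CA certificate, as one PEM string."""
    blocks = to_pem_blocks(leaf)
    if len(blocks) != 1:
        raise ValueError("leaf input must hold exactly one certificate")
    for ca in chain:
        blocks.extend(to_pem_blocks(ca))
    return "".join(blocks)


def leaf_is_first(combined, leaf):
    """True when the first block of `combined` is the server certificate."""
    return to_pem_blocks(combined.encode())[:1] == to_pem_blocks(leaf)


if __name__ == "__main__":
    pem = build_certificate_file(SAMPLE_LEAF_DER, [SAMPLE_CA_PEM])
    print(pem, leaf_is_first(pem, SAMPLE_LEAF_DER))
```

Only certificates need to go into the combined file: the server's private key stays in the file named by SSLCertificateKeyFile, and no CA private key is involved.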