
I have received a new SSL certificate from GoDaddy and the old one was from Comodo.

Contents of /etc/ssl/private/pure-ftpd.pem are as follows:

 -----BEGIN PRIVATE KEY-----
 PRIVATE KEY USED TO CREATE THE CSR
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 CONTENTS OF CRT FILE RECEIVED BY GODADDY
 -----END CERTIFICATE-----

After updating the contents of the file I restarted pure-ftpd then checked the status:

 /etc/init.d/pure-ftpd restart
 /etc/init.d/pure-ftpd status

 [ ok ] pure-ftpd is running.

Everything seems good. Now I try to verify the new cert:

Edit: I added the "bundle" CRT file provided by GoDaddy into /etc/ssl/certs, and now I get this output (but am still unable to restart apache2 because of the errors shown below)

 openssl verify -CApath /etc/ssl/certs /etc/ssl/private/pure-ftpd.pem

 pure-ftpd.pem: OK

Then I tried to restart apache2 (supposing that this will tell the system to use the new certificate):

 apache2ctl graceful

 httpd not running, trying to start
 Action 'graceful' failed.
 The Apache error log may have more information.

Apache error log:

 [error] Unable to configure RSA server private key
 [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Seemingly relevant parts of /etc/apache2/sites-available/default-ssl: Does the PEM file declared as SSLCertificateFile need to be updated in some way if I have generated a new private key? (If so, what exactly needs to be in it, and how to accomplish this?)

 SSLCertificateFile    /etc/ssl/certs/my.server.net.pem
 SSLCertificateKeyFile /etc/ssl/private/my.server.net.key

I also tried using these commands to compare the modulus of each file and they are the same:

 openssl x509 -noout -modulus -in /etc/ssl/private/pure-ftpd.pem | openssl md5
 openssl rsa -noout -modulus -in /etc/ssl/private/my.server.net.key | openssl md5

Can anyone point me in the right direction?

Another Edit: When I access the FTP server through a client such as FileZilla, I am greeted with the credentials for the new GoDaddy Certificate. So that's great, but this issue is driving me bonkers!

Jeff Hines
  • Intermediate certificate? – Orphans Feb 15 '17 at 08:18
  • I added the intermediate `crt` file into `/etc/ssl/certs`. Now when I verify with `openssl` it says: `pure-ftpd.pem: OK`. I think the key issue here is that there is something wrong with my private key. – Jeff Hines Feb 15 '17 at 16:53
  • You are referencing a couple of different certs, namely `/etc/ssl/private/pure-ftpd.pem` and `/etc/ssl/certs/my.server.net.pem`, and mention both Apache and pure-ftp. Since you mention only receiving one certificate from your provider, could you maybe explain what files you received (and what files you already had), and where you put them? – iwaseatenbyagrue Mar 10 '17 at 08:15

1 Answer


Does the PEM file declared as SSLCertificateFile need to be updated in some way if I have generated a new private key?

Yes, since it is the certificate, which holds the public part of the key (and other data such as validity dates), so this public part must match the private part in the .key file. You cannot generate them separately.

If what you give at the beginning is your new certificate, you must create the 2 files my.server.net.pem and .key by putting the part inside BEGIN PRIVATE KEY/END PRIVATE KEY (including these lines) in the .key file, and the next part (with the headers) in the .pem file. However, for Apache2 TLS to work in the end, it also depends on the CN + SANs inside your certificate. If it has been made only for the name ftp.myserver.whatever and not also for www.myserver.whatever, then the browsers will display an alert (because of the name mismatch).

Patrick Mevzek
  • Are you saying that the contents of the `crt` file from GoDaddy goes in `/etc/ssl/certs/my.server.net.pem`? Alternative names show as `my.server.net` and `www.my.server.net`. – Jeff Hines Feb 15 '17 at 22:39
  • In your Apache configuration you list 2 files, for your certificate and key. If you changed them and want to use the one from GoDaddy, you need to use information given by GoDaddy to update your 2 files, yes. Or change the path. – Patrick Mevzek Feb 15 '17 at 23:09
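As an added example (not from either poster), a shell check that compares the public key inside a certificate against a private key, which is the same test Apache applies at startup before logging "key values mismatch"; it runs on a constructed key/certificate pair plus an unrelated key, and all file names are placeholders rather than the poster's real paths.

```shell
#!/bin/sh
# Check whether a PEM certificate was issued for a given private key: this is
# the X509_check_private_key test Apache runs at startup, and it fails with
# "key values mismatch" when the cert and key files belong to different keys.
# Comparing the whole public key (not only the RSA modulus) also covers EC keys.
set -eu

# Returns 0 when the private key in $2 matches the certificate in $1.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed fixtures (placeholders, not the poster's real files): a fresh
# key, a self-signed certificate made from it, and an unrelated key standing
# in for a stale SSLCertificateKeyFile left over from a previous CSR.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=my.server.net" \
    -keyout "$work/new.key" -out "$work/new.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/old.key" 2>/dev/null

if cert_matches_key "$work/new.crt" "$work/new.key"; then
    echo "new.crt + new.key: match, Apache would start"
fi
if ! cert_matches_key "$work/new.crt" "$work/old.key"; then
    echo "new.crt + old.key: key values mismatch, same error as in the log"
fi
```

Run it against the files actually named in SSLCertificateFile and SSLCertificateKeyFile; the question compared the FTP PEM against the Apache key, which says nothing about the pair Apache loads.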