Bug 64308 - Wrong private key, but Apache started.
Status: UNCONFIRMED
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.41
Hardware: PC Linux
Importance: P2 normal
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2020-04-05 12:53 UTC by yui
Modified: 2020-05-18 12:22 UTC
Description yui 2020-04-05 12:53:18 UTC
Hello everyone,

Why are the logs of Server 1 and Server 2 different?
Server 1 and Server 2 have the same certificate and certificate key.

Because of this difference, server1 does not generate an error when starting Apache.
However, server2 gives an error.

Actually, the certificate and the key file do not match (wrong key file and certificate).
However, Apache on server1 started,
while Apache on server2 did not start.
Do you know why?

I'm looking forward to hearing from you.
Hope everything is good.

server 1
version : centos6, openssl/1.0.1e , apache 2.4.41(built:Feb 24 2020) and
          centos7, openssl/1.1.1d,  apache 2.4.41(built: Mar 13 2020)

[Sun Apr 05 20:53:08.809610 2020] [ssl:info] [pid 6780] AH02200: Loading certificate & private key of SSL-aware server 'm.chunilmall.com:443'
[Sun Apr 05 20:53:08.809778 2020] [ssl:debug] [pid 6780] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Sun Apr 05 20:53:08.809843 2020] [ssl:info] [pid 6780] AH01914: Configuring server m.chunilmall.com:443 for SSL protocol
[Sun Apr 05 20:53:08.809847 2020] [ssl:trace3] [pid 6780] ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Sun Apr 05 20:53:08.809952 2020] [ssl:trace1] [pid 6780] ssl_engine_init.c(682): Configuring client authentication
[Sun Apr 05 20:53:08.810095 2020] [ssl:trace1] [pid 6780] ssl_engine_init.c(746): Configuring permitted SSL ciphers [HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA]
[Sun Apr 05 20:53:08.810206 2020] [ssl:debug] [pid 6780] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Sun Apr 05 20:53:08.810211 2020] [ssl:debug] [pid 6780] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Sun Apr 05 20:53:08.810214 2020] [ssl:debug] [pid 6780] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Sun Apr 05 20:53:08.810283 2020] [ssl:trace3] [pid 6780] ssl_util_ssl.c(484): [m.chunilmall.com:443] SSL_X509_match_name: expecting name 'm.chunilmall.com', matched by ID 'm.chunilmall.com'
[Sun Apr 05 20:53:08.810322 2020] [ssl:debug] [pid 6780] ssl_util_ssl.c(495): AH02412: [m.chunilmall.com:443] Cert matches for name 'm.chunilmall.com' [subject: CN=m.chunilmall.com,OU=Domain Control Validated,C=KR / issuer: CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE / serial: 03618108EA17A071E1CCC36A / notbefore: Mar 19 08:30:09 2020 GMT / notafter: Mar 20 08:30:09 2022 GMT]
[Sun Apr 05 20:53:08.810326 2020] [ssl:debug] [pid 6780] ssl_engine_init.c(988): AH02236: Configuring RSA server private key

server 2
version : aws, centos7, openssl/1.1.1d, apache/2.4.41(Unix) (built:Mar 10 2020)

[Sun Apr 05 21:19:02.628142 2020] [ssl:info] [pid 6944:tid 140066288195392] AH01914: Configuring server m.chunilmall.com.crt:443 for SSL protocol
[Sun Apr 05 21:19:02.628164 2020] [ssl:trace3] [pid 6944:tid 140066288195392] ssl_engine_init.c(598): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
[Sun Apr 05 21:19:02.628258 2020] [ssl:trace1] [pid 6944:tid 140066288195392] ssl_engine_init.c(864): Configuring client authentication
[Sun Apr 05 21:19:02.628452 2020] [ssl:debug] [pid 6944:tid 140066288195392] ssl_engine_init.c(2062): AH02209: CA certificate: CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
[Sun Apr 05 21:19:02.628460 2020] [ssl:trace1] [pid 6944:tid 140066288195392] ssl_engine_init.c(934): Configuring permitted SSL ciphers [HIGH:MEDIUM:!MD5:!RC4:!3DES:!aNULL:!eNULL:!EXP]
[Sun Apr 05 21:19:02.628591 2020] [ssl:debug] [pid 6944:tid 140066288195392] ssl_engine_init.c(1130): AH01904: Configuring server certificate chain (1 CA certificate)
[Sun Apr 05 21:19:02.628597 2020] [ssl:debug] [pid 6944:tid 140066288195392] ssl_engine_init.c(498): AH01893: Configuring TLS extension handling
[Sun Apr 05 21:19:02.628637 2020] [ssl:emerg] [pid 6944:tid 140066288195392] AH02561: Failed to configure certificate m.chunilmall.com.crt:443:0, check /test2/web/apache2.4.41/conf/ssl/test/a.key
[Sun Apr 05 21:19:02.628648 2020] [ssl:emerg] [pid 6944:tid 140066288195392] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Apr 05 21:19:02.628656 2020] [ssl:emerg] [pid 6944:tid 140066288195392] SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Comment 1 yui 2020-04-24 02:50:56 UTC
(In reply to yui from comment #0)
> Hello everyone
> 
Server1 and Server2 have the same certificate and certificate key.
Server1 does not generate an error when starting Apache.
However, server2 gives an error.

Actually, the certificate and the key file do not match (wrong key file and certificate).
However, Apache on server1 started,
while Apache on server2 did not start.
Do you know why?

I'm looking forward to hearing from you.
Hope everything is good.

Comment 2 Joe Orton 2020-04-24 09:08:07 UTC
You claim that version 2.4.41 of httpd produces this output:

[Sun Apr 05 20:53:08.810214 2020] [ssl:debug] [pid 6780] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate

2.4.41 does not have that debug message on that line of ssl_engine_init.c.

https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.41/modules/ssl/ssl_engine_init.c?revision=1864801&view=markup#l933

CentOS 7's native httpd 2.4.6 does have that log message on that line. So the behaviour is different because you are using different versions of httpd.
Comment 3 yui 2020-05-18 10:19:49 UTC
I have 2 questions.

1)
I did all the tests with Apache version 2.4.41.

-Same version-
AWS built Apache: 2.4.41
Source compiled Apache: 2.4.41

But the two versions have different logs.
Do you know why the logs of the same version are different?


2)
CentOS 7's native httpd 2.4.6 doesn't have that log message on that line.
Eventually, Apache starts with an invalid key file.

[Mon May 18 17:01:58.709825 2020] [ssl:info] [pid 1963] AH02200: Loading certificate & private key of SSL-aware server 'm.chunilmall.com:443'
[Mon May 18 17:01:58.720341 2020] [ssl:debug] [pid 1963] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Mon May 18 17:01:58.720378 2020] [ssl:info] [pid 1963] AH01914: Configuring server m.chunilmall.com:443 for SSL protocol
[Mon May 18 17:01:58.721528 2020] [ssl:debug] [pid 1963] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Mon May 18 17:01:58.721542 2020] [ssl:debug] [pid 1963] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Mon May 18 17:01:58.721548 2020] [ssl:debug] [pid 1963] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Mon May 18 17:01:58.721620 2020] [ssl:debug] [pid 1963] ssl_util_ssl.c(495): AH02412: [m.chunilmall.com:443] Cert matches for name 'm.chunilmall.com' [subject: CN=m.chunilmall.com,OU=Domain Control Validated,C=KR / issuer: CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE / serial: 03618108EA17A071E1CCC36A / notbefore: Mar 19 08:30:09 2020 GMT / notafter: Mar 20 08:30:09 2022 GMT]
[Mon May 18 17:01:58.721623 2020] [ssl:debug] [pid 1963] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
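A pre-flight check, added here as an example and not part of the bug report or of httpd itself: it compares the public key embedded in the certificate with the public key derived from the private key, so a mismatched pair (or a key file handed to the certificate directive, as in server 2's "Expecting: CERTIFICATE" error) is caught before httpd is restarted, independently of what a given build logs at start-up. File paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that the files that
# SSLCertificateFile and SSLCertificateKeyFile point at belong together
# before (re)starting httpd, instead of relying on mod_ssl's start-up
# logging, which the thread shows differs between builds.
#
# Exit status: 0 = key matches certificate
#              1 = key and certificate do not belong together
#              2 = a file could not be parsed as the expected PEM type
#                  (e.g. the certificate directive points at a key file)
cert_key_match() {
    cert="$1"
    key="$2"

    # SubjectPublicKeyInfo as embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "not a PEM certificate: $cert" >&2
        return 2
    }
    # Public key derived from the private key (PKCS#1 or PKCS#8, RSA or EC).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "not a PEM private key: $key" >&2
        return 2
    }

    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $key matches $cert"
        return 0
    fi
    echo "MISMATCH: $key does not belong to $cert" >&2
    return 1
}

# Usage: cert_key_match.sh /path/to/site.crt /path/to/site.key
# A non-zero exit lets this gate a deploy step before "apachectl graceful".
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
    exit $?
fi
```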