Error when I try to upload an owned SSL Certificate

NethServer Version: 7.7.1908

Hello everyone. After a long time, I’m back with you.

I have a problem. When I try to import an SSL Certificate, I get this error:

Validation failed: RSA or EC private key (PEM encoding)

nethserver_certificate_setup_fail

I took the private key from a server that I want to replace with a NethServer. It could have a passphrase. The CRS is emitted from a trusted authority (bought online).

Can someone of you help me to understand better what could be the problem?

Thank you for your help.

1 Like

The .key file should look like

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-priv-key.htm

It must not be encrypted with a password.

You’re at home here! I’m happy to see you again :blush:

This would be a problem; the passphrase must be removed. If it has a password, it would look like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,

6AC307785DD187EF...
-----END RSA PRIVATE KEY-----

If that’s the case, it must be removed. You can do that by running openssl rsa -in [file1.key] -out [file2.key], where file1.key is the file containing the existing private key, and file2.key is where you want the unencrypted key to go.

But really, in 99.9% of situations, getting a cert from Let’s Encrypt is going to be the better answer.

4 Likes
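A quick way to tell whether a key file is passphrase-protected before uploading it, as an added example that is not part of the thread or NethServer's own code: it reads only the PEM armor and the `Proc-Type` header shown above, and also recognises the PKCS#8 encrypted form. The function names and sample files are constructed for illustration, and the check says nothing about which unencrypted formats the NethServer validator accepts.

```shell
#!/bin/sh
# Added example (not NethServer code): classify a PEM private key by its
# armor lines, so a passphrase-protected key is caught before upload.
# Prints: plain | encrypted-legacy | encrypted-pkcs8 | not-a-key
# Exit status: 0 = unencrypted key, 1 = encrypted key, 2 = not a key file.
classify_key() {
    [ -r "$1" ] || { echo "not-a-key"; return 2; }
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "encrypted-pkcs8"; return 1
    fi
    # Traditional RSA/EC keys keep the BEGIN line and add a Proc-Type header.
    if grep -Eq '^-----BEGIN (RSA|EC) PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo "encrypted-legacy"; return 1
        fi
        echo "plain"; return 0
    fi
    # Unencrypted PKCS#8 key.
    if grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "plain"; return 0
    fi
    echo "not-a-key"; return 2
}

# Constructed samples: armor and headers only, the base64 body is a placeholder.
write_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy-enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain-rsa.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8-enc.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(classify_key "$f")"
done
rm -rf "$demo_dir"
```

A result of `encrypted-legacy` or `encrypted-pkcs8` means the passphrase has to be removed first, as described in the reply above.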

Thank you @davidep and @danb35 for your support.

In the meantime, I’ve found a workaround installing the certificate via command line following these steps:

Via the command line, I had the opportunity to insert the passphrase of the key to install the certificate correctly.

It works for httpd service. :white_check_mark:

When I run

$ signal-event nethserver-httpd-update

The system asks me to use system-tty-ask-password-agent to input the passphrase, and the service starts correctly.

The same thing doesn’t happen for httpd-admin service :no_entry_sign:
I get this error:

[root@www ~]# systemctl status httpd-admin
● httpd-admin.service - Server Manager UI httpd instance
   Loaded: loaded (/usr/lib/systemd/system/httpd-admin.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since mer 2020-02-12 22:11:17 CET; 9h ago
     Docs: https://github.com/NethServer/nethserver-httpd-admin
 Main PID: 52939 (code=exited, status=1/FAILURE)

feb 12 22:11:17 nethserver systemd[1]: Started Server Manager UI httpd instance.
feb 12 22:11:17 nethserver httpd[52939]: Apache/2.4.6 mod_ssl (Pass Phrase Dialog)
feb 12 22:11:17 nethserver httpd[52939]: Some of your private key files are encrypted for security reasons.
feb 12 22:11:17 nethserver httpd[52939]: In order to read them you have to provide the pass phrases.
feb 12 22:11:17 nethserver httpd[52939]: Server www.domain.it:443 (RSA)
feb 12 22:11:17 nethserver httpd[52939]: Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
feb 12 22:11:17 nethserver httpd[52939]: **Stopped
feb 12 22:11:17 nethserver systemd[1]: httpd-admin.service: main process exited, code=exited, status=1/FAILURE
feb 12 22:11:17 nethserver systemd[1]: Unit httpd-admin.service entered failed state.
feb 12 22:11:17 nethserver systemd[1]: httpd-admin.service failed.

Now, this is the situation:

  • Reverse proxy works correctly with the owned certificate (hurray) :raised_hands:
  • Standard Server Manager on port 980 is down (restart fails) :frowning_face:
  • Cockpit Server Manager on port 9090 works, but I don’t know why :thinking:

I could remove the passphrase from the key without any problem (thank you @danb35 :pray:).
But before, I would like to configure correctly the passphrase in the system as a case study.

Any help? :wink:

I’m sorry this is not a supported use case. No passphrase is expected.

1 Like