Posted to users@httpd.apache.org by John McIntyre <jo...@gmail.com> on 2013/10/16 11:17:17 UTC

[users@httpd] Can a certificate error bring down a server?

Hi,
So I have an apache 2.2.15 box running on CentOS 6.4.  It took me a while
to get it fine-tuned the way I want, but I eventually got there.  So I buy
a certificate, redirect from http to https, and it seems to be working
perfectly.  That was about six weeks ago.

This morning, I head into the office, and as usual, login to my horde
instance for e-mail and calendar.  At the same time, trying to get mailman
running, I decide to remove the mailman instance with yum remove mailman.
Five minutes later, as I'm typing an e-mail, I suddenly get kicked off the
server, and when I try to reconnect, I get 'certificate not approved' in my
browser (chrome).

I have a look via ssh, but can't see anything untoward.

This is when I _did_ do something silly.  I looked in
/etc/httpd/conf.d/ssl.conf and saw the following line:

SSLCertificateFile /etc/pki/tls/private/localhost.key

That's not right, I thought.  So I change that and the other SSL file lines
to point to my certificates, which are in /etc/httpd/ssl.  Like an idiot, I
didn't back that file up beforehand.

I restart apache and this appears in the logs ..

[Wed Oct 16 09:52:34 2013] [error] Init: Unable to read server certificate
from file /etc/pki/tls/private/localhost.key
[Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218529960
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218595386
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

And this is rather worrying, since at no time in the past fortnight, have I
fiddled with the httpd.conf file, so there's no reason why it should
suddenly stop pointing to the correct certificate.  And I don't think that
removing mailman would cause this - I only mentioned it to eliminate it as
a possible cause.

Any ideas?

Thanks.

Re: [users@httpd] Can a certificate error bring down a server?

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Wed, Oct 16, 2013 at 5:17 AM, John McIntyre <jo...@gmail.com> wrote:

> This morning, I head into the office, and as usual, login to my horde
> instance for e-mail and calendar.  At the same time, trying to get mailman
> running, I decide to remove the mailman instance with yum remove mailman.
> Five minutes later, as I'm typing an e-mail, I suddenly get kicked off the
> server, and when I try to reconnect, I get 'certificate not approved' in my
> browser (chrome).
>

It does not look like the default CentOS mailman package touches apache
configuration except the file /etc/httpd/conf.d/mailman.conf which it
creates.

> That's not right, I thought.  So I change that and the other SSL file
> lines to point to my certificates, which are in /etc/httpd/ssl.  Like an
> idiot, I didn't back that file up beforehand.
>
> I restart apache and this appears in the logs ..
>
> [Wed Oct 16 09:52:34 2013] [error] Init: Unable to read server certificate
> from file /etc/pki/tls/private/localhost.key
> [Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218529960
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218595386
> error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> And this is rather worrying, since at no time in the past fortnight, have
> I fiddled with the httpd.conf file, so there's no reason why it should
> suddenly stop pointing to the correct certificate.  And I don't think that
> removing mailman would cause this - I only mentioned it to eliminate it as
> a possible cause.
>
> Any ideas?
>

That should only appear in the logs if there is some other place in the
httpd configuration that has that path (/etc/pki/tls/private/localhost.key).
That particular error indicates that you should open the file in question
and see if it looks right.


I have started using etckeeper to automatically version /etc. I don't know
if there is a package for CentOS, but it is not too hard to install and
would probably help you next time.
It hooks into YUM (and other package managers) to make sure there is a
commit before and after each action the package manager does.
It also has an option to make a nightly commit in case you made changes and
did not manually commit them.

- Y
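A check in the spirit of Yehuda's advice (find every place in the httpd configuration that names a certificate or key file, then confirm each file is the kind of PEM object its directive expects), written as an added example that is not part of the thread. It assumes the configuration tree is /etc/httpd unless a directory is passed as the first argument, and it relies only on grep/awk rather than openssl so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: scan an httpd configuration tree for
# SSLCertificateFile / SSLCertificateKeyFile directives and verify that the
# file each one names carries the PEM header that directive expects. A key
# file named by SSLCertificateFile cannot be parsed as an X.509 certificate,
# and mod_ssl then logs an ASN.1 error like the "wrong tag" one quoted above.
# Assumption: the config tree is /etc/httpd unless given as the first argument.
# Print "directive path" for every active (not commented-out) SSL file
# directive under the given directory; surrounding quotes are stripped.
ssl_file_directives() {
    grep -rhE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]' "$1" \
        | awk '{ gsub(/"/, "", $2); print $1, $2 }'
}

# Succeed only if the file's first PEM header matches the directive: a
# CERTIFICATE block for SSLCertificateFile, a "... PRIVATE KEY" block for
# SSLCertificateKeyFile. An unreadable or missing file is a mismatch too.
pem_matches_directive() {
    directive=$1; file=$2
    [ -r "$file" ] || return 1
    header=$(grep '^-----BEGIN ' "$file" | head -n 1)
    case "$directive" in
        SSLCertificateFile)
            [ "$header" = "-----BEGIN CERTIFICATE-----" ] ;;
        SSLCertificateKeyFile)
            case "$header" in
                *"PRIVATE KEY-----") return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Report every directive as OK or BAD with its path, so a stray reference like
# the thread's /etc/pki/tls/private/localhost.key shows up wherever it hides.
check_ssl_config() {
    ssl_file_directives "$1" | while read -r directive file; do
        if pem_matches_directive "$directive" "$file"; then
            echo "OK   $directive $file"
        else
            echo "BAD  $directive $file"
        fi
    done
}

# Number of mismatched directives (0 means the tree is consistent).
count_bad() {
    check_ssl_config "$1" | grep -c '^BAD' || true
}

[ -d "${1:-/etc/httpd}" ] && check_ssl_config "${1:-/etc/httpd}"
```

Run it as `sh check-ssl-files.sh /etc/httpd` after `apachectl configtest`; a BAD line points at the directive to fix before restarting.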