Difficulties importing SSL certificate

**Big D** · 03-21-2012, 01:03 PM

Seem to be having some issues in the 9.2.0 related to certificate renewals/imports. It likes to hang the apache2 process after I click import for my GoDaddy Cert.

Shrug, it might just be me. I have to whack apache2 process run the 9.2 patch for CSR to generate a generic apache.pem to replace the FUBAR one. I can then bring up the web page again.

Don't really have an issue generating the certificate or CSR just when it comes to importing. Get some error during the import about the Private key not being found. Below is a snippet of /var/log/apache2/error.log during the import step.

Code:

[Wed Mar 21 15:52:48 2012] [error] [client 192.168.2.123] ValueError: Failed to acquire global mutex lock, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:53:12 2012] [error] [client 192.168.2.123] File does not exist: /var/www/skins/default/images/default, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:58:09 2012] [notice] [client 192.168.2.123] DbmSession: registered database cleanup., referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [notice] SIGUSR1 received.  Doing graceful restart
[Wed Mar 21 15:59:47 2012] [warn] (22)Invalid argument: Failed to acquire global mutex lock at index 0
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] mod_python (pid=2498, interpreter='localhost', phase='PythonHeaderParserHandler', handler='uvmlogin'): Application error, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] ServerName: 'localhost', referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] DocumentRoot: '/var/www/', referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] URI: '/webui/JSON-RPC', referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Location: '/webui', referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Directory: None, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Filename: 'JSON-RPC', referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] PathInfo: None, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Traceback (most recent call last):, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/importer.py", line 1537, in HandlerDispatch\n    default=default_handler, arg=req, silent=hlist.silent), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/importer.py", line 1229, in _process_target\n    result = _execute_target(config, req, object, arg), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/importer.py", line 1128, in _execute_target\n    result = object(arg), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/uvmlogin.py", line 58, in headerparserhandler\n    sess = Session.Session(req, lock=0), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 803, in Session\n    timeout=timeout, lock=lock), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 372, in __init__\n    timeout=timeout, lock=lock), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 180, in __init__\n    if self.load():, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 250, in load\n    dict = self.do_load(), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 392, in do_load\n    _apache._global_lock(self._req.server, None, 0), referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] ValueError: Failed to acquire global mutex lock, referer: https://edge.databalance.com:446/webui/startPage.do
[Wed Mar 21 15:59:51 2012] [warn] No JkShmFile defined in httpd.conf. Using default /var/log/apache2/jk-runtime-status
[Wed Mar 21 15:59:51 2012] [notice] mod_python: Creating 8 session mutexes based on 5 max processes and 25 max threads.
[Wed Mar 21 15:59:51 2012] [notice] mod_python: using mutex_directory /tmp
[Wed Mar 21 15:59:51 2012] [error] Init: Private key not found
[Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

**dmorris** · 03-21-2012, 01:05 PM

Are there any errors in uvm.log that you see when you import the cert?

Would you mind sending me the cert to dmorris@untangle.com so I can try to import it into my system?
Just let me know exactly what steps you took and I'll try it.

**Big D** · 03-21-2012, 01:16 PM

uvm.log

No errors just INFO. You can see where I generated a new self-signed then the CSR.

Code:

Mar 21 15:53:18 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl req -new -key /etc/apache2/ssl/apache.pem -subj /CN=edge.databalance.com/O=Data_Balance/OU=ICOT/L=Clearwater/ST=Florida/C=US)
Mar 21 15:53:18 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl req -new -key /etc/apache2/ssl/apache.pem -subj /CN=edge.databalance.com/O=Data_Balance/OU=ICOT/L=Clearwater/ST=Florida/C=US) = 0 took 19 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -dates -noout -subject -issuer -nameopt RFC2253)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -dates -noout -subject -issuer -nameopt RFC2253) = 0 took 6 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(/usr/share/untangle/bin/ut-inspect_ca /tmp/gci3197694006986955844.tmp)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(/usr/share/untangle/bin/ut-inspect_ca /tmp/gci3197694006986955844.tmp) = 1 took 10 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -text)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -text) = 0 took 6 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/gci3197694006986955844.tmp -purpose any /tmp/gci3197694006986955844.tmp)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/gci3197694006986955844.tmp -purpose any /tmp/gci3197694006986955844.tmp) = 0 took 5 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl rsa -i /etc/apache2/ssl/apache.pem)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl rsa -i /etc/apache2/ssl/apache.pem) = 1 took 5 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/apache2031153014084878723.tmp -purpose any /tmp/apache2031153014084878723.tmp)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/apache2031153014084878723.tmp -purpose any /tmp/apache2031153014084878723.tmp) = 0 took 6 ms.
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(apache2ctl graceful)
Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(apache2ctl graceful) = 0 took 42 ms.

**dmorris** · 03-21-2012, 03:52 PM

Thanks for your help figuring this one out Big D!

I have updated the patch here which should now fix the space issue and the import issue:
http://wiki.untangle.com/index.php/9...ates_issue_fix

The issue was this command:
ExecManager.exec(openssl rsa -i /etc/apache2/ssl/apache.pem)

should have been:
ExecManager.exec(openssl rsa -in /etc/apache2/ssl/apache.pem)

edit: btw, if you ever get apache where it won't start you can do the following to create a new cert and restart it:

Code:

curl "http://www.untangle.com/download/patches/generic/update_cert.sh" | dash

**sky-knight** · 03-21-2012, 04:22 PM

Ouch, yeah openssl really does work much better when it can find the private key.

Also, I made this exact typo myself yesterday. I'm trying to get my brain wrapped around Debian 6 for a new LAMP server. I figured I'd actually get the SSL going this trip around, and did the exact same thing before I pulled the facepalm.

For the curious, and there are I'm sure more condensed way of doing this, but a raw self signed cert process I've got working on Debian 6.

#Generate 2048bit RSA Private Key as privkey.key
openssl genrsa -out privkey.key 2048
#Generate a CSR Request based on RSA Private key
openssl req -new -key privkey.key -out certreq.csr
#Sign CSR yourself for 10 years.
openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.key -out newcert.crt

The last step there can be done by a certificate authority if you want a fully functional keychain.

Anyway Apache2 tends to play better if both the private key and the certificate are in the same file. So I do these commands real quick to make the .pem.

cp privkey.key apache.pem
cat newcert.crt >> apache.pem

I haven't gotten into an actual cert yet, that challenge will wait until this thing is ready for production. I'm assuming that .pem has to have the certificate authority's cert in there too.

UT's UI makes all this point and click, which has us all far too spoiled.

**johnsonx42** · 03-23-2012, 01:03 PM

oh, I ran into this exact problem a couple of weeks ago, kept thinking I was doing something wrong in the way I was creating the SSL certificate. I should have had more confidence in myself and reported it.

thanks for the fix.

Protect

Filter

Perform

Connect

Manage

Add-Ons

Thread: Difficulties importing SSL certificate

LinkBack

Thread Tools

Difficulties importing SSL certificate

Posting Permissions