“Unable to configure RSA server private key” and “certificate routines:X509_check_private_key:key values mismatch” Errors

If you see one of these errors it usually means that the private key that is being loaded in the VirtualHost section of your .conf file doesn’t match the SSL Certificate being loaded in the same section.

To check if the two files match, run the following OpenSSL command on each of them:

openssl x509 -noout -modulus -in your_domain_com.crt | openssl md5
openssl rsa -noout -modulus -in your_domain_com.key | openssl md5

If the two modulus hashes are not identical, do one of the following:

  1. Find the .key file matching your .crt file and update the VirtualHost in your .conf file to match.
  2. Reissue your certificate by either generating two new files with the OpenSSL CSR Wizard or by creating a new CSR from your existing private key file using the following command.

    Note that the existing private key must be at least 2048 bits. If the key is less than 2048 bits you will have to recreate the key.

openssl req -new -key your_domain_com.key -out your_domain_com.csr
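The modulus comparison above, wrapped in shell functions so it can be scripted, with a check of the reissued CSR against the same key and the 2048-bit minimum from the note. This is an added example, not part of the original notes; it assumes only that the openssl CLI is on PATH, and the fixture it builds (a throwaway key, self-signed certificate and CSR for "example.test") is constructed for the demo, not a real site's material.

```shell
#!/bin/sh
# Added example, not part of the original notes: the modulus comparison
# described above as functions. Assumes the openssl CLI is on PATH.

# MD5 of the RSA modulus inside a certificate. Fails (status 2) instead of
# hashing empty output when the file cannot be parsed, so two unreadable
# files never "match".
cert_modulus_hash() {
    m=$(openssl x509 -noout -modulus -in "$1") || return 2
    printf '%s\n' "$m" | openssl md5
}

# MD5 of the RSA modulus inside a private key.
key_modulus_hash() {
    m=$(openssl rsa -noout -modulus -in "$1") || return 2
    printf '%s\n' "$m" | openssl md5
}

# MD5 of the RSA modulus inside a CSR, for checking the reissue step.
csr_modulus_hash() {
    m=$(openssl req -noout -modulus -in "$1") || return 2
    printf '%s\n' "$m" | openssl md5
}

# Status 0 when certificate and key share a modulus, 1 when they do not,
# 2 when either file could not be parsed.
key_matches_cert() {
    c=$(cert_modulus_hash "$1") || return 2
    k=$(key_modulus_hash "$2") || return 2
    [ "$c" = "$k" ]
}

# Same check for a CSR against the key it was supposedly built from.
key_matches_csr() {
    r=$(csr_modulus_hash "$1") || return 2
    k=$(key_modulus_hash "$2") || return 2
    [ "$r" = "$k" ]
}

# Key length in bits, for the "at least 2048 bits" rule before reissuing.
key_bits() {
    openssl rsa -noout -text -in "$1" \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Constructed fixture (throwaway material for the demo): a key, a
# self-signed certificate and a CSR built from it, plus an unrelated key.
# $1 is a directory to write into.
make_fixture() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/site.key" -out "$1/site.crt" \
        -days 1 -subj "/CN=example.test" 2>/dev/null
    openssl req -new -key "$1/site.key" -out "$1/site.csr" \
        -subj "/CN=example.test" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage on real files from the VirtualHost section:
#   key_matches_cert your_domain_com.crt your_domain_com.key && echo match
```

The functions hash the modulus text themselves rather than piping `openssl x509` straight into `openssl md5`: in the one-liner form a file that fails to parse produces the MD5 of an empty string, and two broken files then compare equal.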

 

ssl cert on Verio servers

(Apache v2.X)

  1. Download the appropriate GlobalSign root certificate and save it in a text editor as “gs_root.pem.” Only the ExtendedSSL certificate uses the GlobalSign root CA R2 certificate.
  2. Download the appropriate intermediate certificate(s) and save it in a text editor as “intermediate.pem”.
  3. Copy your SSL certificate from the order fulfillment e-mail or log into your GlobalSign Certificate Center account and download it. Paste it into a text editor. Save the file as “mydomain.crt.”
  4. Copy “mydomain.crt” and “intermediate.pem” to the directory in which you plan to store your certificates.
  5. Open your “httpd.conf” file with a text editor. Please note that some installations keep the SSL section separately in the “ssl.conf” file. Locate the virtual host section for the site that the SSL certificate will secure. Your virtual host section will need to contain the following directives:
    • SSLCACertificateFile – This will need to point to the appropriate GlobalSign root CA certificate.
    • SSLCertificateChainFile – This will need to point to the appropriate intermediate root CA certificates you previously created in Step 1 above.
    • SSLCertificateFile – This will need to point to the end entity certificate. This is the certificate you have called “mydomain.crt.”
    • SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
  6. Save the changes to the file. Quit the text editor.
  7. Restart Apache.

(creating CSR)

  1. Make sure OpenSSL is installed and in your PATH.
  2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 2048

    Please back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

    $ openssl rsa -noout -text -in server.key

    Unless you want to enter the password each time you start Apache, you will need a decrypted PEM version for later:

    $ openssl rsa -in server.key -out server.key.unsecure

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

    $ openssl req -new -key server.key -out server.csr

search log files for most common hits

If you suspect an attack on your server, check the log files for the most common hits. Often you will find one page being requested far more than would be normal.

va1-fv00150# cat /usr/local/apache/logs/*/*access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head
35806 /administrator/index.php
89 /
37 /robots.txt
30 /favicon.ico
20 /administrator/index.php?option=com_login
16 /imgs/flash.swf
15 /imgs/home.html
14 /wp-login.php
14 /js/AC_RunActiveContent.js
14 /imgs/styles.css

Use this information to find what log file is getting the hits:

va1-fv00150# grep -R "/administrator/index.php" /usr/local/apache/logs/*/*access_log | cut -d: -f1 | sort | uniq -c | sort -rn | head
38313 /usr/local/apache/logs/ibreporttv/ibreporttv.com-access_log
5 /usr/local/apache/logs/goinsidebusiness/goinsidebusiness.com-access_log
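The two pipelines above as shell functions, run over a constructed sample of Combined Log Format lines. This is an added example, not code from the original notes; the directory layout, virtual host names and client IPs are made up for the demo, and the access logs are written to a temporary directory rather than /usr/local/apache/logs.

```shell
#!/bin/sh
# Added example, not part of the original notes: rank request paths across
# all access logs, then find which log file carries the hits for one path.

# Rank request paths ($7 in Combined Log Format) across the given logs.
# Output is "count path", most frequent first.
top_paths() {
    cat "$@" | awk '{print $7}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Count requests for a path per log file. Fixed-string match, as in the
# original grep; /dev/null forces the filename prefix even with one file.
hits_per_file() {
    pattern="$1"; shift
    grep -F "$pattern" "$@" /dev/null | cut -d: -f1 | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# Constructed sample logs (made-up hosts, paths and IPs) written under $1,
# mirroring the logs/<site>/<site>-access_log layout used above.
make_logs() {
    mkdir -p "$1/shop" "$1/blog"
    cat > "$1/shop/shop.example-access_log" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
EOF
    cat > "$1/blog/blog.example-access_log" <<'EOF'
198.51.100.9 - - [10/Oct/2023:14:01:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:14:01:11 +0000] "POST /administrator/index.php HTTP/1.1" 404 300 "-" "python-requests/2.31"
EOF
}

# Usage against the real logs:
#   top_paths /usr/local/apache/logs/*/*access_log | head
#   hits_per_file /administrator/index.php /usr/local/apache/logs/*/*access_log
```

On the sample data the login page accounts for four of the seven requests, all from one client, and `hits_per_file` shows three of them landed in the shop site's log: the same two-step narrowing the notes describe, from "which path" to "which virtual host".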

Use mutt to bounce emails to a different account

Log in to the server and (as root or the account owner) run ‘mutt -f /path/to/his/mailbox’. From there you can type a capital ‘T’ (for “Tag messages matching the pattern I’m about to enter”); you will then be prompted to enter a pattern to match. Type ‘.’ (to match all strings) and press Enter. All messages should now have an asterisk (“*”) next to them.

Now type a semicolon (“;”–the semicolon tells mutt that the action you’re about to take applies to all tagged messages) and a lowercase ‘b’ (for “bounce”. Together ‘;b’ means “bounce all these messages I’ve just tagged”).

You’ll be prompted for an address to bounce the messages to. Type it in and wait a little bit for all the messages to bounce (you may be prompted by mutt to confirm you want to bounce the messages). When mutt tells you that it’s done, you can type semicolon again and then a lowercase ‘d’ (for “delete”). Type a ‘q’ to quit mutt.

count pop3 logins

show users that are sending email:
mail /var/log# grep authid= /var/log/maillog | awk -F "]" '{print $3}' | awk -F , '{print $2}' | tr -d " " | sort | uniq -c | sort -rn

show what IP addresses are sending email:
mail /var/log# grep authid= /var/log/maillog | awk -F "]" '{print $2}' | awk -F "[" '{print $2}' | tr -d " " | sort | uniq -c | sort -rn
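The two maillog pipelines above as functions, plus a one-pass variant that pairs each authenticated user with the IP it sent from, run over constructed log lines. This is an added example, not code from the original notes. The line shape it assumes (sendmail-style entries of the form "AUTH=server, relay=[ip], authid=user, mech=..., bits=0") is inferred from the field positions the original awk commands depend on, and the users, hostnames and IPs are made up.

```shell
#!/bin/sh
# Added example, not part of the original notes: the maillog pipelines above
# as functions. The log format is an assumption inferred from the awk field
# positions; names and addresses are constructed.

# Authenticated senders, most active first. Keeps the "authid=" prefix,
# exactly as the original pipeline does.
sending_users() {
    grep authid= "$@" | awk -F ']' '{print $3}' | awk -F , '{print $2}' \
        | tr -d ' ' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Client IPs that authenticated to send, most active first.
sending_ips() {
    grep authid= "$@" | awk -F ']' '{print $2}' | awk -F '[' '{print $2}' \
        | tr -d ' ' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# One pass that pairs each login with its source IP ("count user ip").
# One account authenticating from many unrelated addresses is the usual
# sign of a stolen password being used to relay spam.
auth_pairs() {
    grep authid= "$@" | awk -F ']' '{
        split($2, relay, /\[/); split($3, fields, ",");
        gsub(/ /, "", fields[2]); print fields[2], relay[2]
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Constructed sample maillog written to the path given as $1. The last line
# has no authid= and must be ignored by every function above.
make_maillog() {
    cat > "$1" <<'EOF'
Oct 10 12:00:01 mail sendmail[4321]: 39AC01ab004321: AUTH=server, relay=[203.0.113.5], authid=alice@example.test, mech=LOGIN, bits=0
Oct 10 12:00:05 mail sendmail[4322]: 39AC05cd004322: AUTH=server, relay=[203.0.113.5], authid=alice@example.test, mech=LOGIN, bits=0
Oct 10 12:01:10 mail sendmail[4330]: 39AC10ef004330: AUTH=server, relay=host.example.test [198.51.100.20], authid=bob@example.test, mech=PLAIN, bits=0
Oct 10 12:02:00 mail sendmail[4340]: 39AC20gh004340: from=<alice@example.test>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=[203.0.113.5]
EOF
}

# Usage on the real log:
#   sending_users /var/log/maillog | head
#   auth_pairs /var/log/maillog | head
```

The third line of the fixture has a resolved hostname before the bracketed IP; both the original IP pipeline and `auth_pairs` still pick out the address because they split on the opening bracket rather than on position.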