apache server for ejbca certificate error

My name is Adrian and I need your help.

I was configuring the EJBCA certification authority over an Apache server for a commercial certificate on CentOS 7, and the Apache version is 2.4.6.

The Apache configuration in the file (vim /etc/httpd/conf.d/ca.company.cz.conf):



NameVirtualHost ca.company.cz:80
<VirtualHost ca.company.cz:80>
    DocumentRoot /var/www/
    #Listen 80
    # Proxy requests to EJBCA instances (only one on local machine configured)
    <Proxy balancer://mycluster-kerb>
        BalancerMember ajp://localhost:8009/ejbca/
    </Proxy>
    ProxyPass / balancer://mycluster-kerb/

    RewriteEngine On
    # Redirect all but the CRL Distribution Point, OCSP and Healthcheck to HTTPS
    RewriteCond %{THE_REQUEST} !(/publicweb/webdist/certdist.*cmd=crl|/publicweb/status/)
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
    # Treat requests to / and /ejbca/ as the same. Required by EJBCA's Admin Web.
    RewriteCond %{THE_REQUEST} /ejbca/
    RewriteRule ^/ejbca/(.*)$ /$1 [PT]

    # Configure log
    LogLevel debug
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
</VirtualHost>

NameVirtualHost ca.company.cz:443
<VirtualHost ca.company.cz:443>
    DocumentRoot /var/www/
    #Listen 443
    RewriteEngine On
    # Treat requests to / and /ejbca/ as the same. Required by EJBCA's Admin Web.
    RewriteCond %{THE_REQUEST} /ejbca/
    RewriteRule ^/ejbca/(.*)$ /$1 [PT]

    # Configure secure SSL for this server using SSL certificate generated by EJBCA
    SSLEngine on
    SSLCipherSuite HIGH
    SSLProtocol all -SSLv2
    #SSLCertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.crt
    SSLCertificateKeyFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/serverkey.key
    SSLCACertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.crt
    # Require Client SSL certificate for the Admin GUI
    <Location /adminweb>
        SSLVerifyClient require
        SSLVerifyDepth 1
        #SSLCACertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/wildcard.system4u.cz_2015_incl_private_key.pem
    </Location>

    # Proxy requests to EJBCA instances (only one on local machine configured)
    <Proxy balancer://mycluster-kerb>
        BalancerMember ajp://localhost:8009/ejbca/
    </Proxy>
    ProxyPass / balancer://mycluster-kerb/

    # Configure log
    LogLevel warn
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
</VirtualHost>


I have also included this config in httpd.conf:



Listen 80
Listen 443
Include conf.modules.d/*.conf
Include /etc/httpd/conf.d/ca.company.cz.conf
Include /etc/httpd/conf.d/*.conf


Then I checked the certificate, which was converted from PFX format to CRT format, with this output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:24:68:14:5c:8b:09:cd:44:0f:0b:e4:23:2d:0b:4e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA
        Validity
            Not Before: May 4 00:00:00 2017 GMT
            Not After : Jun 3 23:59:59 2019 GMT
        Subject: CN=*.company.cz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

I also verified the certificate online, and it was verified as a valid certificate.
When I restarted the httpd service, it showed me this error message:



Jul 19 17:57:42 c76vm4u.hosting4u.s4u httpd[22216]: SSLCertificateFile: file '/root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.pem' does not exist or is empty


When I checked the certificate, the certificate contained:



Bag Attributes
localKeyID: 5B 57 E2 C3 7F 0E 76 12 F1 70 35 44 91 CE 56 34 58 CE 5D B9
subject=/CN=*.company.cz
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Can you please help me resolve this issue?



Thank you
Adrian Bardossy







asked Jul 19 at 16:02 by Adrian Bardossy











  • Have you checked the permissions on your certificate file? Can it be read by the account under which Apache is running?
    – garethTheRed
    Jul 19 at 17:29
















1 Answer
In config:

SSLCACertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.crt
#SSLCertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.crt

Error:

SSLCertificateFile: file '/root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.pem' does not exist or is empty

SSLCACertificateFile: issuer cert
SSLCertificateFile: your cert

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

You need to specify SSLCertificateFile.

Check the file name: certificate.pem or certificate.crt.

https://www.ejbca.org/docs/Setting_up_an_Apache_Web_Server_as_a_Proxy.html

Generate the SSL-certificate for Apache. Note that the SSL-certificate should be issued by the same CA that issued the Tomcat SSL certificate (ManagementCA in the default configuration).






answered Jul 26 at 17:07 by Maryan (edited Jul 26 at 17:45)
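
A preflight check for the failure discussed in this question and answer, as an added example that is not part of the original posts: it flags an SSL virtual host with no active SSLCertificateFile, and certificate or key files that are missing, empty, unreadable or not PEM. The function names and the demo configuration (modelled on the question's :443 virtual host, with temporary paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight lint for mod_ssl certificate directives.
# Function names and the demo input are constructed for illustration.

# Emit one "vhost|cert|key|ca" record per <VirtualHost> with "SSLEngine on".
# Directives commented out with '#' are skipped, exactly as httpd skips them.
ssl_vhost_records() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) ~ /^<virtualhost/ {
            vh = $2; sub(/>$/, "", vh); ssl = 0; cert = key = ca = ""; next
        }
        tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
        tolower($1) == "sslcertificatefile"    { cert = $2 }
        tolower($1) == "sslcertificatekeyfile" { key = $2 }
        tolower($1) == "sslcacertificatefile"  { ca = $2 }
        tolower($1) == "</virtualhost>" && ssl { print vh "|" cert "|" key "|" ca }
    ' "$1"
}

# check_pem VHOST DIRECTIVE PATH MARKER_REGEX
# The file must be present, non-empty, readable, and hold the expected PEM block.
check_pem() {
    if [ ! -s "$3" ]; then echo "$1: $2 '$3' does not exist or is empty"
    elif [ ! -r "$3" ]; then echo "$1: $2 '$3' is not readable by $(id -un)"
    elif ! grep -Eq -e "$4" "$3"; then echo "$1: $2 '$3' has no matching PEM block"
    fi
}

# lint_ssl_vhosts CONF: print findings, return 1 if there are any, else 0.
lint_ssl_vhosts() {
    findings=$(ssl_vhost_records "$1" | while IFS='|' read -r vh cert key ca; do
        if [ -z "$cert" ]; then
            echo "$vh: SSLEngine is on but no active SSLCertificateFile" \
                 "(SSLCACertificateFile is for CA certificates, not the server certificate)"
        else
            check_pem "$vh" SSLCertificateFile "$cert" '^-----BEGIN CERTIFICATE-----'
        fi
        if [ -n "$key" ]; then
            check_pem "$vh" SSLCertificateKeyFile "$key" '^-----BEGIN .*PRIVATE KEY-----'
        fi
        if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
            echo "$vh: SSLCACertificateFile and SSLCertificateFile point at the same file '$ca'"
        fi
    done)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# Constructed demo: same directive layout as the question's :443 virtual host,
# with placeholder PEM files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$d/certificate.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' '-----END PRIVATE KEY-----' > "$d/serverkey.key"
    cat > "$d/ca.conf" <<EOF
<VirtualHost ca.company.cz:443>
SSLEngine on
#SSLCertificateFile $d/certificate.crt
SSLCertificateKeyFile $d/serverkey.key
SSLCACertificateFile $d/certificate.crt
</VirtualHost>
EOF
    rc=0
    lint_ssl_vhosts "$d/ca.conf" || rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

The readability check reflects whichever account runs the script, so run it as the account whose access is in question.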






















             
