Loading SHA256 certificate stops Apache from running (from SHA1 certificate)

When switching from a SHA1 to a SHA256 certificate for the same CN, Apache is having a hard time restarting and running. Here are the VirtualHost lines in /etc/httpd/conf.d/ssl.conf:

<VirtualHost *:443>
  DocumentRoot "/var/www/html"
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/STAR_workforce_wfs.sha1.cer
  SSLCertificateKeyFile /etc/pki/tls/private/myserver.star_workforce_wfs.sha1.key
  ServerName lii-mon01.workforce.wfs

  SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
  SSLCipherSuite AES256-SHA:2048:1024:256:HIGH:!ADH:!MD5:!aNULL
  SSLProtocol all -SSLv2

  ProxyRequests off
  ProxyPass /livonia/ http://localhost:5000/livonia/
  ProxyPassReverse /livonia/ http://localhost:5000/livonia/

  ErrorLog logs/nagios-error_log
  LogLevel warn
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  CustomLog logs/nagios-access_log combined
</VirtualHost>

Here is the nagios-error_log in /logs:

[root@lii-mon01 certs]# cat /etc/httpd/logs/nagios-error_log
[Mon May 18 08:23:57 2015] [error] Unable to configure RSA server private key
[Mon May 18 08:23:57 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Mon May 18 10:43:09 2015] [error] Unable to configure RSA server private key
[Mon May 18 10:43:09 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Is this because the private key and certificate don't match? I am almost sure that they were issued at the same time and pair.

Please advise.
Asked by meade470
Zephyr ICT (Cloud Architect) commented:
Did you check if they matched?

First:
openssl x509 -noout -modulus -in /var/yourcertificate.crt | openssl md5  

Second:
openssl rsa -noout -modulus -in /var/private.key | openssl md5

Change path to where your certificate/key are located.
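
The same check as a reusable script, added here as an example and not part of the original answer. It compares the full public key with `openssl pkey` instead of only the RSA modulus, so it goes beyond the answer's case and also covers EC keys; the function names and the sample files (a.key, b.key, a.crt, CN example.test) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before Apache loads it.
# Compares the public key in the certificate with the one derived from
# the private key, so it works for RSA and EC keys alike.

# Returns 0 = match, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Human-readable wrapper, usable as a gate before restarting httpd.
check_pair() {
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 belongs to $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1" ;;
        *) echo "ERROR: cannot parse $1 or $2" ;;
    esac
    return "$rc"
}

# Constructed sample data: two throwaway RSA keys and a self-signed
# SHA-256 certificate issued for the first key only.
make_samples() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -x509 -sha256 -key "$1/a.key" -days 1 \
        -subj "/CN=example.test" -out "$1/a.crt" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"
check_pair "$tmp/a.crt" "$tmp/a.key"          # matching pair
check_pair "$tmp/a.crt" "$tmp/b.key" || true  # mismatched pair, as in the error log
```

A return code of 2 (unparseable file) is kept separate from 1 so that a wrong path is not mistaken for a mismatched key.
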
meade470 (Author) commented:
They didn't match.

Zephyr ICT (Cloud Architect) commented:
Problem solved ;-)
Thanks!