AL_XResearch (United Kingdom of Great Britain and Northern Ireland)

asked on

Ubuntu Apache2 installing a SSL certificate for a website - key does not match certificate

I have a website on my Ubuntu 18.04.5 LTS using Apache2

This works fine but now I need to add SSL / enable HTTPS to it. We already have a wildcard SSL certificate for our server.

Now I have configured the VirtualHost in the 'conf' file for the website (added in SSL block of commands) and 'apache2ctl configtest' says the definition is fine.

When I try and restart the Apache service however ('systemctl restart apache2') it fails with an error. When I look in the error log it says that the private key and certificate don't match.

We are already using this certificate for another piece of software, running on the same website address (CN).

The files we have:
  • Private Key
  • Certificate file
  • ca_bundle

Now, being that the key was not created from that Ubuntu server (i.e. no CSR was created), do we need to 'register' the key with Ubuntu / Apache in some way?

My understanding is that 'registering' the private key, in addition to the 'virtualhost' entries, is not required, but I can't see why Apache keeps saying the key and certificate don't match since they obviously work for the other software, and show as valid when looking at the certificate in use by that other software when viewed in a browser.

noci

The key is bound to the certificate (or rather the other way around).
It has nothing to do with hardware used ....

A CSR is the public part of your keypair + some text identification (who are you, where are you, ...) and what object it describes (subject and subject alternative name). The certificate is a third party (CA) testifying (by signing your CSR) with its private key.

So a private key can be validated to a certificate (by deriving the public key from the private key) and comparing the signature.
AL_XResearch (ASKER)

So am I correct that a CSR is only for requesting a certificate from the CA and is not needed to validate the private key or certificate?

In other words, can you request a certificate via the CSR from one machine and use the key+certificate on another server (provided that the CN and SAN are for that server)?
SOLUTION
Seth Simmons (United States of America)
(solution text only available to members)
The CSR is the request for signing a public key + info by the CA. It is only used to send the info in a standardized form to a CA. After getting the certificate, the CSR is only needed if you need another signed version of the certificate.

For the application that USES the certificate and the key, only those two are needed. Some CAs sign with a sub-key, requiring an intermediate certificate to be inserted into the trusted store, or appended to the certificate file (depending on configuration).
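The two checks the answers above describe (does the private key actually belong to the certificate, and does the certificate chain up to the supplied ca_bundle) can be done from the shell before touching Apache. The script below is an added example, not code from the thread, from Apache or from any of the posters; it assumes only that the openssl CLI is on PATH. The /etc/ssl paths in the trailing comment and the example.test name are illustrative placeholders, and the demo builds its own throwaway key pair and self-signed certificate rather than using real material.

```shell
#!/bin/sh
# Added example (not from the thread or from Apache): pre-flight checks for a
# key/certificate/bundle trio with the openssl CLI. Assumes `openssl` on PATH.
set -eu

# key_matches_cert KEYFILE CERTFILE
# Derives the public key from the private key, extracts the public key from the
# certificate, and compares the two SubjectPublicKeyInfo blocks. This is the
# relationship mod_ssl checks when it loads the pair; a mismatch here is the
# "key does not match certificate" error from the question.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# chain_verifies CERTFILE BUNDLEFILE
# Checks that the certificate chains up to something in the CA bundle (the
# intermediate/root file the CA supplied). A self-signed cert verifies against
# itself; a real leaf cert needs the intermediate(s) present in BUNDLEFILE.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_test_material DIR
# Constructed throwaway material for the demo only: good.key/site.crt are a
# matching self-signed pair, other.key is an unrelated key (the "mixed up" key
# the asker turned out to have).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/good.key" -out "$1/site.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}

# report KEYFILE CERTFILE BUNDLEFILE: human-readable summary of both checks.
report() {
    if key_matches_cert "$1" "$2"; then
        echo "key/cert: MATCH ($1 <-> $2)"
    else
        echo "key/cert: MISMATCH or unreadable ($1 <-> $2)"
    fi
    if chain_verifies "$2" "$3"; then
        echo "chain:    OK ($2 verifies against $3)"
    else
        echo "chain:    FAIL ($2 does not verify against $3)"
    fi
}

demo() {
    tmp=$(mktemp -d)
    make_test_material "$tmp"
    report "$tmp/good.key"  "$tmp/site.crt" "$tmp/site.crt"   # MATCH, OK
    report "$tmp/other.key" "$tmp/site.crt" "$tmp/site.crt"   # MISMATCH, OK
    rm -rf "$tmp"
}

# Demo:     sh check_pair.sh --demo
# Real use (illustrative paths): report /etc/ssl/private/site.key \
#     /etc/ssl/certs/site.crt /etc/ssl/certs/ca_bundle.crt
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `report` against the three files before `systemctl restart apache2`: if the first line says MISMATCH, the key file is not the one the certificate was issued for and no VirtualHost change will fix it; if the second line says FAIL, the intermediate is missing from the bundle referenced by SSLCertificateChainFile (or, on Apache 2.4.8+, not appended to the file given to SSLCertificateFile).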


Simple solution.

1) Generate your cert files using certbot (LetsEncrypt).

certbot certonly --dry-run -m $email --agree-tos --rsa-key-size 4096 --webroot -w /your-site-docroot -d $site.com -d www.$site



2) Be sure to use the fullchain file, not the cert file, as all intermediate certs are also required for correct cert function.

3) An example of one way to accomplish this setup...

https://www.experts-exchange.com/questions/29167303/How-To-Re-direct-all-Traffic-to-WWW-Apache.html
@david, that is an answer, I think, just not for this question. S/He does have a certificate; no immediate need to create another one. Also, for a wildcard certificate one needs DNS authentication with letsencrypt.
Thank you all for your contributions - all I am trying to confirm is my understanding that:
  1. You don't need the CSR to actually use the SSL certificate with the key - only to request it from the CA.
  2. You don't need a new CSR for each new piece of software that uses that key / certificate pair for the same domain (a wildcard certificate in this case).
ASKER CERTIFIED SOLUTION
(solution text only available to members)
Thanks David.

I was really checking my own SSL understanding - I am glad it was correct. It now turns out that the key I was provided with was indeed not the correct one that matches to the CRT as it had become mixed up with another.

Thanks to all for their responses.
@AL_XResearch:  
1) Yes, the CSR is only the request to a CA.
2) As long as it is the same public / private keypair, and there is no change in Subject, SAN or organisational data, you can use the same CSR for renewal/prolongation.

With Let's Encrypt a CSR is generated too; it is just kept in the private data for certbot, and certbot creates a new CSR for each prolongation.
You're welcome!
Aside: When the LetsEncrypt project first released, many a cheer went up.

Because...

With LetsEncrypt you're in complete control.

No longer any problems with cert bundles or guessing about where in the cert generation process something has gone wrong.

Also, since LetsEncrypt certs are free, any problems (rare) created at the time the cert was generated can be fixed by just generating a new cert.

It's unclear how many countless debug hours LetsEncrypt has saved me over the past few years.