Moving SSL certificate to another Apache server

1

We just set up a new Windows machine as a web server, with Apache 2.2.19 and OpenSSL installed, and we want to move our existing website, including the SSL certificate (Verisign), from the old setup (Linux, Apache 2.2.3).

Now, if I search online, all I can find is to copy and paste the cert files to the new server. But when I have done all the configuration, Apache fails to start with nothing printed in the error log, only a prompt saying "The requested operation has failed."

I tried to run httpd.exe -e debug and saw it stop at "loaded module ssl_module", with these lines printed in error.log:

[Thu Aug 18 18:18:18 2011] [info] Init: Initialized OpenSSL library
The system cannot find the path specified.
The system cannot find the path specified.
The system cannot find the path specified.
The system cannot find the path specified.

And from Windows event viewer:

Faulting application httpd.exe, version 2.2.19.0, time stamp 0x4dd6eda8, 
faulting module libapr-1.dll, version 1.4.5.0, time stamp 0x4dd6ed65, 
exception code 0xc0000005, fault offset 0x0000fc39, process id 0xe08, 
application start time 0x01cc5b07b33b8a60.

I'm sure that I configured the path to the crt files correctly, since this is what I get if I put in a wrong path:

[Thu Aug 18 18:13:35 2011] [debug] mod_so.c(246): loaded module ssl_module
Syntax error on line 133 of C:/Apache2.2/conf/extra/httpd-ssl.conf: 
   SSLCACertificateFile: file 'C:/Apache2.2/conf/ssla/intermediate.crt' 
   does not exist or is empty

Apache runs perfectly if I use a self-signed certificate. What might have gone wrong?

UPDATE

Checking using the openssl verify command, as @polynomial suggested in his answer:

> openssl verify /path/to/file.pem
> error 20 at 0 depth lookup:unable to get local issuer certificate

openssl version -d shows OPENSSLDIR: "/usr/local/ssl"

Did OPENSSLDIR cause the error? If yes, how do I solve this?

windows
ssl-certificate
apache-2.2
openssl
mod-ssl
asked on Server Fault Aug 18, 2011 by hendry.fu • edited Aug 22, 2011 by MadHatter

3 Answers

1

This has been resolved.

The problem was that the pass-phrase file was written for Linux, so it didn't run on Windows.

We also updated the cert files to use Windows line endings, but I'm not sure if that had any effect.

answered on Server Fault Aug 31, 2011 by Owen
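
A pre-flight check for the cause described in this answer, as an added example that is not part of the original thread: it detects an encrypted private key and flags an SSLPassPhraseDialog helper that looks like a Unix shell script. The sample config, key, helper contents and their paths are constructed, and the two script heuristics (a .sh/.bash extension, a leading #! line) are assumptions about what "written for Linux" means.

```python
import re

# Constructed sample inputs (not taken from the original post).
SAMPLE_CONF = """\
SSLCertificateKeyFile "C:/Apache2.2/conf/ssl-example/server.key"
SSLPassPhraseDialog exec:C:/Apache2.2/conf/ssl-example/passphrase.sh
"""
SAMPLE_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

(constructed placeholder, not real key material)
-----END RSA PRIVATE KEY-----
"""
SAMPLE_HELPER = b"#!/bin/sh\necho 'placeholder-passphrase'\n"

def key_is_encrypted(pem_text):
    """True for a traditional OpenSSL encrypted key or an encrypted PKCS#8 key."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)

def passphrase_dialog(conf_text):
    """Return the last uncommented SSLPassPhraseDialog value (default: builtin)."""
    value = "builtin"
    for line in conf_text.splitlines():
        m = re.match(r"\s*SSLPassPhraseDialog\s+(\S.*)$", line, re.I)
        if m:
            value = m.group(1).strip().strip('"')
    return value

def check_migration(conf_text, key_pem, helper_bytes=None):
    """List reasons an encrypted key copied from Linux may not load on Windows."""
    findings = []
    if not key_is_encrypted(key_pem):
        return findings  # unencrypted key: no pass-phrase dialog is involved
    dialog = passphrase_dialog(conf_text)
    if dialog.lower() == "builtin":
        findings.append("key is encrypted and SSLPassPhraseDialog is builtin (interactive prompt)")
    elif dialog.lower().startswith("exec:"):
        program = dialog[5:]
        if re.search(r"\.(sh|bash)$", program, re.I):
            findings.append("pass-phrase helper %s is a shell script" % program)
        if helper_bytes is not None and helper_bytes.startswith(b"#!"):
            findings.append("pass-phrase helper starts with a Unix shebang line")
    return findings

if __name__ == "__main__":
    print("\n".join(check_migration(SAMPLE_CONF, SAMPLE_KEY, SAMPLE_HELPER)))
```

An empty result means only that none of these specific conditions were found; it does not confirm that the certificate, key and chain themselves are valid.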
0

It sounds like perhaps the certificate you have is munged, or the OpenSSL install on your Windows box is having a hard time understanding it for some reason. If you try to verify the certificate or extract information from it using the openssl command line on your Windows box, does it work?

Some command info:

http://www.madboa.com/geek/openssl/#verify-standard

Specifically check:

openssl verify /path/to/file.pem
openssl x509 -text -in /path/to/cert.pem
answered on Server Fault Aug 21, 2011 by polynomial
-3

SSL certificates are generated for a specific server at a specific address; you can't just copy them from one server to another [even if the IP address is the same].

Your paths and setup are probably correct [hence your self-signed cert working]. What you need to do is generate a new CSR, contact your SSL certificate provider and have a new certificate issued. Generally you would not have to pay for that.

-sean

answered on Server Fault Aug 18, 2011 by Sean Kimball

User contributions licensed under CC BY-SA 3.0