poppopretn's questions -server

poppopretn

Asked: 2023-11-29 07:19:42 +0800 CST

AH02565: Certificate and private key from <cert> and <private key> do not match

I'm trying to update some expired SSL certificates internally on some Ubuntu and Redhat servers. I have an internal certificate authority for this (ADCS). These are the steps I'm taking:

Generate CSR + private key using openssl

openssl req -out file.csr -newkey rsa:2048 -nodes -keyout file.key -config req.conf

Submit CSR to Internal Active Directory Certificate Authority
I'm given back a certificate in base64 format.
I use this certificate and the private key on the web server. Everything works fine when I do this on an Ubuntu web server running lighttpd. I update the certificate/key and restart lighttpd, it works.

I replicate these exact steps but this time for a Redhat 7/8 server running Httpd and I get the following error: AH02565: Certificate and private key from and do not match

I've probably generated a new private key/csr five or six times now hoping the result would be different :D

What am I doing wrong here?

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  127.0.0.1 (/etc/httpd/conf.d/ssl.conf:39)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

poppopretn

Asked: 2020-12-02 18:20:08 +0800 CST

Lighttpd Client Certificate Authentication

I'm trying to enable client certificate authentication with lighttpd using my own internal windows CA's. Disclaimer: I'm still very new to PKI :D

I have an offline root CA and a subordinate CA in my homelab. I've already imported the root CA into Firefox under trusted CA's. For the client certificate, I used openssl to generate a CSR which I signed with my subordinate CA using a template that has client authentication enabled. This client certificate is also imported into Firefox as a pfx file. I've also configured lighttpd as follows:

ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
ssl.ca-file = "/etc/lighttpd/certs/ca.cer"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

I get the following error:

Firefox Error:

Peer does not recognize and trust the CA that issued your certificate.
Error code: SSL_ERROR_UNKNOWN_CA_ALERT

Lighttpd Error:

SSL: 1 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed 
SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in ini

Other:

Acceptable client certificate CA names
DC = org, DC = homelab, CN = homelab-V-2019-ICA-CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign

CA.cer

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:00:00:00:02:47:18:65:49:6e:51:2a:56:00:00:00:00:00:02
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=V-2019-RCA-CA
        Validity
            Not Before: Nov 24 06:00:19 2020 GMT
            Not After : Nov 24 06:10:19 2021 GMT
        Subject: DC=org, DC=homelab, CN=homelab-V-2019-ICA-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Client Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:00:00:00:23:c0:0e:f2:75:d8:de:ef:65:00:00:00:00:00:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = org, DC = homelab, CN = homelab-V-2019-ICA-CA
        Validity
            Not Before: Dec  1 23:54:33 2020 GMT
            Not After : Nov 24 06:10:19 2021 GMT
        Subject: C = US, ST = Rhode Island, L = Providence, O = HOMELAB, OU = HOMELAB, CN = homelab-V-2019-ICA-CA.homelab.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
...
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            1.3.6.1.4.1.311.21.10:

Not sure where to go from here. Any help or articles would be very much appreciated. :)

AH02565: Certificate and private key from <cert> and <private key> do not match

Lighttpd Client Certificate Authentication

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?