Monday, January 27, 2014

SSL Crisis Aversion Made Easy - For Apache

You know what I like about you...? You're here reading this post with the hopes that whatever problem you are trying to solve can be alleviated with a little extra knowledge.

I wish I would have been as smart as you the first time I tried to install an SSL Cert on our server. Let me rewind real quick...

When my company's site was created the CTO and Senior Developer at the time installed our SSL Cert. Now fast forward to a year later... Both of them are gone and the task now falls to me. Now that you have some context on the situation you can appreciate how much it sucked.

I figured okay, I'll copy this new cert from GeoTrust and paste it into the old file and boom we'll be rocking secure again...right? WRONG!

Apparently there are these things called Intermediate Certificates, and guess what... those aren't your main certs. Basically I installed the Primary Intermediate Certificate as mysite.crt, then restarted Apache and got a funky error that looked something like this:

Error: "Unable to configure RSA server private key"
Error: "mod_ssl: Init: (www.domain.com:443) Unable to configure RSA server private key (OpenSSL library error follows)"
Error: "OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"

So now your website is down because Apache can't recover from that very gracefully. If this happens, make the quick save: run sudo a2dismod ssl followed by sudo /etc/init.d/apache2 restart

At least now the site is up again...right? RIGHT! ...hopefully :-/

Then I found this little gem which made me realize how simple the solution was:
https://www.sslshopper.com/certificate-key-matcher.html

Basically what that link does is let you paste the contents of your .key file in one textarea and your .crt file in another, and it tells you whether they match. It's super easy, even easier than using openssl on your server to check first.
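For anyone who would rather do the same check on the server, here is the openssl version of it as an added example (not from the original post or from the sslshopper tool). It compares the RSA modulus of the private key with the modulus of the public key inside the certificate, which is exactly what Apache's X509_check_private_key is complaining about in the error above; with this approach the private key never leaves the machine. The file names mysite.key, mysite.crt and intermediate.crt are assumptions, and the make_demo_certs function only builds throwaway self-signed files so the check can be tried without real certs.

```shell
#!/bin/sh
# Added example: does this .crt really belong to this .key?
# Usage: sh keycheck.sh /path/to/server.key /path/to/server.crt

# Exit 0 when the certificate was issued for the given private key,
# 1 when the moduli differ (wrong .crt, e.g. an intermediate cert),
# 2 when either file cannot be parsed at all.
key_matches_cert() {
  key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
  crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
  [ "$key_mod" = "$crt_mod" ]
}

# Builds constructed test fixtures in a temp dir (assumed names):
#   mysite.key / mysite.crt      - a key and a self-signed cert made from it
#   intermediate.crt             - an unrelated cert, standing in for the
#                                  intermediate cert installed by mistake
# Prints the directory path.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.com" \
    -keyout "$dir/mysite.key" -out "$dir/mysite.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/other.key" -out "$dir/intermediate.crt" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone use: report the result for the two files given on the command line.
if [ "$#" -eq 2 ]; then
  if key_matches_cert "$1" "$2"; then
    echo "OK: $2 was issued for the key in $1"
  else
    echo "MISMATCH: $2 does not belong to $1 (wrong .crt file? an intermediate?)" >&2
    exit 1
  fi
fi
```

Run it against the two files your VirtualHost points at (SSLCertificateKeyFile and SSLCertificateFile) before restarting Apache; a MISMATCH here is the same "key values mismatch" Apache will refuse to start with, caught while the site is still up.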

I found out that I was using the wrong .crt, and once I replaced it with the proper cert I was up and running in no time. Crisis averted! #downtimeisdeath #fixftw

I hope this little snippet helps all you other SSL newbs out there.

Please comment and share.

Also, stay tuned for my next article on setting up SSL for an nginx server with a reverse proxy to Apache.