Httpd has stopped working when I restarted Apache

chetd90 2020-04-28 16:40:37 UTC #21

The zip file bundle it came in features a certificate file called "b2d114723d42a705.crt" and a pem file with the same name. Also, there is a certificate authority file called "gd_bundle-g2-g1.crt" but that's typical. However, these files are renamed to speedwaygroceries.crt when they are on the server because they are configured that way in the bitnami configuration file. If you need more information about the server let me know.

chetd90 2020-04-28 17:46:21 UTC #22

Another question, how do I update the Virtual Host in order to use the new domain?

amoreno 2020-04-29 09:34:48 UTC #23

Hi, @chetd90.

Can you run this in the directory you have your unzipped certificates to check if they match?

openssl x509 -in b2d114723d42a705.crt -pubkey -noout -outform pem | sha256sum
openssl pkey -in b2d114723d42a705.pem -pubout -outform pem | sha256sum

Do the outputs match?

You shouldn't need to change anything in the Virtual Host to use the new domain.

Regards,
Alejandro

chetd90 2020-04-29 18:20:56 UTC #24

Ok, I added the new certificates along with the pem file that came with those files from godaddy. I wanted to know is there any special instructions I am supposed to do in order to set up the pem key?
Also, the domain name associated with the vm instance is speedway-groceries.com. I think I am getting close to solving this.

amoreno 2020-04-30 09:23:00 UTC #25

You can use your PEM file directly, no need to do anything with it.

Were you finally able to configure the right certificates in your instance?

chetd90 2020-05-09 17:34:10 UTC #26

I added the pem file to the server as well as the new certificates and I even generated a new key and csr file. All of that still didn't work. I have just been following the tutorials but I feel as if there is a step that I am missing here. How do you correctly configure a new certificate with a new domain name?

amoreno 2020-05-11 08:51:07 UTC #27

I've tested the steps described in this article (https://docs.bitnami.com/google/apps/opencart/administration/enable-https-ssl-apache/) and they worked for me, @chetd90.

With all the information you have provided us until now, this looks like an issue with your certificates and not with the configuration. Do you mind sharing a new Bitnami Support code to check those last changes you made?

Regards,
Alejandro

chetd90 2020-05-11 16:58:11 UTC #28

Ok, here is the code:

bd6aa143-0ef7-12aa-4cfe-57af253c43f8

amoreno 2020-05-12 09:37:54 UTC #29

Please, execute the following commands and paste the output:

cd /opt/bitnami/apache2/conf
openssl x509 -in speedwaygroceries.crt -pubkey -noout -outform pem | sha256sum
openssl pkey -in speedwaygroceries.key -pubout -outform pem | sha256sum
openssl pkey -in speedwaygroceries.pem -pubout -outform pem | sha256sum

Regards,
Alejandro

chetd90 2020-05-12 16:16:17 UTC #30

Okay, here is the output

furiousstyles90@opencart-speedway:/opt/bitnami/apache2/conf$ sudo openssl x509 -in speedwaygroceries.crt -pubkey -noout -outform pem | sha256sum
dff6162e71bffe762d332e28a49c8a4374dce677a4518127738b97dc864c3f6c  -
furiousstyles90@opencart-speedway:/opt/bitnami/apache2/conf$ sudo openssl pkey -in speedwaygroceries.key -pubout -outform pem | sha256sum
dff6162e71bffe762d332e28a49c8a4374dce677a4518127738b97dc864c3f6c  -
furiousstyles90@opencart-speedway:/opt/bitnami/apache2/conf$ sudo openssl pkey -in speedwaygroceries.pem -pubout -outform pem | sha256sum
unable to load key
139845077026472:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

Also, do you want me to do this with the new certificates as well?

amoreno 2020-05-13 08:43:19 UTC #31

Ok, the following certificates match:

/opt/bitnami/apache2/conf/speedwaygroceries.crt
/opt/bitnami/apache2/conf/speedwaygroceries.key

So you should be able to start Apache if you set them up in your /opt/bitnami/apache2/conf/bitnami/bitnami.conf file (which you already have):

SSLCertificateFile "/opt/bitnami/apache2/conf/speedwaygroceries.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/speedwaygroceries.key"
SSLCACertificateFile "/opt/bitnami/apache2/conf/speedwaygroceries-ca.crt"

Just to be sure, this current configuration works, right?

Let's continue. Are those your old certificates or your new certificates? If those are your old certificates, you now need to get your new ones and find the matching key-certificate pair. Use the commands from above to find the matching pair:

sudo openssl x509 -in YOUR-CERTIFICATE -pubkey -noout -outform pem | sha256sum
sudo openssl pkey -in YOUR-KEY -pubout -outform pem | sha256sum

Replace YOUR-CERTIFICATE and YOUR-KEY with the corresponding files. You need to get the same output on the certificate and key for them to be valid.

Let me know how it goes.

Regards,
Alejandro

chetd90 2020-05-13 17:20:15 UTC #32

Ok, I input the command with the new certificate installed and it said no such directory or file existed since I did not restart apache. However, I am sure the key and certificate do not match. So now the question is how to make the key file match the new certificate files? Usually, I just generate a new key file with a new key thinking that will work.

amoreno 2020-05-14 10:37:01 UTC #33

You can't just make a key and a certificate match, @chetd90. To create a CSR for the CA authority to sign, you use a key that you have previously generated. You need that key you used to generate the new certificate files.

chetd90 2020-05-14 15:07:37 UTC #34

Ok, so instead of generating a new key and csr. I just need to generate a new csr from the key file I already have what would be the commands in order to make that happen? I just know the commands for making a new csr and key. I didn't know the key file worked that way.

amoreno 2020-05-15 08:19:18 UTC #35

This command should create a new CSR using your current key:

sudo openssl req -new -key YOUR_KEY_FILE -out THE_CSR_YOU_ARE_CREATING

So, for example, if your key was /opt/bitnami/apache2/conf/server.key, the following command would generate a CSR on /opt/bitnami/apache2/conf/cert.csr:

sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

IMPORTANT: Enter the server domain name when the above command asks for the “Common Name”.

Regards,
Alejandro

chetd90 2020-05-15 16:13:20 UTC #36

I generated a new csr with the command you gave me. So if I restart apache, httpd should be able to restart right?

amoreno 2020-05-18 08:36:28 UTC #37

The CSR has to be signed first. You can test it by signing it yourself. Run:

sudo openssl x509 -in YOUR_CSR -out CERTIFICATE_OUTPUT -req -signkey YOUR_KEY -days 365

Replace YOUR_CSR with the path to your CSR, CERTIFICATE_OUTPUT with the path where you want to save the certificate (for example, /opt/bitnami/apache2/conf/server_test.crt) and YOUR_KEY with the path to your key.

Then, if you configure Apache to use your new signed certificate and your key, it should work. If it does, then you can send your CSR to an authority to sign it.

Let me know how it goes.

Regards,
Alejandro

chetd90 2020-05-18 17:16:50 UTC #38

Alright, I ran the command and it said the signature was ok. Now if you can help me solve the biggest mystery of setting up ssl certificate is how to send a CSR to an authority to sign it? I never got how to send it from tutorial or anything for that matter. So, I guess the next thing I need to do is learn how to send csr to an authority.

amoreno 2020-05-19 08:43:23 UTC #39

Unfortunately that depends on the authority you have chosen to sign your certificate, we can't help you with that. They should provide you with instructions on how to send them the CSR.

One extra question: would using Let's Encrypt instead work for you?

chetd90 2020-05-19 18:52:38 UTC #40

Ok I figured that would be the case. I think I tried to use the Let's Encrypt certificate but it didn't quite work. Also, my client would rather a Godaddy ssl certificate.

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!