ALEX1980
Joined: 24 Jan 2015 Posts: 6
Posted: Sun 25 Jan '15 23:18 Post subject: OpenSSL issue upgrade 2.4.7 to 2.4.10
Hello,
I need to upgrade from 2.4.7 to 2.4.10 on my Windows 2008 servers. I have been looking in forums to find a simple method for a minor release upgrade without having to uninstall, and the common theme seems to be the below.
1.) stop apache
2.) backup existing apache24 folder
3.) Download 2.4.10 zip
4.) from newly downloaded apache folder copy \bin, \modules, \include, \lib and \manual folders to existing apache24 folder overwriting existing.
Is this a recommended method to upgrade a minor release?
I tried this on one of my sandbox web servers and can't start the apache24 service afterwards. I can see in logs "Failed to Configure Cert" and "SSL Library Error". Nothing changed with the cert that failed, and my existing httpd.conf file didn't change. Wondering if I'm going about the minor release upgrade all wrong. Appreciate any advice whatsoever.
Thank You,
Alex

gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
Posted: Mon 26 Jan '15 1:06
I usually overwrite all files, except for htdocs and conf.
Try starting httpd.exe in the bin folder through the command prompt, to get some more details on the error when starting up.

ALEX1980
Joined: 24 Jan 2015 Posts: 6
Posted: Mon 26 Jan '15 5:39
Thank you for the reply. I do appreciate it.
When starting through admin cmd I get no message or anything. The only log entries I can see are in ssl_engine.log. Last several lines where errors seem to start I posted below. I didn't touch the conf or htdocs folders but did copy over everything else. I put the backed-up 2.4.7 folder back and apache starts up fine, so something is missing when I copy the 2.4.10 folders into apache24, but I can't see what.
[Sun Jan 25 21:06:41.147481 2015] [ssl:debug] [pid 10120:tid 172] ssl_engine_init.c(389): AH01893: Configuring TLS extension handling
[Sun Jan 25 21:06:41.147481 2015] [ssl:emerg] [pid 10120:tid 172] AH02562: Failed to configure certificate myserver.mycompany.com:8143:0 (with chain), check D:/Apache24/bin/certnew_Sandbox_request.cer
[Sun Jan 25 21:06:41.147481 2015] [ssl:emerg] [pid 10120:tid 172] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Jan 25 21:06:41.147481 2015] [ssl:emerg] [pid 10120:tid 172] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed

Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 26 Jan '15 12:08
Changed the subject to a more meaningful one.
Looks like you are dealing with a change in 2.4.8:
*) mod_ssl: Remove the hardcoded algorithm-type dependency for the
SSLCertificateFile and SSLCertificateKeyFile directives, to enable
future algorithm agility, and deprecate the SSLCertificateChainFile
directive (obsoleted by SSLCertificateFile). [Kaspar Brand]
Simply add the contents of your chain file into your certificate file. If you are only using an RSA certificate your configuration should look like this:
SSLCertificateFile conf/ssl/yourdomain.com.cer
SSLCertificateKeyFile conf/ssl/yourdomain.com.key

ALEX1980
Joined: 24 Jan 2015 Posts: 6
Posted: Mon 26 Jan '15 16:55
Thanks Steffen. I really appreciate it. Please excuse my lack of knowledge, as I recently took this over and am learning. We don't use a chain file but use the SSLCACertificate file. Below are my entries in httpd.conf. Am I to combine SSLCACertificateFile into SSLCertificateFile? Can I ask how this is done? Thank you very much for the help.
SSLCertificateFile "D:\Apache24\bin\certnew_Sandbox_request.cer"
SSLCertificateKeyFile "D:\Apache24\bin\myserver.mycompany.com.key"
SSLCACertificateFile "D:\mycompanyRootCA.cert"

Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 26 Jan '15 17:31
So you do not have SSLCertificateChainFile.
To add the contents of SSLCACertificateFile into your SSLCertificateFile file:
copy/paste the content of SSLCACertificateFile "D:\mycompanyRootCA.cert" at the end of SSLCertificateFile "D:\Apache24\bin\certnew_Sandbox_request.cer", so both are in the SSLCertificateFile.

ALEX1980
Joined: 24 Jan 2015 Posts: 6
Posted: Mon 26 Jan '15 18:35
With my SSLCertificateFile being .cer I can't copy the contents of .cert into .cer manually via opening in notepad. Is there a tool for this?
Thank You very much Steffen.

admin Site Admin
Joined: 15 Oct 2005 Posts: 692
Posted: Mon 26 Jan '15 19:58
Do not know what you are doing.
Post the steps.

ALEX1980
Joined: 24 Jan 2015 Posts: 6
Posted: Mon 26 Jan '15 20:12
I am far from knowing exactly what I am doing... But I really appreciate the friendly help.
Due to 2.4.8 I apparently need to combine my SSLCACertificateFile into SSLCertificateFile. My SSLCACertificateFile is a .cert file with --Begin Cert-- and --End Cert--, while my SSLCertificateFile is a .cert which, when opening up in notepad, is encrypted. I'm not sure how to combine entries of .cert into .cer as recommended.
Thank You

Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 26 Jan '15 22:36
You do not have ----- BEGIN and ---- END lines in it?
If not, then it looks like you have to convert it to the PEM format; search Google for: convert ssl certificate to pem.
Btw, you can also ask where you get your certificates from.
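
The fix described in Steffen's replies above (convert the server certificate to PEM when it has no BEGIN/END lines, then append the CA certificate so both sit in the SSLCertificateFile), sketched in Python as an added example that is not part of the original thread. The function names are made up for illustration, and the sample bytes are constructed placeholders, not valid X.509 certificates.

```python
import re
import ssl

# Matches each PEM certificate block, tolerant of CRLF line endings.
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def cert_encoding(data: bytes) -> str:
    """Classify certificate file contents as 'pem', 'der' or 'unknown'."""
    if PEM_CERT.search(data):
        return "pem"
    # A DER-encoded X.509 certificate begins with the ASN.1 SEQUENCE tag 0x30.
    return "der" if data[:1] == b"\x30" else "unknown"


def to_pem_blocks(data: bytes) -> list:
    """Return every certificate found in `data` as a normalised PEM block."""
    kind = cert_encoding(data)
    if kind == "der":
        return [ssl.DER_cert_to_PEM_cert(data).strip()]
    if kind == "pem":
        # Round-trip through DER so wrapping and line endings come out uniform.
        return [ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(m.decode("ascii"))).strip()
                for m in PEM_CERT.findall(data)]
    raise ValueError("not PEM (no BEGIN CERTIFICATE line) and not DER (no 0x30 tag)")


def build_certificate_file(server_cert: bytes, *issuer_certs: bytes) -> str:
    """Concatenate PEM blocks: server certificate first, issuer certificates after."""
    leaf = to_pem_blocks(server_cert)
    if len(leaf) != 1:
        raise ValueError("server certificate file must hold exactly one certificate")
    chain = [block for data in issuer_certs for block in to_pem_blocks(data)]
    return "\n".join(leaf + chain) + "\n"


# Constructed placeholder bytes standing in for real certificates (not valid X.509).
SAMPLE_DER_SERVER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_PEM_ROOT = ssl.DER_cert_to_PEM_cert(b"\x30\x82\x00\x08" + b"ROOTCA!!").encode("ascii")

if __name__ == "__main__":
    print(cert_encoding(SAMPLE_DER_SERVER), cert_encoding(SAMPLE_PEM_ROOT))
    print(build_certificate_file(SAMPLE_DER_SERVER, SAMPLE_PEM_ROOT))
```

The server certificate goes first because mod_ssl pairs the first certificate in the file with SSLCertificateKeyFile; only the server's own private key is needed, never the CA's.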

ALEX1980
Joined: 24 Jan 2015 Posts: 6
Posted: Tue 27 Jan '15 2:17
Thanks Steffen. I'm good now. I really appreciate you taking the time to help this beginner. I have much to learn.
Thanks!!!

ronnielau
Joined: 04 Jun 2015 Posts: 1 Location: Hong Kong
Posted: Fri 05 Jun '15 4:02
I also experienced this in 2.4.12. I tried to merge the 2 certificates together, and after that the error said the key does not match the certificates.
[Thu Jun 04 17:49:29.449722 2015] [ssl:emerg] [pid 1580:tid 400] AH02565: Certificate and private key C:/Apache24/conf/ssl/allinone.cer and C:/Apache24/conf/ssl/allinone.key do not match
For the SSLCertificateFile directive, I want to know how the key is merged together here?
And I don't have the key of the ROOT CA.
Thanks,
Ronnie