Re: Can a certificate error bring down a server?

On Wed, Oct 16, 2013 at 5:17 AM, John McIntyre <joh98.mac@xxxxxxxxx> wrote:
> This morning, I head into the office, and as usual, log in to my Horde instance for e-mail and calendar.  At the same time, trying to get mailman running, I decide to remove the mailman instance with yum remove mailman.  Five minutes later, as I'm typing an e-mail, I suddenly get kicked off the server, and when I try to reconnect, I get 'certificate not approved' in my browser (Chrome).

It does not look like the default CentOS mailman package touches the Apache configuration, except for the file /etc/httpd/conf.d/mailman.conf, which it creates.

> That's not right, I thought.  So I change that and the other SSL file lines to point to my certificates, which are in /etc/httpd/ssl.  Like an idiot, I didn't back that file up beforehand.
>
> I restart apache and this appears in the logs ..
>
> [Wed Oct 16 09:52:34 2013] [error] Init: Unable to read server certificate from file /etc/pki/tls/private/localhost.key
> [Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 16 09:52:34 2013] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> And this is rather worrying, since at no time in the past fortnight, have I fiddled with the httpd.conf file, so there's no reason why it should suddenly stop pointing to the correct certificate.  And I don't think that removing mailman would cause this - I only mentioned it to eliminate it as a possible cause.
>
> Any ideas?

That should only appear in the logs if there is some other place in the httpd configuration that has that path (/etc/pki/tls/private/localhost.key).
That particular error indicates that you should open the file in question and see if it looks right.


I have started using etckeeper to automatically version /etc . I don't know if there is a package for CentOS, but it is not too hard to install and would probably help you next time.
It hooks into YUM (and other package managers) to make sure there is a commit before and after each action the package manager does.
It also has an option to make a nightly commit in case you made changes and did not manually commit them.

- Y

