SSL certificate transfer

infield

I just transferred an account using the "Copy multiple accounts from another server" in WHM. Everything is fine except the SSL. It transferred all the mysite.com.crt, and the mysite.com.key but I get an "Unable to connect" message when I try to access the site through https://mysite.com or http://mysite.com:443

Then through WHM I "Install a SSL Certificate and Setup the Domain" pasting in the mysite.com.key, mysite.com.crt and the mysite.com.csr bundle from the old server. Each time apache restarts without an error and things "seem" OK but I keep getting an "Unable to connect" message.

I compared httpd.conf files and in the <IfDefine SSL> for the domain the only difference between the configs is the IP number.

Any tips?

Thanks,
-marc
 

chirpy

You've done all the right things. Try stopping httpd and then starting it again:

httpd stop
(check that it has stopped)
httpd startssl

Other than that, make sure that the entries in httpd.conf definitely are correct. Also, checking the SSL log in /usr/local/apache/logs/ssl_engine_log might help.
 

infield

Thanks for the tip.

It gave no output and still no SSL connection. I went ahead and tried to connect locally using just the IP number thinking maybe the port was closed or something. But it just looks like SSL is down.

[email protected] [~]# lynx -dump https://xxx.xxx.xxx.xxx/

Looking up xxx.xxx.xxx.xxx
Making HTTPS connection to xxx.xxx.xxx.xxx
Retrying connection without TLS.
Looking up xxx.xxx.xxx.xxx
Making HTTPS connection to xxx.xxx.xxx.xxx
Alert!: Unable to make secure connection to remote host.

lynx: Can't access startfile https://xxx.xxx.xxx.xxx/

Also the lynx test works fine on a non-SSL connection.

I'm stumped. :rolleyes:
 

PWSowner

Were the csr and ca (if needed) files also copied?

Are the httpd.conf file entries exactly the same, other than the IP address?

Does the site have a dedicated IP?

Is it the right IP in the httpd.conf file?
 

infield

Yeah, I transferred key, crt, cabundle and even csr for good measure. I have checked to make sure the paths are correct on each. It's got a dedicated IP and the whole <IfDefine SSL> block for the IP is identical to the working server's except for the IP number. It quickly rejects the connection attempt when I try to connect.

Here's some log info if you're up for it.

[email protected] [/usr/local/apache/logs]# tail -40 ssl_engine_log

[23/Aug/2006 22:36:02 02642] [info] Server: Apache/1.3.37, Interface: mod_ssl/2.8.28, Library: OpenSSL/0.9.7a
[23/Aug/2006 22:36:02 02642] [info] Init: 1st startup round (still not detached)
[23/Aug/2006 22:36:02 02642] [info] Init: Initializing OpenSSL library
[23/Aug/2006 22:36:02 02642] [info] Init: Seeding PRNG with 140 bytes of entropy
[23/Aug/2006 22:36:02 02642] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[23/Aug/2006 22:36:02 02642] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[23/Aug/2006 22:36:02 02657] [info] Init: 2nd startup round (already detached)
[23/Aug/2006 22:36:02 02657] [info] Init: Reinitializing OpenSSL library
[23/Aug/2006 22:36:02 02657] [info] Init: Seeding PRNG with 140 bytes of entropy
[23/Aug/2006 22:36:02 02657] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[23/Aug/2006 22:36:02 02657] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[23/Aug/2006 22:36:02 02657] [info] Init: Initializing (virtual) servers for SSL TRUE !?)

[email protected] [/usr/local/apache/domlogs]# tail www.mydomain.org-ssl_data_log

[23/Aug/2006 22:33:30 02606] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.org:443
[23/Aug/2006 22:36:01 02609] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.org:443
[23/Aug/2006 22:36:02 02642] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.org:443
[23/Aug/2006 22:36:02 02657] [info] Init: Configuring server www.mydomain.org:443 for SSL protocol

I can't really see any problems.

Thanks,
-marc
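
A triage script for the two mod_ssl logs quoted in the post above, added here as an example and not part of the thread: it checks whether a given SSL vhost got as far as "Configuring server ... for SSL protocol" and collects any warn/error entries. The host other.example and the [error] line are constructed sample data, and the status names are this example's own.

```python
import re
from collections import defaultdict

# Line layout as seen in the thread: [DD/Mon/YYYY HH:MM:SS PID] [level] message
LINE_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\] (.*)$")
LOADED_RE = re.compile(r"Loading certificate & private key of SSL-aware server (\S+)")
CONFIGURED_RE = re.compile(r"Configuring server (\S+) for SSL protocol")

# First three lines are copied from the thread; the last two are constructed.
SAMPLE = """\
[23/Aug/2006 22:36:02 02642] [info] Init: Initializing OpenSSL library
[23/Aug/2006 22:36:02 02642] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.org:443
[23/Aug/2006 22:36:02 02657] [info] Init: Configuring server www.mydomain.org:443 for SSL protocol
[23/Aug/2006 22:36:03 02657] [info] Init: Loading certificate & private key of SSL-aware server other.example:443
[23/Aug/2006 22:36:03 02657] [error] constructed sample error, not real mod_ssl output
""".splitlines()

def summarize(lines):
    """Return (per-vhost stage counts, list of warn/error entries)."""
    vhosts = defaultdict(lambda: {"loaded": 0, "configured": 0})
    problems = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # shell prompts, blank lines, wrapped text
        ts, pid, level, msg = m.groups()
        if level.lower() in ("warn", "error"):
            problems.append((ts, pid, level, msg))
        for key, rx in (("loaded", LOADED_RE), ("configured", CONFIGURED_RE)):
            hit = rx.search(msg)
            if hit:
                vhosts[hit.group(1)][key] += 1
    return dict(vhosts), problems

def verdict(vhosts, problems, name):
    """Classify one vhost: 'missing', 'incomplete', 'errors-logged' or 'configured'."""
    stages = vhosts.get(name)
    if stages is None:
        return "missing"        # no Init lines for this vhost in the log at all
    if not stages["configured"]:
        return "incomplete"     # cert/key load was logged, SSL setup was not
    return "errors-logged" if problems else "configured"

if __name__ == "__main__":
    hosts, probs = summarize(SAMPLE)
    for host in sorted(hosts):
        print(host, verdict(hosts, probs, host))
```

A "configured" result with no warn/error entries, which is what the thread's own lines produce, means the log does not account for the refused connection.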