How to debug your ssl certificate installation

If you're, like me, a hack who is always treading treacherous waters, who knows just enough server administration to destroy his own server, but so proud - or cheap - that you insist on doing it all yourself, you will eventually install an SSL certificate.

And you will eventually screw it up. I don't know why you did. I'm not sure how to fix it either. But, having screwed up enough times on my own, I know a few tricks that will solve most of the problems you have.

Hard and fast rules:
  1. You are going to screw it up. Maybe you won't. Maybe you're going to meticulously follow the steps, checking your list twice like Santa. Congratulations. You are the 1%. For the other 99%, assume you're going to do something wrong, and move forward with that expectation.
  2. Back up everything, everything, everything. Can you imagine the hell you will go through if you edit an apache conf file so hard that it bleeds, then breaks, and you have no record of what you changed? For god's sake, man, you aren't Linus Torvalds (which is actually a very good thing, because he's dead). 
  3. Get your instructions in place. Your SSL issuer will have them for you and, if you follow them slowly enough, you will probably have no trouble. But you won't, will you? Of course not. You're a server administrator and those instructions were meant for morons.
So now follow the installation steps, restart apache, then sit back annnnnd ...

...stare at the error screen on your browser. And then panic when all seven of your private blogs, spam sites, and failed startup attempts are now down because apache won't restart. 

What do you do? Here are some of the things I have done to eventually get me back on track:
  1. Phone my systems admin friend and have him tell you what to do. But I guess that's not a practical approach. I don't want to spend too much time handing out his phone number. And he might get mad.
  2. Is the SSL engine turned on? Of course it is. Why would I ask such a stupid question. I myself have never accidentally missed a configuration setting. And for that matter, there's no reason to check if you have told apache to listen on port 443, is there?
  3. Type in
    $ sudo apachectl configtest
    Of course you ran this test before you restarted the server. Of course you didn't forget this one time. Just get over it and run configtest, and it will spit back any errors at you.
  4. Turn on debugs in your conf file: LogLevel debug.
  5. Compare your key and certificate. If they don't match up, you have installed it wrong, and should just start again from scratch. The private key file contains a series of numbers; two of those numbers make up the "public key", and the others are part of the "private key". The "public key" bits are also found in your certificate. Check that the public key in your cert matches the public portion of your private key (the Modulus and Exponent values in the two outputs should be identical):
    $ openssl x509 -noout -text -in server.crt
    $ openssl rsa -noout -text -in server.key

    Also try (the two md5 sums must be the same):
    $ openssl x509 -noout -modulus -in server.crt | openssl md5
    $ openssl rsa -noout -modulus -in server.key | openssl md5
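Here is an added example, not from the original post, that scripts checks 2 and 5 above so you can run them before restarting Apache. It needs only POSIX sh and openssl. The config fragments, key and certificate are all constructed on the fly in a temp directory (so it runs offline), and the file names and ServerName are assumptions; point the functions at your own vhost file, server.crt and server.key instead. It goes one step past the post: besides the RSA modulus comparison, it compares the full public keys, which also works for ECDSA keys that have no modulus.

```shell
#!/bin/sh
# Added example (not from the original post): pre-restart sanity checks for an
# Apache SSL setup. Requires only openssl and POSIX sh.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Check 2: is SSLEngine on, and is Apache told to listen on 443? --------
# Constructed vhost fragments standing in for /etc/apache2/sites-enabled/*.conf.
# (On Debian-style layouts "Listen 443" lives in ports.conf; concatenate the
# relevant files before checking.)
cat > "$WORK/broken.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.test
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
EOF

cat > "$WORK/fixed.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
EOF

# Returns 0 when an uncommented "SSLEngine on" and a "Listen ...443" both appear.
conf_has_ssl_basics() {
    conf=$1
    grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" || return 1
    grep -Eq '^[[:space:]]*Listen[[:space:]]+(.*:)?443([[:space:]]|$)' "$conf" || return 1
    return 0
}

# --- Check 5: does the certificate's public key match the private key? ------
# Constructed test material: a fresh RSA key with a self-signed cert, plus an
# unrelated key to show what a mismatch looks like.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/server.key" -days 1 \
    -subj "/CN=example.test" -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# RSA-only check, the comparison the post makes; the moduli are compared
# directly, so no md5 step is needed. Usage: rsa_modulus_matches CERT KEY
rsa_modulus_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Key-type-agnostic check (RSA or ECDSA): compare the PEM-encoded public keys
# extracted from the cert and derived from the private key.
pubkey_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run over the constructed files.
for conf in broken.conf fixed.conf; do
    if conf_has_ssl_basics "$WORK/$conf"; then
        echo "$conf: SSLEngine on and Listen 443 present"
    else
        echo "$conf: missing SSLEngine on and/or Listen 443"
    fi
done
for key in server.key other.key; do
    if pubkey_matches "$WORK/server.crt" "$WORK/$key"; then
        echo "server.crt matches $key"
    else
        echo "server.crt does NOT match $key"
    fi
done
```

A mismatch on either key check means the certificate was issued for a different private key than the one Apache is loading, which is exactly the situation item 5 tells you to fix by starting over; the public-key comparison is the one to keep around, since it does not care whether you later switch to an ECDSA key.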
