Troubleshooting certificate installation issues
These are some of the most common certificate-related web server issues. See the SCS Facilities web server certificate documentation for instructions on how to request or install a certificate. If you continue to have issues with getting a certificate or SSL to work on your web server, please contact firstname.lastname@example.org.
Note: If you are using one of the SCS Facilities web server collections, the contents of all of the ssl.* directories are automatically updated by getwwwcert and other programs. With very few exceptions, you should not modify these contents by hand.
- How to determine the type of a Comodo certificate
- Problems verifying the web server's certificate chain
- Running keyclient fails with the error: SSL_write failed. Return code: 5
- Running keyclient fails with the error: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- Problems using a Comodo certificate to secure a Windows Remote Desktop connection
Also, listed below are some OpenSSL commands that may be useful when debugging certificate and SSL-related issues.
How to determine the type of a Comodo certificateComodo makes several types of certificates. Some of these types require different intermediate certificates. When you get your certificate, it should come with information about the type. The Subject of a Comodo certificate will contain an OU (Organizational Unit) field that contains the certificate type (e.g. "Comodo Unified Communications" or "PlatinumSSL" or "Comodo Multi-Domain SSL"). You can use one of the OpenSSL commands listed below to view the Subject of a certificate file.
Problems verifying the web server's certificate chainMake sure you have the correct Comodo intermediate certificates installed. If you're using the Facilities http or Apache2 web server and a Comodo certificate, the necessary certificate chain files should already be installed and the correct one will automatically be configured to be used when you run /usr/local/sbin/getwwwcert. If you're using a non-Facilitized Apache server, SSLCertificateChainFile in your Apache configuration file should point to the file containing those certificates. Some of the OpenSSL commands below can help you verify your certificate chain.
Running keyclient fails with "SSL_write failed. Return code: 5"When the keyclient program talks to the keyserver, it needs to present the server certificate and certificate chain. This error is caused by keyclient not knowing how to find the certificate chain. The solution is to set the value of "ssl_ca_file" in the file /etc/pubcookie/config so that it points to your server certificate chain file. For example, add the line:
ssl_ca_file: /etc/apache2/ssl.crt/server-chain.crtto /etc/pubcookie/config if you are using the Facilities Apache 2 collection, or add the line:
ssl_ca_file: /etc/httpd/ssl.crt/server-chain.crtif you are using the Facilities httpd collection.
Running keyclient fails with the error: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The means that the keyclient program cannot verify the certificate that the keyserver is presenting. To (usually) fix this issue, cd to the directory containing the certificates (e.g. /etc/apache2/ssl.crt if you are running the Facilities Apache 2 collection), /etc/httpd/ssl.crt if you are running the httpd collection) and run "make").
Note: On Facilitized hosts running the httpd or apache2 collections, the ssl.crt directory contains symlinks and files that are maintained by the getwwwcert program. In almost all cases, you should not make modifications to those symlinks and files yourself.
Problems using a Comodo certificate to secure a Windows Remote Desktop connection
There are known issues with using some types of Comodo certificates issued by SCS Facilities or CMU Computing Services to secure a Remote Desktop connection. If you are running into this problem, send mail to: email@example.com and we can provide a re-issued certificate that should work with Remote Desktop.
Some useful openssl commands for troubleshooting certificate problems
The openssl program is available on all Facilitized Linux/Unix hosts and may be installed on many non-Facilitized hosts as well. Openssl provides several commands that are extremely useful when debugging certificate problems.
- To view the contents of a CSR:
openssl req -noout -text -in FileName
- To view the contents of a certificate file:
openssl x509 -noout -text -in FileName
- To view the Subject of certificate file: If you wish to view just the Subject of a certificate file and not the rest of the contents.
openssl x509 -noout -subject -in FileName
- To calculate the md5 checksum of a file:
openssl md5 FileName
- To verify that the server's private key, CSR, and certificate match. Run openssl to find the modulus (which is a very long number) and compare to see if the values are equal. Using the md5 checksums instead of the modulus itself makes comparing the numbers much easier:
openssl rsa -noout -modulus -in /etc/apache2/ssl.key/server.key |openssl md5
openssl req -noout -modulus -in /etc/apache2/ssl.csr/server.csr |openssl md5
openssl x509 -noout -modulus -in /etc/apache2/ssl.crt/server.crt |openssl md5
The paths above are correct for Facilitized hosts use the Apache2 misc collection. Modify them as appropriate to point to the server key, server certificate request and server certificate for the server you are using (e.g. substitute "httpd" for "apache2" if you are using the Facilities httpd collection).
- To see what certificates a web server is presenting to clients:
openssl s_client -connect ServerName:Port
The usual web server SSL port is 443.
- To verify a certificate against a certificate chain
openssl verify -purpose sslserver -CAfile ChainFile CertificateFile
Where "ChainFile" is the path to your certificate chain file and "CertificateFile" is the path to the file containing the certificate you wish to verify.