
Multi-domain SNI .pem not loading

Geoff
22 July 2015, 20:27
Hi

I've run into a brick wall trying to install a pem for a Comodo PositiveSSL Multi-Domain Certificate:

https://www.positivessl.com/multi-domain-ssl-certificate.php

I'm getting the error:

Error loading X.509 certificate from /etc/hiawatha/mycert.pem

I have Hiawatha running with pems on other servers, so I'm familiar with the settings. On this server I have a self-generated pem which loads fine. The permissions and layout of the two pem files are identical.

The problem pem contains the key, the multi-site cert and the permissions chain. I've checked with Comodo support that the chain is correct. I've also tried with just the key and the cert. The same cert is currently working fine in Litespeed on another server. Running an openssl check shows no issues with the pem file:

openssl x509 -in /etc/hiawatha/mycert.pem -text -noout

I've simply run out of ideas. Does Hiawatha have an issue with multi-domain certs?

I need to get this up and running very urgently, so any help would be very much appreciated.
Hugo Leisink
22 July 2015, 20:32
Can you post the certificate? So I can see for myself what exact error mbed TLS generates with your certificate.
Geoff
23 July 2015, 13:06
Hi Hugo

Thanks for the quick response. Here's the cert, as requested:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Hugo Leisink
27 July 2015, 13:29
I'm afraid I don't have the right mbed TLS tools and knowledge to find out what goes wrong with your certificate. Is it possible you contact the mbed TLS developers?
Geoff
28 July 2015, 17:23
Hugo

Thanks for getting back. Turns out that it's not specifically the multi-domain cert that's the issue. I also generated a free Comodo single-domain test cert and am having the same issue. If I can't resolve this I'm going to have to abandon Hiawatha, which would be very sad as it's very much my preferred webserver. Please be kind enough to review what I've been doing to see if you can spot where I'm going wrong.

THE ISSUE
Just to recap, self-generated certs are working fine within both Binding and VirtualHost, but 3rd party certs are failing from both, with the error:

Error loading X.509 certificate from /etc/hiawatha/mysite.com.pem


Checking the pem with "openssl x509 -in" shows no issues.

SERVER & VERSION

Latest Ubuntu Server with latest version of Hiawatha compiled locally and installed to /etc/hiawatha
Directory perms set to 700, pem perms set to 600. Owner is root.

KEY & CSR GENERATION

As root on the host server:

> openssl genrsa -out mysite.com.key 2048
> openssl req -new -sha256 -key mysite.com.key -out mysite.com.csr


PEM FILE

Comodo deliver their keys in an email. I'm copying out of Gmail and pasting into Vim below the key. I've checked that all the line-endings are Unix. I've tried with the cert immediately below the key, and with an empty line between them.

HIAWATHA CONFIG

I've tried with just the Key and Cert, and with the 3 additional certs in the chain of trust for this product. I've checked with Comodo that the chain of trust is correct in the pem file.

Binding {
Port = 443
...
SSLcertFile = /etc/hiawatha/mysite.com.pem
}

VirtualHost {

Hostname = mysite.com
...
SSLcertFile = /etc/hiawatha/mysite.com.pem
}


I simply can't think of anything else to check. Please help if you can - I love Hiawatha and am very keen to keep using it!
Geoff
28 July 2015, 17:43
Hi Hugo

OK - I have a workaround - tried a Thawte Cert and it's loading no problem. So this seems to be something peculiar to Comodo Certs. I'll raise it with the mbed TLS team. Thanks for your help.
Geoff
30 July 2015, 18:02
For anyone facing the same issue, here's a summary. Hopefully it will save you wasting as much time as I have...

I have been unable to get any single or multi-domain Comodo cert to load with the current release of PolarSSL in Hiawatha. A single domain test cert from Thawte worked OK, and I now have full single domain RapidSSL certs from GeoTrust working OK.

I've posted a bug on the mbed TLS github site, but as I'm not a direct user of the lib they may ignore it, I guess. Hugo - if there's anything you can do to back up my report, it might help trigger some action:

https://github.com/ARMmbed/mbedtls/issues/226
Manuel
31 July 2015, 11:27
Hi,

As an mbed TLS developer, I'd like to reassure Hiawatha users that you don't need Hugo to back up your reports for us to look at them. I just happened to be busier than usual these last few days. If we don't at least acknowledge your report in a few days, please feel free to send us a friendly reminder!
Geoff
3 August 2015, 16:38
Hi Manuel

Thanks for the update! Interested to see what you turn up on this issue...
Geoff
3 August 2015, 16:48
The PolarSSL guys found a little bug in their cert parser - it was barfing on a trailing space in the Comodo certs.

Workaround is to strip the trailing spaces till the fix is out. Feeling a bit dim as I check for Unix line endings but not for trailing space...

https://github.com/ARMmbed/mbedtls/issues/226
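The two lessons of this thread are (a) a PEM bundle assembled by hand from an e-mail can carry invisible junk (trailing spaces, CRLF endings) that a strict parser such as mbed TLS rejects, and (b) "openssl x509 -in file" only parses the first PEM block, so it says nothing about the leaf or chain certificates that follow the key. The following is an added example, not code from Hiawatha, mbed TLS or the posters: a small strict PEM linter that walks every block in a bundle, reports trailing whitespace, CRLF endings, stray text, mismatched labels and invalid base64, and a normalizer that strips the whitespace. The bundle it checks is constructed with placeholder base64 bodies (no real key or certificate material); the check for trailing whitespace is the one that would have caught the Comodo cert.

```python
"""Strict PEM bundle linter (added example, not Hiawatha or mbed TLS code).

The sample bundle below is constructed: its base64 bodies are placeholder
bytes, not a real key or certificates. Only the framing is being checked.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Strict PEM framing: label between dashes and nothing else on the line.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def lint_pem(text: str) -> Tuple[List[str], List[str]]:
    """Return (labels of complete blocks in file order, list of problems).

    Unlike `openssl x509 -in`, every block is visited, not just the first.
    Whitespace problems are reported but tolerated so parsing continues.
    """
    labels: List[str] = []
    problems: List[str] = []
    current: Optional[str] = None   # label of the block being read
    body: List[str] = []
    for n, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            problems.append(f"line {n}: CRLF line ending")
            raw = raw[:-1]
        line = raw.rstrip(" \t")
        if line != raw:
            problems.append(f"line {n}: trailing whitespace")
        if not line:
            continue                 # blank lines between blocks are harmless
        m = BEGIN_RE.match(line)
        if m:
            if current is not None:
                problems.append(f"line {n}: BEGIN inside unterminated {current} block")
            current, body = m.group(1), []
            continue
        m = END_RE.match(line)
        if m:
            if current is None:
                problems.append(f"line {n}: END without BEGIN")
            elif m.group(1) != current:
                problems.append(f"line {n}: END {m.group(1)} closes BEGIN {current}")
            elif not body:
                problems.append(f"line {n}: {current} block has an empty body")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                    labels.append(current)
                except binascii.Error:
                    problems.append(f"line {n}: {current} body is not valid base64")
            current, body = None, []
            continue
        if current is None:
            problems.append(f"line {n}: text outside any PEM block")
        else:
            body.append(line)
    if current is not None:
        problems.append(f"EOF: unterminated {current} block")
    return labels, problems


def normalize_pem(text: str) -> str:
    """Strip CR and trailing spaces/tabs from every line; end with one newline."""
    lines = [ln.rstrip(" \t\r") for ln in text.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\n".join(lines) + "\n"


def _b64_lines(payload: bytes, width: int = 64) -> List[str]:
    enc = base64.b64encode(payload).decode()
    return [enc[i:i + width] for i in range(0, len(enc), width)]


# Constructed bundle in the layout the thread uses: key, leaf cert, chain cert.
KEY_BODY = _b64_lines(b"placeholder private key bytes - not a real key" * 3)
LEAF_BODY = _b64_lines(b"placeholder leaf certificate bytes - not real" * 3)
CHAIN_BODY = _b64_lines(b"placeholder intermediate CA bytes - not real" * 3)
GOOD_BUNDLE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----", *KEY_BODY, "-----END RSA PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", *LEAF_BODY, "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", *CHAIN_BODY, "-----END CERTIFICATE-----", "",
])
# The same bundle as pasted from a mail client: one trailing space after a
# base64 line of the leaf, and a CRLF between the leaf and the chain block.
BAD_BUNDLE = GOOD_BUNDLE.replace(LEAF_BODY[0] + "\n", LEAF_BODY[0] + " \n", 1)
BAD_BUNDLE = BAD_BUNDLE.replace("-----END CERTIFICATE-----\n-----BEGIN",
                                "-----END CERTIFICATE-----\r\n-----BEGIN", 1)

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE),
                         ("bad, normalized", normalize_pem(BAD_BUNDLE))):
        labels, problems = lint_pem(bundle)
        print(f"{name}: blocks={labels} problems={problems}")
```

Run it against a real bundle with `lint_pem(open("/etc/hiawatha/mysite.com.pem").read())`; if it reports trailing whitespace or CRLF endings, write `normalize_pem(...)` back out (keeping the file mode at 600) and try the server again. The linter checks framing and base64 only; whether the chain is ordered correctly (leaf first, then intermediates) still needs `openssl verify` or the CA's chain checker.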