Change Server but not change certificate
-
[Mon Mar 21 16:59:14.067146 2016] [ssl:emerg] [pid 19633] AH02565: Certificate and private key 172.20.1.251:443:0 from /var/www/fog/management/other/ssl/srvpublic.crt and /opt/fog/snapins/ssl/.srvprivate.key do not match AH00016: Configuration Failed
-
@danilopinotti Please run the following commands:
openssl rsa -modulus -noout -in /opt/fog/snapins/ssl/.srvprivate.key | openssl md5 openssl x509 -modulus -noout -in /var/www/fog/management/other/ssl/srvpublic.crt | openssl md5
The MD5 sums should match!
Did you copy /opt/fog from the old to the new server and then ran the installer on the new server?
-
@Sebastian-Roth
Not match!
I tried copy the fog.csr to new and run the script again. Not works too -
If you copied over the root CA keys (it sounds like you did), run
./installfog.sh --recreate-keys
-
@Jbob
I’ve copied only /opt/fog/snapins/ssl/fog.csr of old to new and re-executed the script.
It has something else to copy or some other procedure to work ? -
@danilopinotti You need to copy the whole of the SSL folder.
If /opt/fog/snapins/ssl contains .srvprivate.key and the CA folder and fog.csr, why not just copy the WHOLE folder?
For example:
scp -r /opt/fog/snapins/ssl/* fog-server:/opt/fog/snapins/ssl/
-
@Tom-Elliott not works!
The same error appears:[Mon Mar 21 18:05:51.390582 2016] [ssl:emerg] [pid 27939] AH02565: Certificate and private key 172.20.1.251:443:0 from /var/www/fog/management/other/ssl/srvpublic.crt and /opt/fog/snapins/ssl/.srvprivate.key do not match AH00016: Configuration Failed
-
@danilopinotti So your main server is also having issues?
-
-
@danilopinotti After copying the files are you re-running the installer on the place you copied it to?
-
@Jbob said:
If you copied over the root CA keys (it sounds like you did), run ./installfog.sh --recreate-keys
With this argument it will take advantage of the old scripts or create new keys?
-
@danilopinotti It will use the old CA to generate a new Private key.
-
@Tom-Elliott said:
It will use the old CA to generate a new Private key.
In that case I’ll have to reinstall the client on all computers again?
-
@danilopinotti No. The ca.cert.der and ca.cert.pem files should be identical to what your clients already have.
The clients will need to reget the srvpublic.crt file (which they’ll do automatically anyway). This is checked very pass where the encryption key is no longer valid and on initial authentication.
-
@Tom-Elliott
So I will not have to redo the settings in clients? -
@danilopinotti Correct.