Bug 144274

Summary: Apache:mod_ssl:Error: Private key not found
Product: Fedora
Reporter: Bob <bobpilly>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Version: 3
CC: bill, dagrichards
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-01-13 19:54:37 UTC

Description Bob 2005-01-05 15:11:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
I am trying to generate a self-signed SSL certificate for testing my
machine. I follow the following steps to create my own key:

to delete the dummy keys that are default with FC3
rm -f /etc/httpd.conf/ssl.crt/server.crt \
/etc/httpd.conf/ssl.key/server.key

then create a new key
cd /usr/share/ssl/certs/
make genkey

now to create the cert

cd /usr/share/ssl/certs/
make testcert

now when I go to start my httpd service I get this error:

service httpd start

Starting httpd: Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server server.domain.co.uk:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped
[FAILED]

I don't even get as far as entering the password for the key.
This would suggest that the server.key file isn't in
/etc/httpd/conf/ssl.key but I have checked and it is.
Also /etc/httpd/conf.d/ssl.conf correctly points to this file as well.

The output of my ssl_errors.log is:
[Wed Jan 05 14:33:45 2005] [error] Init: Unable to read pass phrase
[Hint: key introduced or changed before restart?]
[Wed Jan 05 14:33:45 2005] [error] SSL Library Error: 218710120
error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Wed Jan 05 14:33:45 2005] [error] SSL Library Error: 218529960
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 05 14:33:45 2005] [error] SSL Library Error: 218595386
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Jan 05 14:33:45 2005] [error] SSL Library Error: 218734605
error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

There is also this output from dmesg:

SELinux: initialized (dev 0:13, type nfs), uses genfs_contexts
audit(1104934858.355:0): avc:  denied  { getattr } for  pid=3695
exe=/usr/sbin/httpd path=/etc/httpd/conf.d/ssl.conf dev=dm-0 ino=32789
scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t
tclass=file
audit(1104934858.356:0): avc:  denied  { read } for  pid=3695
exe=/usr/sbin/httpd name=ssl.conf dev=dm-0 ino=32789
scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t
tclass=file
audit(1104934951.020:0): avc:  denied  { getattr } for  pid=3708
exe=/usr/sbin/httpd path=/etc/httpd/conf.d/ssl.conf dev=dm-0 ino=32789
scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t
tclass=file
audit(1104934951.020:0): avc:  denied  { read } for  pid=3708
exe=/usr/sbin/httpd name=ssl.conf dev=dm-0 ino=32789
scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t
tclass=file


I have also tried with a test certificate from freessl.com but the
same thing happens.


Version-Release number of selected component (if applicable):
kernel 2.6.9-1.724_FC, httpd-2.0.52-3.1, mod_ssl-2.0.52-3.1 and
openssl-0.9.7a-4

How reproducible:
Always

Steps to Reproduce:
1. delete current key + cert
rm -f /etc/httpd.conf/ssl.crt/server.crt \
/etc/httpd.conf/ssl.key/server.key

2. then create a new key
cd /usr/share/ssl/certs/
make genkey

3. create a new cert
cd /usr/share/ssl/certs/
make testcert

4. start apache
service httpd start

Actual Results:  Starting httpd: Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server server.domain.co.uk:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped
[FAILED]

Expected Results:  apache to start and be able to serve SSL encrypted
pages.

Additional info:

The install is a standard install. The ssl.conf file hasn't been
modified in any way and the passwords used for the server.key don't
have any special chars in them.

Comment 1 Joe Orton 2005-01-05 15:14:20 UTC
audit(1104934858.356:0): avc:  denied  { read } for  pid=3695
exe=/usr/sbin/httpd name=ssl.conf dev=dm-0 ino=32789
scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t
tclass=file

implies simply that /etc/httpd/conf.d/ssl.conf is not labelled
correctly.  Can you try:

restorecon /etc/httpd/conf.d/ssl.conf


Comment 2 Bob 2005-01-05 15:19:20 UTC
I get no output to the term when I run that command; is that correct?

I have tried running service start httpd after running

restorecon /etc/httpd/conf.d/ssl.conf

and the same thing as before happens with the same errors.

Comment 3 Joe Orton 2005-01-05 16:41:15 UTC
No output is expected.  What does:

# ls -lZ /etc/httpd/conf.d/ssl.conf

give?

Comment 4 Bob 2005-01-05 19:25:23 UTC
It gives back

-rw-r--r--  root     root     system_u:object_r:httpd_config_t /etc/httpd/conf.d/ssl.conf

Comment 5 Dag Richards 2005-02-16 18:32:58 UTC
I am having the same issue.
As a workaround, turning SELinux enforcement off (setenforce 0)
allows me to start httpd and enter the passphrase. No audit messages
appear in /var/log/messages to indicate what SELinux is complaining
about when enforcement is on.

Comment 6 Bill Blackford 2005-05-05 23:41:41 UTC
For what it's worth, I'm getting the same exact error with rhel4.

Thanks

Comment 7 Joe Orton 2005-05-06 09:50:09 UTC
Bill, please file a new bug against RHEL4 if you are seeing issues there.

I still don't have a specific repro case here.  You need to check that the SSL
certificate and private key are labelled correctly, e.g. use:

   # restorecon -R /etc/httpd/conf

if the certs are all in /etc/httpd/conf.d/ssl.*.  If that's not the case then
please use "setenforce 0" and report the avc denials which are logged (via dmesg
or /var/log/messages) when starting httpd.
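The diagnosis in comments 1 and 7 is that the AVC denial, not the key file, is the real failure: httpd_t is refused access to a file under /etc/httpd that carries the wrong label, and the fix is to relabel rather than to disable enforcement. The script below is an added example, not something posted in this bug or shipped with Fedora's httpd package. It does the two things Joe asks for: it filters audit/dmesg text down to denials raised against httpd_t so the offending file is visible, and it uses restorecon's dry-run mode to check (and then fix) the label on each file mod_ssl reads at start-up. The file paths are the FC3-era layout used in the report, the sample audit lines are constructed from the ones in the description, and the script name `check_httpd_ssl_labels.sh` is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report: triage an httpd "Private key not
# found" start-up failure that is really an SELinux labelling problem.
#   parse_avc_denials  - filter audit/dmesg text down to denials whose source
#                        domain is httpd_t and print path|permission|tcontext,
#                        so the mislabelled file is visible without setenforce 0.
#   check_httpd_labels - ask restorecon (dry run) whether each SSL file carries
#                        the label policy expects, and relabel only those that
#                        do not.
# File locations follow the FC3-era layout used in the report; adjust for
# your distribution.

# Constructed sample audit text: two lines reusing the pid/inode values from
# the report, plus one unrelated denial that must be ignored. Real dmesg and
# /var/log/messages entries are one line each, as here.
SAMPLE_AUDIT='audit(1104934858.355:0): avc:  denied  { getattr } for  pid=3695 exe=/usr/sbin/httpd path=/etc/httpd/conf.d/ssl.conf dev=dm-0 ino=32789 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1104934858.356:0): avc:  denied  { read } for  pid=3695 exe=/usr/sbin/httpd name=ssl.conf dev=dm-0 ino=32789 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1104934900.000:0): avc:  denied  { write } for  pid=4000 exe=/usr/bin/example path=/tmp/example scontext=root:system_r:unconfined_t tcontext=root:object_r:tmp_t tclass=file'

# Read audit text on stdin; print "file|permission|tcontext" for each denial
# raised against the httpd_t domain. Uses only POSIX awk.
parse_avc_denials() {
    awk '
    /avc: +denied/ && /scontext=[^ ]*:httpd_t / {
        perm = ""; file = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)                   # "{ read }" -> read
            split($i, kv, "=")
            if (kv[1] == "path") file = kv[2]                # full path when logged
            if (kv[1] == "name" && file == "") file = kv[2]  # otherwise basename only
            if (kv[1] == "tcontext") tctx = kv[2]            # label on the denied file
        }
        print file "|" perm "|" tctx
    }'
}

# Files mod_ssl reads at start-up in the layout the report uses.
HTTPD_SSL_FILES="/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/server.crt"

# For each file print "path|ok", "path|relabelled" or "path|missing".
# restorecon -n -v prints a line only when the current label differs from
# what the policy's file_contexts says, so non-empty dry-run output means
# the file needs fixing; the real restorecon run then applies the change.
check_httpd_labels() {
    command -v restorecon >/dev/null 2>&1 || {
        echo "restorecon not found; is policycoreutils installed?" >&2
        return 1
    }
    for f in $HTTPD_SSL_FILES; do
        if [ ! -e "$f" ]; then
            echo "$f|missing"
        elif [ -n "$(restorecon -nv "$f" 2>&1)" ]; then
            restorecon -v "$f" >/dev/null
            echo "$f|relabelled"
        else
            echo "$f|ok"
        fi
    done
}

main() {
    echo "== httpd_t denials currently in the kernel log =="
    dmesg | parse_avc_denials
    echo "== SSL file labels =="
    check_httpd_labels
}

# Run the live check only when invoked under this (assumed) script name, so
# the functions can also be sourced into an interactive root shell.
case "${0##*/}" in
    check_httpd_ssl_labels.sh) main ;;
esac
```

Run it as root, then `service httpd start` again and enter the pass phrase. On the sample text the parser reports two denials, both against `/etc/httpd/conf.d/ssl.conf` with `tcontext=root:object_r:user_home_t`; a file under /etc carrying a home-directory label usually got there by being moved (mv keeps the source label) rather than copied, which is why `restorecon` on the one file, or `restorecon -R /etc/httpd/conf` as in comment 7, is the right repair. The per-file check only adds visibility into which file was wrong; it does not replace that recursive relabel.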

Comment 8 John Thacker 2007-01-13 19:54:37 UTC
(This is a mass update to bugs which have been in NEEDINFO unmodified for over a
year and are for a currently unsupported version of Fedora Core.)

Closing per lack of response to previous request for information.
This bug was originally filed against a much earlier version of Fedora
Core, and significant changes have taken place since the last version
for which this bug is confirmed.

Note that FC3 and FC4 are supported by Fedora Legacy for security
fixes only.  Please install a still supported version and retest.  If
it still occurs on FC5 or FC6, please reopen and assign to the correct
version.  Otherwise, if this is a security issue, please change the
product to Fedora Legacy.  Thanks, and we are sorry that we did not
get to this bug earlier.