I have tried several methods, but the SSL certificate doesn't work.

BSD# curl -vi https://192.168.1.21:443                           
*   Trying 192.168.1.21:443...
* Connected to 192.168.1.21 (192.168.1.21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection 0
curl: (35) error:02FFF036:system library:func(4095):Connection reset by peer

httpd.conf:

server "www.somename.ru" {
    listen on 192.168.1.21      port 80
    listen on 192.168.1.21  tls port 443
    root "/htdocs/somename.ru"
    directory index index.php
    location "*.php*" {
        fastcgi socket "/run/php-fpm.sock"
    }

    tls certificate "/etc/ssl/server.crt"
    tls key "/etc/ssl/private/server.key"

}

And I haven't changed the DNS server yet for this domain. Maybe this causes the problem, because the web site is accessible only via IP address and ports.

The certificate is from Comodo.
I received four files, and verified them properly using cat, to make a bundle in the right order.

External ports for my network are 543 (TLS) and 2050 (HTTP), so 443 is taken for tunnel remote access and 80 for the router; I can't use them.

If I run httpd in debug mode:

BSD# httpd -d             
startup
server_tls_init: failed to configure tls - failed to read private key
server_tls_init: failed to configure tls - failed to read private key
server_tls_init: failed to configure tls - failed to read private key

But the key is correct; I checked it with

openssl rsa -check -noout -in myserver.key | openssl md5
openssl x509 -modulus -noout -in myserver.crt | openssl md5

The key was encrypted:

openssl genrsa -out /etc/ssl/private/server.key 4096
openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096

UPDATE:

After some research, I am close to an answer. Something is wrong; the server couldn't decrypt server.key, and I don't know how to set an instruction for that.

This doesn't help to solve the problem:

ciphers "TLSv1.2:TLSv1.3:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"

berndbausch
igor
    Either the file names on `httpd.conf` don't match the actual certificate file names (you have `server.key` on the config file, but `myserver.key` on the `openssl` check), or it doesn't have permissions to read them. Also, note that since you are using the IP to make the connection, it probably won't match the `server` section on `httpd.conf`, which is set by name. – Zé Loff Nov 06 '20 at 15:04
  • After some consideration, I decided to try connecting by domain name; maybe that's the problem, because the key and certificate are fine, checked many times. If the certificate does not work, I will use Let's Encrypt and not come back to Comodo – igor Nov 12 '20 at 07:30

1 Answer

4

OpenBSD httpd can't read encrypted keys, i.e. passphrase-protected ones.
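An added check for the situation in this answer (example code, not from the question, the answer or the httpd project): the second `genrsa -aes256` command in the question writes a passphrase-protected key, and httpd's "failed to read private key" does not say so. The script below tells an encrypted PEM key from a plain one by its headers, which is enough to catch this before restarting httpd, and wraps the `openssl` invocation that writes an unencrypted copy. The PEM text and file paths in the demo are constructed samples, not real keys; the function names are this example's own.

```shell
#!/bin/sh
# Added example: detect a passphrase-protected PEM private key before handing it
# to OpenBSD httpd(8), which cannot decrypt it. Sample PEM text below is constructed.

# Exit 0 if the PEM text on stdin is passphrase-protected, 1 if it is plain.
# Two encodings occur in practice:
#   - legacy/traditional PEM: "-----BEGIN RSA PRIVATE KEY-----" followed by a
#     "Proc-Type: 4,ENCRYPTED" header (what `openssl genrsa -aes256` writes on
#     LibreSSL and older OpenSSL);
#   - PKCS#8: "-----BEGIN ENCRYPTED PRIVATE KEY-----" (OpenSSL 3.x default).
pem_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----'
}

# Classify a key file: prints "missing", "encrypted" or "plain"; exit status 2/1/0.
classify_key() {
    [ -r "$1" ] || { echo "missing"; return 2; }
    if pem_is_encrypted < "$1"; then
        echo "encrypted"; return 1
    fi
    echo "plain"; return 0
}

# Write an unencrypted copy that httpd can load. Prompts for the passphrase once.
# Without an -aes256/-des3 option, `openssl pkey` writes the key in the clear;
# `openssl rsa -in "$in" -out "$out"` does the same for RSA keys.
strip_passphrase() {
    in="$1"; out="$2"
    umask 077                       # keep the plain key owner-readable only
    openssl pkey -in "$in" -out "$out"
}

# Demo on constructed sample files (headers only; the base64 body is fake).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'FAKEBASE64BODY==' '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'FAKEBASE64BODY==' \
        '-----END RSA PRIVATE KEY-----' > "$d/server.plain.key"
    for f in "$d/server.key" "$d/server.plain.key" "$d/does-not-exist.key"; do
        printf '%s: ' "${f##*/}"
        classify_key "$f" || :
    done
    rm -rf "$d"
}

demo
```

If `classify_key` reports "encrypted" for the file named in `tls key`, run `strip_passphrase /etc/ssl/private/server.key /etc/ssl/private/server.key.plain`, point `tls key` at the new file, and confirm that `httpd -d` no longer logs "failed to read private key". The "missing" result covers the other cause raised in the comments: a path or permission mismatch between the config and the file that was actually checked.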

Jiri B