Deployment: Self-hosted on VM
EaaSI Version (if self-hosting): 2021.10
Description: Our SSL certificate has expired. When we tried to renew it, the EaaSI service would not start. We have put the old certificate back in place, but we’re not sure how to upgrade the SSL within EaaSI.
Urgency: We would love to have this addressed ASAP. Thanks!
March 28, 2023, 5:47pm
@hannah.wang! According to the log, the configured private key does not match your updated certificate:
NOTICE (shrpx.cc:854) Listening on 0.0.0.0, tls
NOTICE (shrpx.cc:854) Listening on [::], tls
NOTICE (shrpx.cc:1297) Worker process  spawned
NOTICE (shrpx_worker_process.cc:213) Renew new ticket keys
FATAL (shrpx_tls.cc:875) SSL_CTX_check_private_key failed: error:140A80BE:SSL routines:SSL_CTX_check_private_key:no private key assigned
NOTICE (shrpx_log.cc:697) Worker process:  exited normally with status 100; exit status 1
NOTICE (shrpx.cc:4193) Shutdown momentarily
It looks like you are still using the private key from your expired certificate, which is different from the one required for the new certificate:
$ cd /eaasi/certificates
# checksum of public key (derived from private key used)
$ openssl pkey -in server.key -pubout -outform pem | sha256sum
# checksum of public key used in expired certificate
$ openssl x509 -in server.crt.expired -pubkey -noout -outform pem | sha256sum
# checksum of public key used in renewed certificate
$ openssl x509 -in server.crt.renewed -pubkey -noout -outform pem | sha256sum
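The comparison from the reply above, wrapped as a script that can run before the certificate files are swapped. This is an added example, not part of the original reply and not EaaSI code. The function names and the throwaway test pair are assumptions, and it also rejects unreadable files, which the bare pipeline would hash as empty input and report as identical.

```shell
#!/bin/sh
# Added example (not EaaSI code): check that a private key and a certificate
# share one public key before replacing files in /eaasi/certificates.

# SHA-256 of the public key derived from a private key; fails on unreadable input.
key_fingerprint() {
    pub=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null) || return 2
    [ -n "$pub" ] || return 2   # an empty stream would still hash "successfully"
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the public key embedded in a certificate.
cert_fingerprint() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$pub" ] || return 2
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    k=$(key_fingerprint "$1") || return 2
    c=$(cert_fingerprint "$2") || return 2
    [ "$k" = "$c" ]
}

# Constructed sample input: throwaway self-signed pair written to $1.key / $1.crt.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Usage: sh check_pair.sh server.key server.crt.renewed
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "match: safe to deploy this key/certificate pair" ;;
        1) echo "MISMATCH: certificate was issued for a different key" ;;
        *) echo "error: could not read key or certificate" ;;
    esac
    exit "$rc"
fi
```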