Deployment : Self-hosted on VM
EaaSI Version (if self-hosting): 2021.10
Browser : Chrome
Description: Our SSL certificate has expired. When we tried to renew it, the EaaSI service would not start. We have put the old certificate back in place, but we’re not sure how to upgrade the SSL within EaaSI.
Urgency: We would love to have this addressed ASAP. Thanks!
oooleg (Oleg Stobbe), March 28, 2023, 5:47pm
Hi @hannah.wang! According to the log, the configured private key does not match your updated certificate:
NOTICE (shrpx.cc:854) Listening on 0.0.0.0, tls
NOTICE (shrpx.cc:854) Listening on [::], tls
NOTICE (shrpx.cc:1297) Worker process [195845] spawned
NOTICE (shrpx_worker_process.cc:213) Renew new ticket keys
FATAL (shrpx_tls.cc:875) SSL_CTX_check_private_key failed: error:140A80BE:SSL routines:SSL_CTX_check_private_key:no private key assigned
NOTICE (shrpx_log.cc:697) Worker process: [195845] exited normally with status 100; exit status 1
NOTICE (shrpx.cc:4193) Shutdown momentarily
It looks like you are still using the private key from your expired certificate, which is different from the one required for the new certificate:
$ cd /eaasi/certificates
# checksum of public key (derived from private key used)
$ openssl pkey -in server.key -pubout -outform pem | sha256sum
af9fe39fb65ce612ed3e6706036093823d23fe1472284ffd6c2008a0acb55bd4 -
# checksum of public key used in expired certificate
$ openssl x509 -in server.crt.expired -pubkey -noout -outform pem | sha256sum
af9fe39fb65ce612ed3e6706036093823d23fe1472284ffd6c2008a0acb55bd4 -
# checksum of public key used in renewed certificate
$ openssl x509 -in server.crt.renewed -pubkey -noout -outform pem | sha256sum
893bc6bd61825ed418f7f228011753228c2bb7932d22afdbfd93aca058da82e4 -
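The comparison from the reply above, wrapped as a check to run before restarting the service. This is an added example, not part of the original thread or of EaaSI; the function names and the throwaway file names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm a private key belongs to a certificate before
# restarting the TLS service. File names below are constructed for the demo.

pubkey_of_key()  { openssl pkey -in "$1" -pubout -outform pem 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout -outform pem 2>/dev/null; }

# Returns 0 = key matches cert, 1 = mismatch, 2 = a file could not be parsed.
# Parsing is checked first: hashing the empty output of two failed openssl
# calls would otherwise produce two identical digests and a false "match".
key_matches_cert() {
    local k c
    k=$(pubkey_of_key "$1")  || return 2
    c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ -n "$c" ] || return 2
    k=$(printf '%s\n' "$k" | sha256sum | cut -d' ' -f1)
    c=$(printf '%s\n' "$c" | sha256sum | cut -d' ' -f1)
    [ "$k" = "$c" ] && return 0
    echo "key pubkey sha256:  $k" >&2
    echo "cert pubkey sha256: $c" >&2
    return 1
}

# Constructed test material: a throwaway self-signed pair at "$1.key"/"$1.crt".
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo() {
    local d rc crt
    d=$(mktemp -d) || return 1
    make_constructed_pair "$d/old" || return 1      # old key + old cert
    make_constructed_pair "$d/renewed" || return 1  # cert issued for a new key
    for crt in old renewed; do
        rc=0
        key_matches_cert "$d/old.key" "$d/$crt.crt" 2>/dev/null || rc=$?
        echo "old.key vs $crt.crt -> exit $rc"
    done
    rm -rf "$d"
}

demo
```

Against real files the call would be `key_matches_cert server.key server.crt.renewed`; a non-zero exit means the certificate should not be put in place with that key.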