Resolved
0 votes
We use port forwarding to allow users to access their desktops by Remote Desktop. It was suggested that we try using Open VPN instead.
I installed the application from the Marketplace. It immediately sent me to Certificate Manager, where it had me generate a self-signed certificate, even though we already have certs we've paid for. There was no apparent way to upload certs you already have, so I made note of the filenames of the Manager-generated certs and did a search for them. They are created in /etc/pki/CA.
For each of the two files I created copies with a .bak extension, then created symlinks to our certificate files in /etc/pki/tls.
These certs have been there for years and are in use for other applications.
However, once I added those links, webconfig stopped working--I get the "unable to connect" error.
OK, no problem, there must be something about the type of cert file. I'll just undo it, deleting the symlinks and renaming the original files back.
Nope, still won't connect.
Ok, I'll just restart the service:

[root@netgate conf.d]# service webconfig restart
Stopping webconfig: [ OK ]
Starting webconfig: [FAILED]


Well, surely a reboot will fix it, right?
Nope, same result.
Maybe it has something to do with OpenVPN, I could uninstall that.
No difference.


[root@netgate conf.d]# service webconfig restart
Stopping webconfig: [ OK ]
Starting webconfig: [FAILED]


OK, why won't it start?
I looked in /var/log/syswatch, nothing interesting there.

This is the entire content of /var/log/webconfig/error_log for today's date:
[Fri Nov 03 17:06:25 2017] [error] [client 192.168.0.47] File does not exist: /usr/clearos/themes/default/css/images/ui-bg_diagonals-thick_20_666666_40x40.png, referer: https://192.168.0.1:81/themes/default/css/jquery-ui-1.10.3.custom.css?v=6.5.0
[Fri Nov 03 17:06:25 2017] [error] [client 192.168.0.47] File does not exist: /usr/clearos/themes/default/css/images/ui-icons_ef8c08_256x240.png, referer: https://192.168.0.1:81/themes/default/css/jquery-ui-1.10.3.custom.css?v=6.5.0
[Fri Nov 03 17:10:04 2017] [notice] caught SIGTERM, shutting down
[Fri Nov 03 17:10:05 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:10:05 2017] [warn] RSA server certificate CommonName (CN) `netgate.gra-inc.com' does NOT match server name!?
[Fri Nov 03 17:10:05 2017] [warn] RSA server certificate CommonName (CN) `netgate.gra-inc.com' does NOT match server name!?
[Fri Nov 03 17:10:05 2017] [notice] Digest: generating secret for digest authentication ...
[Fri Nov 03 17:10:05 2017] [notice] Digest: done
[Fri Nov 03 17:10:05 2017] [warn] RSA server certificate CommonName (CN) `netgate.gra-inc.com' does NOT match server name!?
[Fri Nov 03 17:10:05 2017] [warn] RSA server certificate CommonName (CN) `netgate.gra-inc.com' does NOT match server name!?
[Fri Nov 03 17:10:05 2017] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Fri Nov 03 17:30:37 2017] [error] [client 192.168.0.47] File does not exist: /usr/clearos/themes/default/css/images/ui-icons_ef8c08_256x240.png, referer: https://192.168.0.1:81/themes/default/css/jquery-ui-1.10.3.custom.css?v=6.5.0
[Fri Nov 03 17:37:48 2017] [notice] caught SIGTERM, shutting down
[Fri Nov 03 17:37:48 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:37:48 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:37:48 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:37:48 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:37:48 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:44:17 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:44:17 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:44:17 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:44:17 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:44:17 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:44:22 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:44:22 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:44:22 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:44:22 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:44:22 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:45:02 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:45:02 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:45:02 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:45:02 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:45:02 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:45:15 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:45:15 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:45:15 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:45:15 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:45:15 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:45:20 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:45:20 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:45:20 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:45:20 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:45:20 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:55:54 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:55:54 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:55:54 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:55:54 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:55:54 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:55:58 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:55:58 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:55:58 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:55:58 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:55:58 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:59:51 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:59:51 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:59:51 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:59:51 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:59:51 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 17:59:56 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 17:59:56 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 17:59:56 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 17:59:56 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 17:59:56 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:08:48 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:08:48 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:08:48 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:08:48 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:08:48 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:09:02 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:09:02 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:09:02 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:09:02 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:09:02 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:09:07 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:09:07 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:09:07 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:09:07 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:09:07 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:11:13 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:11:13 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:11:13 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:11:13 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:11:13 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:11:18 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:11:18 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:11:18 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:11:18 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:11:18 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:18:22 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:18:22 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:18:22 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:18:22 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:18:22 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:19:19 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:19:19 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:19:19 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:19:19 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:19:19 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:19:38 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:19:38 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:19:38 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:19:38 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:19:38 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:19:47 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:19:47 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:19:47 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:19:47 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:19:47 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:20:02 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:20:02 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:20:02 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:20:02 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:20:02 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:20:27 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:20:27 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 03 18:20:27 2017] [warn] RSA server certificate CommonName (CN) `netgate.lan' does NOT match server name!?
[Fri Nov 03 18:20:27 2017] [error] Unable to configure RSA server private key
[Fri Nov 03 18:20:27 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Nov 03 18:20:37 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:20:37 2017] [error] Init: Private key not found
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:20:37 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:20:39 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:20:39 2017] [error] Init: Private key not found
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:20:39 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:21:47 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:21:47 2017] [error] Init: Private key not found
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:21:47 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:21:57 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:21:57 2017] [error] Init: Private key not found
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:21:57 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:24:26 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:24:26 2017] [error] Init: Private key not found
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:24:26 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:47:20 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/clearos/sandbox/usr/sbin/suexec)
[Fri Nov 03 18:47:20 2017] [error] Init: Private key not found
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 03 18:47:20 2017] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


Would these things prevent webconfig from starting? What would I do at this point? Without any idea why webconfig won't start I have no clue what to do.

I thought of trying:
yum history rollback 8
with 8 being the transaction where OpenVPN was installed, but yum wants to remove 140 packages.
Friday, November 03 2017, 11:16 PM

Accepted Answer

Tuesday, November 21 2017, 11:12 PM - #Permalink
Resolved
0 votes
I was unclear when I responded.

Once I looked at this error again and searched online for it, I decided to simply try changing the host name to the name on the certificate. Once I did that and restarted httpd and webconfig, I was able to access webconfig again. I then went into webconfig and changed the name of the host back to what I wanted it to be ("[servername].[ourdomain].lan") and everything was ok.

So, something as small as changing the hostname to match the certificate fixed the problem. I guess when you change the hostname in the webconfig interface it has a way of handling that change with the certificate. Based on what you wrote, I would be curious if you just executed:

hostname foobar


on a running ClearOS 6 system, whether webconfig would continue to work. And whether it would continue to work if you restarted webconfig.

Thank you very much for your help on this issue!

I am still interested in getting us VPN access to our LAN, and am wondering whether I should try the ClearOS 7 system instead, and which VPN app I should use.
Responses (10)
  • Accepted Answer

    Saturday, November 04 2017, 01:17 AM - #Permalink
    Resolved
    0 votes
    Might not be related at all but I know that there are Webconfig problems that can exist if Webconfig is in debug mode during the latest update. To fix that problem, remove /etc/clearos/webconfig.debug and try restarting Webconfig.

    Probably not the solution but it is worth looking at since I know that debug mode can cause problems on the update.
  • Accepted Answer

    Saturday, November 04 2017, 01:35 AM - #Permalink
    Resolved
    0 votes
    Thanks for the idea! Unfortunately there is no webconfig.debug in /etc/clearos on the machine.


    [root@netgate clearos]# uname -r
    2.6.32-696.10.3.v6.x86_64

    [root@netgate clearos]# pwd
    /etc/clearos

    [root@netgate clearos]# ll
    total 108
    drwxr-xr-x. 2 root root 4096 Sep 6 16:17 base.d
    drwxr-xr-x. 2 root root 4096 Nov 3 21:30 certificate_manager.d
    -rw-r--r-- 1 root root 21 Nov 13 2014 content_filter.conf
    -rw-r--r-- 1 root root 31 Aug 28 2013 date.conf
    -rw-r----- 1 root squid 346 Jun 24 2014 ecap-adapter.conf
    -rw-r--r-- 1 webconfig webconfig 80 Jan 20 2016 file_scan.conf
    -rw-r--r-- 1 webconfig webconfig 0 May 5 2015 file_scan.conf.rpmnew
    -rw-r--r-- 1 root root 3513 Nov 3 15:28 firewall.conf
    drwxr-xr-x. 2 root root 4096 Mar 18 2016 firewall.d
    -rw-r--r-- 1 root root 21 Apr 24 2014 intrusion_detection.conf
    -rw-r--r-- 1 root root 21 Aug 28 2013 intrusion_prevention.conf
    -rw-r--r-- 1 root root 15 Dec 19 2012 language.conf
    -rw------- 1 root root 118 Mar 15 2016 mail_notification.conf
    -rw-r--r-- 1 webconfig webconfig 49 Jan 6 2015 marketplace.conf
    -rw-r--r-- 1 root root 65 Aug 19 2015 multiwan.conf
    -rw-r--r-- 1 root root 36 Jul 15 2015 multiwan.conf.rpmnew
    -rw-r--r-- 1 root root 234 Oct 19 13:57 network.conf
    drwxr-xr-x. 2 root root 4096 May 25 2015 network.d
    -rw-r--r-- 1 root root 83 Apr 18 2012 organization.conf
    -rw-r--r-- 1 root root 37 Apr 15 2013 performance_tuning.conf
    -rw-r--r-- 1 root root 103 Nov 3 05:00 raid.conf
    -rw-r--r-- 1 root root 19 May 13 2016 raid.conf.rpmnew
    -rw-r--r-- 1 root root 0 Aug 12 2015 registration.conf
    -rw-r--r-- 1 root root 21 Jan 3 2017 samba_common.conf
    -rw-r--r-- 1 root root 21 Oct 17 2014 software_updates.conf
    -rw-r--r-- 1 root root 83 Jul 17 2013 storage.conf
    drwxr-xr-x. 2 root root 4096 Aug 19 2015 storage.d
    -rw-r--r-- 1 root root 0 Jan 10 2014 web_proxy.conf
    -rw-r--r-- 1 root root 21 Nov 12 2014 web_proxy.conf.rpmnew
    drwxr-xr-x 2 root root 4096 Jan 6 2015 web_proxy.d


    I am kicking myself, I have a VM of this exact server I created just days ago. If I thought I was doing anything risky I'd have done it on the VM first.
  • Accepted Answer

    Saturday, November 04 2017, 08:51 AM - #Permalink
    Resolved
    0 votes
    Hi Greg,
    Can you remind me which version of ClearOS you are running? ClearOS7 now has a neat way of importing certificates for the Webconfig and Web Server.
    At a guess you have replaced the certificates in /etc/PKI rather than point the Webconfig (and web server?) config files to the new certificates. Can you give the files you imported their own file names and leave the ones you generated in place?
    Create a file /usr/clearos/sandbox/etc/httpd/conf.d/certs.conf and in it put your equivalent of mine:
    SSLCertificateFile /etc/letsencrypt/live/www.howitts.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.howitts.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.howitts.co.uk/chain.pem
    Obviously point it at your certificates. You may have one, two or three files as sometimes the files are combined. If you have a combined chain/intermediate and certificate file, just specify the SSLCertificateFile only and leave out the SSLCertificateChainFile setting.
  • Accepted Answer

    Tuesday, November 07 2017, 04:13 AM - #Permalink
    Resolved
    0 votes
    Nick,
    This is ClearOS6 Professional, updated to the latest possible state (6.9 I think). We do have a different machine that's ClearOS 7 (7 wasn't released yet when I set this one up).

    I had already tried changing the names of the files in /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf
    but it had no apparent effect. I did try restoring the previous framework.conf and then adding a certs.conf as you suggested, with lines:

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/ca-bundle.crt


    But that also appears to do nothing...the webconfig service refuses to start. So, it appears that whatever is causing it to refuse to start is not those certificate files.
    As I wrote earlier, I do know that those certificate files work, because they're in use by a web-enabled third-party application using Apache. I never before went through the effort of finding out how to enable our purchased certs for webconfig because only I and the other IT guy in the company use webconfig, while everyone uses the other application and having a cert that doesn't trigger the self-signed cert warning was important.
    What else could I do to try to find why webconfig service won't start?
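Added example, not part of any post in this thread: a pre-flight check for the two failure signatures in the error_log from the opening post ("key values mismatch" when the key does not belong to the certificate, and "Private key not found" with ASN.1 "wrong tag" errors when the key file cannot be parsed as a private key) and for the certs.conf lines above. The function names are this example's own, the throwaway self-signed pairs are constructed sample input, and the CN comparison is a plain string match that ignores wildcards and subjectAltName.

```shell
#!/bin/sh
# Added example (not from the thread): check a certificate/key pair before
# pointing SSLCertificateFile / SSLCertificateKeyFile at it.

# Public key embedded in a PEM certificate; fails if the file is not a cert.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public half of a PEM private key; fails if the file is not a private key
# (a certificate or CA bundle, for instance). "-passin pass:" stops openssl
# from prompting, so a passphrase-protected key is also reported as unreadable.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Returns 0 = pair matches, 1 = bad certificate file, 2 = bad key file,
# 3 = both parse but the key does not belong to the certificate.
check_tls_pair() {
    cpub=$(cert_pubkey "$1") || return 1
    kpub=$(key_pubkey "$2") || return 2
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || return 3
    return 0
}

# Subject CN of a certificate (first CN attribute only).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# True when the certificate CN equals the given server name (case-insensitive).
cn_matches_host() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Human-readable verdict, worded after the mod_ssl messages in the log.
diagnose_tls_pair() {
    rc=0
    check_tls_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: key matches certificate (CN=$(cert_cn "$1"))" ;;
        1) echo "FAIL: $1 is not a readable X.509 certificate" ;;
        2) echo "FAIL: $2 is not a readable private key (Init: Private key not found)" ;;
        3) echo "FAIL: key does not belong to certificate (key values mismatch)" ;;
    esac
    return $rc
}

# Constructed sample input: a throwaway self-signed pair.
# $1 = output prefix, $2 = subject CN.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Walk through the three outcomes: matching pair, key from another
# certificate, and a certificate file given where the key should be.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d/a" netgate.lan
    make_demo_pair "$d/b" other.example
    diagnose_tls_pair "$d/a.crt" "$d/a.key"
    diagnose_tls_pair "$d/a.crt" "$d/b.key"
    diagnose_tls_pair "$d/a.crt" "$d/b.crt"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `diagnose_tls_pair <cert> <key>` on the files named in the SSLCertificateFile and SSLCertificateKeyFile lines before restarting webconfig.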
  • Accepted Answer

    Tuesday, November 07 2017, 08:32 AM - #Permalink
    Resolved
    0 votes
    Investigating a bit further on 6.9, certificates are specified in /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf, but it only specifies the Certificate and Key file so I am not sure where it is reading its CA certificate from. What I am trying to do is get you a clean set of certificates from any source which may let your webconfig start.

    What you did won't work as you have not specified the key file and, potentially, the chain/intermediate file. Please can you specify them as well? You may get away without the chain/intermediate file if it is part of your certificate, but opening the certificate file in a text editor will show you that.

    Alternatively, go back to the start and delete *both* the Certificate Authority and the Default Certificate and regenerate them. If you did not delete both of them you will have to anyway as OpenVPN won't work properly. Also remove or hide the file you've just added. With luck, it will work but I'd love to know where the CA is specified.

    If this last method works, you will need to delete any OpenVPN certificates you've generated by logging on as the user and deleting and regenerating them.
  • Accepted Answer

    Wednesday, November 08 2017, 07:31 PM - #Permalink
    Resolved
    0 votes
    I had to think a bit because without webconfig running I could not regenerate certificates (well, I know it's possible, I've done it from the cli before but I'm not sure they'd be done the same way as webconfig does them, or put in the same place.)

    I realized that I had made an image of the machine only a few weeks before, and there had been no config changes of the production server since the image was made (other than the stated installation of OpenVPN, which I reversed).
    I have the image running in VMWare and webconfig works fine on it. So, on the production machine, I created a backup of /etc/pki as /etc/pki-BAK and copied over /etc/pki from the image. I realized there would also be changes to the framework.conf file you mentioned, so I moved /usr/clearos/sandbox/etc/httpd to /usr/clearos/sandbox/etc/httpd-BAK and copied over /usr/clearos/sandbox/etc/httpd from the image.

    I don't know whether you consider this good technique or poor. I know I've got a perfectly-working clone of my machine and it seems to me if I can only restore whatever happened when I installed OpenVPN I'll be back in business.

    I restarted httpd and then, crossing my fingers, I restarted webconfig:


    [root@netgate httpd]# service httpd restart
    Stopping httpd: [ OK ]
    Starting httpd: [ OK ]
    [root@netgate httpd]# service webconfig restart
    Stopping webconfig: [ OK ]
    Starting webconfig: [ OK ]


    I was very excited for about 10 seconds until I found I still get the same message in the browser:
    Unable to connect


    If webconfig is running and I still can't connect, is there a way to diagnose that? Is it possible that directories other than /etc/pki and /usr/clearos/sandbox/etc/httpd need to be restored from the image? Or, if you feel my approach in copying over the directories was wrong, I can copy the previous ones back. At this point I don't even care about OpenVPN, I just want to get webconfig back without disrupting anything else on this server.
  • Accepted Answer

    Wednesday, November 08 2017, 07:49 PM - #Permalink
    How long ago did you make the changes for OpenVPN? Can you try a config restore from one of the backups in /var/clearos/configuration_backup? I would guess that you can just untar the file with the right command then reboot as I've no idea what services need to be restarted, but this is purely a guess. It looks like it would need to be untarred into root, preserving file ownership.

    In terms of the sandbox, all that would recover is the httpd server cert and key so I am not sure if that would help.

    Does the webconfig remain running? Are there any errors in /var/log/webconfig?
  • Accepted Answer

    Saturday, November 18 2017, 01:04 AM - #Permalink


    Does the webconfig remain running? Are there any errors in /var/log/webconfig?


    Yes, the webconfig stayed up.

    /var/log/webconfig contained the errors:
    [Fri Nov 17 19:21:02 2017] [warn] RSA server certificate CommonName (CN) `[name]' does NOT match server name!?


    Repeated over and over, every 5 minutes or so.

    When I installed OpenVPN, it triggered Certificate Manager. Certificate Manager had me create a new certificate. It does not ask you the server name to use, it just took it from the system.
    Unfortunately, it only took part of it: our server is "[servername].[ourdomain].lan", but it created a certificate with a server name of just "[servername]".
    Apparently, if these two don't match, httpd and webconfig will be running but will never serve up a webpage.
    This sounds like a bug to me.

    I am wondering whether we should use our other server, which is ClearOS7, as an OpenVPN gateway instead, if I'm even going to try this at all. My concern is that I have our "real"/commercial certificate installed in multiple locations on that machine, for email, webmail and FTP. I do not want any of those functions disrupted by forced generation of a new certificate I don't want. You say 7 has a better certificates tool?
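
Added example (not part of the original posts): a shell check for the condition the `[warn]` line above reports, comparing a certificate's subject CN with the name the server is configured to use. The certificate path and host name are supplied as arguments, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare a certificate's subject CN with a server name.

# Extract the CN from an `openssl x509 -noout -subject` line.
# Handles both output styles:
#   subject= /C=US/O=Example/CN=gw          (OpenSSL 1.0.x)
#   subject=C = US, O = Example, CN = gw    (OpenSSL 1.1 and later)
cn_from_subject() {
    printf '%s\n' "$1" |
        sed -n 's|^subject= *||; s|.*CN *= *\([^,/]*\).*|\1|p'
}

# Does certificate name $1 cover host name $2? Case-insensitive; a leading
# "*." stands for exactly one label. A short name never covers an FQDN.
name_covers_host() {
    cert=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cert" in
        \*.*) suffix=${cert#\*}            # e.g. ".example.lan"
              label=${host%"$suffix"}      # part of host before the suffix
              [ "$label" != "$host" ] && [ -n "$label" ] &&
                  case "$label" in *.*) false ;; *) true ;; esac ;;
        *)    [ "$cert" = "$host" ] ;;
    esac
}

# Read the certificate in file $1 and report whether its CN covers $2.
# Returns 0 on match, 1 on mismatch, 2 if openssl cannot read the file.
check_cert_name() {
    subject=$(openssl x509 -in "$1" -noout -subject) || return 2
    cn=$(cn_from_subject "$subject")
    if name_covers_host "$cn" "$2"; then
        echo "OK: CN '$cn' matches '$2'"
    else
        echo "MISMATCH: CN '$cn' does not cover '$2'"
        return 1
    fi
}

# Usage: sh check_cn.sh <certificate.pem> "$(hostname -f)"
if [ $# -eq 2 ]; then check_cert_name "$1" "$2"; fi
```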
  • Accepted Answer

    Saturday, November 18 2017, 09:25 AM - #Permalink
    I've just recreated my certificates as a test (delete the Default Certificate first). When recreating them it uses the Internet Host name in Webconfig > Network > IP Settings for the CN. I've also tried changing the server name in Webconfig > Server > Web Server to match the Internet Host Name. It looks like the errors have gone away but it did not matter inasmuch as I could always get to the webconfig.

    I am not totally sure where your problem is now. You must be able to get into the Webconfig to do what you've done, so which web page will it not serve? Also, I've always had the RSA warning in the webconfig error log up to now and it has not stopped the webconfig from running or serving pages.

    Did you try deleting the Default Certificate and Certificate Authority (in that order) to recreate them?

    The certificate management is better in 7.x for web serving but I am not sure for FTP/e-mail (probably not).

    What does your /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf look like now? Also which certificates does it point to? Your own or the new ones you generated when deleting the system certificates?
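
Added example (not part of the original posts): one way to answer the question of which certificate files a config such as framework.conf points to, and whether each is a regular file, a symlink, a dangling symlink or missing. It assumes the file uses the standard mod_ssl directives SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile; the function names are illustrative, and the key-permission flag is a generic hygiene check, not a documented ClearOS requirement.

```shell
#!/bin/sh
# Added example: show which certificate/key files an Apache-style config
# references and whether each one is usable.

# Print "<directive> <path>" for every SSL file directive (conventional
# capitalisation); commented-out lines are skipped and quotes stripped.
ssl_files_in_conf() {
    awk '$1 ~ /^SSL(Certificate|CertificateKey|CACertificate)File$/ {
             gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# Classify a path so replaced or broken links stand out.
path_state() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo "dangling-symlink -> $(readlink "$1")"
    elif [ -L "$1" ]; then
        echo "symlink -> $(readlink -f "$1")"
    elif [ -f "$1" ]; then
        echo "regular-file"
    else
        echo "missing"
    fi
}

# True when group and other have no permission bits on the resolved file.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Audit every referenced file; returns non-zero if any is missing, dangling,
# or is a private key that group/other can access.
audit_conf() {
    ssl_files_in_conf "$1" | (
        rc=0
        while read -r directive path; do
            state=$(path_state "$path"); note=""
            case "$state" in
                missing|dangling-symlink*) rc=1 ;;
                *) case "$directive" in *KeyFile)
                       key_is_private "$path" ||
                           { note=" (key accessible to group/other)"; rc=1; } ;;
                   esac ;;
            esac
            echo "$directive $path: $state$note"
        done
        exit "$rc"
    )
}

# Usage: sh audit.sh /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf
if [ $# -eq 1 ]; then audit_conf "$1"; fi
```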
  • Accepted Answer

    Wednesday, November 22 2017, 10:09 AM - #Permalink
    For VPNs there are three ClearOS choices:
    IPsec - ClearOS only supports LAN-LAN, but if you go under the hood you can do roadwarrior connections, but for the effort involved I don't recommend it.
    PPTP - This is supported by most OS's natively but even Micro$oft (who created it) recommend you don't use it as it is relatively insecure these days.
    OpenVPN - This is fairly easy to set up, secure and works well. Clients are available for iOS, Android and Windoze which are all free. Note that depending on your Internet Hostname you may have to edit the "remote" line in the .ovpn file you download to point to something which resolves to your WAN interface (perhaps your poweredbyclear.com sub-domain if you don't own your own).

    There is no real difference between ClearOS6 and 7 OpenVPN functionality. The main issue for you is that if you have regenerated your sys-0-cert and ca-cert then you need to regenerate any OpenVPN certificates already created. If you have replaced your sys-0-cert and ca-cert with your own certificates then you will probably fail. If you have just edited the webconfig and apache files to look at different files for your certificates then you will probably succeed.