The Consolidated B&EC "Quick Question" Thread.

Discussion in 'Business & Enterprise Computing' started by looktall, Jun 6, 2015.

  1. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,829
    Location:
    Brisbane
    I'm 99.999% sure I know the answer to this, but I just want to confirm it first.

    When installing a wildcard SSL certificate you generate a CSR before doing so, correct? You can't have a generic wildcard SSL certificate to install on multiple servers?

    Head office have sent over a wildcard certificate and an intermediate certificate, and when comparing an MD5 hash of the public key for the wildcard I get a mismatch:

    CERT: (stdin)= 233918fe403cd5acc3f3277a3b7a8de3
    Server Key (stdin)= 1601c3c9e99514ac5ea169145e3ef3ea

    It came over as a .P7B file and I converted it to a PEM file using the following command:

    I'm then using this cert in my httpd_VHOST config in Apache. I plan on having multiple sites on this server all using the wildcard cert. Is there a way to make a blanket config change to secure the sites using the one cert, or must I comment in the SSL config for each VHOST?
     
    Last edited: May 20, 2016
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,304
    Location:
    Canberra
    I'd just export the full cert (private+public) and apply it to multiple servers.

    It's a wildcard, so you don't give a fuck anyway.
     
  3. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,829
    Location:
    Brisbane
    So head office can export the wildcard certificate as well as the intermediate certificate and I don't have to supply a CSR for it?

    They sent over a .P7B file that when opening on a windows machine contained the wildcard and intermediate. I've tried various ways to get this working:

    Extracting each cert out individually and using the following code in the VHOST:
    Code:
    SSLEngine on
    SSLCertificateFile "D:\Administrative\Digital Certificates\Production certificate\Extracted\wildcard.cer"
    SSLCACertificateFile "D:\Administrative\Digital Certificates\Production certificate\Extracted\intermediate.cer"
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    This fails with error:
    Code:
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file D:/Administrative/Digital Certificates/Production certificate/Extracted/wildcard.cer)
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] AH02312: Fatal error initialising mod_ssl, exiting.
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] AH02564: Failed to configure encrypted (?) private key site.domain.com:443:0, check D:/Administrative/Digital Certificates/Production certificate/Extracted/wildcard.cer
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Fri May 20 15:46:59.985466 2016] [ssl:emerg] [pid 1228:tid 376] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
    AH00016: Configuration Failed
    If I use the PEM file that I generated as described above, I get this error:

    Code:
    SSLEngine on
    SSLCertificateChainFile "D:/Administrative/Digital Certificates/Production certificate/PEM/applied.pem"
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    Code:
    [Fri May 20 15:54:48.048615 2016] [ssl:emerg] [pid 1424:tid 372] AH02572: Failed to configure at least one certificate and key for site.domain.com:443
    [Fri May 20 15:54:48.048615 2016] [ssl:emerg] [pid 1424:tid 372] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    [Fri May 20 15:54:48.048615 2016] [ssl:emerg] [pid 1424:tid 372] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed
    This makes me feel the public/private keys have a mismatch, but no key file was given to me.
     
  4. Wynne

    Wynne Member

    Joined:
    Sep 22, 2003
    Messages:
    270
    Location:
    sydney.au
    The CSR is just used to create the full certificate with both Private and Public keys.

    Just quickly, off the top of my head, this is the general process, and it will explain why you don't need the CSR.

    1. No certificate
    2. Certificate request performed, private key created locally, CSR created
    3. CSR supplied to CA which creates the Public key and supplies it back to you
    4. Public key imported into machine which created the request and had the private key and now both private and public keys are married into a 'complete' and full certificate.
    5. Full certificate with both priv/pub keys can now be exported in whatever format the system supports.

    So at 2 the CSR is formulated so that the CA can create the public part of the certificate that is mathematically related to the private key generated by the requesting system.

    Number 4 is where people sometimes make a mistake: they import the public half of the cert from the CA into a machine which didn't create the request and therefore doesn't have the private key, and this results in a 'faulty' half-formed certificate. There are ways to export the private key from the requesting machine and import it to another machine before importing the public key from the CA to avoid this, but just finish the process on your first machine :)

    So really, as long as you got a fully formed cert that was exported at step 5, you can import it wherever. If however you got an export of a half-formed cert as mentioned in the previous paragraph, then you're never going to get anywhere. You should never have to create or use a CSR for an existing cert, only if you're requesting or creating a new certificate.

    The exported certificate may or may not contain the intermediary certificates, depending on the format used or whether that option was selected. If they're not included in the export you can always go get them individually from the CA; they're almost always available to the public.

    Some apps will want the intermediates in the same key file, some want them in a separate key file; it looks like yours is the latter.

    <Pragmatic Edit>
    The errors look like the priv key is missing. If I were you I would import the original P7B file you were given on a client machine, Windows or OSX, and confirm it has both. Troubleshooting the cert setup when it's broken into three PEMs (priv, pub, CA) is usually more difficult.
     
    Last edited: May 20, 2016
  5. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,829
    Location:
    Brisbane
    Sooooooo, I got the wrong cert diverted to me. They sent through the right cert, popped it in, and all working.
     
  6. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,420
    Location:
    Narrabri NSW
    Quick question: Is there some sort of "guide to the NBN for technical people who have never seen an NBN connection but get asked why XYZ isn't working"?

    I keep getting people assume that I know why some NBN thing or other isn't working. But my grand total experiences with NBN are:
    * Not being on the map.
    * Getting a rude reply from NBNCo when I asked a question.
    * Seeing a VDSL2+ modem sitting on the floor at my grandmother's house (unknown web interface password, so I didn't even get to see the settings).

    Yet somehow I am expected by people to know what lights mean on the satellite modems, how the PtP wireless connections are set up, etc.
     
  7. j3ll0

    j3ll0 Member

    Joined:
    Jul 13, 2005
    Messages:
    4,794
    Anyone played the game of an existing Commvault Compliance Archive corpus and index in an on-prem environment that you're considering migrating to O365? Doable? Worthwhile?

    I imagine getting it all out and re-ingesting will be a pain in the arse. How does the licensing work? Anyone got a Reader's Digest version of the greatest hits of the process?
     
  8. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,304
    Location:
    Canberra
    I wish you well on your journey into the abyss.
     
  9. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,591
    Anyone come across this before?

    Server 2012 R2.
    Member server used for MDT and WSUS.

    Log into a profile (either domain or local) and most of the start menu apps have disappeared.
    Occasionally you can log in and, if you're quick enough, get to the start menu and see the apps vanish.

    Try to go into administrative tools and an error comes up:
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools is unavailable. If the location is on this PC... etc .etc."


    Sounds virus-like to me, but could be something else.

    Can't see anything helpful in event logs.
    Doesn't look to be a GPO getting applied.
    Anyone got any ideas?
     
  10. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,304
    Location:
    Canberra
    Start menus etc. are just .lnk files.

    Can you browse them in the CLI?
     
  11. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,591
    Browse to what?
    The applications or the start menu location?

    The applications appear to be present; it's the shortcuts that are missing.


    I ran sfc over it and it restored a chunk of start menu shortcuts,
    mainly the built-in Windows ones such as administrative tools, so that's good, but none of the actual application shortcuts though.
     
  12. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,792
    Location:
    elsewhere
    Start menu location. He's asking if the shortcut files themselves are still there.
     
  13. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,591
    Oh right, yeah, I wasn't sure what he was asking.

    No, they weren't there.

    The only shortcuts there were for the few shortcuts that were still in the start menu.

    I've restored a chunk of them by copying from another server, but I still don't know why they disappeared in the first place or if they will disappear again.
     
  14. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,420
    Location:
    Narrabri NSW
    Well there were some virus-like things getting around about 5 years ago that moved all the Start Menu contents into %temp%... But I mean that was 5 years ago. And it died off again within months of it becoming cool.
     
  15. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,591
    The site where this server is located got hit with a crypto virus last week.
    There doesn't seem to be anything like that going on with this server, but it did cause me to wonder if it wasn't somehow related.
     
  16. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,792
    Location:
    elsewhere
    Does it happen if you log on to a new profile, something you haven't used before? Or even if you trash an existing one and start over?
     
  17. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,591
    Yes in both cases.
     
  18. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,713
    Location:
    NSW
    When you log on quick enough to see the apps vanish, is this on a new profile, or do the shortcuts seem to come back temporarily?

    I'd run Process Monitor on the server* and watch what happens when you log in - this should show you what is happening to the files (moving/deleting/encrypting) and what process is doing this.

    * I'm assuming that you can still run programs on the server, so you could log in to one account to run the program then rdp in to another account to trigger the shortcut fuckery.
     
  19. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,591
    I saw them vanish once and another person saw them vanish once.
    Haven't been able to replicate it.
    It happened on existing accounts.

    I only tried running a few applications but they all seemed to work ok.

    I've copied most of the shortcuts back from another server now, so I would need to see if they start disappearing again.
     
  20. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,184
    Location:
    Pacific Ocean off SC
    Got a typical situation with a run of the mill crappy vintage CNC machine. Motherboard is dead. Weirdly enough, this particular CNC machine requires DUAL serial, which goes into some sort of board, which outputs to some sort of strange custom made LTP connector.

    Looking at replacing it with something more modern. Still need to run WinXP AFAIK. Does anyone know of anything new that can run XP and dual serial? Or should I just get a couple of refurb Core2Duo ex-lease boxes with a USB/PCIe adapter? I know you can get cheap bay-trail china mini PCs with dual serial pretty cheap, but I don't think they'll run WinXP.
     