Quote: AH02565: Certificate and private key meinedomain:443:0 from xxxxxx.pem and xxxxx.key do not match
2018-05-17T08:55:07 GwenDragon: Are you actually checking whether generating the SSL certificates succeeded?
# Only store the certificate when the ACME request actually succeeded;
# otherwise keep the error so it does not end up in the certificate file.
if ($le->request_certificate() == Crypt::LE::OK()) {
    $zert_datei_content = $le->certificate();
} else {
    die "Certificate request failed: " . $le->error_details();
}
2018-05-17T08:55:07 GwenDragon: Maybe the files contain error messages instead of the keys.
Have you looked at what is actually inside the key files?
2018-05-17T10:09:00 GwenDragon: My Let's Encrypt certificates on the Apache are all PEM-encoded, though, i.e. text, not binary.
2018-05-17T10:09:00 GwenDragon: What file type does `file FILENAME` in the shell report for the file?
2018-05-17T17:33:54 GwenDragon: Ah, so certificates?
2018-05-17T17:33:54 GwenDragon: Then there should be something like this at the top of the file:
-----BEGIN CERTIFICATE-----
...
(a few BASE64-encoded lines)
...
-----END CERTIFICATE-----
2018-05-17T17:33:54 GwenDragon: Or additionally
-----BEGIN CERTIFICATE REQUEST-----
...
...
2018-05-17T17:33:54 GwenDragon: -----BEGIN PRIVATE KEY-----
2018-05-17T17:33:54 GwenDragon: If you want to see what is defined in the cert:
openssl x509 -in CERTFILE -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fa:a0:84:13:9f:ec:81:32:91:d7:a9:2b:aa:62:bd:d9:78:87
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Fake LE Intermediate X1
Validity
Not Before: May 17 07:06:06 2018 GMT
Not After : Aug 15 07:06:06 2018 GMT
Subject: CN=meine.domain.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:a4:6f:00:41:04:b4:74:29:b2:ee:d5:49:e8:
4c:42:67:13:07:2e:95:84:de:af:d0:0b:ce:b4:95:
03:ec:82:b8:f0:c9:68:ef:5b:61:6c:de:38:8b:63:
.
.
.
91:44:b0:e5:cd:b7:8d:ee:b3:9f:d3:15:c1:5e:de:
3a:f4:44:25:2f:f3:ff:70:db:70:aa:4c:ee:ce:67:
25:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A3:FD:D1:67:33:19:B2:62:68:C2:26:BC:51:8C:D7:20:50:97:A9:F4
X509v3 Authority Key Identifier:
keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
Authority Information Access:
OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:meine.domain.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : B0:CC:83:E5:A5:F9:7D:6B:AF:7C:09:CC:28:49:04:87:
2A:C7:E8:8B:13:2C:63:50:B7:C6:FD:26:E1:6C:6C:77
Timestamp : May 17 08:06:06.370 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:27:C7:BC:B5:25:EE:65:66:E0:34:5F:61:
7B:6C:06:FF:BC:80:55:AF:CE:90:7B:5D:A1:44:2A:71:
95:F8:48:17:02:21:00:97:DA:C0:53:45:0A:B4:13:EE:
B7:E7:E6:02:0F:6B:98:96:11:67:D4:36:C9:3A:8F:B8:
A8:C1:A7:9A:C7:85:00
Signed Certificate Timestamp:
Version : v1(0)
Log ID : DD:99:34:FC:A5:E7:24:80:C9:56:68:7D:81:34:99:08:
49:B2:49:F7:B5:69:D8:C7:BC:AB:3F:5C:C1:F3:6E:64
Timestamp : May 17 08:06:08.274 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:18:02:ED:C6:C0:78:76:69:7D:B5:D6:FD:
FC:BA:56:52:01:CC:FE:C6:09:E8:6F:1A:2C:69:0E:80:
6F:FE:02:55:02:21:00:FF:62:4D:48:E6:6C:A1:37:8D:
C0:2F:C3:04:8A:25:8D:00:18:F8:97:A8:FA:F4:3F:E4:
04:56:A5:8F:0D:D1:AD
Signature Algorithm: sha256WithRSAEncryption
c7:ba:99:03:df:82:f2:88:5c:4e:8a:12:e5:25:b6:36:51:30:
ff:7f:34:cd:b0:48:34:f8:14:56:cc:9a:f1:98:63:df:68:29:
.
.
.
35:fa:72:45:77:5d:3a:9b:81:57:aa:3d:f5:65:b1:5c:37:d0:
4e:ef:5a:b4:04:bd:d7:35:5e:9a:2b:47:32:a2:27:e5:7d:8d:
74:93:11:ab
2018-05-17T18:26:49 GwenDragon: Are you sure that you put the private key into a .key file and the domain and intermediate certificates one after the other into a .pem file?
2018-05-17T18:26:49 GwenDragon: As far as I can see, though, the intermediate certificate is strange.
I don't have that with my LE certificates.
CN=Fake LE Intermediate X1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:4b:f6:3e:8a:2c:b8:ed:b0:f0:6d:75:43:37:d7:3b:b3:69
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: May 18 06:31:07 2018 GMT
Not After : Aug 16 06:31:07 2018 GMT
Subject: CN=meine.domain.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:df:16:91:e7:f1:a1:e9:1e:4f:88:ba:3c:be:8c:
...
01:03:59:5e:8e:7c:07:7e:fa:0d:61:55:7c:63:19:
7f:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
EB:81:BB:1C:2A:2D:15:71:B3:D3:5E:C4:E1:F0:CF:87:8F:A6:DD:A0
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:meine.domain.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
Timestamp : May 18 07:31:07.910 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:93:CD:1A:BD:D4:02:C0:A0:53:17:CA:
...
A0:B3:C8:93:61:A6:E8:11:84:53:3C:AE:A2:A9:41:09:
AD:82:B3:5C:80:60:A0:AC
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : May 18 07:31:07.924 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:04:F8:54:E3:7E:3B:BA:F5:39:D0:5B:BD:
...
63:CD:24:E5:7E:5F:7B:20:18:44:8B:0A:6D:9B:24:09:
DB:C8:69:CD:81:DC
Signature Algorithm: sha256WithRSAEncryption
4a:89:b0:83:f7:00:44:49:1d:d6:da:22:74:23:28:5f:2a:ef:
...
83:ec:4b:9c:0a:7a:31:a4:28:5f:e0:35:f6:fa:ac:95:b6:6d:
97:6c:1e:65
Quote: Means that the private key does not match the domain certificate with its certificate chain (domain certificate, CSR, intermediate CA, CA). AH02565: Certificate and private key meinedomain:443:0 from xxxxxx.pem and xxxxx.key do not match
2018-05-19T11:08:31 GwenDragon: The MD5 hash is there so you can compare whether the files match, i.e. belong together.
REM Write one "hash  path" line for every certificate, key and CSR below the
REM current directory, then sort so that files sharing the same modulus (and
REM therefore belonging together) end up next to each other.
REM _CD is the directory for the output files; default to the current one.
if not defined _CD set "_CD=%CD%"
type nul > "%_CD%\certsums.tmp"
for /R %%i in (*.pem) do (
    for /F "delims=" %%h in ('openssl x509 -noout -modulus -in "%%i" ^| openssl md5') do echo %%h  %%i>> "%_CD%\certsums.tmp"
)
for /R %%i in (*.key) do (
    for /F "delims=" %%h in ('openssl rsa -noout -modulus -in "%%i" ^| openssl md5') do echo %%h  %%i>> "%_CD%\certsums.tmp"
)
for /R %%i in (*.csr) do (
    for /F "delims=" %%h in ('openssl req -noout -modulus -in "%%i" ^| openssl md5') do echo %%h  %%i>> "%_CD%\certsums.tmp"
)
sort < "%_CD%\certsums.tmp" > "%_CD%\certsums.md5"
type "%_CD%\certsums.md5"
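An added example (my own, not the thread's batch script and not Crypt::LE code): a POSIX shell version of the same two checks, written for the Linux host where Apache usually runs. It first lists the PEM block types inside a file (the `-----BEGIN ...-----` lines mentioned above, so a file that holds an error message instead of a key is caught before anything else), then compares the public key embedded in a certificate, CSR or private key the way Apache does before raising AH02565. It goes a little beyond the batch script: files are classified by content rather than by extension, and because the whole public key is compared instead of the RSA modulus, the check also works for EC keys. It assumes the `openssl` command-line tool is installed; the key and certificate files in the demo are constructed throwaway material under `mktemp -d`, not anyone's real files.

```shell
#!/bin/sh
# Added example: sanity-check PEM files and verify that a certificate and a
# private key belong together. Requires the openssl CLI (assumption).

# Print the PEM block types a file contains, e.g. "CERTIFICATE PRIVATE KEY".
# A file holding an error message instead of a key prints nothing.
# CR characters are removed so files written on Windows are handled too.
pem_block_types() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Public key (PEM) of the first certificate in a file.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) embedded in a certificate signing request.
csr_pubkey() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from an unencrypted private key (RSA or EC).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key of a file, chosen by PEM block type rather than file extension.
# "CERTIFICATE REQUEST" is tested before "CERTIFICATE" because it contains it.
file_pubkey() {
    case "$(pem_block_types "$1")" in
        *CERTIFICATE\ REQUEST*) csr_pubkey "$1" ;;
        *CERTIFICATE*)          cert_pubkey "$1" ;;
        *PRIVATE\ KEY*)         key_pubkey "$1" ;;
        *)                      return 1 ;;
    esac
}

# SHA-256 fingerprint of a file's public key; fails if the file holds none.
pubkey_fingerprint() {
    pem=$(file_pubkey "$1") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when certificate $1 and private key $2 belong together,
# 1 when they do not, 2 when either file yields no public key at all
# (for example because it contains an error message instead of PEM data).
cert_matches_key() {
    c=$(pubkey_fingerprint "$1") || c=""
    k=$(pubkey_fingerprint "$2") || k=""
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Like the batch script above: one "fingerprint  path" line per file, sorted
# so that files sharing a public key appear next to each other.
list_fingerprints() {
    for f in "$@"; do
        fp=$(pubkey_fingerprint "$f") || fp="(no public key found)"
        printf '%s  %s\n' "$fp" "$f"
    done | sort
}

# Demo on constructed throwaway material (run with --demo): a key with its
# self-signed certificate, an unrelated key, and a file holding an error text.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$d/site.key" -out "$d/site.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
    printf 'Error creating certificate: challenge failed\n' > "$d/broken.pem"
    for f in "$d"/*; do printf '%s: [%s]\n' "$f" "$(pem_block_types "$f")"; done
    list_fingerprints "$d"/*
    cert_matches_key "$d/site.pem" "$d/site.key" && echo "site.pem / site.key: match"
    cert_matches_key "$d/site.pem" "$d/other.key" || echo "site.pem / other.key: mismatch (what Apache reports as AH02565)"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Usage: `sh certcheck.sh --demo` runs the constructed scenario; in practice call `cert_matches_key /path/to/site.pem /path/to/site.key` after sourcing the file. A matching pair only removes the AH02565 error; the `Issuer: CN=Fake LE Intermediate X1` line in the dump further up comes from the Let's Encrypt staging environment, whose chain browsers do not trust, so a certificate from that chain will start Apache but still fail validation in clients.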
2018-05-22T08:04:34 GwenDragon: I thought you had certificate files that did not match or had got mixed up.
2018-05-22T08:04:34 GwenDragon: That is what my tip with the checksums was for. If csr, key and pem have the same MD5, they should belong together.
2018-05-26T09:49:54 GwenDragon: Certificate chain that LE returned to you?
Quote: In the client browser everything is fine now. BUT [mod]I...