An error occurs on the SSL connection #456

Open
negima1976 opened this Issue Aug 24, 2015 · 2 comments


negima1976 commented Aug 24, 2015

■Environment

OS: CentOS 6.7(x86_64)
kernel: 2.6.32-573.3.1.el6.x86_64
h2o: 1.4.4
openssl: 1.0.1e

■h2o cmake option

```
cmake -DWITH_BUNDLED_SSL=on
```

■h2o config

```yaml
user: nobody
listen:
  port: 80
  host: 0.0.0.0

listen:
  port: 443
  host: 0.0.0.0
  ssl:
    key-file: /etc/pki/tls/private/server.key
    certificate-file: /etc/pki/tls/certs/server.pem

max-connections: 1024

file.index: ['index.php', 'index.html']
file.send-gzip: ON
file.etag: OFF
expires: 1 day

hosts:
  "hogehoge.com:80":
    paths:
      /:
        redirect: https://hogehoge.com/

  "hogehoge.com:443":
    paths:
      /:
        file.dir: /path/wordpress
        file.dirlisting: OFF
        redirect:
          url: /index.php/
          internal: YES
          status: 307

    file.custom-handler:
      extension: .php
      fastcgi.connect:
        port: /var/run/php-fpm/php-fpm.sock
        type: unix

access-log: "| exec rotatelogs /var/log/h2o/access.log.%Y%m%d 86400"
error-log: "| exec rotatelogs /var/log/h2o/error.log.%Y%m%d 86400"
pid-file: /var/run/h2o.pid
http2-reprioritize-blocking-assets: ON

header.unset: "X-Powered-By"
header.set: "X-Content-Type-Options: nosniff"
```

■ configuration test

```
h2o -c /etc/h2o/h2ossl.conf -t
Enter PEM pass phrase:
[OCSP Stapling] testing for certificate file:/etc/pki/tls/certs/server.pem
fetch-ocsp-response (using OpenSSL 1.0.1e-fips 11 Feb 2013)
sending OCSP request to http://gv.symcd.com
/etc/pki/tls/certs/server.pem: good
    This Update: Aug 19 01:02:14 2015 GMT
    Next Update: Aug 26 01:02:14 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/MLclhcdAt8/issuer.crt)
[OCSP Stapling] stapling works for file:/etc/pki/tls/certs/server.pem
Enter PEM pass phrase:
[OCSP Stapling] testing for certificate file:/etc/pki/tls/certs/server.pem
fetch-ocsp-response (using OpenSSL 1.0.1e-fips 11 Feb 2013)
sending OCSP request to http://gv.symcd.com
/etc/pki/tls/certs/server.pem: good
    This Update: Aug 19 01:02:14 2015 GMT
    Next Update: Aug 26 01:02:14 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/U_ABtoqx2R/issuer.crt)
[OCSP Stapling] stapling works for file:/etc/pki/tls/certs/server.pem
configuration OK
```

■h2o error.log

```
starting new worker 11524
Enter PEM pass phrase:
[/etc/h2o/h2ossl.conf:10] in command listen, failed to load private key file:/etc/pki/tls/private/server.key

139901539391392:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem/pem_lib.c:116:
139901539391392:error:0906A068:PEM routines:PEM_do_header:bad password read:pem/pem_lib.c:467:
139901539391392:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:613:
new worker 11524 seems to have failed to start, exit status:19968
starting new worker 11525
Enter PEM pass phrase:
[/etc/h2o/h2ossl.conf:10] in command listen, failed to load private key file:/etc/pki/tls/private/server.key

140023512741792:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem/pem_lib.c:116:
140023512741792:error:0906A068:PEM routines:PEM_do_header:bad password read:pem/pem_lib.c:467:
140023512741792:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:613:
new worker 11525 seems to have failed to start, exit status:19968
starting new worker 11527
Enter PEM pass phrase:
[/etc/h2o/h2ossl.conf:10] in command listen, failed to load private key file:/etc/pki/tls/private/server.key

139798662301600:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem/pem_lib.c:116:
139798662301600:error:0906A068:PEM routines:PEM_do_header:bad password read:pem/pem_lib.c:467:
139798662301600:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:613:
new worker 11527 seems to have failed to start, exit status:19968
starting new worker 11536
Enter PEM pass phrase:
[/etc/h2o/h2ossl.conf:10] in command listen, failed to load private key file:/etc/pki/tls/private/server.key

140685311305632:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem/pem_lib.c:116:
140685311305632:error:0906A068:PEM routines:PEM_do_header:bad password read:pem/pem_lib.c:467:
140685311305632:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:613:
new worker 11536 seems to have failed to start, exit status:19968
starting new worker 11537
Enter PEM pass phrase:
```

With nginx, it is working without problems.


kazuho commented Aug 25, 2015

You must not use a password-protected private key file. They offer basically no advantage (in hiding the private key), while making it hard to administer the servers.

Assuming that you are Japanese, a good guide to removing the password can be found at https://www.digicert.ne.jp/howto/basis/decrypt_key.html.
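As an added example (not code from the h2o project or from this thread), the POSIX shell script below checks whether the key file named in the config above is passphrase-protected, which is what makes the daemonized workers fail while `h2o -t` succeeds at the interactive prompt, and produces the plaintext copy recommended here; the file paths are taken from the issue's config and the `-nopass.key` output name is an assumption.

```shell
#!/bin/sh
# Added example, not h2o project code: detect a passphrase-protected PEM key
# and write the unencrypted copy that h2o needs. Paths below come from the
# issue's configuration and are assumptions for illustration.

# Returns 0 if KEYFILE is an encrypted PEM key, 1 if it is plaintext, 2 if it
# does not look like a PEM private key at all. An encrypted key is what makes
# the forked workers die with "PEM_def_callback:problems getting password":
# they have no TTY to prompt on, whereas "h2o -t" runs in the foreground.
pem_key_is_encrypted() {
    keyfile="$1"
    # PKCS#8 encrypted keys announce themselves in the BEGIN line.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$keyfile"; then
        return 0
    fi
    # Traditional OpenSSL (PKCS#1) keys carry Proc-Type/DEK-Info headers instead.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        return 0
    fi
    if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$keyfile"; then
        return 1
    fi
    return 2
}

# Writes an unencrypted copy of IN to OUT, prompting once for the passphrase.
# The copy is created owner-readable only: h2o loads the key before dropping
# privileges to the configured "user:", so root-only access is sufficient.
strip_key_passphrase() {
    in="$1"
    out="$2"
    umask 077
    openssl rsa -in "$in" -out "$out" || return 1
    chmod 600 "$out"
}

# Assumed invocation as root before (re)starting h2o.
key=/etc/pki/tls/private/server.key
if [ -f "$key" ] && pem_key_is_encrypted "$key"; then
    echo "$key is passphrase-protected; h2o workers cannot start with it" >&2
    strip_key_passphrase "$key" "${key%.key}-nopass.key"
fi
```

After the copy exists, point `key-file:` at it and restart h2o; the original encrypted file can be kept offline as a backup.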


negima1976 commented Aug 25, 2015

Thank you very much, @kazuho.
