apache ssl certificate issue on multi server environment
Hello team,
the following scenario:
- Conf1 server: ISPConfig3 to manage servers
- Web1 server: MAIN webserver
- Web2 server: BACKUP weberver (automated rsync)
- ... various other servers
Note: Web2 is set up as an mirror client
I go to Web Site -> Domains -> I choose the desired domain and click me an SSL certificate "create" (self signed certificate)
ISPConfig3 subsequently generated by random generator different keys on both machines
when I look at the certificate (in the ispconfig interface), we absolutely do not determine whether SSL Request / SSL Certificate appears from Web1 or Web2 ???
so I take the SSL Request, go to my CA and let sign this thing then I add it via ISPConfig web-interface again "Save" button shortly ...
i get an email: "Webserver1 is down"
I "cat" the error.log in / var / www / domain.tld / log on Web1:
16 01:56:04 2012] [error] Unable to configure RSA server private key
[Tue Oct 16 01:56:04 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Tue Oct 16 01:56:08 2012] [warn] RSA server certificate CommonName (CN) www.domain.tld' does NOT match server name!? [Tue Oct 16 01:56:08 2012] [error] Unable to configure RSA server private key [Tue Oct 16 01:56:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch [Tue Oct 16 02:03:31 2012] [warn] RSA server certificate CommonName (CN)
www.domain.tld' does NOT match server name!?
OK, all right, Web1 is down, however , Web2 works so i decided to copy the keys from Web2 to Web1 over ssh and restart the apache2 service ...
It seems so that: If ISPConfig3 - 3.0.4 works only as config server it pops up randomly (from the managed web servers) the SSL certificates in the interface, although Web2 ... clearly runs as slave / in client mirror mode
the generation of the different random keys at the web server can not be avoided, but ISPConfig 3 should clearly only take the information from the primary server, i think so ...
a customer could so easily with an malformed SSL Cert. Config paralyze the machine