0

This is the error:

AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/wamp/bin/apache/apache2.4.33/conf/key/certificate.crt)
AH02564: Failed to configure encrypted (?) private key localhost:443:0, check C:/wamp/bin/apache/apache2.4.33/conf/key/certificate.crt
SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

Here is what I have done:

Create Key (without passphrase) & Certificate and placed these in the Apache conf folder in a folder called key

openssl req -config config.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout private.key -days 365 -out certificate.crt

Contents of config.conf:

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = GB

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = GB

localityName            = Locality Name (eg, city)
localityName_default        = Cardiff

organizationName         = Organization Name (eg, company)
organizationName_default    = Company

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you 
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = site.local
DNS.2       = www.site.local
DNS.3       = admin.site.local

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
DNS.4       = localhost
DNS.5       = localhost.localdomain
DNS.6       = 127.0.0.1

# IPv6 localhost
DNS.7     = ::1

Activate Apache SSL by uncommenting these lines in httpd.conf

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Set up SSL in httpd-ssl.conf by configuring these entries inside <VirtualHost _default_:443>

DocumentRoot "${INSTALL_DIR}/www"
ServerName localhost:443
ServerAdmin admin@example.com
ErrorLog "${APACHE_DIR}/logs/error.log"
TransferLog "${APACHE_DIR}/logs/access.log"
SSLCertificateFile "${APACHE_DIR}/conf/key/certificate.crt"
SSLCertificateFile "${APACHE_DIR}/conf/key/private.key"

And commenting out this line

SSLPassPhraseDialog  builtin

Here are the references I've used to try and get this sorted,

I'm ready to give up so I hope someone has some ideas.

AntG
  • 1,291
  • 2
  • 19
  • 29
  • What does your `config.conf` contain? – Nic3500 Dec 06 '18 at 16:49
  • @Nic3500 I've edited the question to include this, thanks. – AntG Dec 06 '18 at 17:02
  • Nothing wrong here. Check this: https://serverfault.com/questions/748243/apache-webserver-ssl-certificate-not-understood. – Nic3500 Dec 06 '18 at 17:09
  • If I open the certificate directly with vscode then it looks clean with just the BEGIN CERTIFICATE and END CERTIFICATE – AntG Dec 06 '18 at 17:18
  • If I inspect using `openssl x509 -in certificate.crt -text -noout` then I get all sorts of other meta data – AntG Dec 06 '18 at 17:20
  • Is your Apache compiled to use the same openssl has the one you used to create the certificate? Win32 might use an older one that does not support later versions. – Nic3500 Dec 06 '18 at 17:34
  • Its the same one. So I installed WAMP Server, I'm then going to `wamp/bin/apache/apache2.4.33/bin` to run openssl – AntG Dec 07 '18 at 13:33

0 Answers0