Letsencrypt on corosync pacemaker

rgallo · April 3, 2019, 3:52pm

Hello,

Got two nodes with a failover ip.
The A record machine.domain.com points to that failover ip.
I have generated a letsencrypt-auto -d machine.domain.com certificate on the master node.
On the master node all is working well.
On the slave node I have SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch and apache doesn’t start.
keys and apache confs reside on a drbd volume shared between the two nodes.
If I disable ssl apache starts without problems.

Help please

schoen · April 3, 2019, 4:52pm

Hi @rgallo,

What did you share over from the master node to the slave node? Do you share all of /etc/letsencrypt and is it shared at the exact same location?

rgallo · April 4, 2019, 3:21am

yes and it is shared at the same location

schoen · April 4, 2019, 4:43am

Could you try running these two commands?

openssl x509 -modulus -noout -in /etc/letsencrypt/live/machine.domain.com/cert.pem
openssl rsa -modulus -noout -in /etc/letsencrypt/live/machine.domain.com/privkey.pem

The output of these two commands is not sensitive (although sharing it will allow someone to determine your domain name). The important question is whether the two commands give exactly the same output.

rgallo · April 4, 2019, 5:57am

openssl x509 -modulus -noout -in machine.domain.my.pem
Modulus=BFE5E865EB2A77C8749D4884A0CAD56591C73F7BA4C71B21F314EF78051DEA81CE297F2D043F705B265E846D51935740B4453CC37D15A0CE5426D37EE418ED97BB0F6675706CCE53ED10FBFF667173EE798AA87C7D02AD988C0B55C9BEB6756EE2B9DFBF8CCB425051D19A67B517C7F88CF2AB381F0432F2859FB86B8A00CD15053BAB0AC2FE6C703405AD9746C6A790A5726C1F46E216682DB2C794E3982E453FE7A767952DA5F3398C978F8A6ADAD5C466894B97A484646C1820BB0AD7BE18639A88DD20ABDE3836F3DA99384668D835DE69198064361902DACFE8A68190A7E5FC4451CFAE3AB1780AC179BFA6D1C3864C759B5D8F612E8670DB0BD5A4014FE5E67FD4022B4D7D9BEC9B2ED63CD26E3324997803C4501EA7D78E7A3C51B6869516AA78EDC737F79997B38826F1A1580265CF5D22C743997B07D0E7E26D19BA19B7091476F40FB14D5F815B933534CB162110772E8DAE733FEF9A98073365BA98925F83C723D2C5843542CCFC1E48F600CE0475E1398911FF35C67F7C4C70733D564F86297DBB331480136FC95B0618661F08B4B83C0862609A48355AD1822A6BE8E745FDB5BCBF68E1D87F7C8129F71349BB5CFD9935DCDB4FC41AF9521CCC4E3E5BF19233EF0BD407FCA5E5D95302022019F24087B2E60E64609FE3FD980773969841ACB4560E3F28CF56ECD7C043BF82714F41ED09B04167CD1FFF506FE3

openssl rsa -modulus -noout -in machine.domain.my.key
Modulus=BFE5E865EB2A77C8749D4884A0CAD56591C73F7BA4C71B21F314EF78051DEA81CE297F2D043F705B265E846D51935740B4453CC37D15A0CE5426D37EE418ED97BB0F6675706CCE53ED10FBFF667173EE798AA87C7D02AD988C0B55C9BEB6756EE2B9DFBF8CCB425051D19A67B517C7F88CF2AB381F0432F2859FB86B8A00CD15053BAB0AC2FE6C703405AD9746C6A790A5726C1F46E216682DB2C794E3982E453FE7A767952DA5F3398C978F8A6ADAD5C466894B97A484646C1820BB0AD7BE18639A88DD20ABDE3836F3DA99384668D835DE69198064361902DACFE8A68190A7E5FC4451CFAE3AB1780AC179BFA6D1C3864C759B5D8F612E8670DB0BD5A4014FE5E67FD4022B4D7D9BEC9B2ED63CD26E3324997803C4501EA7D78E7A3C51B6869516AA78EDC737F79997B38826F1A1580265CF5D22C743997B07D0E7E26D19BA19B7091476F40FB14D5F815B933534CB162110772E8DAE733FEF9A98073365BA98925F83C723D2C5843542CCFC1E48F600CE0475E1398911FF35C67F7C4C70733D564F86297DBB331480136FC95B0618661F08B4B83C0862609A48355AD1822A6BE8E745FDB5BCBF68E1D87F7C8129F71349BB5CFD9935DCDB4FC41AF9521CCC4E3E5BF19233EF0BD407FCA5E5D95302022019F24087B2E60E64609FE3FD980773969841ACB4560E3F28CF56ECD7C043BF82714F41ED09B04167CD1FFF506FE3

schoen · April 4, 2019, 11:10pm

OK, that looks good—how does your Apache configuration refer to these files?

rgallo · April 5, 2019, 3:28am

I wander why everything works perfectly on the master and breaks on the slave while all conf files of apache and certs are on the common shared drbd volume

schoen · April 5, 2019, 4:01am

Could you run sudo apachectl -t -D DUMP_VHOSTS on both servers and see whether the output is identical?

rgallo · April 5, 2019, 6:44am

since all configuration files are on the shared drbd yes but I checked and I can confirm that

schoen · April 5, 2019, 4:09pm

Could you show the the output of this from both machines?

grep -r SSLCertificate /etc/apache2

rgallo · April 8, 2019, 4:41am

those are equal since the configuration files reside on the drbd volume

schoen · April 8, 2019, 4:48pm

Could you post that output here?

rgallo · April 16, 2019, 6:41am

on the master
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/asterisk/keys/VERY.secret-machine.name.crt
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/asterisk/keys/VERY.secret-machine.name.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/asterisk/keys/VERY.secret-machine.name.pem

on the slave

grep -r SSLCertificate /etc/httpd/
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/asterisk/keys/VERY.secret-machine.name.crt
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/asterisk/keys/VERY.secret-machine.name.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/asterisk/keys/VERY.secret-machine.name.pem

rgallo · April 18, 2019, 7:02am

clues anyone ? No answers in awhile

rgallo · April 18, 2019, 7:25am

found that in /etc/httpd/conf.d/schmoozecom.conf the names for the http virtualhosts are the ones of the main node... how can I do so that those are equal to the https one?

schoen · April 22, 2019, 7:20pm

I’m sorry to say that I don’t really have any other suggestions about how to make your configurations equivalent; I’m not familiar with this synchronization method but it looks like most of the relevant files are exactly the same. Is /etc/httpd not automatically synchronized in its entirety between the two machines?

rgallo · April 23, 2019, 10:06am

the problem was in /etc/hosts if you want that to work you must put all hostnames following 127.0.0.1

system · May 23, 2019, 10:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.