Troubleshooting Custom Digital Certificate Problems
There are a number of warnings or errors that can come up when accessing Web pages by means of SSL. Your SSL digital
certificate is configured to use a very specific domain name, which must match exactly to avoid an error. For example,
if your certificate is for the domain www.my-domain.name, and you type https://my-domain.name into the browser, you
will get this warning. Likewise, if your certificate is for my-domain.name and you enter https://www.my-domain.name
into your browser, you will get the same warning. To avoid this warning, verify the exact domain name on the
certificate when making links to secure pages. Following are suggestions to use as you troubleshoot for digital
certificate problems:
- When you make links or include images in pages, the URL is an absolute link and includes the protocol, domain,
and path to a file. If you include an image in a page using an absolute URL, see an error when the page is viewed
using a different protocol than the one indicated in the image URL. For example, include an image as follows:
http://www.my-domain.name/images/myimage.gif
When you access this page through secure protocol such as HTTP over SSL (HTTPS), you will see a warning that the
page has encrypted as well as unencrypted content. The easiest way to avoid this error is to use relative paths,
as in the following example:
/images/myimage.gif
- Many older Web browsers only support 40 or 52 bit encryption. Because modern SSL certificates use 128 bit
encryption, older browsers may not be able to view pages securely. If many of your customers are likely to be
using older browsers, you must acquire a special low-encryption certificate. Several current browsers are
available free of charge. Encourage any users having problems with your SSL certificate to upgrade to a current
browser.
- When you install a custom signed digital certificate, there are a number of possible mistakes or errors that
can cause problems. In most cases, the Apache HTTP server will not start up when one of these errors occurs. If
your site will not load in a browser, check if there are any HTTPS processes running on your private server.
Connect to your private server by means of SSH and issue the following command:
# top
Restart Apache and try loading the page again even if there are HTTPS processes running. If restarting the Apache
does not cause HTTPS processes to start on your private server, it is possible your custom certificate is not
installed properly.
- Verify the account's private key is not decrypted. View the file; if the key file includes the following
lines, the key is still encrypted:
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BCC23A5E16582F3D
To decrypt your private server's private key, issue the following command from the SSH command prompt:
% openssl rsa -in /etc/ssl.pk -out /etc/ssl.pk
When prompted, type the PEM Passphrase, after which the key is decrypted.
- Verify you uploaded the certificate using an ASCII format. Check if your certificate was uploaded properly by
reviewing it in a text editor. If each line includes character which indicate it was uploaded the file in a binary
format (^M), you must upload the file again using ASCII format.
- Verify that the certificate and private key match. For example, if you have multiple accounts which utilize SSL,
verify you are using the private key which was generated at the same time as the CSR for the domain of the account
you are configuring.
- Verify if you ordered a certificate that is correct for your private server. For example, if you are transferring
your certificate from a previous account, verify that the previous account uses Apache with SSL as the Web server
software.
- Verify your certificate or key are complete. Check that the certificate or key is complete, that the beginning and
ending lines of the key or certificate are present. Both the certificate and private key begin and end with specific
as in the following example:
-----BEGIN RSA PRIVATE KEY.
|
