Hipchat Server is unavailable after updating SSL certificate

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

This is for an outdated version of Hipchat Server

 This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.

When will my version be deprecated?

The following versions have been deprecated:

  • Hipchat Server 1.3 (EOL Date: Aug 17, 2017)
  • Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
  • Hipchat Server 2.1 (EOL Date: Dec 8, 2018)

The following version will be deprecated soon:

  • Hipchat Server 2.2 (EOL Date: May 30, 2019)

You can read more about Atlassian's End of Life policy here.

You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.

 

Problem

Hipchat Server is inaccessible after applying an SSL certificate. The services restarted successfully but users cannot access the system. Restarting the server from the command line produces the same results. 

The following messages appear in /var/log/hipchat/nginx.err.log:

2017/05/30 04:21:13 [emerg] 16780#16780: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:23:44 [emerg] 16811#16811: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:26:15 [emerg] 16833#16833: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:28:46 [emerg] 16870#16870: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:31:17 [emerg] 16892#16892: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:33:47 [emerg] 16900#16900: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:36:18 [emerg] 16908#16908: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)

Diagnosis

Use the following commands to generate an MD5 sum of the modulus of the private key, certificate, and certificate signing request (CSR) files:

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

Confirm that the output string from each command is identical, which indicates that the files match. If the outputs are not identical, or they are identical but the problem persists, proceed to the Resolution section.

Cause

The lines of the certificate in the PEM file are not 64 characters wide.

Resolution

  1. SSH into the server through the terminal/command-line

  2. Start by reconfiguring the server to use a self-signed certificate:

    hipchat certificates --selfsign

    Note: The server should be accessible again because it has reverted to using a self-signed certificate.

  3. Double-check the formatting of your SSL certificate file and make sure it follows this layout:

    -----BEGIN CERTIFICATE----- 
    (Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE----- 
    (All required intermediate certificate files: intermediates.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN RSA PRIVATE KEY----- 
    (The private key you generated: fqdn.key) 
    -----END RSA PRIVATE KEY-----
    

    Note: A .pem file is just a Base64-encoded .der file. A few things worth noting:

    • The file must contain:

      -----BEGIN CERTIFICATE-----
      

      on a separate line (i.e. it must be terminated with a newline).

    • Each line of the certificate must be 64 characters wide.
    • The file must end with:

      -----END CERTIFICATE-----
      

      and also be terminated with a newline.

    • Don't save the cert text with Word. It must be in ASCII.
    • Don't mix DOS and UNIX style line terminations.
  4. Next, after confirming that the above requirements are met, re-import the trusted SSL certificate into the server, either from the server's terminal/command line or through the UI at Server admin > SSL. To import the certificate from the command line, run the following:

    cat hipchat-example-com.crt > new_domain_name.pem
    cat hipchat-example-com.key >> new_domain_name.pem
    hipchat certificates --import new_domain_name.pem
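
The formatting rules from step 3 can be checked before running the import. The script below is an added example, not Atlassian tooling: `pem_lint` and `row` are hypothetical helper names, and the sample file is constructed filler rather than a real certificate.

```shell
#!/bin/sh
# pem_lint FILE: report the PEM formatting problems listed in step 3.
# Prints one finding per line; returns 0 only when there are none.
# Checks layout only (it does not parse the certificate). The last body line
# of a block may be shorter than 64 characters, as in normally encoded PEM.
pem_lint() {
    rc=0
    # $(...) strips a trailing newline, so leftover output means the last byte is not one.
    if [ -n "$(tail -c 1 "$1")" ]; then
        echo "file does not end with a newline"; rc=1
    fi
    LC_ALL=C awk '
    function report(n, msg) { printf "line %d: %s\n", n, msg; bad = 1 }
    {
        # Count DOS and UNIX endings separately so a mix is caught in END.
        if (sub(/\r$/, "")) crlf++
        else lf++
        if ($0 ~ /[^ -~]/) report(NR, "non-ASCII or control character")
    }
    /-----(BEGIN|END) [A-Z0-9 ]+-----/ {
        if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+----- *$/)
            report(NR, "BEGIN/END marker is not on a line of its own")
        inside = ($0 ~ /-----BEGIN/); shortline = 0
        next
    }
    inside {
        # A short line followed by more body means the block is not wrapped at 64.
        if (shortline) report(shortline, "body line is shorter than 64 characters")
        shortline = 0
        if ($0 ~ "[^A-Za-z0-9+/=]") report(NR, "character outside the base64 alphabet")
        if (length($0) > 64) report(NR, "body line is longer than 64 characters")
        else if (length($0) < 64) shortline = NR
    }
    END {
        if (inside) report(NR, "BEGIN without a matching END marker")
        if (crlf && lf) report(NR, "mixed DOS (CRLF) and UNIX (LF) line endings")
        exit bad + 0
    }' "$1" || rc=1
    return "$rc"
}

# Constructed sample (filler text, not a real certificate), wrapped at 76 columns.
row() { printf "%${1}s\n" "" | tr " " A; }
demo=$(mktemp)
{ echo "-----BEGIN CERTIFICATE-----"; row 76; row 20; echo "-----END CERTIFICATE-----"; } > "$demo"
pem_lint "$demo" || true
rm -f "$demo"
```

Run it against new_domain_name.pem after the two `cat` commands: a certificate file saved without a final newline shows up as an END and a BEGIN marker glued onto one line. Legacy encrypted private keys carry `Proc-Type` and `DEK-Info` header lines inside the block, which this check would flag.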
    

 

Last modified on Jan 19, 2018
