Namecheap SSL Reissue bug

daniel —Tue, 04/08/2014 - 11:41am

Security

Due to the Heartbleed bug in OpenSsl, I wanted to regenerate my ssl keys.
I did so in the normal fashion by using:
openssl genrsa -des3 -out bowerstudios.com.key 2048
Next I created the csr:
openssl req -new -key bowerstudios.com.key -out bowerstudios.com.csr

I verified they matched with:
openssl req -noout -modulus -in bowerstudios.com.csr | openssl md5
openssl rsa -noout -modulus -in bowerstudios.com.key | openssl md5

I created the reissue request and approved it through the rapid ssl flow.

When I received the new cert, Apache failed to startup. Checking the md5 of the new cert showed it did not match.
openssl x509 -noout -modulus -in bowerstudios.com.cert | openssl md5

Thinking I mistyped something, I went through the entire process again, and encountered the same error.

However, I noticed the md5 of the certificate from the second attempt, matched the md5 of the priv key and csr from the first attempt. When I matched the 3 with the same md5 from both attempts, my server started up successfully.

Finally, you should check into revoking the other certs.

Comments

More Research

Submitted by daniel on Tue, 04/08/2014 - 1:34pm

After looking at the issue a little more, I wonder if it is an issue with the SSL reseller Namecheap, as I experienced the same error with a Thawte certificate.