500 OOPS: SSL: cannot load RSA private key vsftpd
I'm configuring vsftpd on Debian 7.3 and I'm trying to use SSL. I generate the certificates using this command:
openssl req -x509 -nodes -days 1925 -newkey rsa:2048 -keyout /etc/vsftpd/private/vsftpd2.key -out /etc/vsftpd/certificado/vsfptd3.pem
And my vsftpd.conf is this:
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=NO
#chown_uploads=YES
#chown_username=whoever
#
chroot_local_user=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp-ssl
rsa_cert_file=/etc/vsftpd/certificado/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/private/vsftpd2.key
anon_root=/srv/ftp/anonimo
chown_upload_mode=757
anon_upload_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990
ssl_ciphers=HIGH
require_ssl_reuse=NO
But every time I try to start vsftpd I get this error message:
500 OOPS: SSL: cannot load RSA private key
I've checked that the permissions are correctly configured; I don't know what to do to fix this. Any help, please?
Solution 1:
I had a similar problem today on a NetScaler (BSD-based networking appliance with an older version of openssl than I created the key on), although not with vsftpd, and I can say that mysql also suffers from it.
Your private key is perhaps in a different format than expected. Try the following:
mv /etc/vsftpd/private/vsftpd2.key{,.old}
openssl rsa -in /etc/vsftpd/private/vsftpd2.key.old -out /etc/vsftpd/private/vsftpd2.key
diff /etc/vsftpd/private/vsftpd2.key{.old,}
You may find that the first and last lines are noticeably different (e.g. BEGIN RSA PRIVATE KEY may change to something like BEGIN RSA KEY or similar).
Other similar things to check (for other pieces of software):
- Do you have native line-endings in your private key file?
- Do you perhaps need to remove the trailing newline?
Another common fault (quite applicable to you, perhaps) is that vsftpd may change user after starting; some software will read the key after this happens (e.g. mysql), while others will read it before (e.g. httpd). strace can be very informative here if you want to really dig into it.
Solution 2:
It seems I have found the root of the issue.
I have run strace with your config:
stat("/etc/vsftpd/vsftpd.conf", {st_mode=S_IFREG|0600, st_size=791, ...}) = 0
getuid() = 0
getuid() = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}], 1, 10) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\225\f\312\271\276\215\201=\200\237A\337u7\237\201\2001GC\352\371\363\334GT\36/\37\f\33\257"..., 48) = 48
close(3) = 0
getuid() = 0
open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
fcntl(0, F_GETFL) = 0x8402 (flags O_RDWR|O_APPEND|O_LARGEFILE)
fcntl(0, F_SETFL, O_RDWR|O_APPEND|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: ) = 10
write(0, "SSL: cannot load RSA certificate", 32SSL: cannot load RSA certificate) = 32
write(0, "\r\n", 2
) = 2
exit_group(1) = ?
+++ exited with 1 +++
As you can see, vsftpd can't find the SSL certificate /etc/vsftpd/certificado/vsftpd.pem:
open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
That's because when you generated the certificate you used a different name:
-out /etc/vsftpd/certificado/vsfptd3.pem
Correct the file name of the certificate (rsa_cert_file) in your vsftpd.conf.
500 OOPS: SSL: cannot load RSA private key
Also check the path and name of your private key.
P.S. You can always debug vsftpd with the strace utility:
# strace /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
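As an added example (not code from either answer), a POSIX shell checker that runs the static checks both answers describe against a vsftpd.conf: the configured rsa_cert_file and rsa_private_key_file must exist and be readable (the ENOENT from Solution 2), carry PEM BEGIN/END lines, and have no CRLF line endings or blank trailing line (Solution 1). The config and PEM contents in the demo are constructed; check_keypair_match assumes openssl is installed.

```shell
#!/bin/sh
# Static checks for the files behind "500 OOPS: SSL: cannot load RSA certificate/private key".

# Print the (last) value of a key=value directive from a vsftpd.conf, ignoring comments.
conf_value() {  # usage: conf_value CONF DIRECTIVE
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Check one PEM file; print the reason and return 1 on the first problem found.
check_pem_file() {  # usage: check_pem_file LABEL PATH
    [ -n "$2" ] || { echo "$1: not set in config"; return 1; }
    [ -f "$2" ] || { echo "$1: $2 does not exist (the ENOENT strace shows)"; return 1; }
    [ -r "$2" ] || { echo "$1: $2 is not readable by this user"; return 1; }
    head -n 1 "$2" | grep -q '^-----BEGIN ' || { echo "$1: $2 has no PEM BEGIN line"; return 1; }
    tail -n 1 "$2" | grep -q '^-----END ' || { echo "$1: $2 last line is not a PEM END line (blank trailing line?)"; return 1; }
    if grep -q "$(printf '\r')" "$2"; then echo "$1: $2 has CRLF line endings"; return 1; fi
    echo "$1: $2 OK"
}

# Check both SSL files named in CONF; return 0 only if both pass.
check_vsftpd_ssl() {  # usage: check_vsftpd_ssl CONF
    rc=0
    check_pem_file rsa_cert_file "$(conf_value "$1" rsa_cert_file)" || rc=1
    check_pem_file rsa_private_key_file "$(conf_value "$1" rsa_private_key_file)" || rc=1
    return $rc
}

# Optional: confirm the key belongs to the certificate (needs openssl; not part of the static check).
check_keypair_match() {  # usage: check_keypair_match CERT KEY
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Demo with a constructed layout reproducing the question: cert written as vsfptd3.pem,
# config pointing at vsftpd.pem. Expected output ends with the rsa_cert_file ENOENT line.
d=$(mktemp -d)
mkdir -p "$d/certificado" "$d/private"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIB...constructed...' '-----END RSA PRIVATE KEY-----' > "$d/private/vsftpd2.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...constructed...' '-----END CERTIFICATE-----' > "$d/certificado/vsfptd3.pem"
printf 'ssl_enable=YES\nrsa_cert_file=%s/certificado/vsftpd.pem\nrsa_private_key_file=%s/private/vsftpd2.key\n' "$d" "$d" > "$d/vsftpd.conf"
check_vsftpd_ssl "$d/vsftpd.conf" || echo "fix the paths in vsftpd.conf before starting vsftpd"
rm -rf "$d"
```

Run it as the user vsftpd reads the files as, since a readable-by-root-only key can also produce the same OOPS after vsftpd changes user.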