httpd-users mailing list archives

From Rex Brooks <r...@starbourne.com>
Subject Re: [users@httpd] Correction & Question: SSLCertificateFile: RedHat (RHEL4) apache startup failure: ebxml-registry-repository on tomcat on port 6480, with Mambo LAMP Portal on port 8080: Despite Self-Signed Cert: [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
Date Sat, 13 May 2006 19:35:49 GMT
Thanks again, Richard,

I missed this message due to a series of 12-hour days during last 
week's OASIS Symposium.

I apologize. I'm still working my way out of the backup. I appreciate 
your follow-through very much,

Answers inline.


At 11:46 AM -0700 5/9/06, Richard de Vries wrote:
>Are you using a separate configuration file for your
>SSL instance?
>
>Let's start with a couple of basic things.
>
>1) Do you have the SSL configuration between <IfModule
>XXXX> tags? If so, what is your XXXX set to in this
>case?

There is no SSL configuration between <IfModule XXXX> tags. I have 
Apache2.0 in RHEL 4, so I have an ssl.conf file in directory 
/etc/httpd/conf.d.

>2) SSLCertificateFile and SSLCertificateKeyFile point
>to valid files right? Can you do a ls -al on that file
>location?

Yes.

>3) Sometimes, some programs refuse to enable SSL if
>the certificates are publicly readable. How are your
>permissions on these files?

[root@XXXX ssl.crt]# ls -al
total 40
drwx------  2 root root 4096 May 13 08:06 .
drwxr-xr-x  7 root root 4096 May 13 08:23 ..
-rw-r--r--  1 root root 1773 May  8 17:22 cacert.pem
-rw-r--r--  1 root root 1522 Feb 28  2005 Makefile.crt
-rw-------  1 root root 1497 May  8 21:27 server.crt
[root@XXX ssl.crt]# cd ..
[root@@XXX conf]# cd ssl.key
[root@XXX ssl.key]# ls -al
total 48
drwx------  2 root root 4096 Feb 28  2005 .
drwxr-xr-x  7 root root 4096 May 13 08:23 ..
-rw-r--r--  1 root root 1751 May  8 17:18 privkey.pem
-rw-------  1 root root  963 May  8 21:23 server.key
[root@XXX ssl.key]#

>
>Let's start with these steps, then work ourselves thru
>your configuration. I don't think re-installing apache
>would necessarily fix anything.

There are the permissions. You're right, re-installing wouldn't 
change this. ????

Thanks again,
Rex

>   Richard
>--- Rex Brooks <rexb@starbourne.com> wrote:
>
>>  Thanks Richard,
>>
>>  I appreciate that you took the time to answer. So far you are the
>>  only one. This installation is on RedHat Enterprise Linux4 and
>>  Apache2.0 and I have tried the Key-Certificate generation
>>  instructions detailed in the System Administration Guide Ch.
>>  26.6-26.8,
>>
>>  I tried the freebsd instructions at the url you advised, and what
>>  happened was that the certificate signing request could not open the
>>  key. I have also downloaded and tried with openssl-0.9.8b. I was able
>>  to generate the server.key and server.crt but httpd still does not
>>  start.
>>
>>  The Admin Guide instructions also result in what ought to be a valid
>>  server key in the ssl.key directory and a server.crt in the ssl.crt
>>  directory as specified in the ssl.conf file in the /etc/httpd/conf
>>  directory, but httpd still does not start.
>>
>>  Here is the terminal output when attempting to start httpd:
>>
>>  [root@c-xxx-xxx-xxx-xxx ~]# service httpd start
>>  Starting httpd: [Mon May 08 06:20:21 2006] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 557 will probably never match because it overlaps an earlier AliasMatch.
>>  Warning: DocumentRoot [/home/xxx/jakarta-tomcat-5.0.28] does not exist
>>                                                            [FAILED]
>>  [root@c-xxx-xxx-xxx-xxx ~]#
>>
>>  Here is the httpd error_log for that sequence:
>>
>>  [Mon May 08 06:20:21 2006] [notice] core dump file size limit raised to 4294967295 bytes
>>  [Mon May 08 06:20:22 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>  [Mon May 08 06:20:22 2006] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
>>
>>  It's beginning to look like I will have to reinstall apache.
>>
>>  Regards,
>>  Rex
>>
>>  >what error are you getting?
>>  >
>>  >Try following the instructions at this URL. They've
>>  >always worked for me:
>>  >
>>  >http://www.corserv.com/freebsd/apache-ssl-howto.html
>>  >
>>  >--- Rex Brooks <rexb@starbourne.com> wrote:
>>  >
>>  >>  Please see my previous post for details.
>>  >>
>>  >>  I said that mod_ssl was not installed, but a double
>>  >>  check showed that it is.
>>  >>
>>  >>  My question is only about filenames for SSLCertificateFile and/or
>>  >>  SSLCertificateKeyFile.
>>  >>
>>  >>  ApacheSSL Documentation says at
>>  >>  http://www.apache-ssl.org/docs.html#SSLCertificateFile:
>>  >>
>>  >>  This is your PEM-encoded server certificate (strictly, it is what
>>  >>  SSLeay calls PEM, which isn't really).
>>  >>
>>  >>  Example:
>>  >>
>>  >>  SSLCertificateFile /usr/local/apache/certs/my.server.pem
>>  >>
>>  >>  What the process described in RedHat Sys. Admin. Guide Ch. 26.6-26.8
>>  >>  produces in the file ssl.conf located in /etc/httpd/conf.d/ used to
>>  >>  configure SSL support is:
>>  >>
>>  >>  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>>  >>
>>  >>  and
>>  >>
>>  >>  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>  >>
>>  >>  There is a file named server.crt in the specified location, and a
>>  >>  server.key file in its corresponding location. Could this lack of a
>>  >>  PEM-encoded server certificate, however it is produced, be the root
>>  >>  cause of httpd start failure?
>>  >>
>>  >>  I have downloaded and installed openssl-0.9.8b and I have also now
>>  >>  generated a privkey.pem and a cacert.pem and I have put them in the
>>  >>  same directories as the ssl.conf file specified, and edited that file
>>  >>  to reflect that, rebooted and httpd still fails to start.
>>  >>
>>  >>
>>  >>  Regards,
>>  >>  Rex Brooks
>>  >>
>>  >>
>>  >>  --
>>  >>  Rex Brooks
>>  >>  President, CEO
>>  >>  Starbourne Communications Design
>>  >>  GeoAddress: 1361-A Addison
>>  >>  Berkeley, CA 94702
>>  >>  Tel: 510-849-2309
>>  >>
>>  >>
>>  >>  ---------------------------------------------------------------------
>>  >>  The official User-To-User support forum of the Apache HTTP Server Project.
>>  >>  See <URL:http://httpd.apache.org/userslist.html> for more info.
>>  >>  To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>  >>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>  >>  For additional commands, e-mail: users-help@httpd.apache.org
>>  >>
>>  >>
>>  >
>>  >
>>  >__________________________________________________
>>  >Do You Yahoo!?
>>  >Tired of spam?  Yahoo! Mail has the best spam protection around
>>  >http://mail.yahoo.com
>>
>>
>>  --
>>  Rex Brooks
>>  President, CEO
>>  Starbourne Communications Design
>>  GeoAddress: 1361-A Addison
>>  Berkeley, CA 94702
>>  Tel: 510-849-2309
>>
>>


-- 
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
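
The file checks discussed in this thread (valid PEM certificate, loadable key, key permissions), plus a test that the key actually belongs to the certificate, as an added shell example that is not part of the original messages. The function name `check_pair` and its return codes are chosen here, and the example assumes an OpenSSL command-line tool that provides `openssl pkey` (1.0.0 or later).

```shell
#!/bin/sh
# Added example: sanity-check the two files that SSLCertificateFile and
# SSLCertificateKeyFile point at, e.g.
#   sh check_pair.sh /etc/httpd/conf/ssl.crt/server.crt \
#                    /etc/httpd/conf/ssl.key/server.key
# Return codes (chosen for this example):
#   0 ok
#   1 certificate file is not a readable PEM X.509 certificate
#   2 key file cannot be loaded without a passphrase
#   3 key does not belong to the certificate
#   4 key file is accessible to group or others

check_pair() {
    cp_cert=$1
    cp_key=$2

    # The certificate must parse as PEM-encoded X.509. A CSR or a
    # private key placed in this slot fails here.
    cp_cert_pub=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null) || return 1

    # "-passin pass:" supplies an empty passphrase, so an encrypted key
    # fails immediately instead of blocking on a prompt.
    cp_key_pub=$(openssl pkey -in "$cp_key" -pubout -passin pass: 2>/dev/null) || return 2

    # The pair matches only if both files carry the same public key.
    [ "$cp_cert_pub" = "$cp_key_pub" ] || return 3

    # Characters 5-10 of the ls mode string are the group/other bits.
    cp_mode=$(ls -ld "$cp_key" | cut -c5-10)
    [ "$cp_mode" = "------" ] || return 4

    return 0
}

# Run the check when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "pair ok" || echo "check failed: code $?"
fi
```

In the listing above, a key file with mode `-rw-r--r--` such as privkey.pem would fail the permission step, while server.key (`-rw-------`) would pass it.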
