httpd-users mailing list archives
From Sergey Shcherbakov <sergey.shcherba...@gmail.com>
Subject Re: [users] Can't start httpd 2.4.9 with simplest SSL config
Date Wed, 04 Jun 2014 12:26:20 GMT
Sorry, I see now where the ca.crt/ca.key are coming from. That was my
copy/paste error in the initial email.
The config I've been testing at the beginning is:

Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost *:443>
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName 192.168.9.128
    ServerAdmin mymail@mail.com
    ErrorLog "/usr/local/apache2/logs/error_log"
    TransferLog "/usr/local/apache2/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache2/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


All that doesn't fix the problem: I cannot start httpd 2.4.9 with basic SSL
support.


Sergey

On Wed, Jun 4, 2014 at 2:20 PM, Sergey Shcherbakov <
sergey.shcherbakov@gmail.com> wrote:

> Haven't seen any mention of ca.crt/ca.key yet. Where do these come from?
>
> Alright, I see now. The ssl.crt and ssl.key are preexisting folders in the
> example.
> I don't have them created after installing the httpd. So I left the
> generated server.crt and server.key in the /usr/local/apache2/conf folder
> and referenced them from the conf/extra/httpd-ssl.conf as in my initial
> example:
>
> SSLCertificateFile "/usr/local/apache2/conf/server.crt"
> SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
>
> (that was the case in the very beginning; I made an error when copying
> over the config into the original email)
> The error message in the log, after generating the certificate following
> the steps in the article, remains the same:
>
> At first about missing parameters:
>
> [Wed Jun 04 08:53:25.139183 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01887: Init: Initializing (virtual) servers for SSL
> [Wed Jun 04 08:53:25.139281 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
> [Wed Jun 04 08:53:25.139443 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
> [Wed Jun 04 08:53:25.139789 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: emailAddress=sshcherbakov@gopivotal.com,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / issuer: emailAddress=sshcherbakov@gopivotal.com,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / serial: DC21155C099C4F91 / notbefore: Jun  4 06:52:34 2014 GMT / notafter: Jun  4 06:52:34 2015 GMT]
> [Wed Jun 04 08:53:25.139802 2014] [ssl:info] [pid 25632:tid 140624693806848] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
> [Wed Jun 04 08:53:25.139971 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
> [Wed Jun 04 08:53:25.140044 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
> [Wed Jun 04 08:53:25.140059 2014] [ssl:emerg] [pid 25632:tid 140624693806848] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
> [Wed Jun 04 08:53:25.140066 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
> [Wed Jun 04 08:53:25.140103 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
> [Wed Jun 04 08:53:25.140117 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
> [Wed Jun 04 08:53:25.140119 2014] [ssl:emerg] [pid 25632:tid 140624693806848] AH02312: Fatal error initialising mod_ssl, exiting.
> AH00016: Configuration Failed
>
>
> And then about "no certificate assigned":
>
>
> [Wed Jun 04 12:40:06.290076 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01887: Init: Initializing (virtual) servers for SSL
> [Wed Jun 04 12:40:06.290128 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
> [Wed Jun 04 12:40:06.290254 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
> [Wed Jun 04 12:40:06.290434 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: emailAddress=asdfasdfasdf,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / issuer: emailAddress=asdfasdfasdf,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / serial: FA9224BF3448F91B / notbefore: Jun  4 10:36:48 2014 GMT / notafter: Jun  4 10:36:48 2015 GMT]
> [Wed Jun 04 12:40:06.290445 2014] [ssl:info] [pid 28856:tid 139884664497920] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
> [Wed Jun 04 12:40:06.291154 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /usr/local/apache2/conf/server.crt
> [Wed Jun 04 12:40:06.291246 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /usr/local/apache2/conf/server.crt
> [Wed Jun 04 12:40:06.291253 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
> [Wed Jun 04 12:40:06.291321 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
> [Wed Jun 04 12:40:06.291336 2014] [ssl:emerg] [pid 28856:tid 139884664497920] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
> [Wed Jun 04 12:40:06.291347 2014] [ssl:emerg] [pid 28856:tid 139884664497920] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
> [Wed Jun 04 12:40:06.291352 2014] [ssl:emerg] [pid 28856:tid 139884664497920] AH02312: Fatal error initialising mod_ssl, exiting.
> AH00016: Configuration Failed
>
>
>
> As you can see from the log, the /usr/local/apache2/conf/server.crt and
> /usr/local/apache2/conf/server.key files get recognized as expected.
>
>
> Regards,
> Sergey
>
> On Wed, Jun 4, 2014 at 12:57 PM, Balaji Katika <balaji.katika@gmail.com>
> wrote:
>
>> server.crt/server.key in your case translates to ca.crt/ca.key
>> Btw, ssl.crt and ssl.key are the names of the folder/directory here.
>>
>> The author did refer to the newly copied files through step 6 in the
>> article.
>> Btw, I hope you have updated the names of the crt/key files accordingly
>> before starting the httpd server again (i.e., after generating new
>> certificate/key using the article mentioned by me).
>>
>> Can you paste the contents of the latest log?
>>
>>
>>
>> On Wed, Jun 4, 2014 at 4:18 PM, Sergey Shcherbakov <
>> sergey.shcherbakov@gmail.com> wrote:
>>
>>> Hello Balaji!
>>>
>>> Thanks for your comments!
>>> The SSLPassPhraseDialog is present in my config.
>>> I've followed the steps in your article and still get the same errors as
>>> above. I don't think that your steps are much different from those
>>> specified on the CentOS HowTo and httpd docs pages (except that there is a
>>> shorter way to generate a passwordless certificate and key: openssl
>>> req -new -x509 -nodes -out server.crt -keyout server.key -days 365).
>>> I've also tried to use the password-protected key. httpd asks for it on
>>> startup as expected and fails with the same error afterwards :(
>>> I also didn't get the point of copying the server.crt and server.key to
>>> the ssl.crt and ssl.key folders and not referencing the new files from the config.
>>> Am I missing something here?
>>>
>>>
>>> Thanks again!
>>> Sergey
>>>
>>>
>>> On Wed, Jun 4, 2014 at 11:03 AM, Balaji Katika <balaji.katika@gmail.com>
>>> wrote:
>>>
>>>> Hi Sergey,
>>>>
>>>> The issue seems to be with the certificate you've generated. Looks like
>>>> you've forgotten/skipped some steps.
>>>> I think you've specified some passphrase for the certificate and Apache
>>>> is unable to locate that. The passphrase could be specified through
>>>> SSLPassPhraseDialog, which is missing in your configuration file.
>>>>
>>>> Alternately, you could avoid this passphrase by stripping it from the
>>>> certificate while generating the certificate.
>>>> I had successfully generated a self-signed certificate by following the
>>>> steps at http://www.akadia.com/services/ssh_test_certificate.html
>>>>
>>>>
>>>> I would suggest regenerating a new certificate using the instructions
>>>> mentioned at the above link and testing it again.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Jun 4, 2014 at 1:54 PM, Sergey Shcherbakov <
>>>> sergey.shcherbakov@gmail.com> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I cannot start the httpd 2.4.9 (tried 2.4.x too) on CentOS 6.5 with
>>>>> the simplest SSL config possible. The openssl version installed on the
>>>>> machine is OpenSSL 1.0.1e-fips 11 Feb 2013 (I've upgraded it using
>>>>> 'yum update' to the latest patched version as well).
>>>>>
>>>>> I have compiled and installed the httpd 2.4.9 using the following
>>>>> commands:
>>>>>
>>>>> ./configure --enable-ssl --with-ssl=/usr/local/ssl/ --enable-proxy=shared --enable-proxy_wstunnel=shared --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
>>>>> make
>>>>> make install
>>>>>
>>>>> Now I'm generating the default self-signed certificate as described in
>>>>> the CentOS HowTo:
>>>>>
>>>>> openssl genrsa -out ca.key 2048
>>>>> openssl req -new -key ca.key -out ca.csr
>>>>> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>>>>> cp ca.crt /etc/pki/tls/certs
>>>>> cp ca.key /etc/pki/tls/private/ca.key
>>>>> cp ca.csr /etc/pki/tls/private/ca.csr
>>>>>
>>>>> Here is my httpd-ssl.conf file:
>>>>>
>>>>> Listen 443
>>>>> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>>>>> SSLPassPhraseDialog  builtin
>>>>> SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
>>>>> SSLSessionCacheTimeout  300
>>>>> <VirtualHost *:443>
>>>>>     SSLEngine on
>>>>>     SSLCertificateFile /etc/pki/tls/certs/ca.crt
>>>>>     SSLCertificateKeyFile /etc/pki/tls/private/ca.key
>>>>>     <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>>>>         SSLOptions +StdEnvVars
>>>>>     </FilesMatch>
>>>>>     <Directory "/usr/local/apache2/cgi-bin">
>>>>>     SSLOptions +StdEnvVars
>>>>> </Directory>
>>>>> BrowserMatch "MSIE [2-5]" \
>>>>>          nokeepalive ssl-unclean-shutdown \
>>>>>          downgrade-1.0 force-response-1.0
>>>>> CustomLog "/usr/local/apache2/logs/ssl_request_log" \
>>>>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>>> </VirtualHost>
>>>>>
>>>>> When I start httpd using bin/apachectl -k start I get the following
>>>>> errors in the error_log:
>>>>>
>>>>> [Wed Jun 04 00:29:27.995654 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01887: Init: Initializing (virtual) servers for SSL
>>>>> [Wed Jun 04 00:29:27.995726 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>>> [Wed Jun 04 00:29:27.995863 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>>> [Wed Jun 04 00:29:27.996111 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
>>>>> [Wed Jun 04 00:29:27.996122 2014] [ssl:info] [pid 24021:tid 139640404293376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
>>>>> [Wed Jun 04 00:29:27.996209 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>>> [Wed Jun 04 00:29:27.996280 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>>> [Wed Jun 04 00:29:27.996295 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
>>>>> [Wed Jun 04 00:29:27.996303 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
>>>>> [Wed Jun 04 00:29:27.996308 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
>>>>> [Wed Jun 04 00:29:27.996318 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>>>> [Wed Jun 04 00:29:27.996321 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>> AH00016: Configuration Failed
>>>>>
>>>>> I then try to generate the missing DH PARAMETERS and EC PARAMETERS:
>>>>>
>>>>> openssl dhparam -outform PEM -out dhparam.pem 2048
>>>>> openssl ecparam -out ec_param.pem -name prime256v1
>>>>> cat dhparam.pem ec_param.pem >> /etc/pki/tls/certs/ca.crt
>>>>>
>>>>> And it mitigates the error, but the next one comes out:
>>>>>
>>>>> [Wed Jun 04 00:34:05.021438 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01887: Init: Initializing (virtual) servers for SSL
>>>>> [Wed Jun 04 00:34:05.021487 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>>> [Wed Jun 04 00:34:05.021874 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>>> [Wed Jun 04 00:34:05.022050 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
>>>>> [Wed Jun 04 00:34:05.022066 2014] [ssl:info] [pid 24089:tid 140719371077376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
>>>>> [Wed Jun 04 00:34:05.022285 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /etc/pki/tls/certs/ca.crt
>>>>> [Wed Jun 04 00:34:05.022389 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /etc/pki/tls/certs/ca.crt
>>>>> [Wed Jun 04 00:34:05.022397 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>>> [Wed Jun 04 00:34:05.022464 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>>> [Wed Jun 04 00:34:05.022478 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
>>>>> [Wed Jun 04 00:34:05.022488 2014] [ssl:emerg] [pid 24089:tid 140719371077376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>>>> [Wed Jun 04 00:34:05.022491 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>>
>>>>> AH00016: Configuration Failed
>>>>>
>>>>> I have tried to generate the simple certificate/key pair exactly as
>>>>> described in the httpd docs
>>>>> <http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#selfcert>
>>>>>
>>>>> Unfortunately, I still get the exact same errors as above.
>>>>>
>>>>> I've seen a bug report with a similar issue:
>>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56410
>>>>>
>>>>> But the openssl version I have is reported as working there. I've also
>>>>> tried to apply the patch from the report as well as build the latest 2.4.x
>>>>> branch, with no success; I get the same errors as above.
>>>>>
>>>>> I have also tried to create a short chain of certificates and set the
>>>>> root CA certificate using the SSLCertificateChainFile directive. That didn't
>>>>> help either; I get the exact same errors as above.
>>>>>
>>>>> I'm not interested in setting up hardened security, etc. The only
>>>>> thing I need is to start httpd with the simplest SSL config possible to
>>>>> continue testing the proxy config for mod_proxy_wstunnel.
>>>>>
>>>>> Has anybody encountered and solved this issue?
>>>>>
>>>>> Is my sequence for creating a self-signed certificate incorrect?
>>>>>
>>>>> I'd appreciate any help very much!
>>>>>
>>>>>
>>>>> Sergey
>>>>>
>>>>
>>>>
>>>
>>
>
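As an added example that is not part of this thread: a small Python checker for the two PEM files named by SSLCertificateFile and SSLCertificateKeyFile. It reports the structural problems behind the log messages quoted above (a key file with no PEM block, a passphrase-protected key that SSLPassPhraseDialog must be able to supply, a block whose body is not valid base64/DER, an unexpected block type) and accepts the DH PARAMETERS / EC PARAMETERS blocks that mod_ssl 2.4 reads from the certificate file, as the AH02540/AH02541 lines show. The PEM bodies it builds are constructed placeholders, not real keys, and the names pem_block, parse_pem and check_pair are the example's own.

```python
import base64
import re

# Constructed sample PEM body (not a real key or certificate): a minimal DER
# SEQUENCE, so the structural checks below have something valid to decode.
DER_EMPTY_SEQ = base64.b64encode(b"\x30\x00").decode()

def pem_block(label, body=DER_EMPTY_SEQ, headers=()):
    """Build one PEM block; RFC 1421 headers, if any, precede a blank line."""
    head = [f"-----BEGIN {label}-----", *headers] + ([""] if headers else [])
    return "\n".join(head + [body, f"-----END {label}-----"]) + "\n"

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
CERT_FILE_LABELS = {"CERTIFICATE", "DH PARAMETERS", "EC PARAMETERS"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

def parse_pem(text):
    """Return (label, encrypted, der_ok) for every PEM block in text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, payload = m.group(1), m.group(2)
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in payload)
        # Header lines contain ':' and can never be base64; drop them.
        body = "".join(ln for ln in payload.splitlines() if ln and ":" not in ln)
        try:
            der = base64.b64decode(body, validate=True)
            # A named-curve EC PARAMETERS block is a bare OID (tag 0x06);
            # everything else mod_ssl reads here is a DER SEQUENCE (0x30).
            tags = (0x06, 0x30) if label == "EC PARAMETERS" else (0x30,)
            der_ok = len(der) >= 2 and der[0] in tags
        except ValueError:
            der_ok = False
        blocks.append((label, encrypted, der_ok))
    return blocks

def check_pair(cert_text, key_text):
    """Return findings that would stop mod_ssl from loading this cert/key pair."""
    findings = []
    certs, keys = parse_pem(cert_text), parse_pem(key_text)
    if not certs or certs[0][0] != "CERTIFICATE":
        findings.append("SSLCertificateFile: first PEM block must be a CERTIFICATE")
    for label, _, der_ok in certs:
        if label not in CERT_FILE_LABELS or not der_ok:
            findings.append(f"SSLCertificateFile: unexpected or malformed '{label}' block")
    if not keys:
        findings.append("SSLCertificateKeyFile: no PEM block found ('no start line')")
    for label, encrypted, der_ok in keys:
        if label not in KEY_LABELS or not der_ok:
            findings.append(f"SSLCertificateKeyFile: unexpected or malformed '{label}' block")
        if encrypted:
            findings.append("SSLCertificateKeyFile: key is passphrase-protected; "
                            "SSLPassPhraseDialog must be able to supply it")
    return findings
```

The checker does not verify that the key actually belongs to the certificate; for that, compare the output of `openssl x509 -noout -modulus -in server.crt` with `openssl rsa -noout -modulus -in server.key`.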
