httpd-users mailing list archives

From Balaji Katika <balaji.kat...@gmail.com>
Subject Re: [users] Can't start httpd 2.4.9 with simplest SSL config
Date Wed, 04 Jun 2014 10:57:10 GMT
server.crt/server.key in your case translates to ca.crt/ca.key
Btw, ssl.crt and ssl.key are the names of the folder/directory here.

The author did refer to the newly copied files through step 6 in the
article.
Btw, I hope you have updated the names of the crt/key files accordingly
before starting the httpd server again (i.e., after generating new
certificate/key using the article mentioned by me).

Can you paste the contents of the latest log?



On Wed, Jun 4, 2014 at 4:18 PM, Sergey Shcherbakov <
sergey.shcherbakov@gmail.com> wrote:

> Hello Balaji!
>
> Thanks for your comments!
> The SSLPassPhraseDialog is present in my config.
> I've followed the steps in your article and still get the same errors as
> above. I don't think that your steps are much different than those
> specified on CentOs HowTo and httpd docs pages (except that there is a
> shorter way to generate a passwordless certificate and a key: openssl req
> -new -x509 -nodes -out server.crt -keyout server.key -days 365. I've also
> tried to use the password protected key. The httpd asks for it on startup
> as expected and fails with the same error afterwards :(
> I also didn't get the point of copying the server.crt and server.key to
> the ssl.crt and ssl.key and not referencing the new files from the config.
> Do I miss something here?
>
>
> Thanks again!
> Sergey
>
>
> On Wed, Jun 4, 2014 at 11:03 AM, Balaji Katika <balaji.katika@gmail.com>
> wrote:
>
>> HI Sergey,
>>
>> The issue seems to be with the certificate you've generated. Looks like
>> you've forgotten/skipped some steps.
>> I think you've specified some passphrase for the certificate and apache
>> is unable to locate that. Passphrase could be specified through
>> SSLPassPhraseDialog which is missing in your configuration file.
>>
>> Alternately, you could avoid this passphrase by stripping it from the
>> certificate while generating certificate.
>> I had successfully generated a self signed certificate by following steps
>> at http://www.akadia.com/services/ssh_test_certificate.html
>>
>>
>> I would suggest to regenerate a new certificate using the instructions
>> mentioned at the above link and test it again....
>>
>>
>>
>>
>>
>> On Wed, Jun 4, 2014 at 1:54 PM, Sergey Shcherbakov <
>> sergey.shcherbakov@gmail.com> wrote:
>>
>>> Hello all,
>>>
>>> I cannot start the httpd 2.4.9 (tried 2.4.x too) on CentOS 6.5 with the
>>> simplest SSL config possible. The openssl version installed on the machine
>>> is OpenSSL 1.0.1e-fips 11 Feb 2013 (I've upgraded it using 'yum update'
>>> to the latest patched version as well)
>>>
>>> I have compiled and installed the httpd 2.4.9 using the following
>>> commands:
>>>
>>> ./configure --enable-ssl --with-ssl=/usr/local/ssl/ --enable-proxy=shared --enable-proxy_wstunnel=shared --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
>>> make
>>> make install
>>>
>>> Now I'm generating the default self-signed certificate as described in
>>> the CentOS HowTo:
>>>
>>> openssl genrsa -out ca.key 2048
>>> openssl req -new -key ca.key -out ca.csr
>>> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>>> cp ca.crt /etc/pki/tls/certs
>>> cp ca.key /etc/pki/tls/private/ca.key
>>> cp ca.csr /etc/pki/tls/private/ca.csr
>>>
>>> Here is my httpd-ssl.conf file:
>>>
>>> Listen 443
>>> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>>> SSLPassPhraseDialog  builtin
>>> SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
>>> SSLSessionCacheTimeout  300
>>> <VirtualHost *:443>
>>>     SSLEngine on
>>>     SSLCertificateFile /etc/pki/tls/certs/ca.crt
>>>     SSLCertificateKeyFile /etc/pki/tls/private/ca.key
>>>     <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>>         SSLOptions +StdEnvVars
>>>     </FilesMatch>
>>>     <Directory "/usr/local/apache2/cgi-bin">
>>>         SSLOptions +StdEnvVars
>>>     </Directory>
>>>     BrowserMatch "MSIE [2-5]" \
>>>              nokeepalive ssl-unclean-shutdown \
>>>              downgrade-1.0 force-response-1.0
>>>     CustomLog "/usr/local/apache2/logs/ssl_request_log" \
>>>               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>> </VirtualHost>
>>>
>>> when I start httpd using bin/apachectl -k start I get following errors
>>> in the error_log:
>>>
>>> [Wed Jun 04 00:29:27.995654 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01887: Init: Initializing (virtual) servers for SSL
>>> [Wed Jun 04 00:29:27.995726 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>> [Wed Jun 04 00:29:27.995863 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>> [Wed Jun 04 00:29:27.996111 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
>>> [Wed Jun 04 00:29:27.996122 2014] [ssl:info] [pid 24021:tid 139640404293376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
>>> [Wed Jun 04 00:29:27.996209 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>> [Wed Jun 04 00:29:27.996280 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>> [Wed Jun 04 00:29:27.996295 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
>>> [Wed Jun 04 00:29:27.996303 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
>>> [Wed Jun 04 00:29:27.996308 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
>>> [Wed Jun 04 00:29:27.996318 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>> [Wed Jun 04 00:29:27.996321 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02312: Fatal error initialising mod_ssl, exiting.
>>> AH00016: Configuration Failed
>>>
>>> I then try to generate missing DH PARAMETERS and EC PARAMETERS:
>>>
>>> openssl dhparam -outform PEM -out dhparam.pem 2048
>>> openssl ecparam -out ec_param.pem -name prime256v1
>>> cat dhparam.pem ec_param.pem >> /etc/pki/tls/certs/ca.crt
>>>
>>> And it mitigates the error but the next comes out:
>>>
>>> [Wed Jun 04 00:34:05.021438 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01887: Init: Initializing (virtual) servers for SSL
>>> [Wed Jun 04 00:34:05.021487 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>> [Wed Jun 04 00:34:05.021874 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>> [Wed Jun 04 00:34:05.022050 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
>>> [Wed Jun 04 00:34:05.022066 2014] [ssl:info] [pid 24089:tid 140719371077376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
>>> [Wed Jun 04 00:34:05.022285 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /etc/pki/tls/certs/ca.crt
>>> [Wed Jun 04 00:34:05.022389 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /etc/pki/tls/certs/ca.crt
>>> [Wed Jun 04 00:34:05.022397 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>> [Wed Jun 04 00:34:05.022464 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>> [Wed Jun 04 00:34:05.022478 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
>>> [Wed Jun 04 00:34:05.022488 2014] [ssl:emerg] [pid 24089:tid 140719371077376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>> [Wed Jun 04 00:34:05.022491 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02312: Fatal error initialising mod_ssl, exiting.
>>>
>>> AH00016: Configuration Failed
>>>
>>> I have tried to generate the simple certificate/key pair exactly as
>>> described in the httpd docs
>>> <http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#selfcert>
>>>
>>> Unfortunately, I still get exact same errors as above.
>>>
>>> I've seen a bug report with the similar issue:
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56410
>>>
>>> But the openssl version I have is reported as working there. I've also
>>> tried to apply the patch from the report as well as build the latest 2.4.x
>>> branch with no success, I get the same errors as above.
>>>
>>> I have also tried to create a short chain of certificates and set the
>>> root CA certificate using SSLCertificateChainFile directive. That didn't
>>> help either, I get exact same errors as above.
>>>
>>> I'm not interested in setting up hardened security, etc. The only thing
>>> I need is to start httpd with the simplest SSL config possible to continue
>>> testing proxy config for the mod_proxy_wstunnel
>>>
>>> Had anybody encountered and solved this issue?
>>>
>>> Is my sequence for creating a self-signed certificate incorrect?
>>>
>>> I'd appreciate any help very much!
>>>
>>>
>>> Sergey
>>>
>>
>>
>
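The thread turns on two questions about the files named by SSLCertificateFile and SSLCertificateKeyFile: what PEM blocks they actually contain (Sergey appended DH and EC parameters to ca.crt, and mod_ssl then reported loading them from that file), and whether the key is passphrase-protected (Balaji's SSLPassPhraseDialog point). The inspector below is an added example, not code from the thread or from httpd; it parses both files, lists the block types found, flags a legacy "Proc-Type: 4,ENCRYPTED" key, and checks that each block body is valid base64 wrapping a DER SEQUENCE. The sample inputs are constructed dummies (a five-byte DER sequence, not a real certificate or key), and the report fields and problem strings are this example's own, not mod_ssl's.

```python
"""Inspect the PEM files behind SSLCertificateFile / SSLCertificateKeyFile.

Added example, not code from the thread or from httpd. Sample inputs are
constructed dummies, not real certificates, keys or parameter sets.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# One PEM block: BEGIN and END labels must agree (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


@dataclass
class PemBlock:
    label: str
    encrypted: bool  # legacy "Proc-Type: 4,ENCRYPTED" header present
    valid: bool      # body decoded; unless encrypted, it is a DER SEQUENCE


def parse_pem(text: str) -> List[PemBlock]:
    """Return every block whose BEGIN and END labels match, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, raw = m.group(1), m.group(2)
        headers, body, in_headers = [], [], True
        for line in raw.splitlines():
            line = line.strip()
            # Legacy PEM headers ("Proc-Type:", "DEK-Info:") come before a
            # blank line; base64 never contains ':' so this cannot misfire.
            if in_headers and ":" in line:
                headers.append(line)
                continue
            in_headers = False
            if line:
                body.append(line)
        encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                        for h in headers)
        try:
            der = base64.b64decode("".join(body), validate=True)
            valid = encrypted or der[:1] == b"\x30"  # 0x30 = ASN.1 SEQUENCE
        except ValueError:  # binascii.Error is a ValueError subclass
            valid = False
        blocks.append(PemBlock(label, encrypted, valid))
    return blocks


def inspect(cert_text: str, key_text: str) -> Dict[str, object]:
    """Cross-check both files against what mod_ssl needs at startup."""
    cert, key = parse_pem(cert_text), parse_pem(key_text)
    cert_labels = [b.label for b in cert]
    key_blocks = [b for b in key if b.label in KEY_LABELS]
    problems = []
    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate file has no CERTIFICATE block "
                        "(PEM_read_bio: no start line)")
    if not key_blocks:
        problems.append("key file has no private key block")
    if any(b.encrypted for b in key_blocks):
        problems.append("private key is passphrase-protected; httpd will ask "
                        "for it at startup via SSLPassPhraseDialog")
    for name, blocks in (("certificate", cert), ("key", key)):
        for b in blocks:
            if not b.valid:
                problems.append(f"{name} file: {b.label} block is not valid "
                                "base64 DER")
    return {
        "cert_blocks": cert_labels,
        "key_blocks": [b.label for b in key],
        "has_certificate": "CERTIFICATE" in cert_labels,
        "has_dh_params": "DH PARAMETERS" in cert_labels,
        "has_ec_params": "EC PARAMETERS" in cert_labels,
        "has_private_key": bool(key_blocks),
        "key_encrypted": any(b.encrypted for b in key_blocks),
        "problems": problems,
    }


# Constructed dummy body: base64 of the DER SEQUENCE 30 03 02 01 01.
DUMMY_DER = "MAMCAQE="


def pem(label: str, body: str = DUMMY_DER, headers: str = "") -> str:
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# A certificate file after "cat dhparam.pem ec_param.pem >> ca.crt" as in
# the thread, with dummy contents.
SAMPLE_CERT = pem("CERTIFICATE") + pem("DH PARAMETERS") + pem("EC PARAMETERS")
# A passphrase-protected legacy key: headers flag encryption, body is
# ciphertext and so is not expected to start with a DER SEQUENCE.
SAMPLE_ENCRYPTED_KEY = pem(
    "RSA PRIVATE KEY", body="AAECAwQFBgc=",
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
SAMPLE_PLAIN_KEY = pem("RSA PRIVATE KEY")

if __name__ == "__main__":
    for field, value in inspect(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY).items():
        print(f"{field}: {value}")
```

The inspector only checks structure; whether the key actually belongs to the certificate is the other check worth running before restarting httpd, and for an RSA pair the usual way is to compare `openssl x509 -noout -modulus -in ca.crt` with `openssl rsa -noout -modulus -in ca.key` (the two outputs must be identical), after confirming each file parses with `openssl x509 -noout -text -in ca.crt` and `openssl rsa -check -noout -in ca.key`.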
