httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From J Tom Moon 79 <jtm.moon.forum.u...@gmail.com>
Subject [users@httpd] Re: apache 2.4 enable SSL for simple VirtualHost *:8843
Date Wed, 17 Dec 2014 01:01:26 GMT
Also, the RSA key files were generated with the following command:

  $ sudo openssl req -x509 -nodes -days 730 -newkey "rsa:512" -subj
'/C=US/ST=WA/L=Sea/O=Company Inc/OU=my-team' -keyout
/etc/ssl/private/test1.cert.key -out /etc/ssl/certs/test1.cert.pem

There were no apparent problems.

On Tue, Dec 16, 2014 at 4:55 PM, J Tom Moon 79 <
jtm.moon.forum.user@gmail.com> wrote:
>
> I'm unable to simply enable SSL for a VirtualHost using a very simple
> configuration.
>
> I'm recently upgraded Ubuntu 12 to Ubuntu 14.  apache was upgraded from
> 2.2 to 2.4.7 .  I've checked the 2.4 docs for 2.2.->2.4 changes and
> reviewed my configuration scripts in depth.
> I can create an unencrypted VirtualHost (http) but not one an encrypted
> one (https) on port 8843.  I can browse to the site just fine with
> http://server:8843 (I see the expected index.html file).  If I try
> https://server:8843 I get "ssl_error_rx_record_too_long" error (using
> Firefox 33).
>
> I've tried many options within the configuration files.  I haven't
> drastically changed any pre-configured apache configuration files.  The
> apache2 service does see my changes but just seems to not enable SSL.
> Here is a selected summary of all the related files.  Can anyone identify
> what I'm missing?
>
> ----
>
> __/etc/apache2/apache2.conf__
>   ...
>   ErrorLog ${APACHE_LOG_DIR}/error.log
>   LogLevel debug
>   IncludeOptional mods-enabled/*.load
>   IncludeOptional mods-enabled/*.conf
>   Include ports.conf
>   ...
>   IncludeOptional conf-enabled/*.conf
>   IncludeOptional sites-enabled/*.conf
>
> __/etc/apache2/mods-enabled/ssl.load__
>
>   # Depends: setenvif mime socache_shmcb
>   LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
>
>
> __/etc/apache2/mods-enabled/ssl.conf__
>   <IfModule ssl_module>
>   # I've tried both of the following sets for SSLRandomSeed
>   SSLRandomSeed startup builtin
>   SSLRandomSeed connect builtin
>   SSLRandomSeed startup file:/dev/urandom 512
>   SSLRandomSeed connect file:/dev/urandom 512
>
>   AddType application/x-x509-ca-cert .crt
>   AddType application/x-pkcs7-crl .crl
>
>   # tried with and without the next option
>   #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
>
>   SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
>   SSLSessionCacheTimeout 300
>   SSLCipherSuite all
>   SSLProtocol all     # tried this as 'HIGH:!aNULL:!MD5'
>   SSLInsecureRenegotiation on   # tried this on and off
>   ErrorLog /var/log/apache2/mod_ssl.log
>   LogLevel debug
>   SSLStrictSNIVHostCheck Off
>   </IfModule>
>
> __/etc/apache2/sites-enabled/ssl-test__
>   # tried with and without each of the following
>   #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
>   #LoadModule ssl_module modules/mod_ssl.so
>
>   Listen 8843
>   <VirtualHost *:8843>
>
>   ServerName myserver
>   SSLEngine on  # tried with this directive at the top and the bottom of
> this file
>   DocumentRoot /var/www/
>   <Directory "/var/www/">
>        Options Indexes FollowSymLinks MultiViews
>        AllowOverride None
>        Order allow,deny
>        allow from all
>        SSLRequireSSL  # tried with and without this directive
>   </Directory>
>   ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
>   SSLCertificateFile /etc/ssl/certs/test1.cert.pem
>   SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
>
>   # tried with and without all of the following directives
>   SSLCipherSuite HIGH:!aNULL:!MD5
>
>   #SSLCipherSuite HIGH
>
>   SSLProtocol -all +TLSv1 +SSLv3
>
>   #SSLProtocol all
>
>   SSLVerifyClient none
>   SSLProxyEngine off
>   SSLRequireSSL
>   SSLRandomSeed startup file:/dev/urandom 1024
>   SSLRandomSeed connect file:/dev/urandom 1024
>
>   </VirtualHost>
>
> __/etc/apache2/ports.conf__
>   <IfModule ssl_module>
>   Listen 8843
>   </IfModule>
>
> The user that runs apache2 is user www-data .
> I have tested that www-data and root can access the key files
> /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key .
>
>   $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem
> /etc/ssl/private/test1.cert.key /tmp/
>
>
> I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is
> executable.
>
>   $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
>   -rwxr-xr-x 1 root root 211184 Jul 22 07:38
> /usr/lib/apache2/modules/mod_ssl.so
>
>
> I have tailed the relevant apache2 logs and checked for errors.  I see
> these SSL related message on startup. (including one skip message for
> 127.0.0.1:80, but then later there is a resuming message)
>
>   [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing
> (virtual) servers for SSL
>   [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7
> compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
>   [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating
> secret for digest authentication ...
>   [auth_digest:debug] [pid 21187:tid 139942871500672]
> mod_auth_digest.c(250): AH01759: done
>   [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181):
> AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
>   [socache_shmcb:debug] [pid 21297:tid 140596905265024]
> mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of
> shared memory
>   ...
>   [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing
> (virtual) servers for SSL
>   [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7
> compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
>   [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292:
> Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal
> operations
>   [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built:
> Jul 22 2014 14:36:38
>   [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line:
> '/usr/sbin/apache2'
>   [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829):
> AH00294: Accept mutex: fcntl (default: sysvsem)
>
>
> The openssl binary runs and supports ciphers:
>
>   $ openssl ciphers
>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...
>
>
> I check the apache2ctl binary compilations settings
>
>   $ apache2ctl -V
>   AH00558: apache2: Could not reliably determine the server's fully
> qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
> globally to suppress   this message
>   Server version: Apache/2.4.7 (Ubuntu)
>   Server built:   Jul 22 2014 14:36:38
>   Server's Module Magic Number: 20120211:27
>   Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
>   Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
>   Architecture:   64-bit
>   Server MPM:     worker
>     threaded:     yes (fixed thread count)
>       forked:     yes (variable process count)
>   Server compiled with....
>    -D APR_HAS_SENDFILE
>    -D APR_HAS_MMAP
>    -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>    -D APR_USE_SYSVSEM_SERIALIZE
>    -D APR_USE_PTHREAD_SERIALIZE
>    -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>    -D APR_HAS_OTHER_CHILD
>    -D AP_HAVE_RELIABLE_PIPED_LOGS
>    -D DYNAMIC_MODULE_LIMIT=256
>    -D HTTPD_ROOT="/etc/apache2"
>    -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>    -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>    -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>    -D DEFAULT_ERRORLOG="logs/error_log"
>    -D AP_TYPES_CONFIG_FILE="mime.types"
>    -D SERVER_CONFIG_FILE="apache2.conf"
>
>
> I checked apache2ctl settings
>
>   $ apache2ctl -S
>   AH00558: apache2: Could not reliably determine the server's fully
> qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
> globally to suppress this message
>   VirtualHost configuration:
>   ServerRoot: "/etc/apache2"
>   Main DocumentRoot: "/var/www"
>   Main ErrorLog: "/var/log/apache2/mod_ssl.log"
>   Mutex authdigest-client: using_defaults
>   Mutex ssl-stapling: using_defaults
>   Mutex ssl-cache: using_defaults
>   Mutex default: dir="/var/lock/apache2" mechanism=fcntl
>   Mutex mpm-accept: using_defaults
>   Mutex authdigest-opaque: using_defaults
>   Mutex watchdog-callback: using_defaults
>   PidFile: "/var/run/apache2/apache2.pid"
>   Define: DUMP_VHOSTS
>   Define: DUMP_RUN_CFG
>   Define: ENABLE_USR_LIB_CGI_BIN
>   User: name="www-data" id=33
>   Group: name="www-data" id=33
>
>
> The apache2ctl syntax check is OK.
>
>   $ apache2ctl -t
>   AH00558: apache2: Could not reliably determine the server's fully
> qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
> globally to suppress this message
>   Syntax OK
>
>
> The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl
> (and not /usr/sbin/apache2 ).
>
>
> Any ideas on what I need to enable SSL for this VirtualHost ?
> Again, I can see HTTP response on 8443 but never HTTPS.
>
> --
> -JamesThomasMoon1979
>


-- 
-J Tom Moon 79

Mime
View raw message