httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From J Tom Moon 79 <jtm.moon.forum.u...@gmail.com>
Subject [users@httpd] apache 2.4 enable SSL for simple VirtualHost *:8843
Date Wed, 17 Dec 2014 00:55:21 GMT
I'm unable to simply enable SSL for a VirtualHost using a very simple
configuration.

I'm recently upgraded Ubuntu 12 to Ubuntu 14.  apache was upgraded from 2.2
to 2.4.7 .  I've checked the 2.4 docs for 2.2.->2.4 changes and reviewed my
configuration scripts in depth.
I can create an unencrypted VirtualHost (http) but not one an encrypted one
(https) on port 8843.  I can browse to the site just fine with
http://server:8843 (I see the expected index.html file).  If I try
https://server:8843 I get "ssl_error_rx_record_too_long" error (using
Firefox 33).

I've tried many options within the configuration files.  I haven't
drastically changed any pre-configured apache configuration files.  The
apache2 service does see my changes but just seems to not enable SSL.
Here is a selected summary of all the related files.  Can anyone identify
what I'm missing?

----

__/etc/apache2/apache2.conf__
  ...
  ErrorLog ${APACHE_LOG_DIR}/error.log
  LogLevel debug
  IncludeOptional mods-enabled/*.load
  IncludeOptional mods-enabled/*.conf
  Include ports.conf
  ...
  IncludeOptional conf-enabled/*.conf
  IncludeOptional sites-enabled/*.conf

__/etc/apache2/mods-enabled/ssl.load__

  # Depends: setenvif mime socache_shmcb
  LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so


__/etc/apache2/mods-enabled/ssl.conf__
  <IfModule ssl_module>
  # I've tried both of the following sets for SSLRandomSeed
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLRandomSeed startup file:/dev/urandom 512
  SSLRandomSeed connect file:/dev/urandom 512

  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl

  # tried with and without the next option
  #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

  SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
  SSLSessionCacheTimeout 300
  SSLCipherSuite all
  SSLProtocol all     # tried this as 'HIGH:!aNULL:!MD5'
  SSLInsecureRenegotiation on   # tried this on and off
  ErrorLog /var/log/apache2/mod_ssl.log
  LogLevel debug
  SSLStrictSNIVHostCheck Off
  </IfModule>

__/etc/apache2/sites-enabled/ssl-test__
  # tried with and without each of the following
  #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
  #LoadModule ssl_module modules/mod_ssl.so

  Listen 8843
  <VirtualHost *:8843>

  ServerName myserver
  SSLEngine on  # tried with this directive at the top and the bottom of
this file
  DocumentRoot /var/www/
  <Directory "/var/www/">
       Options Indexes FollowSymLinks MultiViews
       AllowOverride None
       Order allow,deny
       allow from all
       SSLRequireSSL  # tried with and without this directive
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
  SSLCertificateFile /etc/ssl/certs/test1.cert.pem
  SSLCertificateKeyFile /etc/ssl/private/test1.cert.key

  # tried with and without all of the following directives
  SSLCipherSuite HIGH:!aNULL:!MD5

  #SSLCipherSuite HIGH

  SSLProtocol -all +TLSv1 +SSLv3

  #SSLProtocol all

  SSLVerifyClient none
  SSLProxyEngine off
  SSLRequireSSL
  SSLRandomSeed startup file:/dev/urandom 1024
  SSLRandomSeed connect file:/dev/urandom 1024

  </VirtualHost>

__/etc/apache2/ports.conf__
  <IfModule ssl_module>
  Listen 8843
  </IfModule>

The user that runs apache2 is user www-data .
I have tested that www-data and root can access the key files
/etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key .

  $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem
/etc/ssl/private/test1.cert.key /tmp/


I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is
executable.

  $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
  -rwxr-xr-x 1 root root 211184 Jul 22 07:38
/usr/lib/apache2/modules/mod_ssl.so


I have tailed the relevant apache2 logs and checked for errors.  I see
these SSL related message on startup. (including one skip message for
127.0.0.1:80, but then later there is a resuming message)

  [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing
(virtual) servers for SSL
  [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7
compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
  [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating
secret for digest authentication ...
  [auth_digest:debug] [pid 21187:tid 139942871500672]
mod_auth_digest.c(250): AH01759: done
  [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181):
AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
  [socache_shmcb:debug] [pid 21297:tid 140596905265024]
mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of
shared memory
  ...
  [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing
(virtual) servers for SSL
  [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7
compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
  [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7
(Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
  [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built:
Jul 22 2014 14:36:38
  [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line:
'/usr/sbin/apache2'
  [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829):
AH00294: Accept mutex: fcntl (default: sysvsem)


The openssl binary runs and supports ciphers:

  $ openssl ciphers
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...


I check the apache2ctl binary compilations settings

  $ apache2ctl -V
  AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress   this message
  Server version: Apache/2.4.7 (Ubuntu)
  Server built:   Jul 22 2014 14:36:38
  Server's Module Magic Number: 20120211:27
  Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
  Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
  Architecture:   64-bit
  Server MPM:     worker
    threaded:     yes (fixed thread count)
      forked:     yes (variable process count)
  Server compiled with....
   -D APR_HAS_SENDFILE
   -D APR_HAS_MMAP
   -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
   -D APR_USE_SYSVSEM_SERIALIZE
   -D APR_USE_PTHREAD_SERIALIZE
   -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
   -D APR_HAS_OTHER_CHILD
   -D AP_HAVE_RELIABLE_PIPED_LOGS
   -D DYNAMIC_MODULE_LIMIT=256
   -D HTTPD_ROOT="/etc/apache2"
   -D SUEXEC_BIN="/usr/lib/apache2/suexec"
   -D DEFAULT_PIDLOG="/var/run/apache2.pid"
   -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
   -D DEFAULT_ERRORLOG="logs/error_log"
   -D AP_TYPES_CONFIG_FILE="mime.types"
   -D SERVER_CONFIG_FILE="apache2.conf"


I checked apache2ctl settings

  $ apache2ctl -S
  AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
  VirtualHost configuration:
  ServerRoot: "/etc/apache2"
  Main DocumentRoot: "/var/www"
  Main ErrorLog: "/var/log/apache2/mod_ssl.log"
  Mutex authdigest-client: using_defaults
  Mutex ssl-stapling: using_defaults
  Mutex ssl-cache: using_defaults
  Mutex default: dir="/var/lock/apache2" mechanism=fcntl
  Mutex mpm-accept: using_defaults
  Mutex authdigest-opaque: using_defaults
  Mutex watchdog-callback: using_defaults
  PidFile: "/var/run/apache2/apache2.pid"
  Define: DUMP_VHOSTS
  Define: DUMP_RUN_CFG
  Define: ENABLE_USR_LIB_CGI_BIN
  User: name="www-data" id=33
  Group: name="www-data" id=33


The apache2ctl syntax check is OK.

  $ apache2ctl -t
  AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
  Syntax OK


The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl
(and not /usr/sbin/apache2 ).


Any ideas on what I need to enable SSL for this VirtualHost ?
Again, I can see HTTP response on 8443 but never HTTPS.

--
-JamesThomasMoon1979

Mime
View raw message