httpd-users mailing list archives

From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] Re: apache 2.4 enable SSL for simple VirtualHost *:8843
Date Wed, 17 Dec 2014 15:04:24 GMT
"simple configuration you say"?

I would certainly try to simplify it much more. You have many IfModules,
repeated directives and many directives you don't even need, as well as
dated ones, so to try to make it work better start by removing all the
unnecessary stuff.

I would simply delete ALL that and try something simpler like this:

# Listen to force ipv4 and make sure this isn't your issue
Listen 0.0.0.0:8443


# Now basic secure SSL config for 2.4 with all the stuff you will probably
# need in most cases (don't try insecure renegotiation again). I tried to
# make these directives based on your previous paths:

## SSL Server config
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
SSLProtocol all -SSLv3 -SSLv2
SSLCompression off
SSLCipherSuite TLSv1.2:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!EXP:!eNULL:!PSK
SSLHonorCipherOrder on
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shmcb:${APACHE_LOG_DIR}/ssl_gcache_data(512000)


###
# and now the SSL virtualhost
# SSLPassPhrase and all that will be needed IF your key is encrypted.
<VirtualHost *:8443>
    ServerName myserver
    DocumentRoot /var/www
    # CustomLog needs a log format (or a nickname such as "combined") as its second argument
    CustomLog ${APACHE_LOG_DIR}/myserver-ssl.log combined
    ErrorLog ${APACHE_LOG_DIR}/myserver-ssl-error.log

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/test1.cert.pem
    SSLCertificateKeyFile /etc/ssl/private/test1.cert.key

    # last but not least use the 2.4 access directives with "Require"
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Once you have all this set up, make sure the virtualhost shows up in
"apachectl -S"; otherwise it is probably your config not loading the
virtualhost even though you may think it is doing so. At least the logs you
showed only mention 127.0.1.1:80

IMHO, it is always better to resort to one single configuration file for
everything if the server is just a couple of virtualhosts.

Regards



2014-12-17 2:01 GMT+01:00 J Tom Moon 79 <jtm.moon.forum.user@gmail.com>:
>
> Also, the RSA key files were generated with the following command:
>
>   $ sudo openssl req -x509 -nodes -days 730 -newkey "rsa:512" -subj
> '/C=US/ST=WA/L=Sea/O=Company Inc/OU=my-team' -keyout
> /etc/ssl/private/test1.cert.key -out /etc/ssl/certs/test1.cert.pem
>
> There were no apparent problems.
>
> On Tue, Dec 16, 2014 at 4:55 PM, J Tom Moon 79 <
> jtm.moon.forum.user@gmail.com> wrote:
>>
>> I'm unable to simply enable SSL for a VirtualHost using a very simple
>> configuration.
>>
>> I recently upgraded Ubuntu 12 to Ubuntu 14.  Apache was upgraded from
>> 2.2 to 2.4.7.  I've checked the 2.4 docs for 2.2->2.4 changes and
>> reviewed my configuration scripts in depth.
>> I can create an unencrypted VirtualHost (http) but not an encrypted
>> one (https) on port 8843.  I can browse to the site just fine with
>> http://server:8843 (I see the expected index.html file).  If I try
>> https://server:8843 I get "ssl_error_rx_record_too_long" error (using
>> Firefox 33).
>>
>> I've tried many options within the configuration files.  I haven't
>> drastically changed any pre-configured apache configuration files.  The
>> apache2 service does see my changes but just seems to not enable SSL.
>> Here is a selected summary of all the related files.  Can anyone identify
>> what I'm missing?
>>
>> ----
>>
>> __/etc/apache2/apache2.conf__
>>   ...
>>   ErrorLog ${APACHE_LOG_DIR}/error.log
>>   LogLevel debug
>>   IncludeOptional mods-enabled/*.load
>>   IncludeOptional mods-enabled/*.conf
>>   Include ports.conf
>>   ...
>>   IncludeOptional conf-enabled/*.conf
>>   IncludeOptional sites-enabled/*.conf
>>
>> __/etc/apache2/mods-enabled/ssl.load__
>>
>>   # Depends: setenvif mime socache_shmcb
>>   LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
>>
>>
>> __/etc/apache2/mods-enabled/ssl.conf__
>>   <IfModule ssl_module>
>>   # I've tried both of the following sets for SSLRandomSeed
>>   SSLRandomSeed startup builtin
>>   SSLRandomSeed connect builtin
>>   SSLRandomSeed startup file:/dev/urandom 512
>>   SSLRandomSeed connect file:/dev/urandom 512
>>
>>   AddType application/x-x509-ca-cert .crt
>>   AddType application/x-pkcs7-crl .crl
>>
>>   # tried with and without the next option
>>   #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
>>
>>   SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
>>   SSLSessionCacheTimeout 300
>>   SSLCipherSuite all
>>   SSLProtocol all     # tried this as 'HIGH:!aNULL:!MD5'
>>   SSLInsecureRenegotiation on   # tried this on and off
>>   ErrorLog /var/log/apache2/mod_ssl.log
>>   LogLevel debug
>>   SSLStrictSNIVHostCheck Off
>>   </IfModule>
>>
>> __/etc/apache2/sites-enabled/ssl-test__
>>   # tried with and without each of the following
>>   #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
>>   #LoadModule ssl_module modules/mod_ssl.so
>>
>>   Listen 8843
>>   <VirtualHost *:8843>
>>
>>   ServerName myserver
>>   SSLEngine on  # tried with this directive at the top and the bottom of
>> this file
>>   DocumentRoot /var/www/
>>   <Directory "/var/www/">
>>        Options Indexes FollowSymLinks MultiViews
>>        AllowOverride None
>>        Order allow,deny
>>        allow from all
>>        SSLRequireSSL  # tried with and without this directive
>>   </Directory>
>>   ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
>>   SSLCertificateFile /etc/ssl/certs/test1.cert.pem
>>   SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
>>
>>   # tried with and without all of the following directives
>>   SSLCipherSuite HIGH:!aNULL:!MD5
>>
>>   #SSLCipherSuite HIGH
>>
>>   SSLProtocol -all +TLSv1 +SSLv3
>>
>>   #SSLProtocol all
>>
>>   SSLVerifyClient none
>>   SSLProxyEngine off
>>   SSLRequireSSL
>>   SSLRandomSeed startup file:/dev/urandom 1024
>>   SSLRandomSeed connect file:/dev/urandom 1024
>>
>>   </VirtualHost>
>>
>> __/etc/apache2/ports.conf__
>>   <IfModule ssl_module>
>>   Listen 8843
>>   </IfModule>
>>
>> The user that runs apache2 is user www-data.
>> I have tested that www-data and root can access the key files
>> /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key.
>>
>>   $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem
>> /etc/ssl/private/test1.cert.key /tmp/
>>
>>
>> I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is
>> executable.
>>
>>   $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
>>   -rwxr-xr-x 1 root root 211184 Jul 22 07:38
>> /usr/lib/apache2/modules/mod_ssl.so
>>
>>
>> I have tailed the relevant apache2 logs and checked for errors.  I see
>> these SSL-related messages on startup (including one skip message for
>> 127.0.0.1:80, but then later there is a resuming message).
>>
>>   [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing
>> (virtual) servers for SSL
>>   [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7
>> compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
>>   [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757:
>> generating secret for digest authentication ...
>>   [auth_digest:debug] [pid 21187:tid 139942871500672]
>> mod_auth_digest.c(250): AH01759: done
>>   [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181):
>> AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
>>   [socache_shmcb:debug] [pid 21297:tid 140596905265024]
>> mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of
>> shared memory
>>   ...
>>   [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing
>> (virtual) servers for SSL
>>   [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7
>> compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
>>   [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292:
>> Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal
>> operations
>>   [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server
>> built: Jul 22 2014 14:36:38
>>   [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line:
>> '/usr/sbin/apache2'
>>   [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829):
>> AH00294: Accept mutex: fcntl (default: sysvsem)
>>
>>
>> The openssl binary runs and supports ciphers:
>>
>>   $ openssl ciphers
>>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...
>>
>>
>> I checked the apache2ctl binary compilation settings
>>
>>   $ apache2ctl -V
>>   AH00558: apache2: Could not reliably determine the server's fully
>> qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
>> globally to suppress   this message
>>   Server version: Apache/2.4.7 (Ubuntu)
>>   Server built:   Jul 22 2014 14:36:38
>>   Server's Module Magic Number: 20120211:27
>>   Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
>>   Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
>>   Architecture:   64-bit
>>   Server MPM:     worker
>>     threaded:     yes (fixed thread count)
>>       forked:     yes (variable process count)
>>   Server compiled with....
>>    -D APR_HAS_SENDFILE
>>    -D APR_HAS_MMAP
>>    -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>>    -D APR_USE_SYSVSEM_SERIALIZE
>>    -D APR_USE_PTHREAD_SERIALIZE
>>    -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>>    -D APR_HAS_OTHER_CHILD
>>    -D AP_HAVE_RELIABLE_PIPED_LOGS
>>    -D DYNAMIC_MODULE_LIMIT=256
>>    -D HTTPD_ROOT="/etc/apache2"
>>    -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>>    -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>>    -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>>    -D DEFAULT_ERRORLOG="logs/error_log"
>>    -D AP_TYPES_CONFIG_FILE="mime.types"
>>    -D SERVER_CONFIG_FILE="apache2.conf"
>>
>>
>> I checked apache2ctl settings
>>
>>   $ apache2ctl -S
>>   AH00558: apache2: Could not reliably determine the server's fully
>> qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
>> globally to suppress this message
>>   VirtualHost configuration:
>>   ServerRoot: "/etc/apache2"
>>   Main DocumentRoot: "/var/www"
>>   Main ErrorLog: "/var/log/apache2/mod_ssl.log"
>>   Mutex authdigest-client: using_defaults
>>   Mutex ssl-stapling: using_defaults
>>   Mutex ssl-cache: using_defaults
>>   Mutex default: dir="/var/lock/apache2" mechanism=fcntl
>>   Mutex mpm-accept: using_defaults
>>   Mutex authdigest-opaque: using_defaults
>>   Mutex watchdog-callback: using_defaults
>>   PidFile: "/var/run/apache2/apache2.pid"
>>   Define: DUMP_VHOSTS
>>   Define: DUMP_RUN_CFG
>>   Define: ENABLE_USR_LIB_CGI_BIN
>>   User: name="www-data" id=33
>>   Group: name="www-data" id=33
>>
>>
>> The apache2ctl syntax check is OK.
>>
>>   $ apache2ctl -t
>>   AH00558: apache2: Could not reliably determine the server's fully
>> qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
>> globally to suppress this message
>>   Syntax OK
>>
>>
>> The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl
>> (and not /usr/sbin/apache2).
>>
>>
>> Any ideas on what I need to enable SSL for this VirtualHost?
>> Again, I can see HTTP response on 8443 but never HTTPS.
>>
>> --
>> -JamesThomasMoon1979
>>
>
>
> --
> -J Tom Moon 79
>
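
An added diagnostic script for the two checks this thread turns on: whether the <VirtualHost> was actually parsed (Daniel's "apachectl -S" advice, and the empty "VirtualHost configuration:" section in the original post) and whether the port answers with a TLS record rather than cleartext HTTP, which is what Firefox's ssl_error_rx_record_too_long means. This is not code from the thread or from the httpd project. It assumes the Debian/Ubuntu layout where apache2.conf pulls in sites-enabled/*.conf, so a file named without the .conf suffix (the original post shows its vhost in sites-enabled/ssl-test) is never read and never produces an error; the sample "apachectl -S" output, the file names it creates under mktemp, and the host name in the nc usage comment are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added diagnostic helpers for the failure mode in this thread (not from the thread
# or from httpd). Sample data below is constructed; real use is noted per function.

# --- Check 1: which files in sites-enabled does httpd never read? -------------------
# Debian/Ubuntu apache2.conf uses "IncludeOptional sites-enabled/*.conf", so a file
# without the .conf suffix (the thread shows sites-enabled/ssl-test) is silently skipped.
# Real use: unloaded_site_files /etc/apache2/sites-enabled
unloaded_site_files() {
    local dir="$1" f
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: the glob stays literal
        case "$f" in
            *.conf) ;;                     # matched by the include pattern, loaded
            *) printf '%s\n' "${f##*/}" ;; # never parsed, no error, no warning
        esac
    done
}

# --- Check 2: does "apachectl -S" list a vhost on the port? ------------------------
# Reads the -S output on stdin. Matches "*:8443  myserver (...)" lines, IP-bound
# "1.2.3.4:8443 ..." or "[::]:8443 ..." lines, and "port 8443 namevhost ..." entries.
# Real use: apache2ctl -S 2>/dev/null | vhost_listed_for_port 8443
vhost_listed_for_port() {
    local port="$1"
    grep -Eq "^[^[:space:]]*:${port}[[:space:]]|^[[:space:]]*port ${port} namevhost "
}

# --- Check 3: is the port answering TLS or cleartext HTTP? --------------------------
# Firefox reports ssl_error_rx_record_too_long when the bytes that came back are not a
# TLS record header; an "HTTP/1.1 400 Bad Request" answer to a ClientHello is the usual
# cause. Pipe the first bytes of a reply in; prints plaintext-http, tls or unknown.
# Real use: printf 'GET / HTTP/1.0\r\n\r\n' | nc -w 2 myserver 8443 | classify_reply
classify_reply() {
    local first
    first=$(head -c 5 | od -An -tx1 | tr -d ' \n')
    case "$first" in
        485454502f) echo plaintext-http ;;  # "HTTP/": mod_ssl is not active on the port
        15*|16*)    echo tls ;;             # 0x15 alert or 0x16 handshake record
        *)          echo unknown ;;
    esac
}

# Constructed sample of "apachectl -S" output: a vhost on 80 only, like the thread,
# where "VirtualHost configuration:" listed nothing for the SSL port.
sample_apachectl_s() {
    cat <<'EOF'
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server myserver (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost myserver (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
EOF
}

# Demo on constructed data (safe to run anywhere).
tmp=$(mktemp -d)
touch "$tmp/000-default.conf" "$tmp/ssl-test"   # constructed: the thread's file names
echo "files httpd would skip: $(unloaded_site_files "$tmp")"
rm -rf "$tmp"
for p in 80 8843; do
    if sample_apachectl_s | vhost_listed_for_port "$p"; then
        echo "port $p: a <VirtualHost> was parsed"
    else
        echo "port $p: no <VirtualHost> parsed; check file names against the include glob"
    fi
done
printf 'HTTP/1.1 400 Bad Request\r\n' | classify_reply    # plaintext-http
printf '\026\003\001\001\005' | classify_reply            # tls
```

Run the three checks in that order: a vhost missing from "apachectl -S" explains everything downstream, and only once it is listed is the TLS-versus-cleartext probe meaningful. Separately from loading, the key the original post generated with -newkey "rsa:512" is far below the 2048-bit minimum and should be regenerated before relying on the host.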
