Help with HTTPS/SSL apache configuration -- URL only working internally -- external clients timeout/dns error ?

Hi All -- Hope someone can see something obvious I've missed ?

* I've configured a self-signed certificate (using openssl package) and deployed it on an apache web server in our company.
I closely followed these instructions -- for our internal clients -- everything is working as expected.
http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL

* This server is in a DMZ -- and can be seen by external -- as well as our internal/intranet clients.
* Have not registered a domain name for this server -- we will after testing -- migrate an existing domain to this machine.
* Apache is setup using IP based virtual hosts -- and accessed from browsers by specifying the server's IP address.
  Have tried to hard code IP/internal hostname in some external client c:/winnt/system32...../hosts files -- no difference.
* I am using mod_rewrite -- to force several pages to HTTPS/SSL (i.e. somePage2.html)

From Internal/Intranet Client:
http://216.94.xxx.xxx/somePage1.html   <- Working OK
https://216.94.xxx.xxx/somePage2.html  <- Working OK -- prompted for "untrusted" certificate - self signed - no matching domain

From External Client:
http://216.94.xxx.xxx/somePage1.html   <- Working OK
https://216.94.xxx.xxx/somePage2.html  <- FAILS -- IE error Cannot find server (DNS error) -- Netscape error -- timeout

Can anyone suggest any reason why the external clients are failing to find the page ? I'm never prompted for the certificate -- and the page just times out....
I'm not sure if this is an Apache error -- or a DNS error ?  Is there something "picky" about SSL/HTTPS that requires reverse name resolution to work ?  I thought I should at least get prompted for an untrusted certificate download -- like the intranet clients ?  Not sure why my internal clients are working great -- but the external clients are failing.....

Here are the technical details -- and the apache configuration file.....
Really Hope someone can help me out.....  with thoughts, suggestion, explanation about what I might be seeing here ?

Thanks...

Apache Server Version: 2.0.53
OS System: Windows 2000 SP3
Clients Tested: MSIE v6.0.2800.1106 & Netscape 7.2
SSL: Self Signed Certificate -- Created on server hosting the apache machine

Relevant Apache Configuration Files Snippets:
=================================================
HTTP.CONF
=================================================
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

## Tried many combinations of following
ServerName 216.94.xxx.xxx:80
UseCanonicalName Off
HostnameLookups Off

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

<VirtualHost 216.94.xxx.xxx:80>
    ServerName www.xxx.com
    # ServerPath only has an effect in name-based virtual hosts; it is a no-op here
    ServerPath "E:/xxx/Apache2/sites/xxx"
    DocumentRoot "E:/xxx/Apache2/sites/xxx"
    DirectoryIndex index.htm index.html index.html.var
    ServerAdmin xxx@xxx.com
    ErrorLog "E:/xxx/Apache2/sites/xxx/logs/error.log"
    TransferLog "E:/xxx/Apache2/sites/xxx/logs/trace.log"

    # Send selected paths to HTTPS unless the request already arrived on port 443.
    # With UseCanonicalName Off, %{SERVER_NAME} comes from the client's Host header,
    # so a request for http://216.94.xxx.xxx/... is redirected to the same IP on https.
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(xxxDemo)(.*) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(xxxSys)(.*) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(.*)(enrol.htm$) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(.*)(transfer.htm$) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(.*)(orderrefill.htm$) https://%{SERVER_NAME}/$1$2
    RewriteLog E:/xxx/Apache2/logs/httpd_rewrite_log
    # Level 0 disables rewrite logging; raise it (e.g. 2) while debugging the redirects
    RewriteLogLevel 0
</VirtualHost>

<VirtualHost 216.94.xxx.xxx:443>
    ServerName www.xxx.com
    DocumentRoot "E:/xxx/Apache2/sites/xxx/xxx"
    DirectoryIndex index.htm index.html index.html.var
    ServerAdmin fmisa@pharmassist.ca
    ErrorLog "E:/xxx/Apache2/sites/xxx/logs/error.log"
    TransferLog "E:/xxx/Apache2/sites/xxx/logs/trace.log"
    SSLEngine on
    # Note: this list (the Apache 2.0 default of the day) admits SSLv2, export-grade,
    # LOW and even eNULL (unencrypted) suites; it has no bearing on the connectivity
    # problem described above, but should be tightened before production use.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "E:/xxx/Apache2/conf/ssl/server.crt"
    SSLCertificateKeyFile "E:/xxx/Apache2/conf/ssl/server.key"

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "E:/xxx/Apache2/cgi">
        SSLOptions +StdEnvVars
    </Directory>
    # Standard workaround for old MSIE SSL bugs (no keepalive, tolerate unclean shutdown)
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

=================================================
SSL.CONF
=================================================
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Listen 216.94.xxx.xxx:443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

# Only one SSLSessionCache directive is honoured (the last one read wins). The
# original file set it to dbm and then to none, which silently disabled the cache;
# the second directive is kept below, commented out, so the dbm cache is used.
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex default
# SSLSessionCache none

LogLevel info
ErrorLog logs/ssl.log
fmisaAsked:
periwinkleCommented:
You can have multiple SSL certs as long as you use IP-based virtual hosts.

In regard to the outside world not being able to access the SSL server -- Are you using a router or firewall that is blocking port 443 - i.e. have you allowed access to that port?
0
 
fmisaAuthor Commented:
Not even one response ?
Please let me know if the question is unclear ? or if I need to supply more information ?
I was hoping this would be easy -- for someone with more real-world apache experience ?

Hope to hear from someone soon.....

Thanks
0
 
jericotolentinoCommented:
Hi,

I don't know the answer to your question, but maybe you'll have a better chance of getting some information if you posted this in the Web Servers category (also under Web Dev) or in the Apache section of the Web Servers category. Just post a message in CS asking a moderator to move the question for you.
0
 
fmisaAuthor Commented:
Thanks for the suggestion....
I'll try that .....
0
 
ahoffmannCommented:
have you tried following?

<VirtualHost _default_:443>
0
 
ahoffmannCommented:
oops, another question:
  is your cert based on the name or the IP?
0
 
JackOfAll1Commented:
Next question:

Are there any errors in the logs?
0
 
fmisaAuthor Commented:
Thanks very much for replying.....
After reading some of your suggestions.... and checking the logs -- again -- I think perhaps I should regenerate the cert ?
Any thoughts on the following.....

>><VirtualHost _default_:443>
I'm using IP based naming for my virtual hosts.  Wouldn't this definition respond to all IPs ?
What are your thoughts ?

>> is your cert based on the name or the IP
I tried both -- not sure which is installed right now.... I believe it's based on IP.
I did this because the hostname is internal -- only -- and cannot be resolved by external DNS
Again -- this is just temporary...... I've already applied for a verisign certificate -- and we will be migrating an existing domain over to our own server soon.   So eventually the cert will be verisign -- and therefore based on a real domain name FQDN.

I just want SSL to work (even if it prompts with untrusted dialog/warning) with a self-signed certificate for my external clients -- the same way it currently works for my internal clients -- just for testing purposes.....  the clients will of course need to access by server IP only -- so I think I based the cert on the same IP as well.

>>Are there any errors in the logs
The following are the comments of interest in the error log for the virtual domain in question:
Note: transfer.htm  -- see last line -- would have been the page I requested via SSL....
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[error] [client 144.1.4.128] File does not exist: E:/xxx/Apache2/sites/xxx/images/main_xxx_bg.jpg, referer: http://216.94.xxx.xxx/index_flash.htm
[info] Connection to child 249 established (server www.xxx.com:443, client 144.1.4.128)
[info] Seeding PRNG with 136 bytes of entropy
[info] (70014)End of file found: SSL input filter read failed.
[info] Connection to child 249 closed with standard shutdown(server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 249 established (server www.xxx.com:443, client 144.1.4.128)
[info] Seeding PRNG with 136 bytes of entropy
[info] Initial (No.1) HTTPS request received for child 249 (server www.xxx.com:443)
[info] Connection to child 249 closed with unclean shutdown(server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 247 established (server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 246 established (server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 245 established (server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 248 established (server www.xxx.com:443, client 144.1.4.128)
[info] Seeding PRNG with 136 bytes of entropy
[info] Seeding PRNG with 136 bytes of entropy
[info] Seeding PRNG with 136 bytes of entropy
[info] Initial (No.1) HTTPS request received for child 246 (server www.xxx.com:443)
[info] Initial (No.1) HTTPS request received for child 248 (server www.xxx.com:443)
[error] [client 144.1.4.128] File does not exist: E:/xxx/Apache2/sites/xxx/layout.css, referer: https://216.94.xxx.xxx/transfer.htm
0
 
ahoffmannCommented:
> I did this because the hostname is internal -- only -- and cannot be resolved by external DNS
think that's your problem if you have name-based virtual host and/or name in the cert

> Wouldn't this definition respond to all IPs ?
yes but see http://httpd.apache.org/docs/mod/core.html#virtualhost
and keep in mind that you only can have *one* SSL as virtual host
0
 
fmisaAuthor Commented:
>> if you have name-based virtual host and/or name in the cert
I'll regenerate cert again with IP based -- should that fix the issue for the short-term.....
Until FQDN is valid -- and we go with issued cert ?

Please confirm -- what I'm trying to do -- with a self-signed certificate..... is possible right ?
You get a warning dialog -- but the pages should still resolve ?

>>keep in mind that you only can have *one* SSL as virtual host
I thought as long as the IP:PORT combination is unique -- then it's OK.....
As long as the "Listen" directive is also IP:PORT specific -- i.e. No blanket 443 or 80......

So -- for example
Listen xxx.xxx.xxx.111:443
Listen xxx.xxx.xxx.222:443
<virtualhost xxx.xxx.xxx.111:443>....
<virtualhost xxx.xxx.xxx.222:443>....

Please confirm..... isn't that the main advantage of using IP-based virtual host.....
I'll read over the docs/link you sent.....

Thanks
0
 
ahoffmannCommented:
> .. You get a warning dialog -- but the pages should still resolve ?
yes, that's ok

> As long as the "Listen" directive is also IP:PORT specific -- i.e. No blanket 443 or 80......
ok, if IP-based it should work, but they need to have their own name and you should have configured your httpd.conf in that way that httpd finds the IP-name mapping
0
 
fmisaAuthor Commented:
Sorry about the delay.....
I've been totally swamped at work....
I'll assign points right away....
0
 
fmisaAuthor Commented:
I'm sorry ahoffmann......
You made good points about the ServerName and other possible DNS/IP resolving issues......
I really appreciate your help......

I don't think serving the certificate -- signed with a different IP/name -- would prevent a client from seeing it ?
However,  the client is prompted with a warning that the certificate is "untrusted" or name/ip don't match.

In any case -- my issue was firewall related !!!
I made the wrong assumption about firewall rules being setup correctly for me.....

I should have checked here first.....

Thanks


0
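The thread's eventual answer (a firewall rule, not Apache or the certificate) can be confirmed from the client side without touching the server. The following diagnostic is an added example, not code posted by anyone in this thread; the only assumption is the IP and port you pass in (the DMZ server's address stands in for the masked 216.94.xxx.xxx), and it distinguishes a silently dropped port from an unbound port and from a broken SSL virtual host.

```python
"""Tell "firewall drops 443" apart from "SSL vhost broken" from the client side.
Added for this thread, not code anyone posted in it. Connect timeout means the
packets never reach Apache (firewall/NAT); refused means the host answers but
nothing is bound to that IP:port (check Listen); TCP ok plus handshake failure
means the :443 vhost is broken. A self-signed or name-mismatched certificate is
none of these: the handshake completes and the browser only warns."""
import socket
import ssl

FIREWALL = "timeout: connect unanswered; a firewall or NAT rule is likely dropping the port"
REFUSED = "refused: host reachable but nothing is listening on that IP:port"
TLS_FAIL = "tcp-ok/tls-failed: port open but the TLS handshake failed; check the :443 vhost"
TLS_OK = "tls-ok: handshake completed; any browser prompt is only the untrusted certificate"


def classify(exc):
    """Map the exception (None on success) raised by probe_https to a diagnosis."""
    if exc is None:
        return TLS_OK
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FIREWALL
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED
    if isinstance(exc, (ssl.SSLError, ConnectionResetError)):
        return TLS_FAIL
    return "other: %r" % (exc,)


def probe_https(ip, port=443, timeout=5.0):
    """TCP-connect, then attempt a TLS handshake with verification disabled:
    we ask whether the handshake works at all, not whether the cert is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=ip):
                return classify(None)
    except OSError as exc:  # timeout, refused, reset and ssl.SSLError all subclass OSError
        return classify(exc)


def free_loopback_port():
    """A loopback port with no listener, for exercising the 'refused' path offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `probe_https("<dmz-ip>")` once from the intranet and once from outside: a tls-ok inside and a timeout outside is exactly the firewall signature the author eventually found.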
 
ahoffmannCommented:
no worries, grading goes to the comments which helped you most, EE is not a contest ;-)
0
 
periwinkleCommented:
fmisa - I'm glad to have helped.  Ahoffmann is absolutely right - this site is about helping, not about being a contest - glad to have assisted you.
0