Solved

Help with HTTPS/SSL apache configuration -- URL only working internally -- external clients timeout/dns error ?

Posted on 2005-04-11
Last Modified: 2008-01-09
Hi All -- Hope someone can see something obvious I've missed ?

* I've configured a self-signed certificate (using openssl package) and deployed it on an apache web server in our company.
I closely followed these instructions -- for our internal clients -- everything is working as expected.
http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL

* This server is in a DMZ -- and can be seen by external -- as well as our internal/intranet clients.
* Have not registered a domain name for this server -- we will after testing -- migrate an existing domain to this machine.
* Apache is setup using IP based virtual hosts -- and accessed from browsers by specifying the server's IP address.
   Have tried to hard code IP/internal hostname in some external client c:/winnt/system32...../hosts files -- no difference.
* I am using mod_rewrite -- to force several pages to HTTPS/SSL (i.e. somePage2.html)

From Internal/Intranet Client:
http://216.94.xxx.xxx/somePage1.html  <-Working OK
https://216.94.xxx.xxx/somePage2.html<-Working OK -- prompted for "untrusted" certificate - self signed - no matching domain

From External Client:
http://216.94.xxx.xxx/somePage1.html    <-Working OK
https://216.94.xxx.xxx/somePage2.html  <-  FAILS --  IE error Cannot find server (DNS error) -- Netscape error -- timeout

Can anyone suggest any reason why the external clients are failing to find the page ? I'm never prompted for the certificate -- and the page just times out....
I'm not sure if this is an Apache error -- or a DNS error ?  Is there something "picky" about SSL/HTTPS that requires reverse name resolution to work ?  I thought I should at least get prompted for an untrusted certificate download -- like the intranet clients ?  Not sure why my internal clients are working great -- but the external clients are failing.....

Here are the technical details -- and the apache configuration file.....
Really Hope someone can help me out.....  with thoughts, suggestion, explanation about what I might be seeing here ?

Thanks...

Apache Server Version: 2.0.53
OS System: Windows 2000 SP3
Clients Tested: MSIE v6.0.2800.1106 & Netscape 7.2
SSL: Self Signed Certificate -- Created on server hosting the apache machine

Relevant Apache Configuration Files Snippets:
=================================================
HTTP.CONF
=================================================
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

## Tried many combinations of following
ServerName 216.94.xxx.xxx:80
UseCanonicalName Off
HostnameLookups Off

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

<VirtualHost 216.94.xxx.xxx:80>
    ServerName www.xxx.com
    ServerPath "E:/xxx/Apache2/sites/xxx"
    DocumentRoot "E:/xxx/Apache2/sites/xxx"
    DirectoryIndex index.htm index.html index.html.var
    ServerAdmin xxx@xxx.com
    ErrorLog "E:/xxx/Apache2/sites/xxx/logs/error.log"
    TransferLog "E:/xxx/Apache2/sites/xxx/logs/trace.log"
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(xxxDemo)(.*) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(xxxSys)(.*) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(.*)(enrol.htm$) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(.*)(transfer.htm$) https://%{SERVER_NAME}/$1$2
    RewriteRule ^/(.*)(orderrefill.htm$) https://%{SERVER_NAME}/$1$2
    RewriteLog E:/xxx/Apache2/logs/httpd_rewrite_log
    RewriteLogLevel 0
</VirtualHost>

<VirtualHost 216.94.xxx.xxx:443>
    ServerName www.xxx.com
    DocumentRoot "E:/xxx/Apache2/sites/xxx/xxx"
    DirectoryIndex index.htm index.html index.html.var
    ServerAdmin fmisa@pharmassist.ca
    ErrorLog "E:/xxx/Apache2/sites/xxx/logs/error.log"
    TransferLog "E:/xxx/Apache2/sites/xxx/logs/trace.log"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "E:/xxx/Apache2/conf/ssl/server.crt"
    SSLCertificateKeyFile "E:/xxx/Apache2/conf/ssl/server.key"

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "E:/xxx/Apache2/cgi">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

=================================================
SSL.CONF
=================================================
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Listen 216.94.xxx.xxx:443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

LogLevel info
ErrorLog logs/ssl.log
Question by:fmisa

Author Comment

by:fmisa
ID: 13758639
Not even one response ?
Please let me know if the question is unclear ? or if I need to supply more information ?
I was hoping this would be easy -- for someone with more real-world apache experience ?

Hope to hear from someone soon.....

Thanks
LVL 5

Expert Comment

by:jericotolentino
ID: 13759536
Hi,

I don't know the answer to your question, but maybe you'll have a better chance of getting some information if you posted this in the Web Servers category (also under Web Dev) or in the Apache section of the Web Servers category. Just post a message in CS asking a moderator to move the question for you.

Author Comment

by:fmisa
ID: 13759728
Thanks for the suggestion....
I'll try that .....
LVL 51

Expert Comment

by:ahoffmann
ID: 13765976
have you tried following?

<VirtualHost _default_:443>
LVL 51

Expert Comment

by:ahoffmann
ID: 13766063
oops, another question:
  is your cert based on the name or the IP?
LVL 2

Expert Comment

by:JackOfAll1
ID: 13767023
Next question:

Are there any errors in the logs?

Author Comment

by:fmisa
ID: 13768804
Thanks very much for replying.....
After reading some of your suggestions.... and checking the logs -- again -- I think perhaps I should regenerate the cert ?
Any thoughts on the following.....

>><VirtualHost _default_:443>
I'm using IP based naming for my virtual hosts.  Wouldn't this definition respond to all IPs ?
What are your thoughts ?

>> is your cert based on the name or the IP
I tried both -- not sure which is installed right now.... I believe it's based on IP.
I did this because the hostname is internal -- only -- and cannot be resolved by external DNS
Again -- this is just temporary...... I've already applied for a verisign certificate -- and we will be migrating an existing domain over to our own server soon.   So eventually the cert will be verisign -- and therefore based on a real domain name FQDN.

I just want SSL to work (even if it prompts with untrusted dialog/warning) with a self-signed certificate for my external clients -- the same way it currently works for my internal clients -- just for testing purposes.....  the clients will of course need to access by server IP only -- so I think I based the cert on the same IP as well.

>>Are there any errors in the logs
The following are the comments of interest in the error log for the virtual domain in question:
Note: transfer.htm  -- see last line -- would have been the page I requested via SSL....
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[info] Loading certificate & private key of SSL-aware server
[info] Configuring server for SSL protocol
[warn] RSA server certificate CommonName (CN) `Administrator' does NOT match server name!?
[error] [client 144.1.4.128] File does not exist: E:/xxx/Apache2/sites/xxx/images/main_xxx_bg.jpg, referer: http://216.94.xxx.xxx/index_flash.htm
[info] Connection to child 249 established (server www.xxx.com:443, client 144.1.4.128)
[info] Seeding PRNG with 136 bytes of entropy
[info] (70014)End of file found: SSL input filter read failed.
[info] Connection to child 249 closed with standard shutdown(server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 249 established (server www.xxx.com:443, client 144.1.4.128)
[info] Seeding PRNG with 136 bytes of entropy
[info] Initial (No.1) HTTPS request received for child 249 (server www.xxx.com:443)
[info] Connection to child 249 closed with unclean shutdown(server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 247 established (server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 246 established (server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 245 established (server www.xxx.com:443, client 144.1.4.128)
[info] Connection to child 248 established (server www.xxx.com:443, client 144.1.4.128)
[info] Seeding PRNG with 136 bytes of entropy
[info] Seeding PRNG with 136 bytes of entropy
[info] Seeding PRNG with 136 bytes of entropy
[info] Initial (No.1) HTTPS request received for child 246 (server www.xxx.com:443)
[info] Initial (No.1) HTTPS request received for child 248 (server www.xxx.com:443)
[error] [client 144.1.4.128] File does not exist: E:/xxx/Apache2/sites/xxx/layout.css, referer: https://216.94.xxx.xxx/transfer.htm
LVL 51

Expert Comment

by:ahoffmann
ID: 13769723
> I did this because the hostname is internal -- only -- and cannot be resolved by external DNS
think that's your problem if you have name-based virtual host and/or name in the cert

> Wouldn't this definition respond to all IPs ?
yes but see http://httpd.apache.org/docs/mod/core.html#virtualhost
and keep in mind that you only can have *one* SSL as virtual host

Author Comment

by:fmisa
ID: 13772402
>> if you have name-based virtual host and/or name in the cert
I'll regenerate cert again with IP based -- should that fix the issue for the short-term.....
Until FQDN is valid -- and we go with issued cert ?

Please confirm -- what I'm trying to do -- with a self-signed certificate..... is possible right ?
You get a warning dialog -- but the pages should still resolve ?

>>keep in mind that you only can have *one* SSL as virtual host
I thought as long as the IP:PORT combination is unique -- then it's OK.....
As long as the "Listen" directive is also IP:PORT specific -- i.e. No blanket 443 or 80......

So -- for example
Listen xxx.xxx.xxx.111:443
Listen xxx.xxx.xxx.222:443
<virtualhost xxx.xxx.xxx.111:443>....
<virtualhost xxx.xxx.xxx.222:443>....

Please confirm..... isn't that the main advantage of using IP-based virtual hosts.....
I'll read over the docs/link you sent.....

Thanks
LVL 15

Accepted Solution

by: periwinkle (earned 900 total points)
ID: 13772782
You can have multiple SSL certs as long as you use IP-based virtual hosts.

In regard to the outside world not being able to access the SSL server -- Are you using a router or firewall that is blocking port 443 - i.e. have you allowed access to that port?
LVL 51

Expert Comment

by:ahoffmann
ID: 13772815
> .. You get a warning dialog -- but the pages should still resolve ?
yes, that's ok

> As long as the "Listen" directive is also IP:PORT specific -- i.e. No blanket 443 or 80......
ok, if IP-based it should work, but they need to have their own name and you should have configured your httpd.conf in that way that httpd finds the IP-name mapping

Author Comment

by:fmisa
ID: 13950769
Sorry about the delay.....
I've been totally swamped at work....
I'll assign points right away....

Author Comment

by:fmisa
ID: 13950794
I'm sorry ahoffmann......
You made good points about the ServerName and other possible DNS/IP resolving issues......
I really appreciate your help......

I don't think serving the certificate -- signed with a different IP/name -- would prevent a client from seeing it ?
However,  the client is prompted with a warning that the certificate is "untrusted" or name/ip don't match.

In any case -- my issue was firewall related !!!
I made the wrong assumption about firewall rules being setup correctly for me.....

I should have checked here first.....

Thanks

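The thread ends with two distinct failure modes being told apart by hand: periwinkle asks whether a firewall is blocking port 443, and fmisa confirms the external timeouts were firewall rules, while the "untrusted certificate" prompt the internal clients saw is a separate, survivable condition. The following probe is an added example written for this page, not code from the thread or from Apache; it separates those stages from the client side (TCP connect, TLS handshake with verification off, then strict verification) so that a dropped port is never mistaken for a certificate problem. The host, ports, and the localhost listener it uses to demonstrate an open-but-not-TLS port are all constructed for the demo.

```python
import socket
import ssl
import threading


def probe_https(host, port=443, timeout=5.0):
    """Probe an HTTPS endpoint in three stages and report the first one that fails.

    stage "tcp":  plain TCP connect. A timeout here means packets are dropped before
                  they reach Apache (firewall/NAT/routing); browsers show this as
                  "cannot find server" or a plain timeout, never a certificate prompt.
    stage "tls":  TLS handshake with certificate checks switched off. Failing here means
                  the port is open but nothing is speaking TLS on it.
    stage "cert": the same handshake with normal verification. A self-signed cert or a
                  CN/IP mismatch fails here; that is the browser's "untrusted
                  certificate" warning, and the page still loads once accepted.
    """
    report = {"host": host, "port": port, "stage": None, "tls_reachable": False, "detail": ""}

    # Stage 1: can we even reach the port?
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        report.update(stage="tcp", detail="connect timed out; traffic to tcp/%d is being "
                      "dropped before it reaches the server (check firewall/NAT rules)" % port)
        return report
    except OSError as exc:
        report.update(stage="tcp", detail="connect failed: %s" % exc)
        return report

    # Stage 2: handshake with verification off, so a self-signed cert cannot mask a
    # transport problem. ssl.SSLError is a subclass of OSError, so one except suffices.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            negotiated = tls.version()
    except OSError as exc:
        report.update(stage="tls", detail="port open but TLS handshake failed: %s" % exc)
        return report
    report["tls_reachable"] = True

    # Stage 3: strict verification, the check a browser performs.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                strict.wrap_socket(raw, server_hostname=host):
            pass
    except ssl.SSLCertVerificationError as exc:
        report.update(stage="cert", detail="reachable over %s; certificate not trusted (%s): "
                      "browsers will warn but the page loads" % (negotiated, exc.verify_message))
        return report
    except OSError as exc:
        report.update(stage="cert", detail="second handshake failed: %s" % exc)
        return report

    report.update(stage="trusted", detail="reachable over %s with a trusted certificate" % negotiated)
    return report


def start_demo_listener(reply=b""):
    """Constructed for this example: a throwaway localhost listener that accepts one
    connection, sends `reply` and closes. It stands in for a port that is open but not
    running TLS (e.g. a plain HTTP listener on 443). Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if reply:
            conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Constructed for this example: a localhost port nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Demo against constructed local endpoints; point probe_https at a real
    # address:443 from an external network to reproduce the thread's test.
    print(probe_https("127.0.0.1", start_demo_listener(b"HTTP/1.0 200 OK\r\n\r\n")))
    print(probe_https("127.0.0.1", closed_port()))
```

Run it once from inside the DMZ and once from an outside client: if the inside run reaches stage "cert" with a not-trusted detail while the outside run stops at stage "tcp", the certificate is irrelevant and the filtering device in between is what to look at.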
LVL 51

Expert Comment

by:ahoffmann
ID: 13950855
no worries, grading goes to the comments which helped you most, EE is not a contest ;-)
LVL 15

Expert Comment

by:periwinkle
ID: 13951157
fmisa - I'm glad to have helped.  Ahoffmann is absolutely right - this site is about helping, not about being a contest - glad to have assisted you.