Solved

SSL on Apache; close but not quite running

Posted on 2006-03-29
Last Modified: 2010-03-04
I have Apache and OpenSSL and followed the instructions on this site: http://tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html

I ran these commands:

openssl genrsa -des3 -out filename.key 1024
openssl req -new -key filename.key -out filename.csr

I sent GeoTrust the csr and got my key back from them. I put the key in a file here:
/usr/local/apache2/conf/ssl.crt/filename.crt

My httpd.conf file has the following line:

<IfModule mod_ssl.c>
  Include conf/ssl.conf
</IfModule>

So I checked and modified (where necessary) the ssl.conf file so that it has the entries mentioned in this post: http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21597022.html?query=httpd.conf+ssl+%3Cvirtualhost&topics=110

Stopped and started the server by running:

httpd stop
httpd startssl
httpd restart

When I go to https://my.domain.com it gives me the "page cannot be displayed" error yet http://my.domain.com works fine.

Ideas?
Question by:bfilipek
17 Comments
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16329942
first check error.log file: what does it say ? send it here
 

Author Comment

by:bfilipek
ID: 16332768
I can't find error.log. I did a "locate error.log" and it came back with nothing.
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16335013
usually it is in /usr/local/apache2/logs directory
 

Author Comment

by:bfilipek
ID: 16335064
[root@SRVWEB logs]# cat error_log
[Tue Dec 28 18:01:25 2004] [notice] Apache/2.0.52 (Unix) configured -- resuming normal operations
[Tue Dec 28 18:03:29 2004] [notice] caught SIGTERM, shutting down
[Tue Dec 28 18:03:33 2004] [notice] Apache/2.0.52 (Unix) configured -- resuming normal operations
[Tue Jan 04 10:51:52 2005] [notice] caught SIGTERM, shutting down
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16335574
could you also send ssl.conf file content
 

Author Comment

by:bfilipek
ID: 16335726
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# Everything inside this block is only read when httpd is started with
# the SSL define (apachectl startssl / httpd -DSSL); a plain start or
# restart skips it entirely, so nothing listens on 443 and nothing is logged
<IfDefine SSL>
Listen 443
# MIME types for serving certificates and CRLs; these are the stock mod_ssl
# values (the "AddType application/filename.crt" lines as posted were not
# valid directives and would fail the syntax check)
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
# "builtin" prompts on the console for the passphrase of the DES3-encrypted
# filename.key at every start, so an unattended restart will hang
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName myweb.mydomain.com:443
ServerAdmin webmaster@somewhere.com
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
SSLEngine on
# Apache 2.0's shipped default list; it still admits eNULL, LOW, EXP and
# SSLv2 and should be tightened on any exposed host
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server certificate (PEM) and the private key the CSR was generated from
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/filename.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/filename.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
 
LVL 23

Expert Comment

by:rama_krishna580
ID: 16344345
 

Author Comment

by:bfilipek
ID: 16383943
So what is wrong with my ssl.conf file?
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16387092
In your first mail you said that you followed the FAQ from tldp.org. But if you check that FAQ then you should see that the config file is a little bit different.
in your config file you have
<VirtualHost _default_:443>

replace _default_  by your server's IP address. Eg.:
<VirtualHost xxx.xxx.xxx.xx:443>

Also remove :443 from ServerName directive:
ServerName myweb.mydomain.com
Also you don't have
SSLCACertificateFile  directive which point to CA bundle file.
As it is mentioned in faq which you used: "The directives that are the most important for SSL are the SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile, and in many cases SSLCACertificateFile directives."
 

Author Comment

by:bfilipek
ID: 16391920
ramazanyich,

- I changed the <VirtualHost _default_:443> to my IP as you suggested <VirtualHost 111.222.333.444:443>
- I removed :443 from the ServerName directive.
- I ran: apachectl stop, apachectl startssl, apachectl restart

And it still does not work.

Is the SSLCACertificateFile required? I did not receive anything like that from GeoTrust when I purchased the SSL cert.

Thanks for sticking with me on this, I must be very close to getting it to work.


ps thanks administrator.
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16409218
Is the certificate you received PEM encoded? Could you send it to my personal mailbox?
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16409233
Could you also send the result of executing the following command:
>httpd -V
it will show all modules that are compiled for your apache installation
 

Author Comment

by:bfilipek
ID: 16430548
Not sure how to tell if it is PEM encoded. I am going to guess not.

I ran httpd -V and all it gave me was "service ver. 0.91"
 
LVL 19

Expert Comment

by:ramazanyich
ID: 16431599
It seems that during startup SSL variable is not defined.
Try to run:
>/usr/local/apache2/bin/apachectl startssl
 

Author Comment

by:bfilipek
ID: 16500210
Well at this point I am going to uninstall and start fresh. I can't get it to work. Please close this post.
 

Author Comment

by:bfilipek
ID: 16586343
Well it's working now. I had to change a few lines in the httpd.conf file. The VirtualHost was set to the IP address, so I changed it to *:80.

Then I changed:
Listen x.x.x.x:80 (x's were the IP address)
to
Listen 0.0.0.0:80

In ssl.conf I changed:
Listen x.x.x.x:443 (x's were the IP address)
to
Listen 0.0.0.0:443

All good now.
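The script below is an added example, not code from this thread or from Apache. It turns the two diagnoses that mattered here into checks that can be run on the server before a restart: ramazanyich's point that the whole <IfDefine SSL> block is skipped unless httpd is started with the SSL define (and that the `httpd` found on PATH was not the Apache binary, so the full path is used first), and bfilipek's final fix of making the Listen and VirtualHost addresses agree. It also answers the earlier PEM and key-match questions with openssl. The sample configs, the throwaway key and certificate, the host names and addresses, and the path /usr/local/apache2/bin/httpd (taken from the thread) are all assumptions or constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an Apache
# mod_ssl virtual host like the one above. Sample configs, key/cert, host
# names and addresses below are constructed; the httpd path is assumed.
set -u

# 1. mod_ssl wants PEM. A PEM certificate is Base64 text between
#    BEGIN/END CERTIFICATE lines; a DER (binary) file has no such markers.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# 2. SSLCertificateKeyFile must be the key the CSR was generated from.
#    Compare RSA moduli: 0 = match, 1 = mismatch/unreadable, 2 = no openssl.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    km=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# 3. The fix that closed the thread: every <VirtualHost addr:port> needs a
#    Listen for that port on the same address, on 0.0.0.0, or on all
#    addresses (bare "Listen 443"). _default_ and * mean "any address".
#    Prints each uncovered vhost; returns 1 if there is one.
listen_covers_vhosts() {
    awk '
      function norm(a) { return (a == "0.0.0.0" || a == "*" || a == "_default_") ? "*" : a }
      function split_spec(s) {          # sets ADDR/PORT from addr:port, port or addr
          if (s ~ /:[0-9]+$/)      { ADDR = s; sub(/:[0-9]+$/, "", ADDR); PORT = s; sub(/^.*:/, "", PORT) }
          else if (s ~ /^[0-9]+$/) { ADDR = "*"; PORT = s }
          else                     { ADDR = s; PORT = "*" }
      }
      /^[ \t]*Listen[ \t]+/ { split_spec($2); n++; la[n] = norm(ADDR); lp[n] = PORT }
      /^[ \t]*<VirtualHost[ \t]+/ {
          s = $2; sub(/>.*$/, "", s); split_spec(s)
          m++; vs[m] = s; va[m] = norm(ADDR); vp[m] = PORT
      }
      END {
          for (j = 1; j <= m; j++) {
              ok = 0
              for (i = 1; i <= n; i++)
                  if ((vp[j] == "*" || lp[i] == vp[j]) &&
                      (va[j] == "*" || la[i] == "*" || la[i] == va[j])) ok = 1
              if (!ok) { print "no Listen covers <VirtualHost " vs[j] ">"; bad = 1 }
          }
          exit bad + 0
      }' "$1"
}

# 4. <IfDefine SSL> is only parsed with the SSL define, so ask the real
#    binary (full path first: the thread's bare "httpd -V" hit something
#    else on PATH) to syntax-check and dump the vhosts it will configure.
#    Returns 2 if no httpd is found.
show_ssl_vhosts() {
    h=/usr/local/apache2/bin/httpd           # assumed path, as in the thread
    [ -x "$h" ] || h=$(command -v httpd 2>/dev/null) || return 2
    "$h" -t -D SSL && "$h" -S -D SSL
}

# 5. After a start, is anything bound to the port at all? 2 = no tool.
port_is_listening() {
    if command -v ss >/dev/null 2>&1; then ss -ltn 2>/dev/null | grep -q ":$1 "
    elif command -v netstat >/dev/null 2>&1; then netstat -ltn 2>/dev/null | grep -q ":$1 "
    else return 2; fi
}

# Demo on constructed input: the thread's original pairing, and a broken one
tmp=$(mktemp -d)
printf 'Listen 443\n<VirtualHost _default_:443>\nSSLEngine on\n</VirtualHost>\n' > "$tmp/ok.conf"
printf 'Listen 192.0.2.5:443\n<VirtualHost 192.0.2.6:443>\n</VirtualHost>\n' > "$tmp/bad.conf"
listen_covers_vhosts "$tmp/ok.conf"  && echo "ok.conf: vhost is covered"
listen_covers_vhosts "$tmp/bad.conf" || echo "bad.conf: fix Listen or the vhost address"

if command -v openssl >/dev/null 2>&1; then
    # Throwaway self-signed pair standing in for filename.key / filename.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=myweb.mydomain.com \
        -keyout "$tmp/t.key" -out "$tmp/t.crt" 2>/dev/null
    is_pem_cert "$tmp/t.crt" && echo "t.crt is PEM"
    key_matches_cert "$tmp/t.key" "$tmp/t.crt" && echo "key matches certificate"
fi
show_ssl_vhosts 2>/dev/null || echo "no usable httpd here; run on the server"
port_is_listening 443 && echo "something is listening on 443"
rm -rf "$tmp"
```

Run it as root on the web server after editing ssl.conf; `show_ssl_vhosts` is the part that would have exposed this thread's problem, since a vhost that exists only inside <IfDefine SSL> shows up in the `-S` dump with `-D SSL` and disappears without it. `listen_covers_vhosts` only checks that the directives agree with each other; it does not check that a Listen IP is actually configured on the host, which is the case `Listen 0.0.0.0:443` sidesteps.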
 

Accepted Solution

by:
GranMod earned 0 total points
ID: 16791751
PAQed with points refunded (500)

GranMod
Community Support Moderator
