bfilipek
asked on
SSL on Apache; close but not quite running
I have Apache and OpenSSL and followed the instructions on this site: http://tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html
I ran these commands:
openssl genrsa -des3 -out filename.key 1024
openssl req -new -key filename.key -out filename.csr
I sent GeoTrust the csr and got my key back from them. I put the key in a file here:
/usr/local/apache2/conf/ssl.crt/filename.crt
My httpd.conf file has the following line:
<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>
So I checked and modified (where necessary) the ssl.conf file so that it has the entries mentioned in this post: https://www.experts-exchange.com/questions/21597022/Apache-SSL-https.html
Stopped and started the server by running:
httpd stop
httpd startssl
httpd restart
When I go to https://my.domain.com it gives me the "page cannot be displayed" error yet http://my.domain.com works fine.
Ideas?
First check the error.log file: what does it say? Send it here.
ASKER
I can't find error.log. I did a "locate error.log" and it came back with nothing.
Usually it is in the /usr/local/apache2/logs directory.
ASKER
[root@SRVWEB logs]# cat error_log
[Tue Dec 28 18:01:25 2004] [notice] Apache/2.0.52 (Unix) configured -- resuming normal operations
[Tue Dec 28 18:03:29 2004] [notice] caught SIGTERM, shutting down
[Tue Dec 28 18:03:33 2004] [notice] Apache/2.0.52 (Unix) configured -- resuming normal operations
[Tue Jan 04 10:51:52 2005] [notice] caught SIGTERM, shutting down
Could you also send the ssl.conf file content?
ASKER
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
# AddType takes a MIME type followed by one or more extensions; the posted
# single-argument form ("AddType application/filename.crt") is rejected by
# httpd -t. These are the stock Apache 2.0 ssl.conf values.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName myweb.mydomain.com:443
ServerAdmin webmaster@somewhere.com
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/filename.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/filename.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache2/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
ASKER
So what is wrong with my ssl.conf file?
In your first mail you said that you followed the FAQ from tldp.org. But if you check that FAQ, you should see that the config file is a little bit different.
in your config file you have
<VirtualHost _default_:443>
replace _default_ by your server's IP address. Eg.:
<VirtualHost xxx.xxx.xxx.xx:443>
Also remove :443 from ServerName directive:
ServerName myweb.mydomain.com
Also, you don't have the SSLCACertificateFile directive, which points to the CA bundle file.
As it is mentioned in faq which you used: "The directives that are the most important for SSL are the SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile, and in many cases SSLCACertificateFile directives."
ASKER
ramazanyich,
- I changed the <VirtualHost _default_:443> to my IP as you suggested <VirtualHost 111.222.333.444:443>
- I removed :443 from the ServerName directive.
- I ran: apachectl stop, apachectl startssl, apachectl restart
And it still does not work.
Is the SSLCACertificateFile required? I did not receive anything like that from GeoTrust when I purchased the SSL cert.
Thanks for sticking with me on this, I must be very close to getting it to work.
PS: thanks, administrator.
Is the certificate you received PEM encoded? Could you send it to my personal mailbox?
Could you also send the result of executing the following command:
>httpd -V
It will show all modules that are compiled into your apache installation.
ASKER
Not sure how to tell if it is PEM encoded. I am going to guess not.
I ran httpd -V and all it gave me was "service ver. 0.91"
It seems that during startup the SSL variable is not defined.
Try to run:
>/usr/local/apache2/bin/apachectl startssl
ASKER
Well at this point I am going to uninstall and start fresh. I cant get it to work. Please close this post.
ASKER
Well it's working now. I had to change a few lines in the httpd.conf file. The VirtualHost was set to the IP address, so I changed it to *:80.
Then I changed:
Listen x.x.x.x:80 (x's were the IP address)
to
Listen 0.0.0.0:80
In ssl.conf I changed:
Listen x.x.x.x:443 (x's were the IP address)
to
Listen 0.0.0.0:443
All good now.