bfilipek

asked on

SSL on Apache; close but not quite running

I have Apache and OpenSSL and followed the instructions on this site: http://tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html

I ran these commands:

openssl genrsa -des3 -out filename.key 1024
openssl req -new -key filename.key -out filename.csr

I sent GeoTrust the csr and got my key back from them. I put the key in a file here:
/usr/local/apache2/conf/ssl.crt/filename.crt

My httpd.conf file has the following line:

<IfModule mod_ssl.c>
  Include conf/ssl.conf
</IfModule>

So I checked and modified (where necessary) the ssl.conf file so that it has the entries mentioned in this post: https://www.experts-exchange.com/questions/21597022/Apache-SSL-https.html

Stopped and started the server by running:

httpd stop
httpd startssl
httpd restart

When I go to https://my.domain.com it gives me the "page cannot be displayed" error yet http://my.domain.com works fine.

Ideas?
ramazanyich

First check the error.log file: what does it say? Send it here.
bfilipek

ASKER

I can't find error.log. I did a "locate error.log" and it came back with nothing.
Usually it is in the /usr/local/apache2/logs directory.
[root@SRVWEB logs]# cat error_log
[Tue Dec 28 18:01:25 2004] [notice] Apache/2.0.52 (Unix) configured -- resuming normal operations
[Tue Dec 28 18:03:29 2004] [notice] caught SIGTERM, shutting down
[Tue Dec 28 18:03:33 2004] [notice] Apache/2.0.52 (Unix) configured -- resuming normal operations
[Tue Jan 04 10:51:52 2005] [notice] caught SIGTERM, shutting down
Could you also send the ssl.conf file content?
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/filename.crt
AddType application/filename.crl
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName myweb.mydomain.com:443
ServerAdmin webmaster@somewhere.com
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/filename.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/filename.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
So what is wrong with my ssl.conf file?
In your first mail you said that you followed the FAQ from tldp.org. But if you check that FAQ then you should see that the config file is a little bit different.
In your config file you have:
<VirtualHost _default_:443>

Replace _default_ by your server's IP address. E.g.:
<VirtualHost xxx.xxx.xxx.xx:443>

Also remove :443 from ServerName directive:
ServerName myweb.mydomain.com
Also you don't have the SSLCACertificateFile directive, which points to the CA bundle file.
As it is mentioned in faq which you used: "The directives that are the most important for SSL are the SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile, and in many cases SSLCACertificateFile directives."
ramazanyich,

- I changed the <VirtualHost _default_:443> to my IP as you suggested <VirtualHost 111.222.333.444:443>
- I removed :443 from the ServerName directive.
- I ran: apachectl stop, apachectl startssl, apachectl restart

And it still does not work.

Is the SSLCACertificateFile required? I did not receive anything like that from GeoTrust when I purchased the SSL cert.

Thanks for sticking with me on this, I must be very close to getting it to work.


PS: thanks, administrator.
Is the received certificate PEM encoded? Could you send it to my personal mailbox?
Could you also send the result of executing the following command:
>httpd -V
It will show all modules that are compiled for your Apache installation.
Not sure how to tell if it is PEM encoded. I am going to guess not.

I ran httpd -V and all it gave me was "service ver. 0.91"
It seems that during startup the SSL variable is not defined.
Try to run:
>/usr/local/apache2/bin/apachectl startssl
Well at this point I am going to uninstall and start fresh. I can't get it to work. Please close this post.
Well it's working now. I had to change a few lines in the httpd.conf file. The VirtualHost was set to the IP address, so I changed it to *:80.

Then I changed:
Listen x.x.x.x:80 (x's were the IP address)
to
Listen 0.0.0.0:80

In ssh.conf I changed:
Listen x.x.x.x:443 (x's were the IP address)
to
Listen 0.0.0.0:443

All good now.
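A small diagnostic script for the two points that went unresolved in the thread above: whether the file GeoTrust returned is PEM or DER encoded, and whether the 443 listener only exists when httpd is started with the SSL define (apachectl startssl). This is an added example, not code from any post; the function names and the PEM/DER/IFDEFINE/ALWAYS/NONE result strings are my own.

```shell
#!/bin/sh
# Diagnostics for an Apache 2.0 mod_ssl setup (example code, not from the thread).

# Print PEM, DER or UNKNOWN for a certificate file, judged by its leading bytes.
# mod_ssl's SSLCertificateFile expects PEM; a DER file from a CA must be converted
# first (openssl x509 -inform DER -in cert.der -out cert.pem).
cert_format() {
  f="$1"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
    echo PEM
  elif [ "$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    echo DER
  else
    echo UNKNOWN
  fi
}

# Report how the port-443 Listen is declared in a config file:
#   IFDEFINE - inside <IfDefine SSL>, so it only takes effect with -DSSL
#   ALWAYS   - unconditional Listen on 443
#   NONE     - no Listen on 443 at all (https will never answer)
listen443_mode() {
  awk '
    { line = tolower($0) }
    line ~ /^[ \t]*<ifdefine[ \t]+ssl[ \t]*>/ { depth++; next }
    line ~ /^[ \t]*<\/ifdefine>/ { if (depth > 0) depth--; next }
    line ~ /^[ \t]*listen[ \t]/ {
      if ($2 ~ /(^|:)443$/) found = (depth > 0) ? "IFDEFINE" : "ALWAYS"
    }
    END { print (found == "" ? "NONE" : found) }
  ' "$1"
}

# Confirm the certificate was issued for the key in SSLCertificateKeyFile by
# comparing RSA moduli. Prompts for the pass phrase if the key is DES3-encrypted.
cert_key_match() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ] && echo MATCH || echo MISMATCH
}

# Usage: ./ssl-diag.sh ssl.conf filename.crt filename.key
if [ "$#" -eq 3 ]; then
  echo "listen 443: $(listen443_mode "$1")"
  echo "cert format: $(cert_format "$2")"
  echo "cert/key:    $(cert_key_match "$2" "$3")"
fi
```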
ASKER CERTIFIED SOLUTION
GranMod