  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 765

ssl certificate installation

Hello!!
I have a dedicated web server with Red Hat Enterprise 4, Apache 1.3 with OpenSSL. I want to install an SSL certificate for one of my domains hosted on this server.
I have created the CSR and private key, submitted that CSR to VeriSign and got the certificate.
I have made the necessary changes to httpd.conf but I am unable to use https://www.mysite.com
I get "cannot find server".
I have read that if you provide a passphrase during the creation of the private key, then every time Apache is started it asks for that passphrase. But when I restart httpd, it does not ask me for the passphrase.
Following are the lines that I have added to my httpd.conf file:


<IfDefine SSL>

##
## SSL Virtual Host Context
##

<VirtualHost 74.53.207.162:443>
ServerAlias mysite.com
ServerAdmin webmaster@mysite.com
DocumentRoot /home/myuser/public_html
BytesLog domlogs/mysite.com-bytes_log
User myuser
Group myuser
ServerName www.mysite.com

User myuser
Group myuser
CustomLog /usr/local/apache/domlogs/mysite.com combined
ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/www.mysite.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.mysite.com.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/verisign.crt
</VirtualHost>

</IfDefine>

What should I do to fix the problem?
Asked:
SadafRasheed
1 Solution
 
karlwilbur Commented:
You need to have a:
Listen 443

outside of the VirtualHost block (i.e. in the main server config)

Also, I have never used the "<IfDefine>" around my SSL VirtualHost config. I have always just dropped it in. Here is a working example for an installation where there is only one https server on the box:

********************************
******* httpd.conf ***********
********************************
<IfModule mod_ssl.c>
     Include conf/ssl.conf
</IfModule>

Include vhosts/*.conf
********************************


********************************
******* conf/ssl.conf ********
********************************
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
    SSLSessionCacheTimeout  300
    SSLMutex  file:/usr/local/apache2/logs/ssl_mute
</IfDefine>
********************************


********************************
*** vhosts/secure.conf ****
********************************
<VirtualHost *:443>
        ServerName secure.domain.tld
        ServerAdmin webmaster@domain.tld
        DocumentRoot "/path/to/htdocs"
        ScriptAlias /cgi-bin/ "/path/to/cgi-bin/"
        SSLEngine On
        SSLCertificateFile /path/to/ssl/crt
        SSLCertificateKeyFile /path/to/ssl/key
        SSLCertificateChainFile /path/to/ssl/sf_issuing.crt
        <Directory "/path/to/htdocs">
                Options FollowSymLinks
                SSLOptions +StdEnvVars
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        <Directory "/path/to/cgi-bin">
                Options None
                SSLOptions +StdEnvVars
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /path/to/logs/error
        CustomLog /path/to/logs/access combined
        CustomLog /path/to/logs/ssl "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
        LogLevel debug
</VirtualHost>
********************************
 
SadafRasheed Author Commented:
Yes, all these lines are there in httpd.conf.
If I don't use <IfDefine SSL> before the virtual host block I get a syntax error for all of the following lines. I searched the net and found that this is necessary.
        SSLEngine On
        SSLCertificateFile /path/to/ssl/crt
        SSLCertificateKeyFile /path/to/ssl/key
        SSLCertificateChainFile /path/to/ssl/sf_issuing.crt
 
karlwilbur Commented:
OK. Then it looks like your Apache was not compiled with SSL enabled and is not loading the SSL module. You'll need to load the SSL module by placing this in the main server config:
LoadModule ssl_module path/to/libssl.so

For more information on mod_ssl check out:
http://www.modssl.org/

 
SadafRasheed Author Commented:
I have these lines in my httpd.conf

<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
and also when I visit my IP address using a web browser I get this message:
"If you can see this page, then the people who manage this server have installed cPanel and WebHost Manager (WHM) which use the Apache Web server software and the Apache Interface to OpenSSL (mod_ssl) successfully."

Doesn't that mean that ssl_module is loaded, or do I still need to do that?
 
karlwilbur Commented:
I don't know about WHM and cPanel; I'd never use them. Nothing beats good old bash: "karl@host ~# "

But what you are saying would indicate that mod_ssl is set up correctly.

You mentioned a passphrase in your original post. Did you use a passphrase with the key creation? If so, then yes, you will have to enter the passphrase at server startup. Apache will not start without it.

As for the AddModule vs LoadModule:
"The AddModule and ClearModuleList directives no longer exist. These directives were used to ensure that modules could be enabled in the correct order. The new Apache 2.0 API allows modules to explicitly specify their ordering, eliminating the need for these directives."
From: http://httpd.apache.org/docs/2.0/upgrading.html

That is my mistake. I was thinking Apache 2, but in your original post you clearly stated Apache 1.3.

If Apache is working when accessed by IP address, could it be a DNS issue? Is this a new domain? New host?

Can you 'dig' it? 'nslookup'?
dig host.domain.tld
nslookup host.domain.tld

 
SadafRasheed Author Commented:
Confirmed, mod_ssl is built in. When I entered the following line in my httpd.conf file
LoadModule ssl_module         /usr/local/ssl/libssl.so
and did an "apachectl configtest"
I got an error that says
module ssl_module is built-in and can't be loaded

The domain is working fine. It's not a new domain.

If I use apachectl startssl
then it asks me for a passphrase. After I enter the passphrase it says

./apachectl startssl: httpd could not be started

Where should I check for error messages?

Apache starts properly if I run this command
apachectl start

 
karlwilbur Commented:
Check the Apache error log file:
/var/log/apache/error_log
 
SadafRasheed Author Commented:
Hmm, did that.
At first I was getting
No such file or directory: could not open transfer log file /usr/local/apache/var/log/ssl_request_log.

After changing the httpd.conf, restarting and checking the error_log again I was getting

 [error] mod_ssl: Init: (www.mysite.com:443) Failed to configure CA certificate chain!

Then I re-downloaded the VeriSign intermediate certificate,
restarted it and finally it started without any error :)
Thanks a lot for your help :)
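
Added example (not part of the original thread and not code from any participant): a pre-flight check with the openssl command line for the three files the VirtualHost names, covering the passphrase-protected key and the unusable chain file that came up above. The function names, verdict strings and the throwaway root/intermediate/leaf hierarchy are this example's own constructions.

```shell
#!/bin/sh
# Added example; every file, subject and path below is constructed test data.

# Print one verdict for the files named by SSLCertificateFile ($1),
# SSLCertificateKeyFile ($2) and SSLCertificateChainFile ($3), given a root ($4).
check_tls_files() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo cert-unreadable; return 1; }
    # An encrypted key is why the server prompts for a passphrase at start-up.
    if grep -q ENCRYPTED "$2"; then echo key-needs-passphrase; return 1; fi
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || { echo key-unreadable; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo key-mismatch; return 1; }
    # A truncated or otherwise damaged download fails to parse here.
    openssl x509 -in "$3" -noout 2>/dev/null || { echo chain-unreadable; return 1; }
    # Match on ": OK" because older OpenSSL releases exit 0 even when verify fails.
    openssl verify -CAfile "$4" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$' \
        || { echo chain-invalid; return 1; }
    echo ok
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    openssl req -x509 -config "$d/o.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Root" -days 2 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    for n in int leaf; do
        openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/o.cnf" -extensions ca -days 2 -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.crt" 2>/dev/null
    head -n 5 "$d/int.crt" > "$d/int-truncated.crt"   # simulates a damaged download
}

# Demo: the same leaf and key against a good, a truncated and a wrong chain file.
d=$(mktemp -d) && make_demo_pki "$d"
for chain in int.crt int-truncated.crt root.crt; do
    echo "$chain: $(check_tls_files "$d/leaf.crt" "$d/leaf.key" "$d/$chain" "$d/root.crt")"
done
```

Against a real server, pass the paths from the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives plus the CA's root certificate.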