HTTPS is not working on my server

Hi.

I got the .crt file from my CA and I already had the .key file which I used for the CSR. I added the .crt and .key file in my httpd.conf and restarted it. Now when I telnet the host it accepts the connection, but when I use https from the browser it says unable to connect, and when I use http with :443 it says Bad request.

Can anyone tell me what am I missing?
Shahzad Fateh Ali (Web Solutions Architect & Technical Project Manager, VentureDive (Pvt) Ltd) asked:

Steve Bink commented:
Post your conf files.
Tintin commented:
When you telnet, are you using the hostname or IP address?
Shahzad Fateh Ali (Author) commented:
@routinet:  Conf files are attached
@Tintin: I use the system name as the system is on our LAN. Also, after the telnet connect I tried to GET the content of any file; it responded with 'Bad server request'.

Complete error was:

"Your browser (or proxy) sent a request that this server could not understand.
If you think this is a server error, please contact the webmaster."
listen-conf.txt
vhost-conf.txt

Steve Bink commented:
When you get the bad request, are you using http:// or https://?  You should not be able to telnet your request to the server since telnet does not establish the SSL session.  You can use the openssl command line client to test, though.

If you ping the name, does it resolve?  What happens if you try to browse to the SSL site by IP?

You have a custom log for SSL.  What entries are generated with each connection attempt or server startup?
Shahzad Fateh Ali (Author) commented:
I tried to connect using openssl and here is what I got.

# openssl s_client -connect lvpal145:443

CONNECTED(00000003)
depth=0 /C=DE/O=SAP-AG/OU=Kaleido/CN=lvpal145
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=SAP-AG/OU=Kaleido/CN=lvpal145
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=SAP-AG/OU=Kaleido/CN=lvpal145
verify error:num=21:unable to verify the first certificate
verify return:1
29135:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
29135:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:


Steve Bink commented:
What permissions do you have on the files?  Double-check the spelling of the path and filename of the certificate and private key (SSLCertificateFile and SSLCertificateKeyFile).  Do you see any errors in your Apache logs (or console) when you manually restart the service?
Shahzad Fateh Ali (Author) commented:
I have found the following lines related to SSL in error_log:

[Wed Apr 07 07:27:54 2010] [notice] Apache/2.2.3 (Linux/SUSE) configured -- resuming normal operations
[Wed Apr 07 07:28:43 2010] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[Wed Apr 07 23:07:11 2010] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[Wed Apr 07 23:07:18 2010] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[Wed Apr 07 23:17:59 2010] [error] [client 10.48.130.49] Invalid method in request \x16\x03\x01
[Wed Apr 07 23:28:28 2010] [notice] caught SIGTERM, shutting down
[Wed Apr 07 23:29:01 2010] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Wed Apr 07 23:29:01 2010] [warn] RSA server certificate CommonName (CN) `lvpal145' does NOT match server name!?
[Wed Apr 07 23:29:01 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Apr 07 23:29:02 2010] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Wed Apr 07 23:29:02 2010] [warn] RSA server certificate CommonName (CN) `lvpal145' does NOT match server name!?

Also, I do not get any error when I restart the Apache service from the command line.


Steve Bink commented:
You are requiring client verification in your SSL setup.  That means you are requesting a certificate from the user, which you will verify against your own CAs.  Check your vhost.conf for the appropriate lines (looks like 107 and 108).  

Also, make sure you have the proper permissions on your certificate file.  Both the key and the cert need to be readable by the web user.
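The two warnings in the error_log above (client authentication requested with no CA known, and a certificate CN that does not match the server name) are both detectable from the vhost configuration alone. The following is an added example, not code from this thread or from Apache: a small Python audit of a constructed vhost fragment that reproduces the thread's symptoms (the paths and ServerName are made up; "lvpal145" is the CN from the log).

```python
import re

# Constructed sample vhost fragment that mirrors the thread's symptoms:
# client verification is requested but no CA certificate is configured,
# and the ServerName does not match the certificate CN (lvpal145).
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName lvpal145.example.lan
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/lvpal145.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/lvpal145.key
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
"""

# Matches "Directive value" lines for SSL* directives and ServerName.
DIRECTIVE = re.compile(r"^\s*(SSL\w+|ServerName)\s+(.+?)\s*$", re.MULTILINE)


def parse_directives(conf):
    """Collect SSL* and ServerName directives into a dict (last value wins)."""
    return {m.group(1): m.group(2) for m in DIRECTIVE.finditer(conf)}


def audit_ssl_vhost(conf, cert_cn):
    """Return a list of findings explaining why the TLS handshake would fail."""
    d = parse_directives(conf)
    findings = []
    if d.get("SSLEngine", "off").lower() != "on":
        # Port 443 would speak plain HTTP; a TLS ClientHello then shows up in
        # error_log as "Invalid method in request \x16\x03\x01".
        findings.append("SSLEngine is not on for this vhost")
    for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if needed not in d:
            findings.append(f"{needed} is missing")
    verify = d.get("SSLVerifyClient", "none").lower()
    if verify in ("require", "optional") and not (
            "SSLCACertificateFile" in d or "SSLCACertificatePath" in d):
        findings.append("SSLVerifyClient %s but no SSLCACertificateFile/Path: "
                        "a browser presenting no client certificate gets a "
                        "handshake failure (alert 40)" % verify)
    server_name = d.get("ServerName", "").split(":")[0]
    if cert_cn and server_name and server_name.lower() != cert_cn.lower():
        findings.append(f"certificate CN '{cert_cn}' does not match "
                        f"ServerName '{server_name}'")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_vhost(SAMPLE_VHOST, "lvpal145"):
        print("-", finding)
```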