Trouble Shooting SSL on CENTOS 7

jxm90
Hello,
I am trying to install an SSL certificate on a website after I've migrated it from Ubuntu to a CentOS server.
Everything is up and running but I can't get SSL working. Apache starts fine. My config test shows no errors. But when I try to connect to the server through SSL, in all browsers I get ERR_CONNECTION_REFUSED. I don't believe it's an SSL issue but maybe a firewall. I don't know, as I'm unfamiliar with CentOS. Any ideas?
Distinguished Expert 2017

Commented:
Which CentOS version? Did you open the firewall on port 443?
Does OpenSSL restrict which protocols are permitted?
Did you copy both the certificate and the private key in the SSL.conf?
lsof -i:443: is anything listening?


openssl s_client -connect localhost:443

Author

Commented:
CentOS7, I did not open the firewall but as far as I've been able to find one is not configured.
lsof -i:443 shows nothing listening. Test connect does not work.

ssl.conf file is as shown below
<VirtualHost *:443>
        DocumentRoot /var/www/site
        ServerName mysite.com
        ServerAlias mysite.com
                SSLEngine on
                SSLCertificateFile /etc/pki/tls/certs/5453453f.crt
                SSLCertificateKeyFile /etc/pki/tls/private/mysite.com.key
                SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
</VirtualHost>


Distinguished Expert 2017

Commented:
Your Apache is not set up to start SSL.

Use apachectl to test the config.
Author

Commented:
apachectl configtest shows "Syntax OK".
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Check whether SELinux is blocking it or not.
@Prabhin might have the right idea. I was also once fighting on a machine using CentOS. (Some servers didn't manage to create listening sockets.)
The culprit was the configuration of SELinux.

Did you find anything in the apache error log files, that indicated, that it was not able to listen on 443?

I'm quite lousy with SELinux and don't know the commands that could validate that hypothesis by heart. I just looked them up when I had my problems and forgot them since.
Bernie Bsen, Chef de cuisine

Commented:
Not quite sure, but I assume an SSL connection needs a unique IP address to work.
I use
<VirtualHost xx.xx.xx.xx:443>
DocumentRoot /d2/httpd/web
ServerName www.mydomain.com
ServerAlias mydomain.com
ErrorLog /d2/logs/mydomain.com.ssl.err
CustomLog /d2/logs/mydomain.ssl.log combined
ServerAdmin myname@mydomain.com
php_admin_value open_basedir /d2/httpd/web/:/d2/httpd/cloud:/d2/xxxxCloud:/usr/local/lib/php/:/d2/upload_temp/:/d2/logs/
SSLEngine on
SSLCertificateFile /d2/ssl/www.mydomain.com.crt
SSLCertificateKeyFile /d2/ssl/www.mydomain.com.key
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
</VirtualHost>


And somewhere in httpd.conf there must be a line like

Listen xx.xx.xx.xx:443

otherwise Apache does not listen on port 443.
Fractional CTO
Distinguished Expert 2018
Commented:
Going from Ubuntu to CentOS, eh... Ouch...

The CentOS approach to managing your Apache config will be very different than Ubuntu. To me Ubuntu is far more organized + self documenting.

That said, your first step will be to get Apache listening on port 443. Until this occurs, there is no point in debugging anything else.

Note: There is no requirement for a unique IP for any listeners... well... unless you're running a very old version of Apache... as in one of the 2.2 versions, so very old.

If the Apache SSL module is disabled, this might be the problem, as you must have the ssl module installed + enabled for the port 443 stanzas to be processed correctly, to start listening.

Aside: Also by default, CentOS doesn't enable HTTP2 support either, so best enable this too.

Aside: CentOS, last I checked, does not block single threaded MPM from being installed when HTTP2 is running, which makes Apache highly unstable. If you run HTTP2, be sure to only use mpm_event + FPM PHP, else you'll have all manner of subtle problems which are near impossible to debug.

To verify modules are enabled...

# apachectl -M | egrep -e http2 -e ssl
 http2_module (shared)
 ssl_module (shared)


Distinguished Expert 2017

Commented:
If one has a single IP one can define the listener in that way in the event the person has a SAN cert.


Since lsof -i:443 returns no answer, this means that the SSL.conf is not included (when httpd.conf does not include /etc/httpd/httpd.conf.d/) or ssl_engine is not enabled, as David referenced.

I missed this earlier: if the output you displayed was all that was in the file, your ssl.conf is missing the following.
Look within /etc/httpd/conf.d/; there should be an ssl.conf.example that you can use as the basis to which you add the virtual host.

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Arnold makes a good point.

You must have the SSL module loaded along with a config file also, to enable actual listening.

Good catch Arnold!
Expert of the Year 2008
Top Expert 2008

Commented:
>> I don't believe its an SSL issue but maybe a firewall.
In that case try executing the following three commands from the command line:

sudo firewall-cmd --add-service=https --permanent

sudo firewall-cmd --reload

sudo systemctl restart httpd.service


David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Unlikely to be a firewall issue.

If you run machine local commands + you have no 443 listener, problem lies in Apache config, nowhere else.

You must have Apache working first. You'll know Apache is working when you see something like this...

# lsof -i:443 2>/dev/null
COMMAND    PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
apache2 506437 www-data    6u  IPv6 276976697      0t0  TCP *:https (LISTEN)
apache2 506438 www-data    6u  IPv6 276976697      0t0  TCP *:https (LISTEN)
apache2 966469     root    6u  IPv6 276976697      0t0  TCP *:https (LISTEN)

lxd: net14-jasites # netstat -pluten | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN      0          276976697  506437/apache2



There may be other problems, like firewall setup... and... Apache must be listening first, before anything else comes into play.
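The checks the answers above walk through by hand (an uncommented LoadModule ssl_module, Listen 443 and SSLEngine on somewhere in the config tree, then whether anything is actually listening on 443) collected into one script. This is an added example, not code from the thread or from Apache; the function names and the /etc/httpd default path are my assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): audit an httpd config tree for the
# three directives the thread found missing, then look for a 443 listener.
# Assumes a CentOS-style layout under /etc/httpd; function names are mine.

# config_has_directive DIR REGEX
# Returns 0 if any *.conf under DIR has an uncommented line matching REGEX
# (case-insensitive, as Apache directives are).
config_has_directive() {
    grep -rEiq --include='*.conf' "^[[:space:]]*$2" "$1" 2>/dev/null
}

# audit_httpd_config DIR
# Prints one line per directive; returns the number of missing directives,
# so a return of 0 means the SSL listener is at least configured.
audit_httpd_config() {
    missing=0
    for pattern in \
        'LoadModule[[:space:]]+ssl_module' \
        'Listen[[:space:]]+([0-9.*]+:)?443([[:space:]]|$)' \
        'SSLEngine[[:space:]]+on'; do
        if config_has_directive "$1" "$pattern"; then
            echo "ok       $pattern"
        else
            echo "MISSING  $pattern"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# port_is_listening PORT
# Returns 0 if a TCP socket is in LISTEN state on PORT, using ss when
# available and otherwise lsof as used earlier in the thread.
port_is_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ (p "$") { found = 1 } END { exit !found }'
    else
        lsof -i:"$1" -sTCP:LISTEN >/dev/null 2>&1
    fi
}

# Stand-alone use: sh audit_ssl.sh /etc/httpd
if [ $# -gt 0 ]; then
    audit_httpd_config "$1"
    if port_is_listening 443; then
        echo "port 443: listening"
    else
        echo "port 443: NOTHING LISTENING (fix the config above first)"
    fi
fi
```

If the audit reports nothing missing but port 443 still has no listener, the next places to look are the httpd error log, SELinux (getenforce) and firewalld, in that order.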

Author

Commented:
I appreciate all the input, upgrading apache to http2 seemed to solve the issue. Most likely a misconfiguration somewhere.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Curious. Upgrading to HTTP2 (alone) should have had no effect.

When you have time, add a comment about exact steps you took to fix your problem (all commands issued).

This could save someone in the future a massive amount of time.

Glad you got this working!

Author

Commented:
I believe I had something wrong in my apache configurations so I removed them before uninstalling apache.
sudo rm /etc/httpd/conf/*
sudo rm /etc/httpd/conf.d/*
sudo yum remove httpd

I used this guide and the repository within to upgrade apache to a version that supported HTTP2.
https://inside-out.xyz/technology/how-to-enable-http-2-in-centos-7.html
Once that was done, I got it working by editing the default /etc/httpd/conf.d/ssl.conf template file.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Thanks for adding the update!
