Trouble Shooting SSL on CENTOS 7
jxm90 asked:
Hello,
I am trying to install an SSL certificate on a website after I've migrated it from Ubuntu to a CentOS server.
Everything is up and running but I can't get SSL working. Apache starts fine. My config test shows no errors. But when I try to connect to the server through SSL, in all browsers I get ERR_CONNECTION_REFUSED. I don't believe it's an SSL issue but maybe a firewall. I don't know, as I'm unfamiliar with CentOS. Any ideas?
ASKER
CentOS 7. I did not open the firewall, but as far as I've been able to find, one is not configured.
lsof -i:443 shows nothing listening. Test connect does not work.
ssl.conf file is as shown below
<VirtualHost *:443>
DocumentRoot /var/www/site
ServerName mysite.com
ServerAlias mysite.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/5453453f.crt
SSLCertificateKeyFile /etc/pki/tls/private/mysite.com.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
</VirtualHost>
Your Apache is not set up to start SSL.
Use apachectl to test the config.
ASKER
apachectl configtest shows "Syntax OK".
Check whether SELinux is blocking it or not.
@Prabhin might have the right idea. I was also once fighting on a machine using CentOS. (Some servers didn't manage to create listening sockets.)
The culprit was the configuration of SELinux.
Did you find anything in the Apache error log files that indicated it was not able to listen on 443?
I'm quite lousy with SELinux and don't know the commands that could validate that hypothesis by heart. I just looked them up when I had my problems and forgot them since.
Not quite sure, but I assume an SSL connection needs a unique IP address to work.
I use
<VirtualHost xx.xx.xx.xx:443>
DocumentRoot /d2/httpd/web
ServerName www.mydomain.com
ServerAlias mydomain.com
ErrorLog /d2/logs/mydomain.com.ssl.err
CustomLog /d2/logs/mydomain.ssl.log combined
ServerAdmin myname@mydomain.com
php_admin_value open_basedir /d2/httpd/web/:/d2/httpd/cloud:/d2/xxxxCloud:/usr/local/lib/php/:/d2/upload_temp/:/d2/logs/
SSLEngine on
SSLCertificateFile /d2/ssl/www.mydomain.com.crt
SSLCertificateKeyFile /d2/ssl/www.mydomain.com.key
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
</VirtualHost>
And somewhere in the httpd.conf there must be a line like Listen xx.xx.xx.xx:443, otherwise Apache does not listen on port 443.
ASKER CERTIFIED SOLUTION
If one has a single IP, one can define the listener in that way, in the event the person has a SAN cert.
Since lsof -i:443 returns no answer, this means that the ssl.conf is not included (httpd.conf does not include /etc/httpd/httpd.conf.d/), or ssl_engine is not enabled, as David referenced.
Missed: your ssl.conf is missing the following, if the output you displayed was all that was in the file.
Look within /etc/httpd/conf.d/;
there should be an ssl.conf.example that you can use as the basis to which you add the virtual host.
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
Arnold makes a good point.
You must have the SSL module loaded along with a config file also, to enable actual listening.
Good catch Arnold!
>> I don't believe its an SSL issue but maybe a firewall.
In that case try executing the following three commands from the command line:
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
sudo systemctl restart httpd.service
Unlikely to be a firewall issue.
If you run machine local commands + you have no 443 listener, problem lies in Apache config, nowhere else.
You must have Apache working first. You'll know Apache is working when you see something like this...
# lsof -i:443 2>/dev/null
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 506437 www-data 6u IPv6 276976697 0t0 TCP *:https (LISTEN)
apache2 506438 www-data 6u IPv6 276976697 0t0 TCP *:https (LISTEN)
apache2 966469 root 6u IPv6 276976697 0t0 TCP *:https (LISTEN)
lxd: net14-jasites # netstat -pluten | grep :443
tcp6 0 0 :::443 :::* LISTEN 0 276976697 506437/apache2
There may be other problems, like firewall setup... and... Apache must be listening first, before anything else comes into play.
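As an added example (not code from any poster in this thread): a small Python checker that reproduces arnold's diagnosis and the "no 443 listener means the problem is in the Apache config" point above. It walks an Apache config tree the way httpd does for Include/IncludeOptional and reports a VirtualHost port with no matching Listen, or SSLEngine on without mod_ssl being loaded, which is exactly what "apachectl configtest" will not tell you. The config tree it audits is constructed in a temp directory; resolving relative Include paths against the directory of the root file is an assumption (real Apache uses ServerRoot).

```python
import glob
import os
import pathlib
import re
import tempfile

DIRECTIVE = re.compile(r"^\s*(Listen|LoadModule|IncludeOptional|Include|SSLEngine)\s+(.+?)\s*$", re.I)
VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)

def config_lines(conf, server_root):
    """Yield non-comment lines of conf, descending into Include/IncludeOptional globs
    (relative include paths resolve against server_root; assumption standing in for ServerRoot)."""
    with open(conf) as fh:
        for raw in fh:
            line = raw.strip()
            m = DIRECTIVE.match(line)
            if m and m.group(1).lower().startswith("include"):
                for sub in sorted(glob.glob(os.path.join(server_root, m.group(2).strip('"')))):
                    yield from config_lines(sub, server_root)
            elif line and not line.startswith("#"):
                yield line

def audit(root_conf):
    """Return listener problems that 'apachectl configtest' (Syntax OK) will not report."""
    listens, modules, vhost_ports, ssl_on = set(), set(), set(), False
    for line in config_lines(root_conf, os.path.dirname(root_conf)):
        if m := VHOST.match(line):  # '<VirtualHost *:443>' or '<VirtualHost 10.0.0.5:443 [::1]:443>'
            vhost_ports.update(addr.rsplit(":", 1)[-1] for addr in m.group(1).split())
        elif m := DIRECTIVE.match(line):
            key, val = m.group(1).lower(), m.group(2).split()
            if key == "listen":  # 'Listen 443' or 'Listen 10.0.0.5:443 https'
                listens.add(val[0].rsplit(":", 1)[-1])
            elif key == "loadmodule":
                modules.add(val[0])
            elif key == "sslengine" and val[0].lower() == "on":
                ssl_on = True
    problems = [f"VirtualHost on port {p} but no 'Listen {p}': Apache opens no socket for it"
                for p in sorted(vhost_ports - listens)]
    if ssl_on and "ssl_module" not in modules:
        problems.append("SSLEngine on but 'LoadModule ssl_module' never appears")
    return problems

def sample_tree(fixed):
    """Constructed tree mirroring the thread: httpd.conf includes conf.d/ssl.conf with the asker's vhost."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "conf.d").mkdir()
    head = "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n" if fixed else ""  # arnold's two lines
    (root / "httpd.conf").write_text("Listen 80\nIncludeOptional conf.d/*.conf\n")
    (root / "conf.d" / "ssl.conf").write_text(head + "<VirtualHost *:443>\nSSLEngine on\n</VirtualHost>\n")
    return str(root / "httpd.conf")
```

Run audit(sample_tree(fixed=False)) to see both findings for the asker's ssl.conf; with fixed=True the list is empty, matching an lsof -i:443 that finally shows a LISTEN socket.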
ASKER
I appreciate all the input, upgrading apache to http2 seemed to solve the issue. Most likely a misconfiguration somewhere.
Curious. Upgrading to HTTP2 (alone) should have had no effect.
When you have time, add a comment about exact steps you took to fix your problem (all commands issued).
This could save someone in the future a massive amount of time.
Glad you got this working!
ASKER
I believe I had something wrong in my Apache configurations, so I removed them before uninstalling Apache.
sudo rm /etc/httpd/conf/*
sudo rm /etc/httpd/conf.d/*
sudo yum remove httpd
I used this guide and the repository within to upgrade Apache to a version that supported HTTP2.
https://inside-out.xyz/technology/how-to-enable-http-2-in-centos-7.html
Once that was done, I got it working by editing the default /etc/httpd/conf.d/ssl.conf template file.
Thanks for adding the update!
Does OpenSSL restrict which protocols are permitted?
Did you copy both the certificate and the private key in the SSL.conf?
lsof -i:443: is anything listening?
openssl s_client -connect localhost:443