Troubleshooting SSL on CentOS 7

Hello,
I am trying to install an SSL certificate on a website after I've migrated it from Ubuntu to a CentOS server.
Everything is up and running but I can't get SSL working. Apache starts fine. My config test shows no errors. But when I try to connect to the server through SSL, in all browsers I get ERR_CONNECTION_REFUSED. I don't believe it's an SSL issue but maybe a firewall. I don't know, as I'm unfamiliar with CentOS. Any ideas?
jxm90 asked:
arnold commented:
Which CentOS version? Did you open the firewall on port 443?
Does OpenSSL restrict which protocols are permitted?
Did you copy both the certificate and the private key into the ssl.conf?
lsof -i:443 -- is anything listening?

openssl s_client -connect localhost:443
jxm90 (Author) commented:
CentOS 7. I did not open the firewall, but as far as I've been able to find one is not configured.
lsof -i:443 shows nothing listening. Test connect does not work.

ssl.conf file is as shown below:
<VirtualHost *:443>
    DocumentRoot /var/www/site
    ServerName mysite.com
    ServerAlias mysite.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/5453453f.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mysite.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
</VirtualHost>

arnold commented:
Your Apache is not set up to start SSL.

Use apachectl to test the config.
jxm90 (Author) commented:
apachectl configtest shows "Syntax OK".
Prabhin MP (DevOps Engineer) commented:
Check whether SELinux is blocking it or not.
gelonida commented:
@Prabhin might have the right idea. I was also once fighting on a machine using CentOS. (Some servers didn't manage to create listening sockets.)
The culprit was the configuration of SELinux.

Did you find anything in the Apache error log files that indicated that it was not able to listen on 443?

I'm quite lousy with SELinux and don't know the commands that could validate that hypothesis by heart. I just looked them up when I had my problems and have forgotten them since.
Bernie Bsen (Chef de cuisine) commented:
Not quite sure, but I assume an SSL connection needs a unique IP address to work.
I use
<VirtualHost xx.xx.xx.xx:443>
    DocumentRoot /d2/httpd/web
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    ErrorLog /d2/logs/mydomain.com.ssl.err
    CustomLog /d2/logs/mydomain.ssl.log combined
    ServerAdmin myname@mydomain.com
    php_admin_value open_basedir /d2/httpd/web/:/d2/httpd/cloud:/d2/xxxxCloud:/usr/local/lib/php/:/d2/upload_temp/:/d2/logs/
    SSLEngine on
    SSLCertificateFile /d2/ssl/www.mydomain.com.crt
    SSLCertificateKeyFile /d2/ssl/www.mydomain.com.key
    SSLProtocol ALL -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
</VirtualHost>

And somewhere in the httpd.conf there must be a line like
Listen xx.xx.xx.xx:443

otherwise Apache does not listen on port 443.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Going from Ubuntu to CentOS, eh... Ouch...

The CentOS approach to managing your Apache config will be very different than Ubuntu. To me Ubuntu is far more organized + self documenting.

That said, your first step will be to get Apache listening on port 443. Until this occurs, there is no point in debugging anything else.

Note: There is no requirement for a unique IP for any listeners... well... unless you're running a very old version of Apache... as in one of the 2.2 versions, so very old.

If the Apache SSL module is disabled, this might be the problem, as you must have the ssl module installed + enabled for the port 443 stanzas to be processed correctly, to start listening.

Aside: Also by default, CentOS doesn't enable HTTP2 support either, so best enable this too.

Aside: CentOS, last I checked, does not block a single-threaded MPM from being installed when HTTP2 is running, which makes Apache highly unstable. If you run HTTP2, be sure to only use mpm_event + FPM PHP, else you'll have all manner of subtle problems which are near impossible to debug.

To verify modules are enabled...

# apachectl -M | egrep -e http2 -e ssl
 http2_module (shared)
 ssl_module (shared)


arnold commented:
If one has a single IP, one can define the listener in that way in the event the person has a SAN cert.


Since lsof -i:443 returns no answer, this means that the ssl.conf is not included (when httpd.conf /etc/httpd/httpd.conf.d/ is not included) or ssl_engine is not enabled, as David referenced.

I missed it: your ssl.conf is missing the following, if the output you displayed was all that was in the file.
Look within /etc/httpd/conf.d/
There should be an ssl.conf.example that you can use as the basis to which you add the virtual host.

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
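An added example (not from the thread or any participant) that turns the diagnosis above into a check: a POSIX shell function that reports which of the directives named in this thread are missing from an ssl.conf, plus the on-host checks the answers suggest (443 listener, ssl_module, firewalld, SELinux). The sample config, file names and certificate paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an httpd SSL config for the
# directives the answers found missing, then (optionally) runs live host checks.

# check_ssl_conf FILE: print each missing directive; return 1 if any is missing.
check_ssl_conf() {
    rc=0
    for pat in \
        'LoadModule[[:space:]]+ssl_module' \
        'Listen[[:space:]]+([0-9.]+:)?443([[:space:]]|$)' \
        '<VirtualHost[[:space:]]+[^>]*:443>' \
        'SSLEngine[[:space:]]+on' \
        'SSLCertificateFile[[:space:]]+' \
        'SSLCertificateKeyFile[[:space:]]+'
    do
        # a directive must start its line (indentation allowed); '#' comments do not count
        grep -Eiq "^[[:space:]]*$pat" "$1" || { echo "missing: $pat"; rc=1; }
    done
    return $rc
}

# live_checks: the on-host commands from the thread; runs only tools that exist.
live_checks() {
    command -v ss >/dev/null && { ss -ltn | grep -Eq ':443[[:space:]]' \
        && echo "a process is listening on 443" || echo "nothing listening on 443"; }
    command -v apachectl >/dev/null && { apachectl -M 2>/dev/null | grep -i ssl_module \
        || echo "ssl_module not loaded"; }
    command -v firewall-cmd >/dev/null && firewall-cmd --list-services   # expect 'https'
    command -v getenforce >/dev/null && getenforce                       # Enforcing?
    return 0
}

# Constructed sample: the asker's ssl.conf as posted (VirtualHost block only).
broken=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$broken" "$fixed"' EXIT
cat > "$broken" <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/site
    ServerName mysite.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
</VirtualHost>
EOF
# The same file with the two lines arnold pointed out prepended.
{ printf 'LoadModule ssl_module modules/mod_ssl.so\nListen 443\n'; cat "$broken"; } > "$fixed"

check_ssl_conf "$broken" || echo "ssl.conf incomplete: httpd will not bind port 443"
check_ssl_conf "$fixed" && echo "ssl.conf complete; now run live_checks on the host"
```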
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Arnold makes a good point.

You must have the SSL module loaded along with a config file also, to enable actual listening.

Good catch Arnold!
hielo commented:
>> I don't believe it's an SSL issue but maybe a firewall.
In that case try executing the following three commands from the command line:

sudo firewall-cmd --add-service=https --permanent

sudo firewall-cmd --reload

sudo systemctl restart httpd.service

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Unlikely to be a firewall issue.

If you run machine local commands + you have no 443 listener, problem lies in Apache config, nowhere else.

You must have Apache working first. You'll know Apache is working when you see something like this...

# lsof -i:443 2>/dev/null
COMMAND    PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
apache2 506437 www-data    6u  IPv6 276976697      0t0  TCP *:https (LISTEN)
apache2 506438 www-data    6u  IPv6 276976697      0t0  TCP *:https (LISTEN)
apache2 966469     root    6u  IPv6 276976697      0t0  TCP *:https (LISTEN)

lxd: net14-jasites # netstat -pluten | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN      0          276976697  506437/apache2

There may be other problems, like firewall setup... and... Apache must be listening first, before anything else comes into play.
jxm90 (Author) commented:
I appreciate all the input; upgrading Apache to HTTP2 seemed to solve the issue. Most likely a misconfiguration somewhere.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Curious. Upgrading to HTTP2 (alone) should have had no effect.

When you have time, add a comment about exact steps you took to fix your problem (all commands issued).

This could save someone in the future a massive amount of time.

Glad you got this working!
jxm90 (Author) commented:
I believe I had something wrong in my Apache configurations, so I removed them before uninstalling Apache.
sudo rm /etc/httpd/conf/*
sudo rm /etc/httpd/conf.d/*
sudo yum remove httpd

I used this guide and the repository within to upgrade apache to a version that supported HTTP2.
https://inside-out.xyz/technology/how-to-enable-http-2-in-centos-7.html
Once that was done, I got it working by editing the default /etc/httpd/conf.d/ssl.conf template file.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Thanks for adding the update!