Naresh Hangi
asked on
Installing ssl certificate on centos 7
Hi,
I have an Apache webserver on CentOS 7.
It's running perfectly on http port 80.
Below is the configuration:
httpd.conf
Listen 80
User tomcat
Group apache
configured vhost.conf in /etc/httpd/conf.d/
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin abc@def.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/htmlexample.com/
ErrorLog /var/log/httpd/example.com/error.log
CustomLog /var/log/httpd/example.com/access.log combined
I have generated a CSR file and purchased an SSL certificate from GoDaddy.
Got the crt, pem and bundle crt files.
Kept all 3 files in /var/www/html/ssl and used chmod 770 for all 3 files.
Modified the below in /etc/httpd/conf.d/ssl.conf:
<VirtualHost _default_:443>
DocumentRoot "/var/www/html/example.com/"
ServerName www.example.com:443
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /var/www/html/ssl/example.crt
SSLCertificateKeyFile /var/www/html/ssl/example.com.key
SSLCACertificateFile /var/www/html/ssl/gd_bundle-g2-g1
Getting an error when restarting with systemctl restart httpd:
[root@xxx conf.d]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@xxx conf.d]# journalctl -xe
--
-- Unit httpd.service has finished shutting down.
Oct 12 23:23:36 xxx systemd[1]: Starting T
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Oct 12 23:23:36 xxx httpd[13882]: AH00548:
Oct 12 23:23:36 xxx systemd[1]: httpd.serv
Oct 12 23:23:36 xxx kill[13883]: kill: can
Oct 12 23:23:36 xxx systemd[1]: httpd.serv
Oct 12 23:23:36 xxx systemd[1]: Failed to
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Oct 12 23:23:36 xxx systemd[1]: Unit httpd
Oct 12 23:23:36 xxx systemd[1]: httpd.serv
Oct 12 23:23:36 xxx polkitd[2665]: Unregis
Please help me on this
Thanks
Naresh
Note: The error you're seeing relates to virtual host definition, rather than SSL.
Run apachectl configtest
See if you have config errors.
ServerName should only include www.example.com
The port on which it is listening is set by the VirtualHost.
Additional feature of apache 2.4 vs 2.2: it can run several web sites (as 2.2), each with its own certificate (2.2: only one)
arnold brings up a good point.
1) You can either attempt starting Apache (httpd in your case), then review your Apache error log... or...
2) Run apachectl on the command line, to produce any config errors/warnings on the command line.
Might be easier for you to run apachectl... easier to see errors...
Can you share the error log file?
You should not place certificates in /var/www/html.
This is a web-browseable location and exposes your server's private key.
The certificates are usually stored in /etc/httpd/conf/ ...
PKI ..... A location. More secure.
This may or might not contribute if SELinux locks it out..
Hi Arnold,
Can you update us on your issue and findings?
Bernard, please clarify.
/etc/httpd includes different configs as well as a location where certificates, private keys and ca certs should be stored that are referenced in the conf.d/SSL.conf
ServerName/ServerAlias needs just the name; there is no place for :443 or another port there.
Provide the output of the following command, as a starting point to continue working on a fix...
lxd: net16-dmarc-work # apachectl -V | head
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2019-08-21T20:43:21
Server's Module Magic Number: 20120211:88
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
This means several things.
1) You seem to be using an old version of Apache-2.2, which is a very bad idea, because Apache-2.2 is retired now, so upgrading to any recent Distro you'll only have Apache-2.4 which makes fairly significant config file changes.
2) Best to first update to latest Apache. This morning latest is Apache-2.4.41.1 so start with this version.
3) If you're using Apache-2.4, the problem is <NameVirtualHost> has been completely retired, hence <NameVirtualHost> is now a NOP (no operation/action), hence Apache-2.4 flags this as an error + will fail to start.
To fix this, describe the history of your package installation.
Mention whether you're running Apache-2.2 or Apache-2.4 along with your Apache upgrade history, especially if you upgraded to Apache-2.4 from Apache-2.2 sometime recently.
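The thread raises three separate points against the posted configuration: the private key and certificates sit under /var/www/html (a browseable web root), ServerName carries a :443 suffix, and NameVirtualHost is left over from the 2.2 era. The following is an added example written for this page, not code from Experts Exchange or from the Apache project: a small linter that parses the posted fragment (reconstructed here as a constructed sample, since the original is truncated) and reports each of those findings, beside a corrected fragment that uses the CentOS 7 default key and certificate directories under /etc/pki/tls. The web-root list, the directive names it understands and the wording of the findings are assumptions of this example; apachectl configtest remains the authoritative syntax check.

```python
"""Lint an httpd SSL virtual-host fragment for the mistakes discussed above.

Added example (not Apache tooling): it understands only flat
'Directive value' lines and <VirtualHost> blocks.
"""
import re
from posixpath import normpath

# CentOS 7's stock httpd.conf serves /var/www/html, so anything below it may be
# fetchable over HTTP. Assumed default for this example; pass your own roots.
DEFAULT_WEB_ROOTS = ("/var/www/html",)


def parse_config(text):
    """Return (global_directives, vhosts); last occurrence of a directive wins.
    Each vhost dict keeps its <VirtualHost> argument under the key "_addr"."""
    global_directives, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if m:
            current = {"_addr": m.group(1).strip()}
            vhosts.append(current)
            continue
        if line.lower() == "</virtualhost>":
            current = None
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        (current if current is not None else global_directives)[parts[0]] = value
    return global_directives, vhosts


def is_under(path, root):
    """True when absolute POSIX path `path` lies inside directory `root`."""
    return normpath(path).startswith(normpath(root).rstrip("/") + "/")


def lint(text, web_roots=DEFAULT_WEB_ROOTS):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    global_directives, vhosts = parse_config(text)

    # httpd 2.4 dropped NameVirtualHost; it is ignored with a startup warning.
    if "NameVirtualHost" in global_directives:
        findings.append("NameVirtualHost has no effect in httpd 2.4; remove it")

    # Every DocumentRoot in the fragment is browseable, as is the distro default.
    roots = set(web_roots)
    roots.update(v["DocumentRoot"] for v in vhosts if "DocumentRoot" in v)
    if "DocumentRoot" in global_directives:
        roots.add(global_directives["DocumentRoot"])

    for vh in vhosts:
        tag = vh["_addr"]
        # The port is already fixed by <VirtualHost ...:443>; the bare hostname
        # is the conventional ServerName form recommended in the thread.
        name = vh.get("ServerName", "")
        if re.search(r":\d+$", name):
            findings.append(f"{tag}: ServerName '{name}' carries a port; use the bare hostname")
        if vh.get("SSLEngine", "").lower() != "on":
            continue
        for d in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if d not in vh:
                findings.append(f"{tag}: SSLEngine on but {d} is not set")
        key = vh.get("SSLCertificateKeyFile")
        if key and any(is_under(key, r) for r in roots):
            findings.append(f"{tag}: private key {key} is under a web root; "
                            "move it to /etc/pki/tls/private with mode 0600")
        for d in ("SSLCertificateFile", "SSLCACertificateFile"):
            p = vh.get(d)
            if p and any(is_under(p, r) for r in roots):
                findings.append(f"{tag}: {d} {p} is under a web root")
    return findings


# Constructed reproduction of the fragments posted in the question.
SAMPLE_CONFIG = """
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html/example.com/
</VirtualHost>
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/example.com/"
    ServerName www.example.com:443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /var/www/html/ssl/example.crt
    SSLCertificateKeyFile /var/www/html/ssl/example.com.key
    SSLCACertificateFile /var/www/html/ssl/gd_bundle-g2-g1
</VirtualHost>
"""

# Constructed corrected fragment: no NameVirtualHost, bare ServerName, key and
# certificates under the CentOS 7 default PKI directories.
HARDENED_CONFIG = """
<VirtualHost *:443>
    DocumentRoot "/var/www/html/example.com/"
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    SSLCACertificateFile /etc/pki/tls/certs/gd_bundle-g2-g1
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the sample and it reports five findings (NameVirtualHost, the ServerName port, and the key plus both certificate files under /var/www/html); the hardened fragment yields none. The lint only covers the points made in this thread and says nothing about the missing closing </VirtualHost> tags in the original post, which apachectl configtest would report directly.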