queuebert
new user
Reg'd: Mon
Posts: 3
Hi all,
I am trying to implement SSL on my Apache2 configuration. I took all the steps but I apparently did something wrong and am having difficulty tracking it down.
Facts:
- openssl is downloaded and when I run "apache2ctl startssl", it gives me no errors.
- I know it is passing the <IfDefine SSL> test because if I put gibberish within that section, it tells me about it, whereas it used to not tell me.
- I have generated temporary .csr, .crt, and .key files, all of which Apache 2 appears to be reading.
- I have listen.conf set with NameVirtualHost *, and a virtual host to match, *:443.
- I have port 443 open on my firewall.
Problem: When I try to visit https://secure.host.com, Firefox tells me "The Connection to secure.host.com has terminated unexpectedly. Some data may have been transferred." Internet Explorer tells me "You are about to view data over a secure connection blah blah blah" and then when I click OK, it takes me to the built-in "Server not found" page.
If anyone could give me any suggestions or advice, or point me to a more appropriate forum, I would greatly appreciate it!
Thanks, Sean Noble
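An added example, not part of queuebert's post or anything else in this thread: the symptom above ("connection terminated unexpectedly" on an open port 443) is what a browser shows when the port is listening but the thing behind it is not speaking TLS, which is exactly what an `openssl s_client -connect host:443` check reveals further down the thread. The script below does that probe from Python and classifies the outcome. The plaintext listener it spins up on loopback is a constructed stand-in for an Apache that has a `Listen 443` but no active `SSLEngine on`: it reads the ClientHello as if it were HTTP and answers `400 Bad Request` in the clear. Host, port and the HTTP body are assumptions for the demo.

```python
"""Probe whether a host:port actually speaks TLS.

Added example (not from the thread).  The listener below is a constructed
stand-in for Apache answering on 443 without mod_ssl engaged.
"""
import socket
import ssl
import threading


def classify_tls_port(host, port, timeout=3.0):
    """Return 'tls:<version>' if a handshake completes, 'plaintext' if the
    port is open but answers with something other than TLS, and
    'refused' / 'closed' / 'timeout' otherwise.

    Certificate verification is switched off on purpose: the question is
    whether TLS is spoken at all, not whether the certificate is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + tls.version()
    except ConnectionRefusedError:
        return "refused"                      # nothing listening at all
    except (socket.timeout, TimeoutError):
        return "timeout"                      # filtered, or a silent listener
    except ssl.SSLEOFError:
        return "closed"                       # peer hung up mid-handshake
    except ssl.SSLError as exc:
        # OpenSSL finds "HTTP/1.0 400 ..." where a ServerHello should be and
        # reports the bad record header as a version-number problem.
        if exc.reason in ("WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL", "HTTP_REQUEST"):
            return "plaintext"
        return "handshake-failed:" + str(exc.reason)
    except OSError:
        return "closed"


def start_plaintext_listener():
    """Constructed stand-in for Apache on 443 with SSLEngine off: it treats the
    ClientHello as a malformed HTTP request.  Returns the ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                   # the ClientHello it cannot parse
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n"
                         b"Content-Type: text/html\r\n\r\n"
                         b"<h1>Bad Request</h1>\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def demo_plaintext():
    """Probe the fake non-TLS listener; expected classification: 'plaintext'."""
    return classify_tls_port("127.0.0.1", start_plaintext_listener())


def demo_refused():
    """Probe a loopback port nothing listens on; expected: 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return classify_tls_port("127.0.0.1", port)


if __name__ == "__main__":
    print("open but not TLS :", demo_plaintext())
    print("nothing listening:", demo_refused())
```

Run it against a real host with `classify_tls_port("secure.host.com", 443)`; "plaintext" means the firewall and the listener are fine and the fault is in the Apache SSL configuration, "refused" or "timeout" means the request is not reaching a listener at all, which is the split that the rest of this thread turns on.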
MarkRound111
new user
Reg'd: Fri
Posts: 7
What does the configuration look like for the vhost on port 443 ?
queuebert
new user
Reg'd: Mon
Posts: 3
Here it is...
Code:
<IfDefine SSL>
    <VirtualHost 10.0.2.121:443>
        ServerAdmin secure@host.com
        DocumentRoot /var/www/htdocs/secure.host.com/
        ServerName secure.host.com
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl.crt/host.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/host.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        CustomLog /var/www/log/host_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
</IfDefine>
Also a note I forgot to mention before, it's not getting to the point where anything is written to the log file.
Further, I was mistaken about the SSL-enabled virtual host being *:443, it is in fact 10.0.2.121:443. When I use *:443 it says that the results could be unpredictable.
queuebert
new user
Reg'd: Mon
Posts: 3
Nevermind, I figured it out. I appreciate the interest in helping, though. :-) Thanks!
hard_format
new user
Reg'd: Thu
Posts: 2
I am having the same, or at least a similar, problem with getting SSL to work with Apache 2. How did you end up resolving your problem?
Thanks in advance.
TheFatControlleR
Forum Admin
Reg'd: Fri
Posts: 6673
Loc: Megatripolis
Hi hard_format - Welcome to the forum!
Unfortunately, I doubt you'll get an answer to that. This thread is nigh on 4 months old and queuebert appears to be one of those folk who don't help others by reporting back with their solution.
Try posting your query in full, in a new thread.
TFC 'The power of accurate observation is frequently called cynicism by those who don't have it.' - George Bernard Shaw
hard_format
new user
Reg'd: Thu
Posts: 2
Actually, I did end up finding a solution myself. I had been trying to verify that Apache was actually handing the traffic on port 443 over to SSL and that everything was getting through my firewalls to where it needed to be. 'openssl s_client -connect localhost:443' proved that traffic was getting through on port 443, but Apache was trying to deal with the traffic itself instead of sending it through SSL. As it turned out, the problem was a series of little things with Apache itself, and all my futzing with certificates was pointless. The first problem was the stupidest: I was starting Apache with './apachectl start' instead of './apachectl startssl'. Then there were also some problems with my httpd.conf.
I had to alter my 'NameVirtualHost' line to include the port 80, and make a duplicate for port 443. Finally I had to duplicate all of my 'VirtualHost' blocks to have one standard port 80 version, and one SSL configured port 443 version.
Just for fun and to make everything look a little better I put all the SSL 'VirtualHost' blocks and the extra 'NameVirtualHost' statement inside an '<IfDefine SSL></IfDefine>' block.
And hooray, SSL works! The only problem now is that I've discovered that you can only have one SSL certificate per IP. So the only way to have multiple virtual hosts, each with their own cert, is to use IP-based virtual hosting instead of the name-based setup I've got now.
Here's a modified version of the relevant portion of my httpd.conf, hope this clears up any of the muck from above.
Code:
NameVirtualHost 192.168.1.2:80

<IfModule mod_ssl.c>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    NameVirtualHost 192.168.1.2:443
</IfModule>

Listen *:80
ServerName my.servername.example.com

<IfDefine SSL>
    Listen *:443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache2/logs/ssl_mutex

    <VirtualHost 192.168.1.2:443>
        ServerAdmin admin@example.com
        DocumentRoot /usr/local/apache2/htdocs
        ServerName my.servername.example.com
        ErrorLog logs/my.servername.example.com-error_log-ssl
        TransferLog logs/my.servername.example.com-access_log-ssl
        ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

        SSLEngine on
        # Stock Apache 2.0 list; note it still admits SSLv2, export (EXP) and eNULL ciphers
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl/www.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl/www.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>

    <VirtualHost 192.168.1.2:443>
        ServerAdmin admin@example.com
        DocumentRoot /home/vhost2/public_html
        ServerName vhost2.servername.example.com
        ErrorLog logs/vhost2.servername.example.com-error_log-ssl
        TransferLog logs/vhost2.servername.example.com-access_log-ssl
        ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl/vhost2.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl/vhost2.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>

    <VirtualHost 192.168.1.2:443>
        ServerAdmin admin@example.com
        DocumentRoot /home/vhost3/public_html
        ServerName vhost3.servername.example.com
        ErrorLog logs/vhost3.servername.example.com-error_log-ssl
        TransferLog logs/vhost3.servername.example.com-access_log-ssl
        ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl/vhost3.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl/vhost3.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        Options Includes MultiViews
    </VirtualHost>
</IfDefine>

<VirtualHost 192.168.1.2:80>
    ServerAdmin admin@example.com
    DocumentRoot /usr/local/apache2/htdocs
    ServerName my.servername.example.com
    ErrorLog logs/my.servername.example.com-error_log
    TransferLog logs/my.servername.example.com-access_log
    ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/
    Options Includes MultiViews
</VirtualHost>

<VirtualHost 192.168.1.2:80>
    ServerAdmin admin@example.com
    DocumentRoot /home/vhost2/public_html
    ServerName vhost2.servername.example.com
    ErrorLog logs/vhost2.servername.example.com-error_log
    TransferLog logs/vhost2.servername.example.com-access_log
</VirtualHost>

<VirtualHost vhost3.servername.example.com:80>
    ServerAdmin admin@example.com
    DocumentRoot /home/vhost3/public_html
    ServerName vhost3.servername.example.com
    ErrorLog logs/vhost3.servername.example.com-error_log
    TransferLog logs/vhost3.servername.example.com-access_log
</VirtualHost>
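An added example, not hard_format's code or anything from the thread: the three things that had to change above (start with `-DSSL`, a `NameVirtualHost` per ip:port, a separate `<VirtualHost>` per port) and the "one certificate per IP" limit are all mechanical enough to lint for. The script below parses an httpd.conf fragment, evaluates `<IfDefine>` against the `-D` names httpd was started with, and reports those pitfalls. It assumes Apache 2.0/2.2 semantics (a `NameVirtualHost` must match the `<VirtualHost>` address text exactly, and there is no SNI), treats `<IfModule>` blocks as active, and the two sample configs at the bottom are constructed to mirror the thread's before and after states rather than copied from it.

```python
"""Added example (not the thread's code): lint httpd.conf for the pitfalls
this thread hit.  Assumes Apache 2.0/2.2 name-based vhost rules and no SNI;
<IfModule> is treated as active.  Sample configs below are constructed."""
import re
from collections import defaultdict

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE = re.compile(r"^</(\w+)>$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _split_addr(addr):
    """'192.168.1.2:443' -> ('192.168.1.2', '443');  '*' -> ('*', '*')."""
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else (addr, "*")


def parse_httpd_conf(text, defines=frozenset()):
    """Return (global_directives, vhosts).  `defines` are the -D names httpd
    was started with ('apachectl startssl' is just 'httpd -DSSL'), so an
    <IfDefine SSL> block is dropped entirely when 'SSL' is absent."""
    lines, buf = [], ""
    for raw in text.splitlines():                 # join backslash continuations
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        lines.append(buf + s)
        buf = ""
    global_d, vhosts, current, stack = defaultdict(list), [], None, []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        if _CLOSE.match(line):
            tag = stack.pop()[0] if stack else ""
            if tag == "virtualhost" and current is not None:
                vhosts.append(current)
                current = None
            continue
        m = _OPEN.match(line)
        if m:
            tag, arg = m.group(1).lower(), m.group(2).strip()
            active = all(a for _, a in stack)
            if tag == "ifdefine":                 # <IfDefine SSL> or <IfDefine !SSL>
                active = active and ((arg.lstrip("!") in defines) != arg.startswith("!"))
            stack.append((tag, active))
            if tag == "virtualhost" and active:
                current = {"addrs": arg.lower().split(), "directives": defaultdict(list)}
            continue
        if not all(a for _, a in stack):
            continue                              # compiled out by an IfDefine
        parts = line.split(None, 1)
        name, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        (current["directives"] if current else global_d)[name].append(value)
    return global_d, vhosts


def lint_httpd_conf(text, defines=frozenset()):
    """Return a list of finding strings; an empty list means no pitfall found."""
    g, vhosts = parse_httpd_conf(text, defines)
    out = []
    listen_ports = {v.split()[0].rsplit(":", 1)[-1] for v in g["listen"]}
    nvh = {v.split()[0].lower() for v in g["namevirtualhost"]}
    by_addr = defaultdict(list)
    for vh in vhosts:
        for addr in vh["addrs"]:
            by_addr[addr].append(vh)
    main_ssl = [v.lower() for v in g["sslengine"]] == ["on"]
    if "443" in listen_ports and not main_ssl and \
            "443" not in {_split_addr(a)[1] for a in by_addr}:
        out.append("Listen 443 but no vhost on port 443 and no global SSLEngine on: "
                   "the main server answers a ClientHello as plaintext HTTP (started without -DSSL?)")
    for addr, group in sorted(by_addr.items()):
        host, port = _split_addr(addr)
        if port != "*" and port not in listen_ports:
            out.append(f"{addr}: no Listen for port {port}")
        if host not in ("*", "_default_") and not host.startswith("[") and not _IPV4.match(host):
            out.append(f"{addr}: hostname in <VirtualHost>; use the IP address")
        if len(group) > 1 and addr not in nvh:
            out.append(f"{addr}: {len(group)} vhosts but no 'NameVirtualHost {addr}'; "
                       "only the first will ever be selected")
        certs = set()
        for vh in group:
            d = vh["directives"]
            name = d["servername"][0] if d["servername"] else "?"
            if port == "443" and [v.lower() for v in d["sslengine"]] != ["on"]:
                out.append(f"{addr} ({name}): SSLEngine is not on; ClientHellos are parsed as plaintext HTTP")
            certs.update(d["sslcertificatefile"])
        if len(certs) > 1:
            out.append(f"{addr}: {len(certs)} different certificates on one ip:port; "
                       "without SNI only the first vhost's certificate is ever presented")
    return out


# Constructed to mirror the thread's starting point: Listen 443 is unconditional,
# the SSL vhost is inside <IfDefine SSL>, NameVirtualHost is a bare '*'.
BROKEN_CONF = """
Listen 80
Listen 443
NameVirtualHost *
<VirtualHost 10.0.2.121:80>
    ServerName host.com
</VirtualHost>
<VirtualHost 10.0.2.121:80>
    ServerName www.host.com
</VirtualHost>
<IfDefine SSL>
<VirtualHost 10.0.2.121:443>
    ServerName secure.host.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/host.crt
</VirtualHost>
</IfDefine>
"""

# Constructed to mirror the fixed layout: a NameVirtualHost per ip:port, one
# vhost per port, but two certs on the same ip:443.
FIXED_CONF = """
Listen 80
NameVirtualHost 192.168.1.2:80
<IfDefine SSL>
Listen 443
NameVirtualHost 192.168.1.2:443
<VirtualHost 192.168.1.2:443>
    ServerName my.servername.example.com
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl/www.crt
</VirtualHost>
<VirtualHost 192.168.1.2:443>
    ServerName vhost2.servername.example.com
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl/vhost2.crt
</VirtualHost>
</IfDefine>
<VirtualHost 192.168.1.2:80>
    ServerName my.servername.example.com
</VirtualHost>
<VirtualHost vhost2.servername.example.com:80>
    ServerName vhost2.servername.example.com
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf, defs in [("broken, apachectl start", BROKEN_CONF, set()),
                              ("broken, apachectl startssl", BROKEN_CONF, {"SSL"}),
                              ("fixed, apachectl startssl", FIXED_CONF, {"SSL"})]:
        print(f"== {label}")
        for f in lint_httpd_conf(conf, defs):
            print("  -", f)
```

Running it with `defines=set()` against the "broken" config reproduces the plaintext-on-443 situation from the post above, and with `{"SSL"}` the only remaining finding is the missing `NameVirtualHost 10.0.2.121:80`; the "fixed" config comes back clean apart from the hostname-in-`<VirtualHost>` warning and the two-certificates-one-IP limit that the post ends on.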