Setting up an SSL server with Apache2
Posted by Steve on Thu 9 Feb 2006 at 11:27
With the introduction of the Apache2 packages in Debian it is much simpler to create and use a secure, SSL-protected webserver than it was in the old days with Apache 1.3. Here we'll show how it is done.
If you have Apache 2.x installed already then you're good to go as you don't need anything extra installed.
If you haven't got it installed then you can do so easily:
earth:~# apt-get install apache2
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
Suggested packages:
  apache2-doc ca-certificates
The following NEW packages will be installed:
  apache2 apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2040kB of archives.
After unpacking 6218kB of additional disk space will be used.
Do you want to continue? [Y/n]
Once the server is installed you need to do three things to get a working SSL setup:
- Generate, or import, a certificate.
- Enable Apaches SSL support.
- Configure your SSL options.
Generating A Certificate
Generating a certificate from scratch will give you something which protects the traffic exchanged between clients and your server. However it will be self-signed rather than signed by a certificate authority the browser trusts, so every visitor will see a warning: the connection is encrypted, but nothing vouches for the server's identity, and a client has no way to tell your certificate from one an attacker generated the same way.
Importing a paid and "trusted" certificate avoids this problem, but that is beyond the scope of this simple introduction.
Generating an SSL certificate for Apache2 may be accomplished using the apache2-ssl-certificate script. This asks you questions interactively and then generates the certificate. Two things to note from its output: the Common Name you enter must be the ServerName clients will use, otherwise Apache warns that the certificate does not match the server name, and the private key is written into the same file as the certificate, /etc/apache2/ssl/apache.pem, which the script makes readable by root only (chmod 600).
Here's a sample session:
earth:~# apache2-ssl-certificate

creating selfsigned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this programm with -days x
Generating a 1024 bit RSA private key
............++++++
..........................++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:Scotland
Locality Name (eg, city) []:Edinburgh
Organization Name (eg, company; recommended) []:Steve Kemp
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:earth
Email Address []:earth-admin@steve.org.uk
Enabling SSL Support
To use the SSL facilities of Apache2 you must enable the module mod_ssl. This can be achieved using the helper tool a2enmod (we've previously discussed the Apache2 helper scripts).
As root run:
earth:~# a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
Once this is done you'll have Apache set up to accept SSL connections, but the server will still only be listening for incoming HTTP requests on port 80, not for SSL connections on port 443. To fix this you must add a line to the file /etc/apache2/ports.conf:
Listen 443
With these two steps out of the way you now have an Apache setup which will listen for and accept SSL connections. The next step is to modify your virtualhosts to use it.
Configuring your SSL Hosts
With a certificate setup, and the server updated to load and listen for incoming SSL connections you're almost finished. The final step is to ensure that your virtual hosts, or main host, will accept SSL options.
I use virtual hosts upon my machine and this just means adding a couple of options to the port-443 block of each host I wish to use SSL with:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
Because apache.pem contains both the certificate and its private key, no separate SSLCertificateKeyFile directive is needed here; if you keep the key in its own file, point SSLCertificateKeyFile at it.
For reference, here is a complete example which should be easy to modify and understand:
NameVirtualHost *:443
NameVirtualHost *:80
<VirtualHost *:80>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
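To check a site file like the one above before restarting Apache, here is a small lint, added as an example for this page and not part of the original article. It parses the VirtualHost blocks and ports.conf and reports the mistakes that come up repeatedly in the comments: a port-443 host without SSLEngine on, SSLEngine on without a certificate, a forgotten Listen line, a NameVirtualHost with no hosts, several SSL hosts sharing one address (which, without SNI or one IP per host, cannot each present their own certificate), and directives such as ScriptAlias that exist in the :80 host but not in its :443 twin. The sample site text and ports.conf content embedded in it are constructed. The parser is deliberately simple: it ignores Include lines and treats directives inside a <Directory> block as if they were at vhost level.

```python
"""Lint an Apache 2 site file plus ports.conf for the SSL mistakes on this page."""
import re
from collections import defaultdict

# Constructed sample input (not a real site file from the article's author):
# the article's two vhosts plus a third, broken host on port 443.
SAMPLE_SITE = """
NameVirtualHost *:443
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName earth.my.flat
    DocumentRoot /var/www/
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
</VirtualHost>

<VirtualHost *:443>
    ServerName earth.my.flat
    DocumentRoot /var/www/
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName other.my.flat
    DocumentRoot /var/www/other/
</VirtualHost>
"""
SAMPLE_PORTS = "Listen 80\n"   # constructed: the 'Listen 443' line was forgotten

_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
_ADDR_RE = re.compile(r"^(.*):(\d+|\*)$")


def parse_site(text):
    """Return (set of NameVirtualHost addresses, list of vhost dicts)."""
    name_vhosts = set()
    for line in text.splitlines():
        m = re.match(r"\s*NameVirtualHost\s+(\S+)", line, re.I)
        if m:
            name_vhosts.add(m.group(1))
    vhosts = []
    for m in _VHOST_RE.finditer(text):
        directives = defaultdict(list)
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line[0] in "#<":      # skip comments and <Directory> tags
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
        addr = m.group(1).strip()
        am = _ADDR_RE.match(addr)
        port = am.group(2) if am else None       # None for a bare '*'
        name = (directives.get("servername") or ["<no ServerName>"])[0]
        vhosts.append({"addr": addr, "port": port, "name": name, "directives": directives})
    return name_vhosts, vhosts


def listened_ports(ports_conf):
    """Ports bound by Listen lines: 'Listen 443', 'Listen 1.2.3.4:443', 'Listen [::]:443'."""
    return set(re.findall(r"^\s*Listen\s+(?:\S*:)?(\d+)", ports_conf, re.I | re.M))


def check(site_text, ports_conf):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    name_vhosts, vhosts = parse_site(site_text)
    ports = listened_ports(ports_conf)
    by_addr, by_name = defaultdict(list), defaultdict(dict)
    for vh in vhosts:
        d, addr, port, name = vh["directives"], vh["addr"], vh["port"], vh["name"]
        by_addr[addr].append(name)
        by_name[name][port] = d
        ssl_on = any(v.lower() == "on" for v in d.get("sslengine", []))
        where = f"<VirtualHost {addr}> ({name})"
        if port and port.isdigit() and port not in ports:
            findings.append(f"{where}: no 'Listen {port}' in ports.conf, so Apache never binds that port")
        if port == "443" and not ssl_on:
            findings.append(f"{where}: port 443 without 'SSLEngine on', so it talks plain HTTP to https clients")
        if ssl_on and not d.get("sslcertificatefile"):
            findings.append(f"{where}: 'SSLEngine on' but no SSLCertificateFile")
        if ssl_on and port == "80":
            findings.append(f"{where}: 'SSLEngine on' on port 80 breaks plain-HTTP clients")
    for addr, names in by_addr.items():
        if len(names) > 1 and addr not in name_vhosts:
            findings.append(f"{addr}: {len(names)} vhosts but no 'NameVirtualHost {addr}', only the first is used")
        if len(names) > 1 and addr.endswith(":443"):
            findings.append(f"{addr}: {len(names)} SSL vhosts share one address; without SNI or one IP per host "
                            "every client is shown the same certificate whatever name it asked for")
    for addr in sorted(name_vhosts - set(by_addr)):
        findings.append(f"NameVirtualHost {addr} has no VirtualHosts")
    for name, per_port in by_name.items():
        if "80" in per_port and "443" in per_port:
            for key in ("documentroot", "scriptalias", "alias"):
                if per_port["80"].get(key) and not per_port["443"].get(key):
                    findings.append(f"{name}: {key} is set in the :80 vhost but missing from the :443 vhost")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_SITE, SAMPLE_PORTS):
        print("-", finding)
```

Run it against the real files with `check(open("/etc/apache2/sites-available/default").read(), open("/etc/apache2/ports.conf").read())`; the article's own configuration above, paired with a ports.conf containing both Listen lines, produces no findings.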
I thought the introduction would be sufficient to make it clear. Still its a good suggestion and I have no strong preference either way so I've changed it now.
Thanks.
Apache2 Installation with SSL and PHP support
And if anyone is willing to post a new article on apache2 with mysql support configuration, that would help more people and be different from other articles.
apache2ctl restart
I applied Steve's directions to my system, except that I didn't put in a VirtualHost stanza for port 80, and I removed Listen 80 from ports.conf. However, while the SSL on port 443 is indeed working fine, Apache still responds to non-secure port 80 requests.
Did you restart the server afterwards?
/etc/init.d/apache2 restart
Failing that I'd look to see that you don't have port 80 listed elsewhere:
rgrep 80 /etc/apache2/
rgrep 80 /etc/apache2/ returns nothing.
This is my 'default' site config (it's the only one there):
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
# [2006-02-09] added to enable SSL as per
# http://www.debian-administration.org/articles/349
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
Here's my ports.conf:
Listen 443
My httpd.conf is empty.
lsof -i :80 returns nothing as well.
Incidentally, lsof -i :443 shows Apache2 running as it should:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
apache2 11488 root 3u IPv6 1442337 TCP *:https (LISTEN)
apache2 11489 www-data 3u IPv6 1442337 TCP *:https (LISTEN)
apache2 11490 www-data 3u IPv6 1442337 TCP *:https (LISTEN)
apache2 11495 www-data 3u IPv6 1442337 TCP *:https (LISTEN)
Looks like the whole thing was due to local caching -- in fact the server had stopped responding on :80 the minute I restarted. Man, I feel like a fool.
All's well.
Sorry for wasting your time, Steve -- and thanks for trying.
I'd suggest wget next time, or telnet localhost 80, to avoid that problem, especially if all you want to do is see if you can connect.
aaron
Through correctness comes ease
-Chiun
-The Destroyer series
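The suggestion above, to test with wget or telnet rather than the browser, as an added example in Python (not code from the thread): it connects to the port directly, so a cached page cannot fool you, and distinguishes "connection refused" (nothing listening) from a port that accepts the connection, showing the first response line it gets back. The fake_server and unused_port helpers are a constructed stand-in for Apache so the block runs offline; replace 127.0.0.1 with your host when using probe_all for real.

```python
"""Ask a web server directly whether a port answers, bypassing any browser cache."""
import socket
import threading


def probe(host, port, timeout=3.0):
    """Connect to host:port, send a minimal HTTP HEAD and report what came back.
    'open' is False when nothing is listening (refused) or the connect times out;
    'status' is the first response line, or None if the peer closed without
    replying. An Apache SSL port that is sent plain HTTP answers with a 400 line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    except OSError as exc:
        return {"open": False, "status": None, "error": str(exc)}
    status = data.split(b"\r\n", 1)[0].decode("latin-1") if data else None
    return {"open": True, "status": status, "error": None}


def probe_all(host, ports=(80, 443)):
    """Probe several ports, e.g. right after editing ports.conf and restarting."""
    return {p: probe(host, p) for p in ports}


# --- constructed stand-in for Apache so the block runs offline ----------------
def fake_server(response=b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"):
    """Accept one connection on an ephemeral loopback port and send 'response'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(response)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A loopback port nothing listens on: bind, note the number, close."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    live, dead = fake_server(), unused_port()
    for p, r in probe_all("127.0.0.1", (live, dead)).items():
        print(p, r)
```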
-days xx
Self-signed is not needed anymore.
Is the root certificate for this CA included in any major browser?
If so they are usable, if not then they are not.
I see no information on the site except that this is one of their goals. No indication of whether they've succeeded ...
"Please note a general limitation is that, unlike long-time players like Verisign, CAcert's root certificate is not included by default in mainstream browsers, email clients, etc. This means people to whom you send encrypted email, or users who visit your SSL-enabled web server, will first have to import CAcert's root certificate, or they will have to agree to pop-up security warnings (which may look a little scary to non-techy users)."
I noticed that you mentioned that you add some config lines for each vhost you wanted to enable SSL for. I remember trying before to have multiple SSL vhosts on one server, but they just couldn't work (apache complains about it, forgot the exact error...but it defaults to using the first ssl vhost I think). My workaround was to make each SSL vhost listen on different ports (1443,2443,etc) and have the vhost redirect to itself using the custom port when accessed by a client. It's not a workaround I'm particularly proud of though.
Is there actually a way to make multiple SSL vhosts "share" port 443 on one server? If not, can anyone care to share why apache would impose such a limit? Thanks!
-Paul Prantilla
I guess you mean ApacheFriends.org ?
That is one solution for installing Apache + PHP + etc, but it is not ideal for Debian systems since it doesn't work with our packaging system - and means that upgrades and security patches will need to be handled differently. Also, looking at their webpages, it doesn't mention SSL. Is that set up too?
Maybe when you have a single machine you can deal with that, but if you're looking after a lot it is best to stick to standard sources so you can patch them all in the same way ..
[Sun Feb 26 16:09:01 2006] [error] VirtualHost :443 -- mixing ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Sun Feb 26 16:09:01 2006] [error] VirtualHost :80 -- mixing ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Sun Feb 26 16:09:01 2006] [warn] NameVirtualHost *:80 has no VirtualHosts
[Sun Feb 26 16:09:01 2006] [warn] NameVirtualHost *:443 has no VirtualHosts
Starting web server: Apache2.
This is what my .conf looks like
# This is here for backwards compatability reasons and to support
# installing 3rd party modules directly via apxs2, rather than
# through the /etc/apache2/mods-{available,enabled} mechanism.
#
#LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so
NameVirtualHost *:443
NameVirtualHost *:80
<virtualhost *:80>
ServerName 212.53.85.16
DocumentRoot /var/www/htdocs
</virtualhost>
<virtualhost *:443>
ServerName 212.53.85.16
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</virtualhost>
and my ports.conf looks like
Listen 80
Listen 443
NameVirtualHost 212.53.85.16:80
Right now you have said you are describing the * server but then in the Virtual Host you only configure the 213.x.x.x virtual host.
If that does not help then check to see if you have a second site configuration file laying around. The file you listed above seems valid. So I think you might have another in the sites-enabled directory that is causing you grief. Heck, editing with emacs might have left a backup file that would be loaded and give you this problem.
Lastly, if you installed apache2 on a box that used to host apache 1.3, note that the apache2 configuration is in /etc/apache2 and not /etc/apache. You might have edited the wrong conf file.
Hope sometin' here helps ya mon!
Nokkin de Troll
SSL has nothing to do with username / password authentication.
I'd suggest that you have some other changes present in your Apache2 setup which is causing this.
Look for either .htaccess files beneath your documentroot, or "Require" settings somewhere inside /etc/apache2.
For more help you may find the debian-user mailing list helpful ...
[Thu Mar 30 16:34:11 2006] [warn] RSA server certificate CommonName (CN) `myserver.mydomain.com'
does NOT match server name!?
The error means the server name used by your webserver (ie "www.example.com") is different from the name of the certificate.
Generate another one as described above but make sure you enter an identical name to the server's external hostname.
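A way to verify the name match before regenerating anything, added here as an example and not taken from the article or the reply: feed it the subject line from `openssl x509 -noout -subject -in /etc/apache2/ssl/apache.pem` (both the old slash-separated and the newer comma-separated output forms are handled) and, if the certificate has one, the text of its subjectAltName extension, and it tells you whether the ServerName is covered. Wildcards count only as the whole leftmost label, which is the rule browsers apply, and a SAN list, when present, takes precedence over the CN. The two subject strings in the block are constructed to mirror the session in the article and the warning quoted above.

```python
"""Check that a certificate's names cover Apache's ServerName before restarting."""
import re

# Constructed inputs, shaped like 'openssl x509 -noout -subject' output for the
# session shown in the article (older OpenSSL prints the slash form) and for
# the warning in this thread (newer OpenSSL prints the comma form).
OLD_STYLE = "subject= /C=GB/ST=Scotland/L=Edinburgh/O=Steve Kemp/CN=earth/emailAddress=earth-admin@steve.org.uk"
NEW_STYLE = "subject=C = GB, ST = Scotland, CN = myserver.mydomain.com"


def parse_subject(line):
    """Turn a 'subject=' line into a dict of RDN type -> value.
    Handles '/C=GB/CN=earth' and 'C = GB, CN = earth' forms. Values that
    themselves contain '/' or ',' would confuse this simple split."""
    body = line.split("=", 1)[1].strip()
    sep = "/" if body.startswith("/") else ","
    pairs = [p.split("=", 1) for p in body.strip("/").split(sep) if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}


def parse_sans(ext_text):
    """DNS names from 'openssl x509 -noout -ext subjectAltName' output."""
    return re.findall(r"DNS:([^,\s]+)", ext_text)


def hostname_matches(server_name, pattern):
    """Exact match, or a wildcard that is the entire leftmost label:
    '*.domain.com' covers 'a.domain.com' but not 'domain.com' or 'a.b.domain.com'."""
    server_name = server_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return server_name == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False
    labels = server_name.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == tail


def cert_covers(server_name, subject, sans=()):
    """True when ServerName is covered. With a SAN list the CN is ignored,
    which is what browsers do; without one the CN is all there is."""
    names = list(sans) if sans else [subject.get("CN", "")]
    return any(hostname_matches(server_name, n) for n in names if n)


def explain(server_name, subject_line, san_text=""):
    """One-line verdict suitable for a pre-restart check."""
    subject, sans = parse_subject(subject_line), parse_sans(san_text)
    ok = cert_covers(server_name, subject, sans)
    shown = sans or [subject.get("CN", "<no CN>")]
    return f"{'OK' if ok else 'MISMATCH'}: ServerName {server_name} vs certificate names {shown}"


if __name__ == "__main__":
    print(explain("earth", OLD_STYLE))
    print(explain("www.example.com", NEW_STYLE))
```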
...
...
Country Name (2 letter code) [GB]:problems making Certificate Request
and the creation stops. The certificate isn't created.
How can I solve it?
thanks for the guide and help
peace
e.g. Thailand = th
United States = us
When I execute the command:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
I am getting this response:
Generating a 2048 bit RSA private key
....................+++
........................................+++
writing new private key to 'myserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:problems making Certificate Request
I cannot enter a two letter country code, for example th; if I do I get an error:
Country Name (2 letter code) [GB]:problems making Certificate Request
> th
bash: th: command not found
Please advise. Thank you
Your example was extremely helpful!!
ServerName subdomain1.domain.com
DocumentRoot /var/www/subdomain1.domain.com/public_html
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/subdomain1.domain.com_newcert.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/subdomain1.domain_newkey.pem"
ErrorLog /var/log/apache2/error_subdomain1.domain.com.log
CustomLog /var/log/apache2/access_subdomain1.domain.com.log combined
ServerName subdomain2.domain.com
DocumentRoot /var/www/subdomain2.domain.com/public_html
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/subdomain2.domain.com_newcert.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/subdomain2.domain_newkey.pem"
ErrorLog /var/log/apache2/error_subdomain2.domain.com.log
CustomLog /var/log/apache2/access_subdomain2.domain.com.log combined
The cert and key files are different and have been signed by CAcert.org. The thing is that, in case I configure only the first virtualhost everything works fine. But the moment I configure the second virtualhost, then both offer the certificate of the second one when you connect.
Any hints? Thanks in advance.
--
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"
Without using multiple IP addresses you cannot have more than one SSL server upon a single host.
If you had a "wildcard certificate" then it would work - but two different ones? Not at all.
See the Apache documentation for details.
I'm a real estate broker (non-tech variety) and run a web site containing a rental application that is not secure. I got everything loaded per this article and the application comes up okay as a secure page, but when I hit submit (which is a post to a perl script that sends an email acknowledgement and creates a file on disc containing the application info) the browser produces a dialogue box that leads only to opening or saving the file containing the perl script.
Would appreciate some guidance.
You've probably enabled the CGI handling for the non-SSL site, but not for the SSL one.
If you give an example of the URL which is failing (eg. is it /some/path/foo.cgi ?) then we might be able to help.
http://64.123.174.195/DBRE_Ap.htm
the failure is the attempt to post to /cgi-bin/new2FormMail.pl
OK I see the problem there:
- When sending the form via the http server it works.
- When sending the form to the https server you instead download the source to the script.
Inside the SSL virtualhost you're using you should add the following:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
That will probably be enough. (Run "/etc/init.d/apache2 restart" afterwards!)
If that doesn't help then please post the configuration files for both the http and the https sites - basically you want to make them match so that the same CGI settings apply to both..
PS.
This is a hell of useful web site.
Been a few years since I tried to get Debian help off the internet. This was by far my best experience.
You got lucky :)
Your question was fairly easy to understand, and you came back to supply followup details. Too often people ask questions and don't give enough useful information to identify their problems, or simply never return to answer any questions.
Still I'm glad you're impressed. I think the visitors here all do a great job of helping each other.
That's how a guide must be ... essential !
Just a small question: is it possible to configure it like the example below?
(same config for ports 80 and 443, and special config for port 443)
Guy
NameVirtualHost *:443
NameVirtualHost *:80
<virtualhost *:>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</virtualhost>
<virtualhost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</virtualhost>
1. What is the difference between ssh and ssl?
2. For example, I make an HTML page as index.html for my website on https. It's a simple HTML login page without using a database (just enter username and password and then submit to another HTML page). What I want to know is whether we can decrypt the message (read the original message before it was encrypted), so the server can know the username and password. How do we do that, and can we do it for a web site that's not using a database? Thanks.
why this error?
A reasonable solution would be to remove the 000-default site from the sites-enabled folder. Or you could edit the default site to be a little more friendly. It is possible that *:* would play nicer than simply *.
Just installed Etch, and I don't seem to have the apache2-ssl-certificate script.
Am I missing something, or did this script not make it to Etch from Sarge?
cheers
justin
Not present. Run this:
export RANDFILE=/dev/random
openssl req $@ -new -x509 -days 365 -nodes -out \
    /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
One solution
# mkdir /etc/apache2/ssl
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/apache.pem
Hope this helps.
(Oh, why does SSL always have to be so complicated???)
Phil.
It allows you to pass additional arguments to the command if you wish.
Out of context it looks strange, but in a shell-script it works as expected.
Before running any of the above commands the differences between Sarge and Etch need to be resolved. Basically Etch is missing one directory, one script and one configuration file.
Etch does not have the directory /etc/apache2/ssl
This needs to be created with ownership and permissions of
drwxr-xr-x root root
Etch also needs the script /usr/sbin/apache2-ssl-certificate created with ownership root:root and permissions of 766.
The contents of this file should be
#!/bin/sh -e
if [ "$1" != "--force" -a -f /etc/apache2/ssl/apache.pem ]; then
echo "/etc/apache2/ssl/apache.pem exists! Use \"$0 --force.\""
exit 0
fi
if [ "$1" = "--force" ]; then
shift
fi
echo
echo creating selfsigned certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo enter your ServerName at the Common Name prompt
echo
echo If you want your certificate to expire after x days call this programm
echo with "-days x"
# use special .cnf, because with normal one no valid selfsigned
# certificate is created
export RANDFILE=/dev/random
openssl req $@ -config /usr/share/apache2/ssleay.cnf \
-new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
-keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
ln -sf /etc/apache2/ssl/apache.pem \
/etc/apache2/ssl/`/usr/bin/openssl \
x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0
Etch also needs to have the file /usr/share/apache2/ssleay.cnf which should have ownership of root:root and permissions of 644
The contents of this file should be
#
# SSLeay example configuration file.
#
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company; recommended)
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
The rest of the instructions are then the same as the original above:
run
# apache2-ssl-certificate
and respond to the prompts to create the certificate.
run
# a2enmod ssl
to enable the ssl mod
then run
# /etc/init.d/apache2 force-reload
as asked.
Edit /etc/apache2/ports.conf and add a new line
Listen 443
Make sure a new line character has been added after this line. This may not be needed but better to be safe.
Then I modified /etc/apache2/sites-available/default to basically add the ssl site to the default setup.
The original block is copied and the port numbers added, but it is important to add the lines
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
to the second section.
This configuration basically means that the original site will be served up over ssl (i.e. https)
This is the new /etc/apache2/sites-available/default file:
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
# Added to enable ssl.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
Then I restarted the Apache server with
# apache2ctl graceful
Your default web page should then be available at
https://www.example.com
as well as
http://www.example.com
From here you can change the DocumentRoot to get it to point somewhere else.
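A non-interactive alternative to the certificate script above, added here as an example and not part of the post: it calls openssl with -subj and -addext so no prompts are needed, writes the private key to its own file that is created mode 0600 (by setting the umask for the duration of the openssl run) and the certificate to a world-readable file, and prints the matching SSLCertificateFile and SSLCertificateKeyFile directives for the port-443 vhost. It needs OpenSSL 1.1.1 or later for -addext and must run as root to write under /etc/apache2/ssl. The per-host file names, the 2048-bit key and the 365-day lifetime are choices made here, not taken from the page.

```python
"""Self-signed certificate for Apache without the interactive prompts, with the
private key kept in its own root-only file and a subjectAltName set."""
import os
import subprocess


def openssl_args(server_name, key_path, cert_path, days=365, bits=2048):
    """Build the 'openssl req' command line. -addext needs OpenSSL 1.1.1 or newer."""
    return [
        "openssl", "req", "-x509", "-nodes",
        "-newkey", f"rsa:{bits}",
        "-days", str(days),
        "-subj", f"/CN={server_name}",                    # CN must equal the ServerName
        "-addext", f"subjectAltName=DNS:{server_name}",   # what browsers actually check
        "-keyout", key_path,
        "-out", cert_path,
    ]


def make_cert(server_name, ssl_dir="/etc/apache2/ssl", days=365, force=False):
    """Write ssl_dir/<name>.key (mode 0600) and ssl_dir/<name>.pem (mode 0644).
    Returns (key_path, cert_path). Must run as root for the default directory."""
    os.makedirs(ssl_dir, mode=0o755, exist_ok=True)
    key_path = os.path.join(ssl_dir, f"{server_name}.key")
    cert_path = os.path.join(ssl_dir, f"{server_name}.pem")
    if os.path.exists(key_path) and not force:
        raise FileExistsError(f"{key_path} exists; pass force=True to replace it")
    old_umask = os.umask(0o077)      # files openssl creates are born 0600
    try:
        subprocess.run(openssl_args(server_name, key_path, cert_path, days), check=True)
    finally:
        os.umask(old_umask)
    os.chmod(cert_path, 0o644)       # the certificate is public; the key stays 0600
    return key_path, cert_path


def vhost_snippet(server_name, key_path, cert_path):
    """Directives for the <VirtualHost *:443> block that uses this pair."""
    return (f"    ServerName {server_name}\n"
            f"    SSLEngine on\n"
            f"    SSLCertificateFile {cert_path}\n"
            f"    SSLCertificateKeyFile {key_path}\n")


if __name__ == "__main__":
    import sys
    # hypothetical default host name; pass the real ServerName as the first argument
    name = sys.argv[1] if len(sys.argv) > 1 else "earth.my.flat"
    key, cert = make_cert(name)
    print(vhost_snippet(name, key, cert))
```

Because the key is in a separate file, the vhost needs SSLCertificateKeyFile as well as SSLCertificateFile; with the single apache.pem from the script above only the latter is required.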
Question:
The script makes a symbolic link, that is named using the hash of the "key+certificate" file.
ln -sf /etc/apache2/ssl/apache.pem \
/etc/apache2/ssl/`/usr/bin/openssl \
x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0
Why is this needed?
DEBIANHOST:/etc/apache2/sites-available# tail /var/www/webdav/logs/error.log
[Tue Feb 20 18:08:53 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/
[Tue Feb 20 18:09:21 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test1.txt
[Tue Feb 20 18:09:26 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test2.txt
[Tue Feb 20 18:09:44 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test.txt
DEBIANHOST:/etc/apache2/sites-available# tail /var/www/webdav/logs/access.log
ip - - [20/Feb/2007:18:08:53 -0500] "GET / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
ip - - [20/Feb/2007:18:09:21 -0500] "GET /test1.txt HTTP/1.1" 403 211"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
ip - - [20/Feb/2007:18:09:26 -0500] "GET /test2.txt HTTP/1.1" 403 211"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
ip - - [20/Feb/2007:18:09:44 -0500] "GET /test.txt HTTP/1.1" 403 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
The different files are my attempts to change permissions, but nothing worked:
DEBIANHOST:/var/www/webdav# ls -l
total 16
drwxr-xr-x 2 root root 4096 2007-02-20 16:32 logs
-rw-r--r-- 1 root root 30 2007-02-13 07:51 test1.txt
-rw-r--r-- 1 www-data www-data 18 2007-02-13 09:08 test2.txt
-rw-r----- 1 www-data www-data 12 2007-02-13 07:36 test.txt
DEBIANHOST:/var/www# ls -l
total 8
drwxr-xr-x 2 root root 4096 2006-09-12 15:02 apache2-default
drwxr-xr-x 3 www-data www-data 4096 2007-02-13 09:08 webdav
My site files are here:
DEBIANHOST:/etc/apache2/sites-available# ls
default hmawdav
DEBIANHOST:/etc/apache2/sites-available# cat default
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
RedirectMatch ^/$ /apache2-default/
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>
DEBIANHOST:/etc/apache2/sites-available# cat hmawdav
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName DEBIANHOST
DocumentRoot /var/www/webdav/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
ErrorLog /var/www/webdav/logs/error.log
CustomLog /var/www/webdav/logs/access.log combined
</VirtualHost>
Take a look at /var/www/webdav/logs/error.log.
DEBIANHOST:/etc/apache2/sites-available# tail /var/www/webdav/logs/error.log
[Tue Feb 20 18:08:53 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/
[Tue Feb 20 18:09:21 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test1.txt
[Tue Feb 20 18:09:26 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test2.txt
[Tue Feb 20 18:09:44 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test.txt
What do I need to change in the server config?
DEBIANHOST:~$ cat /etc/apache2/conf.d/local_configs.conf
#Tighten access to the file system
<Directory />
#forbid default access to file system locations
Order Deny,Allow
Deny from all
#prevent use of .htaccess files in all directories
#apart from those specifically enabled
AllowOverride None
</Directory>
#limit available info about this server
ServerSignature Off
ServerTokens production
#hide all files with the .inc (php include) extension
<Files "*.inc">
Order allow,deny
Deny from all
</Files>
So adding a directive to the SSL VirtualHost solved it.
<Directory /var/www/webdav>
AllowOverride None
Order allow,deny
allow from all
</Directory>
I (somewhat) successfully got ssl working, with the following exception: when I access https://192.168.10.2 everything works fine. However, when I access it via FQDN https://www.ccpip.net I get a 501 not implemented - the requested method is not implemented by the server.
Note that I do get a security warning that the cert does not match the server name, so it appears that some communication is taking place.
Any clues as to what I've borked up will be appreciated!
Thanks,
Cliff Pankonien
#openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
Good luck
-Setiawans
[Error] Illegal attempt to re-initialise SSL for server(Theoretically shouldn't happen!)
[Fri Apr 13 09:22:07 2007] [error] Init: Private key not found
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
Thanks for light
Chty
True. See the earlier comment in this article for alternative instructions.
NameVirtualHost *:80
<VirtualHost *:80>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
[ Parent | Reply to this comment ]
True. Read the comments on this article and you'll see this has been mentioned already, along with a solution.
[ Parent | Reply to this comment ]
Can we host different apps on a single SSL-enabled domain? Say xyz.domain.com is SSL-enabled. By default https://xyz.domain.com will listen on 443 and I have an app configured there:
<VirtualHost xyz.domain.com:443>
....
</VirtualHost>
Can I configure it again on another port, the way below?
<VirtualHost xyz.domain.com:9886>
....
</VirtualHost>
[ Parent | Reply to this comment ]
Nice work. So I would ask you about my problem: all seems to work, but only seems!
I should note that I did the configuration without reading this article, but I did everything that is mentioned (and of course apache2 worked fine before trying to add the SSL feature).
First, a basic netstat: no more port 80, nor 443.
And the /var/log/apache2/error.log says:
[error] Init: Multiple RSA server certificates not allowed
I defined the SSL.... directives in the <VirtualHost *:443>.
And I don't see any problem in the ssl.conf.
Thanks for your help and any explanation.
[ Parent | Reply to this comment ]
The problem comes from the SSL certificate, I think; in the error log file I had these messages:
[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
On another forum I found some posts about it, but I tried them and nothing works at this time.
Thanks for helping me understand what happens.
[ Parent | Reply to this comment ]
You can use
/etc/init.d/httpd status
to find out that the server is not running but the pid file seems dead-locked.
I don't know what the hell the pid file is.
My problem was maybe caused by having several IPs listening on 443 but no virtual host for each of them.
[ Parent | Reply to this comment ]
In your previous article on apache2 (before it was packaged), there was a line saying:
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
in ssl.conf.
However, this doesn't seem to appear in my Etch installation of apache2.
After I added this by hand to ssl.conf my problems with Apache2 on MSIE6 disappeared. Since this is mentioned in a lot of places, I find it strange that it hasn't been included in the official package (I installed Debian Etch Stable on the machine). Is there a reason for this, and am I missing a point somewhere?
Best regards,
Jure
[ Parent | Reply to this comment ]
To get a trusted certificate, you must send the trusted authority a CSR file (Certificate Signing Request) which you generate from your .key (private key) file. (There are plenty of "howtos" to show you how to accomplish this and it is outside the scope of this message to show you how.)
E.g. http://www.rapidssl.com/ssl-certificate-support/generate-csr/Apache2.htm
They then send you back a .crt file (a certificate).
This is different from the self-signed .pem file that you generate in your example, and it simply will not work the way you describe.
However, if you manually join the .key file and the .crt file together with a text editor (vi, pico, etc.) into a single file named domain_name.pem, and then reference this file in the Apache config, all will work:
SSLCertificateFile /etc/apache2/ssl/domain_name.pem
Samples of the files are below to show you the process.
I generate a .key file (domain_name.key):
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
I then use this file to generate a .csr file (domain_name.csr), which I send to the trusted certificate provider, and they send back a valid certificate which you save in a .crt file (domain_name.crt).
Sample certificate file (returned from the SSL cert vendor and saved as domain_name.crt):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Then you join these together in a single file to create a single .pem file (domain_name.pem):
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Reference this in your Apache SSL configuration:
SSLCertificateFile /etc/apache2/ssl/domain_name.pem
and restart apache.
[ Parent | Reply to this comment ]
Package apache2-common is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
apache2.2-common apache2-utils
apache2-ssl-certificate is nowhere to be found. I would think it is in apache2-utils but it is not.
[ Parent | Reply to this comment ]
Use make-ssl-cert from package ssl-cert, e.g.:
# mkdir /etc/apache2/ssl
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Apparently by default it only makes certs valid for 30 days, so you'd have to use some option to change that I assume.
[ Parent | Reply to this comment ]
As a newbie the only thing I had to guess was where to put the configuration lines. I simply added them to the end of my /etc/apache2/apache2.conf; not sure if that's right, but everything seems to be working.
thanks
Munga
[ Parent | Reply to this comment ]
I use this for creating a new cert - I'm sorry to say I have no idea how to extend an existing cert.
export RANDFILE=/dev/random
openssl req -new -x509 -days 1000 -nodes -out \
  /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
[ Parent | Reply to this comment ]
You'll need to restart your Apache server to make it re-read the key:
/etc/init.d/apache2 restart
Also it might be worth double-checking that you're referring to the file that we created (/etc/apache2/ssl/apache.pem) in your Apache configuration, not another key file.
[ Parent | Reply to this comment ]
The best way is to generate your key without a passphrase.
[ Parent | Reply to this comment ]
The best way is to generate your key without a passphrase in the first place.
Like I said before.
You can remove one easily enough...
[ Parent | Reply to this comment ]
I could not get that command to work. It seems like the openssl command ends at "...key". I tried including "Enter pass phrase..." several ways but could not get that accepted.
When I end the command at "...key" the program responds "writing RSA key" but I am given no opportunity to enter a blank as a pass phrase.
I glanced at the "open" man page but it is beyond me at this time, and I am now hoping to prevail on you again.
Thanks.
Doug
[ Parent | Reply to this comment ]
OK, let's take it from the top.
- You want SSL on Apache.
- You've got a key, which has a passphrase on it.
Your options are either:
- Generate a new key - making sure it doesn't have a passphrase.
- Remove the passphrase from the existing key.
Since you don't show exactly what went wrong I think generating a new key should be the easiest route. As root run:
export RANDFILE=/dev/random
openssl req -new -x509 -days 1000 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
/etc/init.d/apache2 restart
That should work pretty well.
[ Parent | Reply to this comment ]
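Several of the problems in this thread come from what mod_ssl finds (or does not find) in the file named by SSLCertificateFile: the "Init: Private key not found" errors followed by asn1 "bad tag"/"wrong tag" messages, the question of joining a .key and a .crt into one .pem, and the passphrase prompt that a key made without -nodes causes at startup. The checker below is an added example, not code from the original article, the Debian packages or Apache, and the function names (inspect_pem, der_outer_ok, check_file) are chosen here. It reads a PEM bundle the way mod_ssl does when no SSLCertificateKeyFile is given (certificate and private key in the same file), reports whether both blocks are present, whether each block's base64 body decodes to a single DER SEQUENCE, whether the key is passphrase-protected, and whether the file mode leaks the key to group or world. The PEM samples embedded at the bottom are constructed: their bodies are tiny hand-made DER values, not real keys or certificates.

```python
"""Check a PEM bundle the way mod_ssl reads SSLCertificateFile at startup.

Added example for this thread; not code from the original article or from
Apache. Sample PEM data below is constructed (hand-made DER, not real keys).
"""
import base64
import binascii
import os
import re
import stat

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def der_outer_ok(der: bytes) -> bool:
    """True if `der` is exactly one complete ASN.1 SEQUENCE (tag 0x30).

    Anything else is what OpenSSL reports as 'bad tag' / 'wrong tag' when
    mod_ssl tries to read a private key out of the file.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def _split_headers(body: str):
    """Separate legacy PEM headers (Proc-Type, DEK-Info) from the base64 body."""
    headers, lines = {}, body.strip().splitlines()
    while lines and ":" in lines[0]:
        key, value = lines.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    return headers, "".join(line.strip() for line in lines)


def inspect_pem(text: str) -> dict:
    """Report what mod_ssl would find in SSLCertificateFile.

    Returns the block labels seen, whether a private key and a certificate
    are present, whether the key is passphrase-protected, and a list of
    human-readable problems (empty when the bundle looks usable).
    """
    report = {"labels": [], "has_key": False, "has_cert": False,
              "key_encrypted": False, "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        report["labels"].append(label)
        headers, b64 = _split_headers(body)
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            report["problems"].append(f"{label}: body is not valid base64")
            continue
        if label in KEY_LABELS or label == "ENCRYPTED PRIVATE KEY":
            report["has_key"] = True
            if encrypted:
                report["key_encrypted"] = True
                report["problems"].append(
                    f"{label}: key is passphrase-protected; Apache will have to "
                    "prompt for it (generate with -nodes, or strip the passphrase)")
                continue                   # body is ciphertext, not plain DER
        elif label == "CERTIFICATE":
            report["has_cert"] = True
        if not der_outer_ok(der):
            report["problems"].append(
                f"{label}: DER is not a single SEQUENCE (bad/wrong tag)")
    if not report["has_cert"]:
        report["problems"].append("no CERTIFICATE block")
    if not report["has_key"]:
        report["problems"].append(
            "no private key block: set SSLCertificateKeyFile or append the key")
    return report


def check_file(path: str) -> dict:
    """inspect_pem() on a file, plus a permissions check on the key material."""
    with open(path, encoding="ascii") as fh:
        report = inspect_pem(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if report["has_key"] and mode & 0o077:
        report["problems"].append(
            f"{path}: mode {mode:04o} lets group/other read the private key (chmod 600)")
    return report


# Constructed samples. "MAMCAQU=" is the DER SEQUENCE { INTEGER 5 }; "AgEF" is a
# bare INTEGER 5, i.e. the wrong outer tag. Neither is a real key or certificate.
GOOD_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
BAD_TAG_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nAgEF\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)
ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "MAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("cert-only", CERT_ONLY_PEM),
                      ("bad-tag", BAD_TAG_PEM), ("encrypted", ENCRYPTED_PEM)]:
        print(name, inspect_pem(pem)["problems"] or "ok")
```

Run check_file("/etc/apache2/ssl/apache.pem") as root before restarting Apache; an empty problems list means the file has both blocks, each one parses as DER at the outer level, the key is not encrypted, and nobody but the owner can read it. The check deliberately stops at the outer SEQUENCE header rather than walking the whole ASN.1 structure, which is enough to catch the cert-only and garbage-body cases that produce the asn1 errors quoted above without re-implementing OpenSSL.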
Thanks. That did it. Feel like I owe you some money... I'll look around on your site to see what I can do.
Doug
[ Parent | Reply to this comment ]
Great, glad we got there in the end.
I have a wishlist at amazon, linked to on my profile page, but honestly a "thank you" comment is just as good.
Submitting new articles is even more useful!
[ Parent | Reply to this comment ]
For a work-around, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520
[ Parent | Reply to this comment ]
You say:
<<<<<
I use virtual hosts upon my machine and this just means adding a couple of options to each one I wish to use SSL:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
For reference here is a complete example which should be easy to modify/understand:
>>>>>
But it is not clear which specific filename(s) you are referring to.
I can't tell, but perhaps the article needs a slight update / modification?
I just installed today, and within the resulting files are the various 'snakeoil' files. Which is to say, it seems possible that having enabled mod_ssl, apache2/https is ready to go out of the box.
Not to say what you have isn't entirely appropriate, but perhaps a paragraph in the middle along the lines of:
With this change, you can test that all is well with apache by going to https://localhost. You will notice some extra dialogues as a result, which can be addressed by using your own (self-signed) certificate. And here's how you do that ... (proceeding with what you already have).
[ Parent | Reply to this comment ]
The ServerName parameter seems not to work with SSL.
[ Parent | Reply to this comment ]
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
[ Parent | Reply to this comment ]
When I have the conf file as below:
<VirtualHost 162.109.35.186:9090>
ServerAdmin root@162.109.35.186
DocumentRoot "/usr/local/AdventNet/WebNMS"
ServerName APACHE_SERVER_NAME
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
</VirtualHost>
<VirtualHost 162.109.35.198:9095>
DocumentRoot "/usr/local/AdventNet/virtual"
ServerAdmin root@162.109.35.198
ServerName 162.109.35.198
</VirtualHost>
I get the following error:
[Wed Nov 07 12:36:16 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 12:36:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 12:36:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 12:36:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 12:36:16 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Nov 07 12:36:19 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Nov 07 12:36:19 2012] [info] Init: Initializing (virtual) servers for SSL
[Wed Nov 07 12:36:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 12:36:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 12:36:19 2012] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!
If I add the following, it is still the same:
NameVirtualHost 162.109.35.186:9090
NameVirtualHost 162.109.35.198:9095
But if I do the following,
<VirtualHost 162.109.35.186:9090>
ServerAdmin root@162.109.35.186
DocumentRoot "/usr/local/AdventNet/WebNMS"
ServerName APACHE_SERVER_NAME
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
</VirtualHost>
<VirtualHost 162.109.35.198:9095>
DocumentRoot "/usr/local/AdventNet/virtual"
ServerAdmin root@162.109.35.198
ServerName 162.109.35.198
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
</VirtualHost>
with these commented out:
#NameVirtualHost 162.109.35.186:9090
#NameVirtualHost 162.109.35.198:9095
I get the following errors:
[Wed Nov 07 13:01:16 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:01:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:16 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Nov 07 13:01:17 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Nov 07 13:01:17 2012] [info] Init: Initializing (virtual) servers for SSL
[Wed Nov 07 13:01:17 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:17 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:17 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:17 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:17 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:17 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Wed Nov 07 13:01:17 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Wed Nov 07 13:01:17 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:01:17 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:17 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:17 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:17 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Nov 07 13:01:19 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Nov 07 13:01:19 2012] [info] Init: Initializing (virtual) servers for SSL
[Wed Nov 07 13:01:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:19 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:19 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:19 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Wed Nov 07 13:01:19 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Wed Nov 07 13:01:19 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 07 13:01:19 2012] [notice] Digest: done
[Wed Nov 07 13:01:20 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations
[Wed Nov 07 13:01:20 2012] [info] Server built: Oct 28 2008 10:34:09
[Wed Nov 07 13:02:04 2012] [info] [client 162.109.35.186] Connection to child 0 established (server tycotest04:443)
[Wed Nov 07 13:02:04 2012] [info] Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:02:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server tycotest04:443)
[Wed Nov 07 13:02:05 2012] [error] [client 162.109.35.186] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Wed Nov 07 13:02:06 2012] [info] [client 162.109.35.186] Connection to child 1 established (server tycotest04:443)
[Wed Nov 07 13:02:06 2012] [info] Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:02:06 2012] [info] Initial (No.1) HTTPS request received for child 1 (server tycotest04:443)
[Wed Nov 07 13:02:06 2012] [error] [client 162.109.35.186] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Wed Nov 07 13:02:07 2012] [info] [client 162.109.35.186] Connection closed to child 1 with standard shutdown (server tycotest04:443)
[Wed Nov 07 13:02:07 2012] [info] [client 162.109.35.186] Connection closed to child 0 with standard shutdown (server tycotest04:443)
[Wed Nov 07 13:02:11 2012] [info] removed PID file /usr/local/AdventNet/WebNMS/apache/logs/httpd.pid (pid=7584)
[Wed Nov 07 13:02:11 2012] [notice] caught SIGTERM, shutting down
Any ideas what I'm doing wrong? At the least it should recognise the 186 IP address, as it's the main one that works if I don't have a virtual host config.
[ Parent | Reply to this comment ]
If you don't understand the security implications of SSL you shouldn't be writing how-tos about it.
[ Parent | Reply to this comment ]
Also, when you refer to adding "Listen 443" to the ports.conf file you might want to specify in what section of the file to add the directive. For instance, does it go at the top with the other ports, or between the first <IfModule mod_ssl.c> brackets?
You are assuming everyone has been using Apache for a while, but a beginner might not understand your content, as they will have to search for the mentioned information.
[ Parent | Reply to this comment ]