Posted to users@httpd.apache.org by "Sweeny, Theo (Chief Customer Office)" <th...@directlinegroup.co.uk> on 2017/04/25 12:55:28 UTC

[users@httpd] SSL Certs Not Loading

Hello - I’ve installed new SSL certs on Apache v2.4.3 and for a single vhost - but the server won’t start.

The error logs are - 

[Fri Apr 21 13:30:00.575805 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH02311: Fatal error initialising mod_ssl, exiting. See /content/logs/httpd/error.log for more information

[Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication

Can you offer some pointers?

Regards,

Theo




Direct Line Insurance Group plc. Registered in England & Wales No 02280426. Registered Office: Churchill Court, Westmoreland Road, Bromley, Kent, BR1 1DP

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. You should not copy, print, distribute, disclose or use any part of it. Internet e-mails are not necessarily secure. By replying to this message you give your consent to our monitoring of your email communications with us. We do not accept responsibility for changes made to this message after it was sent.

We cannot accept any liability for viruses transmitted via this email once it has left our network. We will never send e-mails requesting personal or confidential information. If you ever receive such an e-mail appearing to come from us, do not reply to it, instead please contact us immediately.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

Re: [users@httpd] SSL Certs Not Loading

Posted by "Sweeny, Theo (Chief Customer Office)" <th...@directlinegroup.co.uk>.
I’ve enabled debug log for ssl in the vhosts file like so - 

<IfModule mod_ssl.c>
    ErrorLog /var/log/apache2/ssl_engine.log
    LogLevel debug
</IfModule>

The output from this log is 

[Fri Apr 21 16:38:35.834335 2017] [ssl:info] [pid 576:tid 140583896000320] AH02200: Loading certificate & private key of SSL-aware server 'xxx.com:443'
[Fri Apr 21 16:38:35.834528 2017] [ssl:debug] [pid 576:tid 140583896000320] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Apr 21 16:38:35.853856 2017] [ssl:info] [pid 576:tid 140583896000320] AH01914: Configuring server 'xxx.com:443' for SSL protocol
[Fri Apr 21 16:38:35.853973 2017] [ssl:emerg] [pid 576:tid 140583896000320] AH01895: Unable to configure verify locations for client authentication

> On 25 Apr 2017, at 14:32, Robert Moskowitz <rg...@htt-consult.com> wrote:
> 
> On my Centos system, I would be looking at: /etc/httpd/logs/ssl_error_log for cert errors.
> 
> On 04/25/2017 03:18 PM, Sweeny, Theo (Chief Customer Office) wrote:
>> Hi Robert - the error found in  /content/logs/httpd/error.log
>> 
>> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>> 
>> I think it is a SSL cert issue, since adding the ssl certs the server has stopped working.
>> 
>>> On 25 Apr 2017, at 14:11, Robert Moskowitz <rg...@htt-consult.com> wrote:
>>> 
>>> So what does /content/logs/httpd/error.log say?
>>> 
>>> Often a permission problem.
>>> 
>>> On 04/25/2017 02:55 PM, Sweeny, Theo (Chief Customer Office) wrote:
>>>> Hello - I’ve installed new SSL certs on Apache v2.4.3 and for a single vhost - but the server won’t start.
>>>> 
>>>> The error logs are -
>>>> 
>>>> [Fri Apr 21 13:30:00.575805 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH02311: Fatal error initialising mod_ssl, exiting. See /content/logs/httpd/error.log for more information
>>>> 
>>>> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>>>> 
>>>> Can you offer some pointers?
>>>> 
>>>> Regards,
>>>> 
>>>> Theo

Re: [users@httpd] SSL Certs Not Loading

Posted by "Sweeny, Theo (Chief Customer Office)" <th...@directlinegroup.co.uk>.
The fix - 

Generate a chain certificate using the root and intermediate certificates. Also remove the root CA certificate.

cat Root-R1.cer Intermediate.cer >> chain.cer

Add the chain to the vhosts file
SSLCertificateChainFile /etc/httpd/conf/ssl/chain.cer

Also comment out 
#SSLCACertificateFile /etc/httpd/conf/ssl/Root-R1.cer

Finally SSL config 

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl/xxx.com.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl/xxx.com.key
SSLCertificateChainFile /etc/httpd/conf/ssl/chain.cer

Thanks for the help.

> On 25 Apr 2017, at 14:32, Robert Moskowitz <rg...@htt-consult.com> wrote:
> 
> On my Centos system, I would be looking at: /etc/httpd/logs/ssl_error_log for cert errors.
> 
> On 04/25/2017 03:18 PM, Sweeny, Theo (Chief Customer Office) wrote:
>> Hi Robert - the error found in  /content/logs/httpd/error.log
>> 
>> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>> 
>> I think it is a SSL cert issue, since adding the ssl certs the server has stopped working.
>> 
>>> On 25 Apr 2017, at 14:11, Robert Moskowitz <rg...@htt-consult.com> wrote:
>>> 
>>> So what does /content/logs/httpd/error.log say?
>>> 
>>> Often a permission problem.
>>> 
>>> On 04/25/2017 02:55 PM, Sweeny, Theo (Chief Customer Office) wrote:
>>>> Hello - I’ve installed new SSL certs on Apache v2.4.3 and for a single vhost - but the server won’t start.
>>>> 
>>>> The error logs are -
>>>> 
>>>> [Fri Apr 21 13:30:00.575805 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH02311: Fatal error initialising mod_ssl, exiting. See /content/logs/httpd/error.log for more information
>>>> 
>>>> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>>>> 
>>>> Can you offer some pointers?
>>>> 
>>>> Regards,
>>>> 
>>>> Theo

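A pre-flight check for the certificate files named by the directives in this thread, as an added example (not code from the thread or from the httpd project). AH01895 is logged when OpenSSL cannot load the SSLCACertificateFile trust store, and Python's ssl module calls the same OpenSSL loader, so the failure can be reproduced without starting Apache. The function names and the sample configuration are assumptions constructed for illustration.

```python
import os
import re
import ssl

# Directives from the thread whose argument is a PEM certificate file.
CERT_DIRECTIVES = {"sslcacertificatefile", "sslcertificatechainfile", "sslcertificatefile"}
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def cert_paths(conf_text):
    """Return (directive, path) for each active (uncommented) certificate directive."""
    found = []
    for line in conf_text.splitlines():
        # A leading '#' fails the \w+ match, so commented-out directives are skipped.
        m = re.match(r"\s*(\w+)\s+(\S+)", line)
        if m and m.group(1).lower() in CERT_DIRECTIVES:  # names are case-insensitive
            found.append((m.group(1), m.group(2).strip('"')))
    return found


def check_pem_file(path):
    """Return (ok, detail): can OpenSSL load this file as PEM certificates?"""
    if not os.path.isfile(path):
        return False, "file not found"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return False, f"not readable: {exc.strerror}"
    if PEM_BEGIN not in data:
        # 0x30 is the ASN.1 SEQUENCE tag that opens a binary (DER) certificate.
        kind = "binary DER, convert to PEM" if data[:1] == b"\x30" else "no certificate block"
        return False, f"not PEM ({kind})"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, f"OpenSSL rejected it: {exc}"
    loaded = ctx.cert_store_stats()["x509"]
    if loaded == 0:
        return False, "no certificates parsed"
    return True, f"{loaded} certificate(s) loaded"


def audit(conf_text):
    """Check every certificate file the configuration refers to."""
    return [(d, p) + check_pem_file(p) for d, p in cert_paths(conf_text)]


# Constructed sample: the thread's directives and paths, assumed pre-fix layout.
SAMPLE_CONF = """\
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl/xxx.com.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl/xxx.com.key
SSLCACertificateFile /etc/httpd/conf/ssl/Root-R1.cer
"""

if __name__ == "__main__":
    for directive, path, ok, detail in audit(SAMPLE_CONF):
        print(f"{'OK  ' if ok else 'FAIL'} {directive} {path}: {detail}")
```

Pass the text of the real vhost file to `audit()` on the server itself; any `FAIL` row names the file to inspect before restarting httpd.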
Re: [users@httpd] SSL Certs Not Loading

Posted by Robert Moskowitz <rg...@htt-consult.com>.
On my CentOS system, I would be looking at: /etc/httpd/logs/ssl_error_log for cert errors.

On 04/25/2017 03:18 PM, Sweeny, Theo (Chief Customer Office) wrote:
> Hi Robert - the error found in  /content/logs/httpd/error.log
>
> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>
> I think it is a SSL cert issue, since adding the ssl certs the server has stopped working.
>
>> On 25 Apr 2017, at 14:11, Robert Moskowitz <rg...@htt-consult.com> wrote:
>>
>> So what does /content/logs/httpd/error.log say?
>>
>> Often a permission problem.
>>
>> On 04/25/2017 02:55 PM, Sweeny, Theo (Chief Customer Office) wrote:
>>> Hello - I’ve installed new SSL certs on Apache v2.4.3 and for a single vhost - but the server won’t start.
>>>
>>> The error logs are -
>>>
>>> [Fri Apr 21 13:30:00.575805 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH02311: Fatal error initialising mod_ssl, exiting. See /content/logs/httpd/error.log for more information
>>>
>>> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>>>
>>> Can you offer some pointers?
>>>
>>> Regards,
>>>
>>> Theo


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL Certs Not Loading

Posted by "Sweeny, Theo (Chief Customer Office)" <th...@directlinegroup.co.uk>.
Hi Robert - the error found in  /content/logs/httpd/error.log 

[Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication

I think it is an SSL cert issue, since adding the SSL certs the server has stopped working.

> On 25 Apr 2017, at 14:11, Robert Moskowitz <rg...@htt-consult.com> wrote:
> 
> So what does /content/logs/httpd/error.log say?
> 
> Often a permission problem.
> 
> On 04/25/2017 02:55 PM, Sweeny, Theo (Chief Customer Office) wrote:
>> Hello - I’ve installed new SSL certs on Apache v2.4.3 and for a single vhost - but the server won’t start.
>> 
>> The error logs are -
>> 
>> [Fri Apr 21 13:30:00.575805 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH02311: Fatal error initialising mod_ssl, exiting. See /content/logs/httpd/error.log for more information
>> 
>> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>> 
>> Can you offer some pointers?
>> 
>> Regards,
>> 
>> Theo

Re: [users@httpd] SSL Certs Not Loading

Posted by Robert Moskowitz <rg...@htt-consult.com>.
So what does /content/logs/httpd/error.log say?

Often a permission problem.

On 04/25/2017 02:55 PM, Sweeny, Theo (Chief Customer Office) wrote:
> Hello - I’ve installed new SSL certs on Apache v2.4.3 and for a single vhost - but the server won’t start.
>
> The error logs are -
>
> [Fri Apr 21 13:30:00.575805 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH02311: Fatal error initialising mod_ssl, exiting. See /content/logs/httpd/error.log for more information
>
> [Fri Apr 21 13:30:00.575781 2017] [ssl:emerg] [pid 97:tid 140688597538624] AH01895: Unable to configure verify locations for client authentication
>
> Can you offer some pointers?
>
> Regards,
>
> Theo