Posted to users@httpd.apache.org by Rex Brooks <re...@starbourne.com> on 2006/05/14 17:38:49 UTC

Re: [users@httpd] Correction & Question: SSLCertificateFile: RedHat (RHEL4) apache startup failure: ebxml-registry-repository on tomcat on port 6480, with Mambo LAMP Portal on port 8080: Despite Self-Signed Cert: [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

Note: Please don't be shy if you have expertise in the effect of 
permissions on cacert.pem, server.crt, privkey.pem and server.key on 
whether or not apache2.0 in RHEL4 will start.

Just to confirm the error message that the configuration of SSL is 
truly at fault, I removed the mod_ssl package and apache did indeed 
start, though neither the (mysql-php) portal on port 8080 nor the 
ebxmlrr3.0 freebxmlrr-3.0-beta1 registry (Apache Derby-JSP, JSF) 
using Tomcat 5.0.28 on port 6480 would accept connections.

Thanks,
Rex

>Thanks again, Richard,
>
>I missed this message due to a series of 12-hour days during last 
>week's OASIS Symposium.
>
>I apologize. I'm still working my way out of the backup. I 
>appreciate your follow-through very much,
>
>Answers inline.
>
>
>At 11:46 AM -0700 5/9/06, Richard de Vries wrote:
>>Are you using a separate configuration file for your
>>SSL instance?
>>
>>Let's start with a couple of basic things.
>>
>>1) Do you have the SSL configuration between <IfModule
>>XXXX> tags? If so, what is your XXXX set to in this
>>case?
>
>There is no SSL configuration between <IfModule XXXX> tags. I have 
>Apache2.0 in RHEL 4, so I have an ssl.conf file in directory 
>/etc/httpd/conf.d.
>
>>2) SSLCertificateFile and SSLCertificateKeyFile point
>>to valid files right? Can you do a ls -al on that file
>>location?
>
>Yes.
>
>>3) Sometimes, some programs refuse to enable SSL if
>>the certificates are publicly readable. How are your
>>permissions on these files?
>
>[root@XXXX ssl.crt]# ls -al
>total 40
>drwx------  2 root root 4096 May 13 08:06 .
>drwxr-xr-x  7 root root 4096 May 13 08:23 ..
>-rw-r--r--  1 root root 1773 May  8 17:22 cacert.pem
>-rw-r--r--  1 root root 1522 Feb 28  2005 Makefile.crt
>-rw-------  1 root root 1497 May  8 21:27 server.crt
>[root@XXX ssl.crt]# cd ..
>[root@@XXX conf]# cd ssl.key
>[root@XXX ssl.key]# ls -al
>total 48
>drwx------  2 root root 4096 Feb 28  2005 .
>drwxr-xr-x  7 root root 4096 May 13 08:23 ..
>-rw-r--r--  1 root root 1751 May  8 17:18 privkey.pem
>-rw-------  1 root root  963 May  8 21:23 server.key
>[root@XXX ssl.key]#
>
>>
>>Let's start with these steps, then work ourselves thru
>>your configuration. I don't think re-installing apache
>>would necessarily fix anything.
>
>There are the permissions. You're right, re-installing wouldn't 
>change this. ????
>
>Thanks again,
>Rex
>
>>   Richard
>>--- Rex Brooks <re...@starbourne.com> wrote:
>>
>>>  Thanks Richard,
>>>
>>>  I appreciate that you took the time to answer. So far you are the
>>>  only one. This installation is on RedHat Enterprise Linux4 and
>>>  Apache2.0 and I have tried the Key-Certificate generation
>>>  instructions detailed in the System Administration Guide Ch.
>>>  26.6-26.8.
>>>
>>>  I tried the freebsd instructions at the url you advised, and what
>>>  happened was that the certificate signing request could not open the
>>>  key. I have also downloaded and tried with openssl-0.9.8b. I was able
>>>  to generate the server.key and server.crt but httpd still does not
>>>  start.
>>>
>>>  The Admin Guide instructions also result in what ought to be a valid
>>>  server key in the ssl.key directory and a server.crt in the ssl.crt
>>>  directory as specified in the ssl.conf file in the /etc/httpd/conf
>>>  directory, but httpd still does not start.
>>>
>>>  Here is the terminal output when attempting to start httpd:
>>>
>>>  [root@c-xxx-xxx-xxx-xxx ~]# service httpd start
>>>  Starting httpd: [Mon May 08 06:20:21 2006] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 557 will probably never match because it overlaps an earlier AliasMatch.
>>>  Warning: DocumentRoot [/home/xxx/jakarta-tomcat-5.0.28] does not exist
>>>                                                            [FAILED]
>>>  [root@c-xxx-xxx-xxx-xxx ~]#
>>>
>>>  Here is the httpd error_log for that sequence:
>>>
>>>  [Mon May 08 06:20:21 2006] [notice] core dump file size limit raised to 4294967295 bytes
>>>  [Mon May 08 06:20:22 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>  [Mon May 08 06:20:22 2006] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
>>>
>>>  It's beginning to look like I will have to reinstall
>>>  apache.
>>>
>>>  Regards,
>>>  Rex
>>>
>>>  >What error are you getting?
>>>  >
>>>  >Try following the instructions at this URL. They've
>>>  >always worked for me:
>>>  >
>>>  >http://www.corserv.com/freebsd/apache-ssl-howto.html
>>>  >
>>>  >--- Rex Brooks <re...@starbourne.com> wrote:
>>>  >
>>>  >>  Please see my previous post for details.
>>>  >>
>>>  >>  I said that mod_ssl was not installed, but a double check showed
>>>  >>  that it is.
>>>  >>
>>>  >>  My question is only about filenames for SSLCertificateFile and/or
>>>  >>  SSLCertificateKeyFile.
>>>  >>
>>>  >>  ApacheSSL Documentation says at
>>>  >>  http://www.apache-ssl.org/docs.html#SSLCertificateFile:
>>>  >>
>>>  >>  This is your PEM-encoded server certificate (strictly, it is what
>>>  >>  SSLeay calls PEM, which isn't really).
>>>  >>
>>>  >>  Example:
>>>  >>
>>>  >>  SSLCertificateFile /usr/local/apache/certs/my.server.pem
>>>  >>
>>>  >>  What the process described in RedHat Sys. Admin. Guide Ch. 26.6-26.8
>>>  >>  produces in the file ssl.conf located in /etc/httpd/conf.d/ used to
>>>  >>  configure SSL support is:
>>>  >>
>>>  >>  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>>>  >>
>>>  >>  and
>>>  >>
>>>  >>  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>>  >>
>>>  >>  There is a file named server.crt in the specified location, and a
>>>  >>  server.key file in its corresponding location. Could this lack of a
>>>  >>  PEM-encoded server certificate, however it is produced, be the root
>>>  >>  cause of httpd start failure?
>>>  >>
>>>  >>  I have downloaded and installed openssl-0.9.8b and I have also now
>>>  >>  generated a privkey.pem and a cacert.pem and I have put them in the
>>>  >>  same directories as the ssl.conf file specified, and edited that file
>>>  >>  to reflect that, rebooted and httpd still fails to start.
>>>  >>
>>>  >>
>>>  >>  Regards,
>>>  >>  Rex Brooks
>>>  >>
>>>  >>
>>>  >>  --
>>>  >>  Rex Brooks
>>>  >>  President, CEO
>>>  >>  Starbourne Communications Design
>>>  >>  GeoAddress: 1361-A Addison
>>>  >>  Berkeley, CA 94702
>>>  >>  Tel: 510-849-2309
>>>  >>
>>>  >>
>>>  >>  ---------------------------------------------------------------------
>>>  >>  The official User-To-User support forum of the Apache HTTP Server Project.
>>>  >>  See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>  >>  To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>  >>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>  >>  For additional commands, e-mail: users-help@httpd.apache.org
>>>  >>
>>>  >>
>>>  >
>>>  >
>>>
>>>
>>>  --
>>>  Rex Brooks
>>>  President, CEO
>>>  Starbourne Communications Design
>>>  GeoAddress: 1361-A Addison
>>>  Berkeley, CA 94702
>>>  Tel: 510-849-2309
>>>
>>>
>>
>>
>
>
>--
>Rex Brooks
>President, CEO
>Starbourne Communications Design
>GeoAddress: 1361-A Addison
>Berkeley, CA 94702
>Tel: 510-849-2309
>


-- 
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
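
The checks asked about in the quoted replies above (do SSLCertificateFile and SSLCertificateKeyFile point at real files, are those files PEM, and who can read the key), written as a small pre-flight script. This is an added example, not part of the original message or of the Apache or Red Hat tooling; the function names are hypothetical and it assumes paths without spaces or colons.

```shell
#!/bin/sh
# Added example: pre-flight check for the files named in an ssl.conf.
# Function names are illustrative; paths must not contain spaces or ':'.

# Print the path given to the first uncommented use of directive $2 in file $1.
directive_path() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Succeed if file $1 has a PEM "BEGIN" line whose label ends with $2
# (so "RSA PRIVATE KEY" passes, "CERTIFICATE REQUEST" does not).
has_pem_block() {
    grep -Eq -- "^-----BEGIN ([A-Z0-9]+ )*$2-----" "$1"
}

# Succeed if the group and other permission bits of $1 are all clear.
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Check both directives in config $1; print findings, return the problem count.
check_ssl_conf() {
    problems=0
    crt=$(directive_path "$1" SSLCertificateFile)
    key=$(directive_path "$1" SSLCertificateKeyFile)
    for pair in "SSLCertificateFile:$crt:CERTIFICATE" \
                "SSLCertificateKeyFile:$key:PRIVATE KEY"; do
        name=${pair%%:*}; rest=${pair#*:}; file=${rest%%:*}; label=${rest#*:}
        if [ -z "$file" ]; then
            echo "$name: directive not set"; problems=$((problems + 1))
        elif [ ! -r "$file" ]; then
            echo "$name: $file missing or unreadable"; problems=$((problems + 1))
        elif ! has_pem_block "$file" "$label"; then
            echo "$name: $file has no PEM $label block"; problems=$((problems + 1))
        fi
    done
    if [ -n "$key" ] && [ -e "$key" ] && ! owner_only "$key"; then
        echo "SSLCertificateKeyFile: $key is accessible to group or other"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh thisfile.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then check_ssl_conf "$1"; fi
```

The exit status is the number of problems found. With SSLCertificateKeyFile pointed at a file with the mode shown for privkey.pem in the listing (-rw-r--r--), the last check reports it as accessible to group or other.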
