Posted to users@httpd.apache.org by Peter Fleck <fl...@umn.edu> on 2003/10/09 18:51:49 UTC

[users@httpd] Apache 2 SSL Problem

[Followup thread to "Apache 2 VirtualHost and SSL" with new corrected 
info. I've tried to get more specific in asking for help.]

I'm looking for help in serving pages via SSL.

I'm using Apache 2.x running on Linux 9. I'm using name-based virtual 
hosting and understand I can only have a single SSL virtual host.

SSL is working and the server is listening on port 443. I've 
confirmed this with the curl tool and with netstat. The curl tool 
actually returns my index page.

curl also generates log entries in "ssl_access_log" and "ssl_request_log."

But if I try to access the server with a browser, using an "https" 
url, the connection is refused and nothing is logged.

Here's a brief summary of my setup. The port 80 sites are serving 
with no problem.

Main/default ServerName designation is www.cancer.umn.edu. This is 
also listed as ServerName for one of the virtual sites. AND it's the 
ServerName for the secure virtual site. Could this cause a problem?

I do have "NameVirtualHost 160.94.109.179:80" and then list the 
Virtual sites using IPs and ports as suggested on this list. So two 
VirtualHosts are 160.94.109.179:80 with two different ServerNames and 
the third is 160.94.109.179:443 with the 'www.cancer.umn.edu' 
ServerName specified.

One more thing, when I restart Apache, the following error is 
generated in "ssl_error_log." Since I generated my own certificate 
and key for testing, I thought it might have to do with that.

[warn] RSA server certificate is a CA certificate (BasicConstraints: 
CA == TRUE !?)

Thanks.
-- 
Peter Fleck
Webmaster | University of Minnesota Cancer Center
Dinnaken Office Bldg.
925 Delaware St. SE
Minneapolis, MN  55414
612-625-8668 | fleck004@umn.edu | www.cancer.umn.edu
Campus Mail: MMC 806

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache 2 SSL Problem

Posted by Peter Fleck <fl...@umn.edu>.
>Just to elaborate, here's some basic steps to follow to make a self-signed
>certificate for testing purposes only:
>
>1) mkdir ssl; chown root.root ssl; chmod 700 ssl; cd ssl

OK! I built a new certificate following Leif's excellent instructions 
but still get the same warning in the ssl_error_log:

[warn] RSA server certificate is a CA certificate (BasicConstraints: 
CA == TRUE !?)

and I still can't get a browser to even connect with https. So it 
must be a configuration problem.


Here's the info from the original email about my setup.

SSL is working and the server is listening on port 443. I've 
confirmed this with the curl tool and with netstat. The curl tool 
actually returns my index page.

curl also generates log entries in "ssl_access_log" and "ssl_request_log."

But if I try to access the server with a browser, using an "https" 
url, the connection is refused and nothing is logged.

Here's a brief summary of my setup. The port 80 sites are serving 
with no problem.

Main/default ServerName designation is www.cancer.umn.edu. This is 
also listed as ServerName for one of the virtual sites. AND it's the 
ServerName for the secure virtual site. Could this cause a problem?

I do have "NameVirtualHost 160.94.109.179:80" and then list the 
Virtual sites using IPs and ports as suggested on this list. So two 
VirtualHosts are 160.94.109.179:80 with two different ServerNames and 
the third is 160.94.109.179:443 with the 'www.cancer.umn.edu' 
ServerName specified.

-- 
Peter Fleck
Webmaster | University of Minnesota Cancer Center
Dinnaken Office Bldg.
925 Delaware St. SE
Minneapolis, MN  55414
612-625-8668 | fleck004@umn.edu | www.cancer.umn.edu
Campus Mail: MMC 806



Re: [users@httpd] Apache 2 SSL Problem

Posted by Leif W <wa...@usa.net>.
----- Original Message ----- 
From: "suomi" <ap...@ayni.com>
To: <us...@httpd.apache.org>
Sent: Thursday, October 09, 2003 1:41 PM
Subject: Re: [users@httpd] Apache 2 SSL Problem


> Regarding your first problem there you present too little info to say
> anything.
> regarding the CA certificate:
>
> you present poor apache a CA certificate, which you should not.
>  create a simple certificate based on this CA certificate and configure
> this certificate to apache.
> howto create a certificate:
>
> man openssl

Just to elaborate, here's some basic steps to follow to make a self-signed
certificate for testing purposes only:

1) mkdir ssl; chown root.root ssl; chmod 700 ssl; cd ssl

Make a protected, root owned ssl directory to hold your KEY, CSR, and CRT
files.

2) openssl genrsa -des3 1024 > www.xxx.com.key

Make the key.  If you're going to get a real certificate, then this file is
very important.  Do not lose.  Do not let it fall into wrong hands, etc..
Doing so will at the least cost you a new certificate, and at most all the
data protected by this certificate/key pair.  Note about the -des3 option:
specifying this option allows you to further encrypt the key with a pass
phrase.  This has the advantage of more protection, in the event the key
file is stolen, it is still protected.  This has the disadvantage, that
every time you start the server (i.e. during bootup, "apachectl startssl"),
you have to physically be at the computer console and enter the pass phrase
for each and every certificate.  To my knowledge there is no way to specify
the credentials programmatically, due to further security concerns (extreme
paranoia).

3) openssl req -new -key www.xxx.com.key > www.xxx.com.csr

Create the Certificate Signing Request (CSR).  The Common Name (CN)
specified here must match the address of the server exactly, (server.com and
www.server.com are two different things).

4) openssl req -x509 -days 30 -key www.xxx.com.key -in www.xxx.com.csr >
www.xxx.com.crt

Self-sign your certificate as if you were a Certificate Authority (CA).
This is the one-liner you pay all that money for.  Adjust the -days option
accordingly.

5) chown root.root *; chmod 400 *

Further protect your KEY, CSR, and CRT files.

Hope this helps,

Leif

> suomi
>



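Leif's procedure, as an added example that is not part of the original thread, with the check a practitioner would want after reading Peter's follow-up. With the stock openssl.cnf, `openssl req -x509` (Leif's step 4) applies the `[ v3_ca ]` extension section, which puts basicConstraints CA:TRUE on the self-signed certificate; that is exactly what mod_ssl's "RSA server certificate is a CA certificate" warning reports, which is why regenerating the certificate the same way did not silence it. The script below signs the CSR with an explicit extension file instead, so the result is a plain server certificate, and then inspects what it produced. The hostname www.example.test, the output directory, the extension file name and the function names are assumptions; the key is left unencrypted so the script runs non-interactively.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumes: openssl in PATH.
# Hostname, directory and function names below are hypothetical.
set -eu

# make_server_cert DIR CN [DAYS]
# Writes DIR/CN.key, DIR/CN.csr and DIR/CN.crt.  The certificate is signed
# with an explicit extension file so basicConstraints is CA:FALSE; with the
# stock openssl.cnf, "openssl req -x509" would apply [ v3_ca ] instead.
make_server_cert() {
    dir=$1; cn=$2; days=${3:-30}
    mkdir -p "$dir"; chmod 700 "$dir"

    # Unencrypted key so this runs unattended.  Add -aes256 for a
    # passphrase-protected key (Apache then prompts at startup).
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null

    # CSR: the CN must be the exact name browsers will use.
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" \
        -out "$dir/$cn.csr" 2>/dev/null

    # Server-certificate extensions (hypothetical file name server.ext).
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$cn" > "$dir/server.ext"

    # Self-sign the CSR with those extensions rather than the config defaults.
    openssl x509 -req -days "$days" -in "$dir/$cn.csr" -signkey "$dir/$cn.key" \
        -extfile "$dir/server.ext" -out "$dir/$cn.crt" 2>/dev/null

    chmod 400 "$dir/$cn.key" "$dir/$cn.csr" "$dir/$cn.crt"
}

# make_req_x509_cert DIR CN DAYS
# Leif's step 4 as written, for comparison: writes DIR/CN.ca-style.crt.
# With the stock openssl.cnf this applies [ v3_ca ] and yields CA:TRUE.
make_req_x509_cert() {
    openssl req -x509 -days "$3" -key "$1/$2.key" -in "$1/$2.csr" \
        -out "$1/$2.ca-style.crt" 2>/dev/null
}

# cert_is_ca CRT: prints "yes" if basicConstraints says CA:TRUE, else "no".
# This is the property mod_ssl's warning is about.
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# cert_cn CRT: prints the subject CN (works with "CN = x" and "/CN=x" output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_cert KEY CRT: "yes" if the key's public half is the one in the
# certificate, which catches a stale .crt after regenerating the key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}
```

Point SSLCertificateFile and SSLCertificateKeyFile at the .crt and .key; browsers will still complain that the certificate is self-signed, but a certificate with an explicit CA:FALSE is not a CA certificate, so mod_ssl has nothing to warn about. Run cert_is_ca on both outputs to see the difference between the two signing methods on your own openssl.cnf. If you do encrypt the key, mod_ssl's SSLPassPhraseDialog directive accepts exec:/path/to/program as an alternative to typing the passphrase at the console.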


Re: [users@httpd] Apache 2 SSL Problem

Posted by suomi <ap...@ayni.com>.
Regarding your first problem there you present too little info to say 
anything.
regarding the CA certificate:

you present poor apache a CA certificate, which you should not.
create a simple certificate based on this CA certificate and configure 
this certificate to apache.
howto create a certificate:

man openssl

suomi



Re: [users@httpd] Apache 2 SSL Problem

Posted by Peter Fleck <fl...@umn.edu>.
Resolved!

Thanks for the advice. It came down to a firewall that doesn't allow 
connections on port 443.
-- 
Peter Fleck
Webmaster | University of Minnesota Cancer Center
Dinnaken Office Bldg.
925 Delaware St. SE
Minneapolis, MN  55414
612-625-8668 | fleck004@umn.edu | www.cancer.umn.edu
Campus Mail: MMC 806



Re: [users@httpd] Apache 2 SSL Problem

Posted by Sagara Wijetunga <sa...@yahoo.com>.
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#refused

