Posted to users@httpd.apache.org by J Tom Moon 79 <jt...@gmail.com> on 2014/12/17 01:55:21 UTC
[users@httpd] apache 2.4 enable SSL for simple VirtualHost *:8843
I'm unable to simply enable SSL for a VirtualHost using a very simple
configuration.
I recently upgraded Ubuntu 12 to Ubuntu 14. Apache was upgraded from 2.2
to 2.4.7. I've checked the 2.4 docs for 2.2->2.4 changes and reviewed my
configuration scripts in depth.
I can create an unencrypted VirtualHost (http) but not an encrypted one
(https) on port 8843. I can browse to the site just fine with
http://server:8843 (I see the expected index.html file). If I try
https://server:8843 I get "ssl_error_rx_record_too_long" error (using
Firefox 33).
I've tried many options within the configuration files. I haven't
drastically changed any pre-configured apache configuration files. The
apache2 service does see my changes but just seems to not enable SSL.
Here is a selected summary of all the related files. Can anyone identify
what I'm missing?
----
__/etc/apache2/apache2.conf__
...
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel debug
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
...
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
__/etc/apache2/mods-enabled/ssl.load__
# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
__/etc/apache2/mods-enabled/ssl.conf__
<IfModule ssl_module>
# I've tried both of the following sets for SSLRandomSeed
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# tried with and without the next option
#SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLCipherSuite all
SSLProtocol all # tried this as 'HIGH:!aNULL:!MD5'
SSLInsecureRenegotiation on # tried this on and off
ErrorLog /var/log/apache2/mod_ssl.log
LogLevel debug
SSLStrictSNIVHostCheck Off
</IfModule>
__/etc/apache2/sites-enabled/ssl-test__
# tried with and without each of the following
#LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
#LoadModule ssl_module modules/mod_ssl.so
Listen 8843
<VirtualHost *:8843>
ServerName myserver
SSLEngine on # tried with this directive at the top and the bottom of this file
DocumentRoot /var/www/
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
SSLRequireSSL # tried with and without this directive
</Directory>
ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
SSLCertificateFile /etc/ssl/certs/test1.cert.pem
SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
# tried with and without all of the following directives
SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite HIGH
SSLProtocol -all +TLSv1 +SSLv3
#SSLProtocol all
SSLVerifyClient none
SSLProxyEngine off
SSLRequireSSL
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
</VirtualHost>
__/etc/apache2/ports.conf__
<IfModule ssl_module>
Listen 8843
</IfModule>
The user that runs apache2 is www-data.
I have tested that www-data and root can access the key files
/etc/ssl/certs/test1.cert.pem and /etc/ssl/private/test1.cert.key.
$ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/
I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is executable.
$ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
-rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so
I have tailed the relevant apache2 logs and checked for errors. I see these
SSL-related messages on startup (including one skip message for
127.0.0.1:80, but later there is a resuming message):
[ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing
(virtual) servers for SSL
[ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7
compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating
secret for digest authentication ...
[auth_digest:debug] [pid 21187:tid 139942871500672]
mod_auth_digest.c(250): AH01759: done
[ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181):
AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
[socache_shmcb:debug] [pid 21297:tid 140596905265024]
mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of
shared memory
...
[ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing
(virtual) servers for SSL
[ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7
compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7
(Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
[mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built:
Jul 22 2014 14:36:38
[core:notice] [pid 21297:tid 140596905265024] AH00094: Command line:
'/usr/sbin/apache2'
[mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829):
AH00294: Accept mutex: fcntl (default: sysvsem)
The openssl binary runs and supports ciphers:
$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...
I checked the apache2ctl binary compilation settings.
$ apache2ctl -V
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 22 2014 14:36:38
Server's Module Magic Number: 20120211:27
Server loaded: APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture: 64-bit
Server MPM: worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"
I checked apache2ctl settings
$ apache2ctl -S
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
VirtualHost configuration:
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/mod_ssl.log"
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
The apache2ctl syntax check is OK.
$ apache2ctl -t
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
Syntax OK
The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl
(and not /usr/sbin/apache2 ).
Any ideas on what I need to enable SSL for this VirtualHost?
Again, I can see an HTTP response on 8443 but never HTTPS.
--
-JamesThomasMoon1979
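The ssl_error_rx_record_too_long that Firefox reports in the post above is not a certificate or cipher problem. It is the error NSS raises when the bytes that come back in reply to its ClientHello do not parse as a TLS record, and the usual cause is a port that is still speaking plain HTTP: Apache answers the binary ClientHello with a plain-text HTTP response, and the first five bytes of that text, "HTTP/", read as a TLS record header give content type 0x48 and a length field of 0x502F = 20527 bytes, more than the 2^14 + 2048 bytes RFC 5246 allows a record to carry. That fits what the post shows: http://server:8843 works, and the apache2ctl -S output prints "VirtualHost configuration:" followed by no VirtualHost at all. The Python below is an added example, not code from the thread or from httpd: it hand-builds a minimal TLS 1.2 ClientHello, classifies the first bytes of whatever comes back, and can be pointed at a host and port to tell "plain HTTP on the https port" from a real TLS listener. The sample replies in it are constructed, not captured from the poster's server, and the SNI name, cipher-suite list and the probe helper are the example's own choices.

```python
"""Distinguish "plain HTTP answering on an https port" from a real TLS endpoint.

Added example for the thread above; not code from the thread or from httpd.
The ClientHello is built by hand so the verdict does not depend on what the
local OpenSSL is willing to negotiate.
"""
import os
import socket
import struct

# TLS record content types (RFC 5246, section 6.2.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Largest TLSCiphertext a TLS implementation has to accept: a 2^14-byte fragment
# plus 2048 bytes of expansion (RFC 5246). NSS reports SSL_ERROR_RX_RECORD_TOO_LONG
# when the length field of an incoming record exceeds what it accepts.
MAX_RECORD_LEN = 2 ** 14 + 2048

# Constructed sample replies (not captured from the poster's server):
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x41"  # handshake record, 65 bytes follow


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension (RFC 5246, RFC 6066)."""
    suites = b"".join(struct.pack("!H", s) for s in (
        0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256
        0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    ))
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                                                # client_version TLS 1.2
            + os.urandom(32)                                           # random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # compression: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(first_bytes: bytes) -> dict:
    """Read the first 5 reply bytes as a TLS record header and say what the peer is speaking."""
    if not first_bytes:
        return {"verdict": "empty", "reason": "peer closed the connection without sending anything"}
    if first_bytes.startswith(b"HTTP/"):
        verdict = "plain_http"
    elif len(first_bytes) >= 5 and first_bytes[0] in TLS_CONTENT_TYPES and first_bytes[1] == 3:
        verdict = "tls"
    else:
        verdict = "not_tls"
    info = {"verdict": verdict}
    if len(first_bytes) < 5:
        info["reason"] = "fewer than 5 bytes received"
        return info
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    info.update(content_type=ctype, version=(major, minor), record_length=length,
                record_too_long=length > MAX_RECORD_LEN)
    if verdict == "tls":
        info["reason"] = f"TLS {TLS_CONTENT_TYPES[ctype]} record of {length} bytes"
    else:
        info["reason"] = (f"first byte 0x{ctype:02x} is not a TLS content type; read as a record "
                          f"header the length field is {length}"
                          + (" (record too long)" if length > MAX_RECORD_LEN else ""))
    return info


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello, and classify whatever comes back first."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            while len(reply) < 5:
                chunk = sock.recv(5 - len(reply))
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    # usage: python tls_probe.py myserver 8843   (host and port come from the command line)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A plain_http verdict from the live probe means the VirtualHost carrying SSLEngine on is not the one bound to that port (or was never loaded at all); a tls verdict with an alert record means TLS is up and the handshake failed for some other reason, which the mod_ssl error log will name.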
Re: [users@httpd] Re: apache 2.4 enable SSL for simple VirtualHost *:8843
Posted by Daniel <df...@gmail.com>.
"simple configuration you say"?
I would certainly try to simplify it much more. You have many Ifmodules and
repeated directives and many directives you don't even need, as well as
dated ones, so to try to make it work better start by removing all
unnecessary stuff.
I would simply delete ALL that and try something simpler like this:
# Listen to force ipv4 and make sure this isn't your issue
Listen 0.0.0.0:8443
# Now Basic secure ssl config for 2.4 with all the stuff you will probably
need in most cases
# (don't try insecurerenegotiation again). I tried to make these directives
# based on your previous paths:
## SSL Server config
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
SSLProtocol all -SSLv3 -SSLv2
SSLCompression off
SSLCipherSuite TLSv1.2:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!EXP:!eNULL:!PSK
SSLHonorCipherOrder on
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shmcb:${APACHE_LOG_DIR}/ssl_gcache_data(512000)
###
# and now the SSL virtualhost
# SSLPassPhrase and all that will be needed IF your key is encrypted.
<VirtualHost *:8443>
ServerName myserver
DocumentRoot /var/www
# CustomLog needs a log format name as its second argument
CustomLog ${APACHE_LOG_DIR}/myserver-ssl.log combined
ErrorLog ${APACHE_LOG_DIR}/myserver-ssl-error.log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/test1.cert.pem
SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
# last but not least use the 2.4 access directives with "Require"
<Directory /var/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Once you have all this set up, make sure the virtualhost shows up in
"apachectl -S"; otherwise it is probably your config not loading the
virtualhost even though you may think it is doing so. At least the logs you
showed only mention 127.0.1.1:80.
IMHO, it is always better to resort to one single configuration file for
everything if the server is just a couple of virtualhosts.
Regards
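The apachectl -S check in the reply above is the decisive one, and the original post already contains its result: "VirtualHost configuration:" is followed by nothing. The reason is visible in the posted paths. The site file is /etc/apache2/sites-enabled/ssl-test, while apache2.conf includes only sites-enabled/*.conf, so the block with SSLEngine on is never read; port 8843 is still opened by the Listen in ports.conf, but it is served by the main server as plain HTTP, which is exactly what an https:// client then trips over. The Python below is an added example, not code from the thread or from the httpd project: it resolves the Include/IncludeOptional globs from apache2.conf relative to the server root (file globs only; directory includes are not handled), lists site files that no glob matches, reports which Listen ports end up with an SSLEngine-on VirtualHost, and flags the weak mod_ssl directives the reply strips out (SSLv3 still permitted, SSLInsecureRenegotiation on, a cipher list that does not exclude aNULL). The sample tree it builds is a constructed copy of the layout in the thread, not the poster's real files, with a fixed=True variant that applies the .conf rename and the reply's protocol and cipher values; the function names are the example's own.

```python
"""Audit an Apache 2.4 config tree: which files the Include globs load, which
Listen ports get an SSLEngine-on VirtualHost, and weak mod_ssl settings.
Added example; not the thread's or the httpd project's code."""
import glob
import os
import re
import tempfile

SECTION_RE = re.compile(r"^<(/?)(\w+)(?:\s+([^>]*))?>$")


def parse_file(path, root, loaded, directives):
    """Append (file, vhost, name, args) per directive, recursing into Include globs."""
    if path in loaded:
        return
    loaded.append(path)
    vhost = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            sec = SECTION_RE.match(line)
            if sec:  # only <VirtualHost> matters here; <IfModule>/<Directory> are read through
                if sec.group(2).lower() == "virtualhost":
                    vhost = None if sec.group(1) else sec.group(3)
                continue
            parts = line.split(None, 1)
            name, args = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            directives.append((path, vhost, name, args))
            if name in ("include", "includeoptional"):  # file globs relative to ServerRoot
                for inc in sorted(glob.glob(os.path.join(root, args))):
                    parse_file(inc, root, loaded, directives)


def port_of(addr):
    """'*:8843' -> 8843, '0.0.0.0:8443' -> 8443, '443' -> 443, '*' -> None."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def audit(root, main_conf="apache2.conf"):
    """Return loaded files, never-loaded site files, per-port TLS status and findings."""
    loaded, directives = [], []
    parse_file(os.path.join(root, main_conf), root, loaded, directives)
    rel_loaded = [os.path.relpath(p, root) for p in loaded]
    findings, listen_ports, vhosts = [], set(), {}
    for path, vhost, name, args in directives:
        where = os.path.relpath(path, root) + (f" <VirtualHost {vhost}>" if vhost else "")
        if vhost is not None:
            vhosts.setdefault(vhost, False)
        if name == "listen":
            listen_ports.add(port_of(args.split()[0]))
        elif name == "sslengine" and vhost is not None:
            vhosts[vhost] = args.lower() == "on"
        elif name == "sslprotocol":
            toks = args.split()
            if "+SSLv3" in toks or ("all" in [t.lower() for t in toks] and "-SSLv3" not in toks):
                findings.append(f"{where}: SSLProtocol {args} still permits SSLv3")
        elif name == "sslinsecurerenegotiation" and args.lower() == "on":
            findings.append(f"{where}: SSLInsecureRenegotiation on waives RFC 5746 secure renegotiation")
        elif name == "sslciphersuite" and (args.upper() == "ALL" or "!ANULL" not in args.upper()):
            findings.append(f"{where}: SSLCipherSuite {args} does not exclude anonymous (aNULL) suites")
    site_dir = os.path.join(root, "sites-enabled")
    orphans = [f for f in sorted(os.listdir(site_dir))
               if os.path.join("sites-enabled", f) not in rel_loaded] if os.path.isdir(site_dir) else []
    findings += [f"sites-enabled/{f} is never loaded: no Include pattern matches it" for f in orphans]
    ports = {}
    for port in sorted(p for p in listen_ports if p is not None):
        on_port = [on for v, on in vhosts.items() if any(port_of(a) == port for a in v.split())]
        ports[port] = "tls" if any(on_port) else ("plain" if on_port else "plain (main server)")
    for v, on in vhosts.items():
        if on and not any(port_of(a) in listen_ports for a in v.split()):
            findings.append(f"<VirtualHost {v}> has SSLEngine on but no Listen covers its port")
    return {"loaded": rel_loaded, "orphans": orphans, "ports": ports, "findings": findings}


def make_sample_tree(fixed=False):
    """Constructed copy of the thread's layout (not the poster's real files). fixed=True
    renames the site file to ssl-test.conf and uses the reply's protocol/cipher values."""
    root = tempfile.mkdtemp(prefix="apache2-audit-")
    ssl_conf = ("SSLProtocol all -SSLv3 -SSLv2\nSSLCipherSuite HIGH:!aNULL:!MD5\n" if fixed
                else "SSLProtocol all\nSSLCipherSuite all\nSSLInsecureRenegotiation on\n")
    files = {
        "apache2.conf": ("IncludeOptional mods-enabled/*.load\nIncludeOptional mods-enabled/*.conf\n"
                         "Include ports.conf\nIncludeOptional sites-enabled/*.conf\n"),
        "ports.conf": "Listen 80\n<IfModule ssl_module>\nListen 8843\n</IfModule>\n",
        "mods-enabled/ssl.conf": f"<IfModule ssl_module>\n{ssl_conf}</IfModule>\n",
        "sites-enabled/000-default.conf": "<VirtualHost *:80>\nDocumentRoot /var/www\n</VirtualHost>\n",
        "sites-enabled/ssl-test" + (".conf" if fixed else ""): (
            "<VirtualHost *:8843>\nServerName myserver\nSSLEngine on\nDocumentRoot /var/www\n"
            "SSLCertificateFile /etc/ssl/certs/test1.cert.pem\n"
            "SSLCertificateKeyFile /etc/ssl/private/test1.cert.key\n</VirtualHost>\n"),
    }
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Calling audit("/etc/apache2") on the poster's box would list sites-enabled/ssl-test as never loaded and report 8843 as "plain (main server)"; after the rename to ssl-test.conf and a restart (Apache reads its configuration only at start or reload) the same call should report 8843 as "tls", and apachectl -S should finally list the VirtualHost.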
[users@httpd] Re: apache 2.4 enable SSL for simple VirtualHost *:8843
Posted by J Tom Moon 79 <jt...@gmail.com>.
Also, the RSA key files were generated with the following command:
$ sudo openssl req -x509 -nodes -days 730 -newkey "rsa:512" \
    -subj '/C=US/ST=WA/L=Sea/O=Company Inc/OU=my-team' \
    -keyout /etc/ssl/private/test1.cert.key -out /etc/ssl/certs/test1.cert.pem
There were no apparent problems.
--
-J Tom Moon 79
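Separately from the VirtualHost problem, the command above generates the key with -newkey rsa:512. A 512-bit RSA modulus has been publicly factored and is far below the 2048 bits expected today, and current browsers reject server keys shorter than 1024 bits, so once the VirtualHost loads this certificate should be regenerated with rsa:2048 or larger before anything relies on it. The -nodes key is written unencrypted, which is normal for an unattended server but makes file permissions its only protection: keep it root-owned with mode 0600 (Apache loads the key in the parent process before dropping to www-data), and delete the copy that the earlier permission test left in /tmp. The Python below is an added example, not the thread's code: it reads the modulus size straight out of the PEM file's ASN.1 so the check runs wherever the key lives, handling both the PKCS#8 (BEGIN PRIVATE KEY) and PKCS#1 (BEGIN RSA PRIVATE KEY) encodings. The sample keys it builds are constructed, structurally valid placeholders rather than real keys, and the 2048-bit threshold is the example's own setting.

```python
"""Report the RSA modulus size of a PEM private key without calling openssl.

Added example for the follow-up above; not the thread's code. Handles
PKCS#8 ("BEGIN PRIVATE KEY") and PKCS#1 ("BEGIN RSA PRIVATE KEY") files.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
MINIMUM_BITS = 2048                              # this example's threshold


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):
    """DER INTEGER for a non-negative int (a leading 0x00 keeps the sign bit clear)."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def der_children(value):
    """Split a SEQUENCE's value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def rsa_modulus_bits(pem):
    """Bit length of n from a PKCS#1 or PKCS#8 RSA private key in PEM."""
    label, der = pem_to_der(pem)
    fields = der_children(der_read(der)[1])
    if label == "PRIVATE KEY":                   # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        oid = der_children(fields[1][1])[0][1]
        if oid != RSA_OID:
            raise ValueError("PKCS#8 key is not rsaEncryption")
        fields = der_children(der_read(fields[2][1])[1])
    elif label != "RSA PRIVATE KEY":
        raise ValueError(f"unsupported PEM label: {label}")
    tag, modulus = fields[1]                     # PKCS#1: version, n, e, d, p, q, dP, dQ, qInv
    if tag != 0x02:
        raise ValueError("malformed RSAPrivateKey")
    return int.from_bytes(modulus, "big").bit_length()


def key_strength(pem, minimum=MINIMUM_BITS):
    """(modulus bits, acceptable?) for the key in pem."""
    bits = rsa_modulus_bits(pem)
    return bits, bits >= minimum


def make_sample_key(modulus_bits, pkcs8=False):
    """Constructed, structurally valid RSA private key PEM with a dummy modulus of
    the requested size. NOT a usable key: e, d and the CRT fields are placeholders."""
    n = (1 << (modulus_bits - 1)) | 1            # odd, exactly modulus_bits long
    pkcs1 = der_seq(der_int(0), der_int(n), der_int(65537), *(der_int(3) for _ in range(6)))
    if pkcs8:
        alg = der_seq(b"\x06" + der_len(len(RSA_OID)) + RSA_OID, b"\x05\x00")
        der, label = der_seq(der_int(0), alg, b"\x04" + der_len(len(pkcs1)) + pkcs1), "PRIVATE KEY"
    else:
        der, label = pkcs1, "RSA PRIVATE KEY"
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    import sys
    # usage (as root): python rsa_key_bits.py /etc/ssl/private/test1.cert.key
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(key_strength(fh.read()))
```

Run against the key the command above produced, the script prints (512, False); regenerating with -newkey rsa:2048 gives (2048, True).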