Posted to users@httpd.apache.org by Rex Brooks <re...@starbourne.com> on 2006/05/15 18:49:54 UTC
[users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
I'm still stuck with httpd not starting while mod_ssl is included in
Apache2.0 in RHEL4.
httpd will start without mod_ssl.
However, connection is then refused at both of the Virtual Hosts I'm
using together:
Default=mysqld-php portal;
Other=Derby-tomcat-jsp ebxmlrr registry;
so I turned mod_ssl back on.
error_log:
[date-time] [notice] core dump file size limit raised to 4294967295 bytes
[date-time] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[date-time] [error] Server should be SSL-aware but has no certificate
configured [Hint: SSLCertificateFile]
Note: 'SSLEngine on' is specified in both the httpd.conf and the
ssl.conf files. I found one question in my research where this
duplication was a problem in conjunction with duplicated ssl
variables/settings. Unfortunately the version of apache and OS were
not specified, but removing 'SSLEngine on' from httpd.conf caused no
change in the condition, so I returned to initial conditions again.
Vitals:
ssl.conf:
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd.conf/sslkey/server.key
permissions:
[root@XXXX ssl.crt]# ls -al
total 40
drwx------ 2 root root 4096 May 13 08:06 .
drwxr-xr-x 7 root root 4096 May 13 08:23 ..
-rw-r--r-- 1 root root 1773 May 8 17:22 cacert.pem
-rw-r--r-- 1 root root 1522 Feb 28 2005 Makefile.crt
-rw------- 1 root root 1497 May 8 21:27 server.crt
[root@XXX ssl.crt]# cd ..
[root@@XXX conf]# cd ssl.key
[root@XXX ssl.key]# ls -al
total 48
drwx------ 2 root root 4096 Feb 28 2005 .
drwxr-xr-x 7 root root 4096 May 13 08:23 ..
-rw-r--r-- 1 root root 1751 May 8 17:18 privkey.pem
-rw------- 1 root root 963 May 8 21:23 server.key
As you can see, the server.crt and server.key files are not publicly
readable, but I do not have specific lines in ssl.conf for cacert.pem
or privkey.pem. The documentation for apache-ssl specifically mentions
pem-encoding as does the Apache Model mod_ssl documentation. Could
this be a problem?
The SSLCACertificatePath is commented in ssl.conf. Could this be a problem?
I haven't changed or questioned all of the variables, including
DocumentRoot and ServerName which are also commented.
I have to find a solution to this. It's one of those things that just
isn't optional for me. Sorry to be a pain.
Rex
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Bill Jones <te...@gmail.com>.
On 5/15/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> I wrote support/win32/wintty.c to create a console window on the fly for
> such a dialog, letting the service speak with the user at the console.
> Obviously, it's win32 specific. But I can't imagine it would be impossible
> to create a similar tty piped window applet on Unix, if someone is up to
> the challenge.
Maybe reimplemented as an irssi ncurses window?
I was thinking something along these lines earlier trying various ssh
Perl scripts but I do not know how to handle detecting the local
console versus someone who is ssh'ed in restarting the server (at any
rate I have never gotten the Enter Passphrase prompt when using
service httpd start) -- bottom line is that some human will have to
enter the passphrase manually =(
--
WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Rex Brooks <re...@starbourne.com>.
Thanks Bill,
I will be running Bill Jones' suggestion first in the a.m. around
4:00 a.m. We'll see where I go from there. I will post the results as
soon as I know. Given the project this effort is designed for,
security concerns are going to get more, not less important, but I
will just have to deal with that when I get there.
Thanks very much,
Rex
At 10:35 PM -0500 5/15/06, William A. Rowe, Jr. wrote:
>Rex Brooks wrote:
>>
>>I have Apache2 in RHEL4, so I am assuming that the SSL Sections you
>>refer to are in ssl.conf which is loaded as a DSO.
>>
>>I understand that httpd must be able to read the crt/pem file.
>>
>>I did specify a pass phrase when I created the key/crt. However, I
>>do not get a request asking me to supply the pass phrase when I
>>enter: service httpd start. I just get the same FAILED notice with
>>the same error in the error_log.
>
>If it is in fact 'tripping' over the passphrase, and stdin/stdout aren't
>providing access to the console from 'service httpd start' in redhat, you
>might want to look at the SSLPassphraseDialog applet. One option is to pass
>a pipe:/path/to/binary that can invoke a pipe program which queries all of
>the passphrases.
>
>I wrote support/win32/wintty.c to create a console window on the fly for
>such a dialog, letting the service speak with the user at the console.
>Obviously, it's win32 specific. But I can't imagine it would be impossible
>to create a similar tty piped window applet on Unix, if someone is up to
>the challenge.
>
>There are simpler SSLPassphraseDialog alternatives, see...
>http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog
>(I just noticed the pipe:/path/to/pipe is undocumented; whoops!)
>
>Bill
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Rex Brooks <re...@starbourne.com>.
Thanks again, Bill,
Thinking through this as I tried Bill Jones' suggestions, it appears
that the PassPhrase with or without a dialog applet is not at fault
here.
The first time this start failure occurred it was immediately after
registering a new user in the ebxmlrr-3.0-beta1 registry using the
web browser interface where the instructions walk you through the
process of importing the key into the browser.
At 10:35 PM -0500 5/15/06, William A. Rowe, Jr. wrote:
>Rex Brooks wrote:
>>
>>I have Apache2 in RHEL4, so I am assuming that the SSL Sections you
>>refer to are in ssl.conf which is loaded as a DSO.
>>
>>I understand that httpd must be able to read the crt/pem file.
>>
>>I did specify a pass phrase when I created the key/crt. However, I
>>do not get a request asking me to supply the pass phrase when I
>>enter: service httpd start. I just get the same FAILED notice with
>>the same error in the error_log.
>
>If it is in fact 'tripping' over the passphrase, and stdin/stdout aren't
>providing access to the console from 'service httpd start' in redhat, you
>might want to look at the SSLPassphraseDialog applet. One option is to pass
>a pipe:/path/to/binary that can invoke a pipe program which queries all of
>the passphrases.
>
>I wrote support/win32/wintty.c to create a console window on the fly for
>such a dialog, letting the service speak with the user at the console.
>Obviously, it's win32 specific. But I can't imagine it would be impossible
>to create a similar tty piped window applet on Unix, if someone is up to
>the challenge.
>
>There are simpler SSLPassphraseDialog alternatives, see...
>http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog
>(I just noticed the pipe:/path/to/pipe is undocumented; whoops!)
>
>Bill
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Rex Brooks wrote:
>
> I have Apache2 in RHEL4, so I am assuming that the SSL Sections you
> refer to are in ssl.conf which is loaded as a DSO.
>
> I understand that httpd must be able to read the crt/pem file.
>
> I did specify a pass phrase when I created the key/crt. However, I do
> not get a request asking me to supply the pass phrase when I enter:
> service httpd start. I just get the same FAILED notice with the same
> error in the error_log.
If it is in fact 'tripping' over the passphrase, and stdin/stdout aren't
providing access to the console from 'service httpd start' in redhat, you
might want to look at the SSLPassphraseDialog applet. One option is to pass
a pipe:/path/to/binary that can invoke a pipe program which queries all of
the passphrases.
I wrote support/win32/wintty.c to create a console window on the fly for
such a dialog, letting the service speak with the user at the console.
Obviously, it's win32 specific. But I can't imagine it would be impossible
to create a similar tty piped window applet on Unix, if someone is up to
the challenge.
There are simpler SSLPassphraseDialog alternatives, see...
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog
(I just noticed the pipe:/path/to/pipe is undocumented; whoops!)
Bill
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Rex Brooks <re...@starbourne.com>.
Thanks Bill,
Since I am a morning person, I will do this at about 4:00 a.m. in the
morning here on the left coast. I would love to try it now and
confirm it, but I've learned better. I just want to be on the safe
side, or the safe side, and I know for sure I am better at being
careful in the early a.m.
I will post the results as soon as I know.
Thanks again,
Rex
At 10:19 PM -0400 5/15/06, Bill Jones wrote:
>On 5/15/06, Rex Brooks <re...@starbourne.com> wrote:
>
>>I did specify a pass phrase when I created the key/crt. However, I do
>>not get a request asking me to supply the pass phrase when I enter:
>>service httpd start. I just get the same FAILED notice with the same
>>error in the error_log.
>
>You likely won't get a request if you use "service httpd start" -- we
>will try to resolve this step by step; please read all this mess
>before attempting any of it.
>
>First off before we start please back up everything and place the back
>up in a safe place; you probably should back it up twice to be safe.
>:-)
>
>Next, before you install my version of your ssl.conf please try this
>command sequence first: ( Found at:
>http://www.modssl.org/docs/2.8/ssl_faq.html#ToC30 )
>
># become root
>su -
>
># cd to the directory where the server key file is and execute
>cp server.key server.key.PW_BackUp
>cp server.key server.key.orig
>
># Remove the passphrase from the server key
>openssl rsa -in server.key.org -out server.key
>
># Make sure the server.key file is now only readable by root:
>chown root:root server.key && chmod 0400 server.key
>
># NOTE -
># Make sure you substitute your file names for the above "server key"
>
># Lastly -- try to start the server
>service httpd start
>
># various commands to see if it's really running -
>lsof |grep -i tcp |grep -i http
>netstat -plan |grep 80
>tcpdump port 80
>
>If that works then we know that you cannot start apache using "service"
>-- you'll either have to not use a passphrase (which is up to company
>security policy) or always start the "/etc/init.d/httpd restart" by
>hand -- so it will prompt you for the passphrase.
>
>If the above does not work you are welcome to try out my version of
>the ssl.conf -- please make two backups of your original first. But I
>feel strongly that the above passphrase issue is partially, if not
>completely, at fault.
>
>
>HTH/Sx
>--
>WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Rex Brooks <re...@starbourne.com>.
Thanks Bill,
Sounds like a plan. Did not know about octal. As for SSL being at
fault, I based that only on the error message and the fact that
removing mod_ssl allows httpd to start. The fact that it starts but
won't accept connections seems significant, and it seems like the
VirtualHost settings in httpd.config and ssl.conf might be another
set of tests to consider. However, one thing at a time.
Thanks again,
Rex
At 9:45 AM -0400 5/16/06, Bill Jones wrote:
>On 5/16/06, Rex Brooks <re...@starbourne.com> wrote:
>
>>
>>openssl rsa -in server.key.orig -out server.key
>
>OK; sorry.
>
>>also the chmod 0400 should be chmod 400, but neither of those
>
>It's octal so 0400 is correct but 400 and 0400 are the same =)
>
>>impacted the results: The passphrase was removed but httpd still
>>failed to start.
>
>There's another issue then with possibly one of the other modules you
>want to run... Can you try to start with both or either disabled to
>see if SSL comes up?
>
>>We KNOW mod_ssl is at fault here, since, beyond the error message,
>
>Are we so sure that when all else fails ssl is at fault? =)
>
>>httpd starts when mod_ssl is removed. We also know that when it is
>>removed the VirtualHosts won't accept connections. AND, it appears
>>that the PassPhrase is not responsible. (Note, I said, appears, since
>>I am wondering if I actually need to be logged in as my user and then
>>become root, instead of being logged in as root, which I have been?)
>
>Logged in as root is required to 'start' apache -- what ID does it run as?
>
>>Regardless, there ought to be a process of elimination which will
>>isolate the culprit in here somewhere.
>
>I would try it with SSL only and see if it works, then slowly add each
>additional requirement to see what breaks, etc.
>
>--
>WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
>
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Bill Jones <te...@gmail.com>.
On 5/16/06, Rex Brooks <re...@starbourne.com> wrote:
>
> openssl rsa -in server.key.orig -out server.key
OK; sorry.
> also the chmod 0400 should be chmod 400, but neither of those
It's octal so 0400 is correct but 400 and 0400 are the same =)
> impacted the results: The passphrase was removed but httpd still
> failed to start.
There's another issue then with possibly one of the other modules you
want to run... Can you try to start with both or either disabled to
see if SSL comes up?
> We KNOW mod_ssl is at fault here, since, beyond the error message,
Are we so sure that when all else fails ssl is at fault? =)
> httpd starts when mod_ssl is removed. We also know that when it is
> removed the VirtualHosts won't accept connections. AND, it appears
> that the PassPhrase is not responsible. (Note, I said, appears, since
> I am wondering if I actually need to be logged in as my user and then
> become root, instead of being logged in as root, which I have been?)
Logged in as root is required to 'start' apache -- what ID does it run as?
> Regardless, there ought to be a process of elimination which will
> isolate the culprit in here somewhere.
I would try it with SSL only and see if it works, then slowly add each
additional requirement to see what breaks, etc.
--
WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Rex Brooks <re...@starbourne.com>.
I tried both of Bill's suggestions and neither solved the problem
yet. The error message steadfastly remains the same. At least it's
consistent.
Just a slight note, there was a typo on the modssl.org page which got
transferred:
openssl rsa -in server.key.org -out server.key
should be:
openssl rsa -in server.key.orig -out server.key
also the chmod 0400 should be chmod 400, but neither of those
impacted the results: The passphrase was removed but httpd still
failed to start.
We KNOW mod_ssl is at fault here, since, beyond the error message,
httpd starts when mod_ssl is removed. We also know that when it is
removed the VirtualHosts won't accept connections. AND, it appears
that the PassPhrase is not responsible. (Note, I said, appears, since
I am wondering if I actually need to be logged in as my user and then
become root, instead of being logged in as root, which I have been?)
Regardless, there ought to be a process of elimination which will
isolate the culprit in here somewhere.
Unfortunately, SSL is not optional.
Thanks,
Rex
>On 5/15/06, Rex Brooks <re...@starbourne.com> wrote:
>
>>I did specify a pass phrase when I created the key/crt. However, I do
>>not get a request asking me to supply the pass phrase when I enter:
>>service httpd start. I just get the same FAILED notice with the same
>>error in the error_log.
>
>You likely won't get a request if you use "service httpd start" -- we
>will try to resolve this step by step; please read all this mess
>before attempting any of it.
>
>First off before we start please back up everything and place the back
>up in a safe place; you probably should back it up twice to be safe.
>:-)
>
>Next, before you install my version of your ssl.conf please try this
>command sequence first: ( Found at:
>http://www.modssl.org/docs/2.8/ssl_faq.html#ToC30 )
>
># become root
>su -
>
># cd to the directory where the server key file is and execute
>cp server.key server.key.PW_BackUp
>cp server.key server.key.orig
>
># Remove the passphrase from the server key
>openssl rsa -in server.key.org -out server.key
>
># Make sure the server.key file is now only readable by root:
>chown root:root server.key && chmod 0400 server.key
>
># NOTE -
># Make sure you substitute your file names for the above "server key"
>
># Lastly -- try to start the server
>service httpd start
>
># various commands to see if it's really running -
>lsof |grep -i tcp |grep -i http
>netstat -plan |grep 80
>tcpdump port 80
>
>If that works then we know that you cannot start apache using "service"
>-- you'll either have to not use a passphrase (which is up to company
>security policy) or always start the "/etc/init.d/httpd restart" by
>hand -- so it will prompt you for the passphrase.
>
>If the above does not work you are welcome to try out my version of
>the ssl.conf -- please make two backups of your original first. But I
>feel strongly that the above passphrase issue is partially, if not
>completely, at fault.
>
>
>HTH/Sx
>--
>WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Bill Jones <te...@gmail.com>.
On 5/15/06, Rex Brooks <re...@starbourne.com> wrote:
> I did specify a pass phrase when I created the key/crt. However, I do
> not get a request asking me to supply the pass phrase when I enter:
> service httpd start. I just get the same FAILED notice with the same
> error in the error_log.
You likely won't get a request if you use "service httpd start" -- we
will try to resolve this step by step; please read all this mess
before attempting any of it.
First off before we start please back up everything and place the back
up in a safe place; you probably should back it up twice to be safe.
:-)
Next, before you install my version of your ssl.conf please try this
command sequence first: ( Found at:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC30 )
# become root
su -
# cd to the directory where the server key file is and execute
cp server.key server.key.PW_BackUp
cp server.key server.key.orig
# Remove the passphrase from the server key
openssl rsa -in server.key.org -out server.key
# Make sure the server.key file is now only readable by root:
chown root:root server.key && chmod 0400 server.key
# NOTE -
# Make sure you substitute your file names for the above "server key"
# Lastly -- try to start the server
service httpd start
# various commands to see if it's really running -
lsof |grep -i tcp |grep -i http
netstat -plan |grep 80
tcpdump port 80
If that works then we know that you cannot start apache using "service"
-- you'll either have to not use a passphrase (which is up to company
security policy) or always start the "/etc/init.d/httpd restart" by
hand -- so it will prompt you for the passphrase.
If the above does not work you are welcome to try out my version of
the ssl.conf -- please make two backups of your original first. But I
feel strongly that the above passphrase issue is partially, if not
completely, at fault.
HTH/Sx
--
WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
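The checks discussed in the first post and in the procedure above (do the files named by SSLCertificateFile and SSLCertificateKeyFile exist, is the key passphrase-protected, is the key readable by anyone but its owner) can be run before `service httpd start`. This is an added example, not part of the original posts; the function names, the status words and the default ServerRoot of /etc/httpd are assumptions, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of the files that
# ssl.conf hands to mod_ssl. Function names and status words are this
# example's own; /etc/httpd as the default ServerRoot is an assumption.

# Print the argument of every uncommented occurrence of a directive.
# Directive names are matched case-insensitively, as httpd does.
directive_values() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '
        { sub(/^[ \t]+/, "") }          # drop leading indentation
        /^#/ { next }                   # skip commented-out directives
        tolower($1) == tolower(d) { v = $2; gsub(/"/, "", v); print v }
    ' "$1"
}

# Succeeds if a PEM private key is passphrase-protected. Both the traditional
# ("Proc-Type: 4,ENCRYPTED") and the PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
# encodings say so in clear text, so no passphrase is needed to find out.
key_is_encrypted() {  # $1 = key file
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Succeeds if group or other has a read bit on the file.
readable_by_others() {  # $1 = file
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Print one status line per configured file; return non-zero if any is flagged.
check_ssl_files() {  # $1 = config file, $2 = ServerRoot for relative paths
    conf=$1 root=${2:-/etc/httpd} rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        vals=$(directive_values "$conf" "$d")
        if [ -z "$vals" ]; then
            echo "NOT-SET $d"; rc=1; continue
        fi
        for p in $vals; do
            # httpd resolves relative paths against ServerRoot
            case $p in /*) f=$p ;; *) f=$root/$p ;; esac
            if [ ! -f "$f" ]; then
                echo "MISSING $d $f"; rc=1
            elif [ "$d" = SSLCertificateKeyFile ] && key_is_encrypted "$f"; then
                # needs a passphrase at start-up, which an init script
                # without a terminal cannot supply
                echo "ENCRYPTED $d $f"; rc=1
            elif [ "$d" = SSLCertificateKeyFile ] && readable_by_others "$f"; then
                echo "LOOSE-PERMS $d $f"; rc=1
            else
                echo "OK $d $f"
            fi
        done
    done
    return $rc
}

# Stand-alone use: sh check.sh path/to/ssl.conf [ServerRoot]
if [ "$#" -gt 0 ]; then check_ssl_files "$@"; fi
```

The script only reads the files; it does not verify that the certificate and key belong together, which needs openssl.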
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Rex Brooks <re...@starbourne.com>.
Sorry the thread is so confusing. I tried to boil the symptoms down
to the basics in that last post.
I have Apache2 in RHEL4, so I am assuming that the SSL Sections you
refer to are in ssl.conf which is loaded as a DSO. What I have does
not match the page specified, at least not exactly or in the
sequence. However, there are matching items.
For instance in my ssl.conf file I have There are also items
commented that are not commented in the sample you referred me to. I
decided to just attach the file.
I understand that httpd must be able to read the crt/pem file.
I did specify a pass phrase when I created the key/crt. However, I do
not get a request asking me to supply the pass phrase when I enter:
service httpd start. I just get the same FAILED notice with the same
error in the error_log.
Thanks,
Rex
At 1:02 PM -0400 5/15/06, Bill Jones wrote:
>On 5/15/06, Rex Brooks <re...@starbourne.com> wrote:
>>I'm still stuck with httpd not starting while mod_ssl is included in
>>Apache2.0 in RHEL4.
>>
>>httpd will start without mod_ssl.
>
>Sorry, I have tried to read this thread but I am totally confused;
>could you please see if your SSL sections match this example:
>http://dw.ccsh.us/doku.php?id=ssl
>
>Some sections are required and the httpd MUST be able to read the
>crt/pem file; also, if you have the ssl cert password protected you
>will have to manually start apache as it prompts for the password.
>
>HTH/Sx
>--
>WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/
>
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
Re: [users@httpd] SSL Problem Still not Solved in Apache2-RHEL4
Posted by Bill Jones <te...@gmail.com>.
On 5/15/06, Rex Brooks <re...@starbourne.com> wrote:
> I'm still stuck with httpd not starting while mod_ssl is included in
> Apache2.0 in RHEL4.
>
> httpd will start without mod_ssl.
Sorry, I have tried to read this thread but I am totally confused;
could you please see if your SSL sections match this example:
http://dw.ccsh.us/doku.php?id=ssl
Some sections are required and the httpd MUST be able to read the
crt/pem file; also, if you have the ssl cert password protected you
will have to manually start apache as it prompts for the password.
HTH/Sx
--
WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/