You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jeff Shearer <je...@shearer-family.org> on 2011/06/17 18:27:49 UTC

[users@httpd] SSL configuration not working

 I am having some trouble getting an SSL connection to work properly.  It has been a while since I have done this.   If I disable SSL I can get to the http site just fine.  As a trouble shooting step I left the http site up and enabled the SSL site.  Again I can get to the http site but not the https site.  I am getting no helpful messages in my logs.  I have my log level set to debug.

I am running apache 2.2.14

I am using nearly the same configuration I had previously used for a SSL protected web server, but there are some difference.  For one thing, when I received the .crt I was instructed to load an intermediary .crt file.  I followed the instructions on the GeoTrust site and now have this SSL configuration:

  SSLEngine on

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  SSLCertificateFile "/files/thisdomain.conf/thisdomain.crt"

  SSLCertificateKeyFile "/files/thisdomain.conf/thisdomain.key"

  SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"

  SSLOptions +StdEnvVars +ExportCertData


here is the ls output from /files/thisdomain.conf

-rw-r--r--  1 root       wheel  1989 Jun 16 23:55 apache.thisdomain.conf

-rw-r--r--  1 root       wheel  1756 Jun 16 22:46 thisdomain.crt

-rw-r--r--  1 root       wheel  1675 Jun 16 23:30 thisdomain.key

-rw-r--r--  1 root       wheel  1675 Jun 16 22:44 thisdomainkey.pem

-rw-r--r--  1 root       wheel  1391 Jun 16 23:41 intermediate.crt


Another thing I wonder about is that when I created the .crt, I forgot to indicate that I was using Apache SSL.  When I received the notice that the .crt was ready, the message indicated I was using some off brand, MS IIS.  I spoke with my reseller's help desk and they indicated this was not a problem.  Maybe they are wrong?

When I created my key, it was a .pem file.  Because my previously working site had a .key file, I copied the .pem to .key.  My research indicates there is a difference beyond file extension.  Could this be the problem?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] SSL configuration not working

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Fri, Jun 17, 2011 at 12:27:49PM -0400, Jeff Shearer wrote:
> I am running apache 2.2.14
> 
[snip]
> 
>   SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"
> 

At least, this is not what you want. SSLCACertificateFile specifies the
cert of the CA which issues certs to the *clients*. To use an
intermediate cert for the server, use SSLCertificateChainFile instead.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107

[users@httpd] Re: SSL configuration not working

Posted by DW <xf...@hotmail.com>.
See if this article has anything useful to make it work:

<http://beeznest.wordpress.com/2008/04/25/how-to-configure-https-on-apache-2/>

hth



Jeff Shearer wrote:
>  I am having some trouble getting an SSL connection to work properly.  It has been a while since I have done this.   If I disable SSL I can get to the http site just fine.  As a trouble shooting step I left the http site up and enabled the SSL site.  Again I can get to the http site but not the https site.  I am getting no helpful messages in my logs.  I have my log level set to debug.
> 
> I am running apache 2.2.14
> 
> I am using nearly the same configuration I had previously used for a SSL protected web server, but there are some difference.  For one thing, when I received the .crt I was instructed to load an intermediary .crt file.  I followed the instructions on the GeoTrust site and now have this SSL configuration:
> 
>   SSLEngine on
> 
>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
>   SSLCertificateFile "/files/thisdomain.conf/thisdomain.crt"
> 
>   SSLCertificateKeyFile "/files/thisdomain.conf/thisdomain.key"
> 
>   SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"
> 
>   SSLOptions +StdEnvVars +ExportCertData
> 
> 
> here is the ls output from /files/thisdomain.conf
> 
> -rw-r--r--  1 root       wheel  1989 Jun 16 23:55 apache.thisdomain.conf
> 
> -rw-r--r--  1 root       wheel  1756 Jun 16 22:46 thisdomain.crt
> 
> -rw-r--r--  1 root       wheel  1675 Jun 16 23:30 thisdomain.key
> 
> -rw-r--r--  1 root       wheel  1675 Jun 16 22:44 thisdomainkey.pem
> 
> -rw-r--r--  1 root       wheel  1391 Jun 16 23:41 intermediate.crt
> 
> 
> Another thing I wonder about is that when I created the .crt, I forgot to indicate that I was using Apache SSL.  When I received the notice that the .crt was ready, the message indicated I was using some off brand, MS IIS.  I spoke with my reseller's help desk and they indicated this was not a problem.  Maybe they are wrong?
> 
> When I created my key, it was a .pem file.  Because my previously working site had a .key file, I copied the .pem to .key.  My research indicates there is a difference beyond file extension.  Could this be the problem?
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org