Posted to users@httpd.apache.org by Jeff Shearer <je...@shearer-family.org> on 2011/06/17 18:27:49 UTC
[users@httpd] SSL configuration not working
I am having some trouble getting an SSL connection to work properly. It has been a while since I have done this. If I disable SSL I can get to the http site just fine. As a troubleshooting step I left the http site up and enabled the SSL site. Again I can get to the http site but not the https site. I am getting no helpful messages in my logs. I have my log level set to debug.
I am running Apache 2.2.14.
I am using nearly the same configuration I had previously used for an SSL protected web server, but there are some differences. For one thing, when I received the .crt I was instructed to load an intermediary .crt file. I followed the instructions on the GeoTrust site and now have this SSL configuration:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/files/thisdomain.conf/thisdomain.crt"
SSLCertificateKeyFile "/files/thisdomain.conf/thisdomain.key"
SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"
SSLOptions +StdEnvVars +ExportCertData
Here is the ls output from /files/thisdomain.conf:
-rw-r--r-- 1 root wheel 1989 Jun 16 23:55 apache.thisdomain.conf
-rw-r--r-- 1 root wheel 1756 Jun 16 22:46 thisdomain.crt
-rw-r--r-- 1 root wheel 1675 Jun 16 23:30 thisdomain.key
-rw-r--r-- 1 root wheel 1675 Jun 16 22:44 thisdomainkey.pem
-rw-r--r-- 1 root wheel 1391 Jun 16 23:41 intermediate.crt
Another thing I wonder about is that when I created the .crt, I forgot to indicate that I was using Apache SSL. When I received the notice that the .crt was ready, the message indicated I was using some off brand, MS IIS. I spoke with my reseller's help desk and they indicated this was not a problem. Maybe they are wrong?
When I created my key, it was a .pem file. Because my previously working site had a .key file, I copied the .pem to .key. My research indicates there is a difference beyond file extension. Could this be the problem?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSL configuration not working
Posted by Pete Houston <ph...@openstrike.co.uk>.
On Fri, Jun 17, 2011 at 12:27:49PM -0400, Jeff Shearer wrote:
> I am running Apache 2.2.14.
>
[snip]
>
> SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"
>
At least, this is not what you want. SSLCACertificateFile specifies the
cert of the CA which issues certs to the *clients*. To use an
intermediate cert for the server, use SSLCertificateChainFile instead.
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
HTH,
Pete
--
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
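
Added example (not part of the original thread and not Apache project code): a small Python check for the misplacement Pete describes, run against the directives Jeff posted. The function names and the heuristic (SSL on, no SSLVerifyClient other than the default "none", no SSLCertificateChainFile) are assumptions of this example.

```python
import shlex

# Constructed sample: the directives quoted in the original post.
POSTED_CONF = '''\
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/files/thisdomain.conf/thisdomain.crt"
SSLCertificateKeyFile "/files/thisdomain.conf/thisdomain.key"
SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"
SSLOptions +StdEnvVars +ExportCertData
'''

def parse_directives(text):
    """Map lower-cased directive name -> (line index, argument list)."""
    found = {}
    for idx, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line[0] in "#<":   # skip comments and <VirtualHost> tags
            continue
        parts = shlex.split(line)
        found[parts[0].lower()] = (idx, parts[1:])
    return found

def misplaced_intermediate(text):
    """Return the line index of an SSLCACertificateFile that is probably a
    server intermediate, or None. Heuristic (an assumption of this example):
    SSL is on, no client-certificate verification is requested, and no
    SSLCertificateChainFile is configured."""
    d = parse_directives(text)
    engine = d.get("sslengine", (None, ["off"]))[1]
    verify = d.get("sslverifyclient", (None, ["none"]))[1]
    if [a.lower() for a in engine[:1]] != ["on"]:
        return None
    if [a.lower() for a in verify[:1]] != ["none"]:
        return None            # client auth in use: the CA file is legitimate
    if "sslcertificatechainfile" in d or "sslcacertificatefile" not in d:
        return None
    return d["sslcacertificatefile"][0]

def move_to_chain_file(text):
    """Rewrite the flagged line to use SSLCertificateChainFile."""
    idx = misplaced_intermediate(text)
    if idx is None:
        return text
    lines = text.splitlines()
    _, rest = lines[idx].split(None, 1)
    lines[idx] = "SSLCertificateChainFile " + rest
    return "\n".join(lines) + "\n"
```

Calling move_to_chain_file(POSTED_CONF) returns the posted block with the intermediate moved to SSLCertificateChainFile; a config that sets SSLVerifyClient to anything other than "none" is left untouched.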
[users@httpd] Re: SSL configuration not working
Posted by DW <xf...@hotmail.com>.
See if this article has anything useful to make it work:
<http://beeznest.wordpress.com/2008/04/25/how-to-configure-https-on-apache-2/>
hth
Jeff Shearer wrote:
> I am having some trouble getting an SSL connection to work properly. It has been a while since I have done this. If I disable SSL I can get to the http site just fine. As a troubleshooting step I left the http site up and enabled the SSL site. Again I can get to the http site but not the https site. I am getting no helpful messages in my logs. I have my log level set to debug.
>
> I am running Apache 2.2.14.
>
> I am using nearly the same configuration I had previously used for an SSL protected web server, but there are some differences. For one thing, when I received the .crt I was instructed to load an intermediary .crt file. I followed the instructions on the GeoTrust site and now have this SSL configuration:
>
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile "/files/thisdomain.conf/thisdomain.crt"
>
> SSLCertificateKeyFile "/files/thisdomain.conf/thisdomain.key"
>
> SSLCACertificateFile "/files/thisdomain.conf/intermediate.crt"
>
> SSLOptions +StdEnvVars +ExportCertData
>
>
> Here is the ls output from /files/thisdomain.conf:
>
> -rw-r--r-- 1 root wheel 1989 Jun 16 23:55 apache.thisdomain.conf
>
> -rw-r--r-- 1 root wheel 1756 Jun 16 22:46 thisdomain.crt
>
> -rw-r--r-- 1 root wheel 1675 Jun 16 23:30 thisdomain.key
>
> -rw-r--r-- 1 root wheel 1675 Jun 16 22:44 thisdomainkey.pem
>
> -rw-r--r-- 1 root wheel 1391 Jun 16 23:41 intermediate.crt
>
>
> Another thing I wonder about is that when I created the .crt, I forgot to indicate that I was using Apache SSL. When I received the notice that the .crt was ready, the message indicated I was using some off brand, MS IIS. I spoke with my reseller's help desk and they indicated this was not a problem. Maybe they are wrong?
>
> When I created my key, it was a .pem file. Because my previously working site had a .key file, I copied the .pem to .key. My research indicates there is a difference beyond file extension. Could this be the problem?
>