Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SSL on Apache doesn't make sense..

Status
Not open for further replies.
ronnyserrano

ronnyserrano

MIS
Oct 4, 2006
36
US
I'm a windows guy so excuse me if this seems like a simple question..

I've been asked to do some work on a Linux box that has our dev website on it. They want to activate an SSL Cert. I was able to walk through creating the signing request and generating a cert and all. placed it in the /etc/pki/tls/private directory. The issue I have is with the httpd.conf file.

The only reference to ssl in the httpd.conf is here:
# for the staging site
<VirtualHost 172.20.30.43:80>
SSLEngine off
ServerName heartsonfire.modernista.com
ServerAdmin webmaster@modernista.com
DocumentRoot /work/hof/deploy
ErrorLog /etc/httpd/logs/hof-error_log
ServerAlias ServerAlias heartsonfire.modernista.com
CustomLog /etc/httpd/logs/hof-access_log combined
ErrorDocument 404 /us/en-us/404/index.php
</VirtualHost>

I tried to add the following, but everytime apache restarts it prompts for a password.. not a big deal right now.. but the server never ends up responding to requests on 443 or 80 when this is in the httpd.conf.

<VirtualHost 172.20.30.43:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
ServerName webdev1.heartsonfire.com
DocumentRoot /work/hof/deploy
</VirtualHost>

When I leave on the virtual host for port 80 active and remark out the stuff for 443, then it works and even responds on 443. I just don't understand why and before I decide to do this on a production server, I need to understand what is happening.

Thanks in advance,
RS
 
Sort by date Sort by votes
The prompting is for the passphrase for the server key. If you've forgotten it or don't know it or want the server to come up unintended, you can use openssl to remove the passphrase.


You didn't say if you give the correct passphrase...I believe if you don't or leave it at that point the servers will not come up. Always check via netstat:

netstat -an | grep 80 | grep LIST
netstat -an | grep 443 | grep LIST
 
Upvote 0 Downvote
oops.. I do put the correct pass phrase in and it appears to come up, but when I run the netstat -aunt i don't see anything listening on port 80 or port 443.

 
Upvote 0 Downvote
Specify a different ErrorLog for you https virtualhost, and the output of both.
 
Upvote 0 Downvote
Also look in the apache error logs. These should be in the same location as the other logs, like syslog, but under an apache directory. Often times if there is an error, even one that doesn't show up when you start apache it will show up there.

 
Upvote 0 Downvote
Thanks guys!!!

haven't fixed it yet, but now get a better idea of what is happening..

[root@webdev1 logs]# cat webdevssl_log
[Mon Nov 02 14:47:17 2009] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Mon Nov 02 14:47:17 2009] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:func(148):reason(104)
[Mon Nov 02 14:47:17 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:func(104):reason(168)
[Mon Nov 02 14:47:17 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:func(120):nested asn1 error
[Mon Nov 02 14:47:17 2009] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:func(154):ASN1 lib
[Mon Nov 02 14:47:26 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 02 14:47:26 2009] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Mon Nov 02 14:47:26 2009] [error] Unable to configure RSA server private key
[Mon Nov 02 14:47:26 2009] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[root@webdev1 logs]# cd on Nov 02 14:47:17 2009] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
 
Upvote 0 Downvote
How many bits did you use in the key?

I recall something, but can't recall where, that Apache has a limit and it isn't too high.
 
Upvote 0 Downvote
Does /etc/pki/tls/private/server.key
start with:
-----BEGIN RSA PRIVATE KEY-----
and end with
-----END RSA PRIVATE KEY-----


Try and change the passphrase (you will need to know the old one to do this):

openssl rsa -in /etc/pki/tls/private/server.key -out /tmp/new.key

I think the error is a passphrase problem...
 
Upvote 0 Downvote
Thanks everyone for all the help. I think I finally figured it out. My issue wasn't the cert it was apache. I was modifying the httpd.conf file and it was messing things up. I didn't realize that in addition to the httpd.conf I could just modify the ssl.conf file. Once I made my changes there and pointed things correctly, I restart apache and things came up rosey.

I guess my lack of knowledge on apache really messed me up on this one. The fact that you can make the changes either in httpd.conf or ssl.conf.

Thanks again!
RS
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AbidingDude
  • Locked
  • Question
Newbie Apache Cache Question
Replies
5
Views
286
AbidingDude
AbidingDude
bhuv560
  • Locked
  • Question
Postfix Installation on EC2 AWS Linux
Replies
0
Views
126
bhuv560
bhuv560
daniel.warner
  • Locked
  • Question
Desperately need help setting up wildcard certs on Apache/Tomcat
Replies
2
Views
205
daniel.warner
daniel.warner
gregor weertman
  • Locked
  • Question
set samba &quot;template shell&quot; dependent on group
Replies
0
Views
115
gregor weertman
gregor weertman
lslamp
  • Locked
  • Question
Bash Onliner ... 1
Replies
2
Views
216
lslamp
lslamp

Part and Inventory Search

Sponsor

Back
Top