Re: [users] Can't start httpd 2.4.9 with simplest SSL config

Haven't seen any mention of ca.crt/ca.key yet. Where do these come from?

Alright, I see now. The ssl.crt and ssl.key are preexisting folders in the example.
I don't have them created after installing the httpd. So I left the generated server.crt and server.key in the /usr/local/apache2/conf folder and referenced them from the conf/extra/httpd-ssl.conf as in my initial example:

SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

(that was the case in the very beginning, I have made an error when copying over the config into the original email)
The error messages in the log after generating the certificate following the steps in the article remain the same:

At first about missing parameters:

[Wed Jun 04 08:53:25.139183 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Jun 04 08:53:25.139281 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 08:53:25.139443 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 08:53:25.139789 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: emailAddress=sshcherbakov@xxxxxxxxxxxxx,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / issuer: emailAddress=sshcherbakov@xxxxxxxxxxxxx,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / serial: DC21155C099C4F91 / notbefore: Jun  4 06:52:34 2014 GMT / notafter: Jun  4 06:52:34 2015 GMT]
[Wed Jun 04 08:53:25.139802 2014] [ssl:info] [pid 25632:tid 140624693806848] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
[Wed Jun 04 08:53:25.139971 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 08:53:25.140044 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 08:53:25.140059 2014] [ssl:emerg] [pid 25632:tid 140624693806848] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
[Wed Jun 04 08:53:25.140066 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 04 08:53:25.140103 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 04 08:53:25.140117 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Jun 04 08:53:25.140119 2014] [ssl:emerg] [pid 25632:tid 140624693806848] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed


And then about "no certificate assigned":


[Wed Jun 04 12:40:06.290076 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Jun 04 12:40:06.290128 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 12:40:06.290254 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 12:40:06.290434 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: emailAddress=asdfasdfasdf,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / issuer: emailAddress=asdfasdfasdf,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / serial: FA9224BF3448F91B / notbefore: Jun  4 10:36:48 2014 GMT / notafter: Jun  4 10:36:48 2015 GMT]
[Wed Jun 04 12:40:06.290445 2014] [ssl:info] [pid 28856:tid 139884664497920] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
[Wed Jun 04 12:40:06.291154 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /usr/local/apache2/conf/server.crt
[Wed Jun 04 12:40:06.291246 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /usr/local/apache2/conf/server.crt
[Wed Jun 04 12:40:06.291253 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 12:40:06.291321 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 12:40:06.291336 2014] [ssl:emerg] [pid 28856:tid 139884664497920] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
[Wed Jun 04 12:40:06.291347 2014] [ssl:emerg] [pid 28856:tid 139884664497920] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Jun 04 12:40:06.291352 2014] [ssl:emerg] [pid 28856:tid 139884664497920] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed



As you can see from the log, the /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key files get recognized as expected.


Regards,
Sergey

On Wed, Jun 4, 2014 at 12:57 PM, Balaji Katika <balaji.katika@xxxxxxxxx> wrote:
server.crt/server.key in your case translates to ca.crt/ca.key
Btw, ssl.crt and ssl.key are the names of the folder/directory here.

The author did refer to the newly copied files through step 6 in the article.
Btw, I hope you have updated the names of the crt/key files accordingly before starting the httpd server again (i.e., after generating new certificate/key using the article mentioned by me).

Can you paste the contents of the latest log?



On Wed, Jun 4, 2014 at 4:18 PM, Sergey Shcherbakov <sergey.shcherbakov@xxxxxxxxx> wrote:
Hello Balaji!

Thanks for your comments! 
The SSLPassPhraseDialog is present in my config. 
I've followed the steps in your article and still get the same errors as above. I don't think that your steps are much different than those specified on the CentOS HowTo and httpd docs pages (except that there is a shorter way to generate a passwordless certificate and a key: openssl req -new -x509 -nodes -out server.crt -keyout server.key -days 365). I've also tried to use the password protected key. The httpd asks for it on startup as expected and fails with the same error afterwards :(
I also didn't get the point of copying the server.crt and server.key to the ssl.crt and ssl.key and not referencing the new files from the config. Am I missing something here?


Thanks again!
Sergey


On Wed, Jun 4, 2014 at 11:03 AM, Balaji Katika <balaji.katika@xxxxxxxxx> wrote:
Hi Sergey,

The issue seems to be with the certificate you've generated. Looks like you've forgotten/skipped some steps.
I think you've specified some passphrase for the certificate and apache is unable to locate that. Passphrase could be specified through SSLPassPhraseDialog which is missing in your configuration file.

Alternately, you could avoid this passphrase by stripping it from the certificate while generating certificate.
I had successfully generated a self signed certificate by following the steps at http://www.akadia.com/services/ssh_test_certificate.html


I would suggest regenerating a new certificate using the instructions at the above link and testing it again.





On Wed, Jun 4, 2014 at 1:54 PM, Sergey Shcherbakov <sergey.shcherbakov@xxxxxxxxx> wrote:

Hello all,

I cannot start the httpd 2.4.9 (tried 2.4.x too) on CentOS 6.5 with the simplest SSL config possible. The openssl version installed on the machine is OpenSSL 1.0.1e-fips 11 Feb 2013 (I've upgraded it using 'yum update' to the latest patched version as well).

I have compiled and installed the httpd 2.4.9 using the following commands:

./configure --enable-ssl --with-ssl=/usr/local/ssl/ --enable-proxy=shared --enable-proxy_wstunnel=shared --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
make
make install

Now I'm generating the default self-signed certificate as described in the CentOS HowTo:

openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

Here is my httpd-ssl.conf file:

Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache2/logs/ssl_request_log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

when I start httpd using bin/apachectl -k start I get following errors in the error_log:

[Wed Jun 04 00:29:27.995654 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Jun 04 00:29:27.995726 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 00:29:27.995863 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 00:29:27.996111 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
[Wed Jun 04 00:29:27.996122 2014] [ssl:info] [pid 24021:tid 139640404293376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
[Wed Jun 04 00:29:27.996209 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 00:29:27.996280 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 00:29:27.996295 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
[Wed Jun 04 00:29:27.996303 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 04 00:29:27.996308 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 04 00:29:27.996318 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Jun 04 00:29:27.996321 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

I then try to generate missing DH PARAMETERS and EC PARAMETERS:

openssl dhparam -outform PEM -out dhparam.pem 2048
openssl ecparam -out ec_param.pem -name prime256v1
cat dhparam.pem ec_param.pem >> /etc/pki/tls/certs/ca.crt

And that mitigates the error, but the next one comes out:

[Wed Jun 04 00:34:05.021438 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Jun 04 00:34:05.021487 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 00:34:05.021874 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 00:34:05.022050 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
[Wed Jun 04 00:34:05.022066 2014] [ssl:info] [pid 24089:tid 140719371077376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
[Wed Jun 04 00:34:05.022285 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /etc/pki/tls/certs/ca.crt
[Wed Jun 04 00:34:05.022389 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /etc/pki/tls/certs/ca.crt
[Wed Jun 04 00:34:05.022397 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 00:34:05.022464 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 00:34:05.022478 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
[Wed Jun 04 00:34:05.022488 2014] [ssl:emerg] [pid 24089:tid 140719371077376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Jun 04 00:34:05.022491 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

I have tried to generate the simple certificate/key pair exactly as described in the httpd docs.

Unfortunately, I still get exact same errors as above.

I've seen a bug report with the similar issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=56410

But the openssl version I have is reported as working there. I've also tried to apply the patch from the report as well as build the latest 2.4.x branch with no success, I get the same errors as above.

I have also tried to create a short chain of certificates and set the root CA certificate using SSLCertificateChainFile directive. That didn't help either, I get exact same errors as above.

I'm not interested in setting up hardened security, etc. The only thing I need is to start httpd with the simplest SSL config possible to continue testing the proxy config for mod_proxy_wstunnel.

Had anybody encountered and solved this issue?

Is my sequence for creating a self-signed certificate incorrect?

I'd appreciate any help very much!


Sergey
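Added example, not code from this thread or from the httpd project: a small PEM structure checker in Python that does offline what the mod_ssl startup errors above hint at ("no start line", "Bad file contents or format", "a forgotten SSLCertificateKeyFile?"). It parses an SSLCertificateFile / SSLCertificateKeyFile pair, requires the certificate file to start with a CERTIFICATE block and the key file to contain a private key, notes a passphrase-protected legacy key (the SSLPassPhraseDialog case discussed above) and lists any DH PARAMETERS / EC PARAMETERS blocks appended after the certificate, which is the layout the `cat dhparam.pem ec_param.pem >> ca.crt` step produces. The function names (`pem_blocks`, `check_pair`, `make_pem`) and the script name `pemcheck.py` are this example's own. Every sample PEM file is constructed from toy DER bytes, the real prime256v1 OID and a few bytes of fake ciphertext; none of it is a real certificate or key.

```python
import base64
import binascii
import re
import sys

# One PEM block; the label must match between BEGIN and END (re.S spans lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PARAM_LABELS = {"DH PARAMETERS", "EC PARAMETERS"}
# "openssl ecparam -name prime256v1" writes a bare OBJECT IDENTIFIER (tag 0x06),
# not a SEQUENCE, unless -param_enc explicit is given; allow that for EC params.
OID_ALLOWED = {"EC PARAMETERS"}


def pem_blocks(text):
    """Parse text into (label, encrypted, der) tuples, one per PEM block.
    ValueError is the "bad file contents or format" case; no BEGIN/END pair
    at all yields [], which is what OpenSSL reports as "no start line"."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [line.strip() for line in body.splitlines()]
        # Legacy passphrase-protected keys carry "Proc-Type:" / "DEK-Info:"
        # headers, a blank line, then ciphertext instead of DER.
        headers = []
        while lines and ":" in lines[0]:
            headers.append(lines.pop(0))
        if headers and lines and lines[0] == "":
            lines.pop(0)
        encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        try:
            raw = base64.b64decode("".join(lines), validate=True)
        except binascii.Error as exc:
            raise ValueError("%s: body is not valid base64 (%s)" % (label, exc))
        tags = (0x30, 0x06) if label in OID_ALLOWED else (0x30,)
        if not encrypted and (not raw or raw[0] not in tags):
            raise ValueError("%s: decoded body is empty or not DER" % label)
        blocks.append((label, encrypted, raw))
    return blocks


def check_pair(cert_text, key_text):
    """Check an SSLCertificateFile / SSLCertificateKeyFile pair. Returns
    {"problems": [...], "notes": [...]}; empty problems means both files
    carry the PEM blocks mod_ssl expects, in the order it reads them."""
    problems, notes = [], []
    try:
        cert_blocks = pem_blocks(cert_text)
    except ValueError as exc:
        return {"problems": ["certificate file: %s" % exc], "notes": notes}
    try:
        key_blocks = pem_blocks(key_text)
    except ValueError as exc:
        return {"problems": ["key file: %s" % exc], "notes": notes}
    cert_labels = [b[0] for b in cert_blocks]
    key_labels = [b[0] for b in key_blocks]
    # The server certificate must come first; a file starting with a key,
    # a CSR or parameters is the classic swapped or misnamed file.
    if not cert_labels or cert_labels[0] not in CERT_LABELS:
        problems.append("certificate file: first block must be a CERTIFICATE, "
                        "found %s" % (cert_labels[:1] or "no PEM block",))
    if not any(lbl in KEY_LABELS for lbl in key_labels):
        problems.append("key file: no PRIVATE KEY block, found %s"
                        % (key_labels or "no PEM block",))
    if any(enc for _, enc, _ in key_blocks):
        notes.append("key file: passphrase-protected; httpd will prompt via "
                     "SSLPassPhraseDialog on every start")
    if any(lbl in KEY_LABELS for lbl in cert_labels):
        notes.append("certificate file: also holds a private key; anyone who "
                     "can read the cert file can read the key")
    # Apache 2.4 accepts DH/EC parameters appended after the certificate
    # (the AH02540/AH02541 log lines); list them so they are no surprise.
    for lbl in cert_labels:
        if lbl in PARAM_LABELS:
            notes.append("certificate file: %s block appended" % lbl)
    return {"problems": problems, "notes": notes}


def make_pem(label, der, headers=()):
    """Wrap bytes in a PEM block (used only to build constructed test data)."""
    body = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    body += base64.b64encode(der).decode() + "\n"
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


# Constructed stand-ins for server.crt / server.key: toy DER SEQUENCEs, the
# real prime256v1 OID and fake ciphertext. None of this is a real cert or key.
TOY_SEQUENCE = b"\x30\x03\x02\x01\x01"
TOY_DH = b"\x30\x06\x02\x01\x17\x02\x01\x02"  # SEQUENCE { p=23, g=2 }
PRIME256V1_OID = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"
SAMPLE_CERT = make_pem("CERTIFICATE", TOY_SEQUENCE)
SAMPLE_KEY = make_pem("RSA PRIVATE KEY", TOY_SEQUENCE)
SAMPLE_CERT_WITH_PARAMS = (SAMPLE_CERT + make_pem("DH PARAMETERS", TOY_DH)
                           + make_pem("EC PARAMETERS", PRIME256V1_OID))
SAMPLE_ENCRYPTED_KEY = make_pem("RSA PRIVATE KEY", b"\xde\xad\xbe\xef", headers=(
    "Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python pemcheck.py server.crt server.key
        with open(sys.argv[1]) as crt, open(sys.argv[2]) as key:
            print(check_pair(crt.read(), key.read()))
    else:  # no files given: run two of the constructed cases
        print("swapped:", check_pair(SAMPLE_KEY, SAMPLE_CERT))
        print("encrypted key:", check_pair(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY))
```

The checker looks at PEM structure only. To confirm that the key actually belongs to the certificate, compare the output of `openssl x509 -noout -modulus -in server.crt` with `openssl rsa -noout -modulus -in server.key` (for an RSA key), and inspect the certificate itself with `openssl x509 -in server.crt -noout -text`.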





