apache 2.4 enable SSL for simple VirtualHost *:8843 (Apache Users)

I'm unable to simply enable SSL for a VirtualHost using a very simple configuration.

I'm recently upgraded Ubuntu 12 to Ubuntu 14. apache was upgraded from 2.2 to 2.4.7 . I've checked the 2.4 docs for 2.2.->2.4 changes and reviewed my configuration scripts in depth.

I can create an unencrypted VirtualHost (http) but not one an encrypted one (https) on port 8843. I can browse to the site just fine with http://server:8843 (I see the expected index.html file). If I try https://server:8843 I get "ssl_error_rx_record_too_long" error (using Firefox 33).

I've tried many options within the configuration files. I haven't drastically changed any pre-configured apache configuration files. The apache2 service does see my changes but just seems to not enable SSL.

Here is a selected summary of all the related files. Can anyone identify what I'm missing?

----

__/etc/apache2/apache2.conf__

...

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel debug

IncludeOptional mods-enabled/*.load

IncludeOptional mods-enabled/*.conf

Include ports.conf

...

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

__/etc/apache2/mods-enabled/ssl.load__

# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

__/etc/apache2/mods-enabled/ssl.conf__

# I've tried both of the following sets for SSLRandomSeed

SSLRandomSeed startup builtin

SSLRandomSeed connect builtin

SSLRandomSeed startup file:/dev/urandom 512

SSLRandomSeed connect file:/dev/urandom 512

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl .crl

# tried with and without the next option

#SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)

SSLSessionCacheTimeout 300

SSLCipherSuite all

SSLProtocol all # tried this as 'HIGH:!aNULL:!MD5'

SSLInsecureRenegotiation on # tried this on and off

ErrorLog /var/log/apache2/mod_ssl.log

LogLevel debug

SSLStrictSNIVHostCheck Off

</IfModule>

__/etc/apache2/sites-enabled/ssl-test__

# tried with and without each of the following

#LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

#LoadModule ssl_module modules/mod_ssl.so

Listen 8843

  ServerName myserver
  SSLEngine on # tried with this directive at the top and the bottom of this file
  DocumentRoot /var/www/
  <Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    SSLRequireSSL # tried with and without this directive
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
  SSLCertificateFile /etc/ssl/certs/test1.cert.pem
  SSLCertificateKeyFile /etc/ssl/private/test1.cert.key

  # tried with and without all of the following directives
  SSLCipherSuite HIGH:!aNULL:!MD5

#SSLCipherSuite HIGH

SSLProtocol -all +TLSv1 +SSLv3

#SSLProtocol all

  SSLVerifyClient none
  SSLProxyEngine off
  SSLRequireSSL
  SSLRandomSeed startup file:/dev/urandom 1024
  SSLRandomSeed connect file:/dev/urandom 1024

</VirtualHost>

__/etc/apache2/ports.conf__

Listen 8843

</IfModule>

The user that runs apache2 is user www-data .

I have tested that www-data and root can access the key files /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key .

$ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/

I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is executable.

$ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
-rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so

I have tailed the relevant apache2 logs and checked for errors. I see these SSL related message on startup. (including one skip message for 127.0.0.1:80, but then later there is a resuming message)

[ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing (virtual) servers for SSL
[ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating secret for digest authentication ...
[auth_digest:debug] [pid 21187:tid 139942871500672] mod_auth_digest.c(250): AH01759: done
[ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
[socache_shmcb:debug] [pid 21297:tid 140596905265024] mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of shared memory
...
[ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing (virtual) servers for SSL
[ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
[mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built: Jul 22 2014 14:36:38
[core:notice] [pid 21297:tid 140596905265024] AH00094: Command line: '/usr/sbin/apache2'
[mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829): AH00294: Accept mutex: fcntl (default: sysvsem)

The openssl binary runs and supports ciphers:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...

I check the apache2ctl binary compilations settings

$ apache2ctl -V
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 22 2014 14:36:38
Server's Module Magic Number: 20120211:27
Server loaded: APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture: 64-bit
Server MPM: worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

I checked apache2ctl settings

$ apache2ctl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/mod_ssl.log"
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

The apache2ctl syntax check is OK.

$ apache2ctl -t
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl (and not /usr/sbin/apache2 ).

Any ideas on what I need to enable SSL for this VirtualHost ?

Again, I can see HTTP response on 8443 but never HTTPS.

-JamesThomasMoon1979