$ sudo openssl req -x509 -nodes -days 730 -newkey "rsa:512" -subj '/C=US/ST=WA/L=Sea/O=Company Inc/OU=my-team' -keyout /etc/ssl/private/test1.cert.key -out /etc/ssl/certs/test1.cert.pem
I'm unable to simply enable SSL for a VirtualHost using a very simple configuration.

I recently upgraded Ubuntu 12 to Ubuntu 14. Apache was upgraded from 2.2 to 2.4.7. I've checked the 2.4 docs for 2.2->2.4 changes and reviewed my configuration scripts in depth.

I can create an unencrypted VirtualHost (http) but not an encrypted one (https) on port 8843. I can browse to the site just fine with http://server:8843 (I see the expected index.html file). If I try https://server:8843 I get "ssl_error_rx_record_too_long" error (using Firefox 33).

I've tried many options within the configuration files. I haven't drastically changed any pre-configured apache configuration files. The apache2 service does see my changes but just seems to not enable SSL.

Here is a selected summary of all the related files. Can anyone identify what I'm missing?

----

__/etc/apache2/apache2.conf__

...
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel debug
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
...
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

__/etc/apache2/mods-enabled/ssl.load__

# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

__/etc/apache2/mods-enabled/ssl.conf__

<IfModule ssl_module>
# I've tried both of the following sets for SSLRandomSeed
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# tried with and without the next option
#SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLCipherSuite all
SSLProtocol all # tried this as 'HIGH:!aNULL:!MD5'
SSLInsecureRenegotiation on # tried this on and off
ErrorLog /var/log/apache2/mod_ssl.log
LogLevel debug
SSLStrictSNIVHostCheck Off
</IfModule>

__/etc/apache2/sites-enabled/ssl-test__

# tried with and without each of the following
#LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
#LoadModule ssl_module modules/mod_ssl.so
Listen 8843
<VirtualHost *:8843>
ServerName myserver
SSLEngine on # tried with this directive at the top and the bottom of this file
DocumentRoot /var/www/
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
SSLRequireSSL # tried with and without this directive
</Directory>
ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
SSLCertificateFile /etc/ssl/certs/test1.cert.pem
SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
# tried with and without all of the following directives
SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite HIGH
SSLProtocol -all +TLSv1 +SSLv3
#SSLProtocol all
SSLVerifyClient none
SSLProxyEngine off
SSLRequireSSL
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
</VirtualHost>

__/etc/apache2/ports.conf__

<IfModule ssl_module>
Listen 8843
</IfModule>

The user that runs apache2 is user www-data.

I have tested that www-data and root can access the key files /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key.

$ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/

I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is executable.

$ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
-rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so

I have tailed the relevant apache2 logs and checked for errors. I see these SSL related messages on startup (including one skip message for 127.0.0.1:80, but then later there is a resuming message).

[ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing (virtual) servers for SSL
[ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating secret for digest authentication ...
[auth_digest:debug] [pid 21187:tid 139942871500672] mod_auth_digest.c(250): AH01759: done
[ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
[socache_shmcb:debug] [pid 21297:tid 140596905265024] mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of shared memory
...
[ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing (virtual) servers for SSL
[ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
[mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built: Jul 22 2014 14:36:38
[core:notice] [pid 21297:tid 140596905265024] AH00094: Command line: '/usr/sbin/apache2'
[mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829): AH00294: Accept mutex: fcntl (default: sysvsem)

The openssl binary runs and supports ciphers:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...

I checked the apache2ctl binary compilation settings

$ apache2ctl -V
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 22 2014 14:36:38
Server's Module Magic Number: 20120211:27
Server loaded: APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture: 64-bit
Server MPM: worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

I checked apache2ctl settings

$ apache2ctl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/mod_ssl.log"
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

The apache2ctl syntax check is OK.

$ apache2ctl -t
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl (and not /usr/sbin/apache2).

Any ideas on what I need to enable SSL for this VirtualHost?

Again, I can see HTTP response on 8443 but never HTTPS.
---JamesThomasMoon1979
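
Added example, not part of the original post: the quoted apache2.conf includes only `sites-enabled/*.conf`, the vhost file is named `ssl-test`, and the `apache2ctl -S` output above lists no VirtualHost entries. This Python check reports files in `sites-enabled` that no Include/IncludeOptional pattern matches; the function names and the `000-default.conf` sample file are assumptions made for the illustration.

```python
import glob
import os
import re
import tempfile

# Matches "Include <path>" and "IncludeOptional <path>" (directive names are case-insensitive).
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)

def include_patterns(conf_text):
    """Return the path patterns named by Include/IncludeOptional directives."""
    patterns = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            patterns.append(m.group(1))
    return patterns

def skipped_files(server_root, main_conf="apache2.conf", directory="sites-enabled"):
    """List files in `directory` that no include pattern in main_conf picks up."""
    with open(os.path.join(server_root, main_conf)) as fh:
        patterns = include_patterns(fh.read())
    loaded = set()
    for pattern in patterns:
        # Relative include paths are resolved against ServerRoot.
        loaded.update(glob.glob(os.path.join(server_root, pattern)))
    site_dir = os.path.join(server_root, directory)
    on_disk = {os.path.join(site_dir, name) for name in os.listdir(site_dir)}
    return sorted(os.path.relpath(p, server_root) for p in on_disk - loaded)

def build_sample_tree():
    """Constructed layout mirroring the include lines and file name in the post."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sites-enabled"))
    with open(os.path.join(root, "apache2.conf"), "w") as fh:
        fh.write("Include ports.conf\n"
                 "IncludeOptional conf-enabled/*.conf\n"
                 "IncludeOptional sites-enabled/*.conf\n")
    # 000-default.conf is a constructed file; ssl-test is the name from the post.
    for name in ("000-default.conf", "ssl-test"):
        open(os.path.join(root, "sites-enabled", name), "w").close()
    return root

if __name__ == "__main__":
    # On a real server: skipped_files("/etc/apache2")
    print(skipped_files(build_sample_tree()))
```

A file reported here is never parsed, so its `Listen`, `<VirtualHost>` and `SSLEngine` lines have no effect and the port is served only by whatever other configuration is loaded.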