Re: Re: apache 2.4 enable SSL for simple VirtualHost *:8843

"simple configuration you say"?

I would certainly try to simplify it much more. You have many IfModules and repeated directives, and many directives you don't even need, as well as dated ones, so to try to make it work better, start by removing all the unnecessary stuff.

I would simply delete ALL that and try something simpler like this:

# Listen to force ipv4 and make sure this isn't your issue
Listen 0.0.0.0:8443


# Now Basic secure ssl config for 2.4 with all the stuff you will probably need in most cases
# (don't try insecurerenegotiation again), I tried to make these directives based on your previous paths:

## SSL Server config
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
SSLProtocol all -SSLv3 -SSLv2
SSLCompression off
SSLCipherSuite TLSv1.2:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!EXP:!eNULL:!PSK
SSLHonorCipherOrder on
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shmcb:${APACHE_LOG_DIR}/ssl_gcache_data(512000)


###
# and now the SSL virtualhost
# SSLPassPhrase and all that will be needed IF your key is encrypted.
<VirtualHost *:8443>
    ServerName myserver
    DocumentRoot /var/www
    # CustomLog needs a log format (nickname or format string) as its second argument
    CustomLog ${APACHE_LOG_DIR}/myserver-ssl.log combined
    ErrorLog ${APACHE_LOG_DIR}/myserver-ssl-error.log

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/test1.cert.pem
    SSLCertificateKeyFile /etc/ssl/private/test1.cert.key

    # last but not least use the 2.4 access directives with "Require"
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Once you have all this set up, make sure the virtualhost shows up in "apachectl -S"; otherwise it is probably your config not loading the virtualhost even though you may think it is doing so. At least the logs you showed only mention 127.0.1.1:80

IMHO, it is always better to resort to one single configuration file for everything if the server is just a couple of virtualhosts.

Regards

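An added diagnostic, not part of this thread or of Apache itself, that shows why the browser reports ssl_error_rx_record_too_long and gives a direct check of what the port actually speaks. It assumes nothing beyond the Python standard library; the hostname, port and the sample response bytes are constructed for illustration.

```python
"""Added diagnostic for the thread's symptom (not Apache's or the poster's code).
Firefox raises ssl_error_rx_record_too_long when its ClientHello is answered in
plaintext HTTP, i.e. SSLEngine never took effect on the vhost bound to that port:
the bytes "HTTP/" read as a TLS record header with an impossible length."""
import os
import socket
import struct

TLS_MAX_RECORD = 2**14 + 2048  # largest TLSCiphertext length RFC 5246 permits
# Constructed samples of the first bytes a client might get back on the port.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.7 (Ubuntu)\r\n"
TLS_SERVER_HELLO = bytes.fromhex("160303005a020000560303")  # TLS 1.2 handshake record

def parse_record_header(data: bytes) -> dict:
    """Read the 5-byte TLS record header: content type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_response(data: bytes) -> str:
    """Say what the server on the probed port actually did with a ClientHello."""
    if len(data) < 5:
        return "no usable data: nothing listening, filtered, or closed at once"
    if data.startswith(b"HTTP/"):
        return "plaintext HTTP: SSLEngine is not active on the vhost for this port"
    hdr = parse_record_header(data)
    if hdr["type"] in (0x15, 0x16) and hdr["version"][0] == 3:
        return "TLS record: the port speaks TLS, check the certificate next"
    return "unrecognised protocol on this port"

def minimal_client_hello() -> bytes:
    """Hand-built TLS 1.2 ClientHello (RSA suites, no extensions): enough to make
    Apache answer with either a ServerHello/alert or a plaintext 400."""
    suites = bytes.fromhex("c014c0130035002f")
    body = b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, no session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to a live server, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(minimal_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)
```

Run probe("myserver", 8843) against the server in question; a "plaintext HTTP" verdict matches the Firefox error and means the SSL vhost is not the one answering on that port, which is exactly what apachectl -S should confirm.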


2014-12-17 2:01 GMT+01:00 J Tom Moon 79 <jtm.moon.forum.user@xxxxxxxxx>:
Also, the RSA key files were generated with the following command:
  $ sudo openssl req -x509 -nodes -days 730 -newkey "rsa:512" -subj '/C=US/ST=WA/L=Sea/O=Company Inc/OU=my-team' -keyout /etc/ssl/private/test1.cert.key -out /etc/ssl/certs/test1.cert.pem
There were no apparent problems.

On Tue, Dec 16, 2014 at 4:55 PM, J Tom Moon 79 <jtm.moon.forum.user@xxxxxxxxx> wrote:
I'm unable to simply enable SSL for a VirtualHost using a very simple configuration.

I recently upgraded Ubuntu 12 to Ubuntu 14.  apache was upgraded from 2.2 to 2.4.7 .  I've checked the 2.4 docs for 2.2->2.4 changes and reviewed my configuration scripts in depth.
I can create an unencrypted VirtualHost (http) but not an encrypted one (https) on port 8843.  I can browse to the site just fine with http://server:8843 (I see the expected index.html file).  If I try https://server:8843 I get "ssl_error_rx_record_too_long" error (using Firefox 33).

I've tried many options within the configuration files.  I haven't drastically changed any pre-configured apache configuration files.  The apache2 service does see my changes but just seems to not enable SSL.
Here is a selected summary of all the related files.  Can anyone identify what I'm missing?

----

__/etc/apache2/apache2.conf__
  ...
  ErrorLog ${APACHE_LOG_DIR}/error.log
  LogLevel debug
  IncludeOptional mods-enabled/*.load
  IncludeOptional mods-enabled/*.conf
  Include ports.conf
  ...
  IncludeOptional conf-enabled/*.conf
  IncludeOptional sites-enabled/*.conf

__/etc/apache2/mods-enabled/ssl.load__
  # Depends: setenvif mime socache_shmcb
  LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

__/etc/apache2/mods-enabled/ssl.conf__
  <IfModule ssl_module>
  # I've tried both of the following sets for SSLRandomSeed
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLRandomSeed startup file:/dev/urandom 512
  SSLRandomSeed connect file:/dev/urandom 512
  
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  
  # tried with and without the next option
  #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
  
  SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
  SSLSessionCacheTimeout 300
  SSLCipherSuite all
  SSLProtocol all     # tried this as 'HIGH:!aNULL:!MD5'
  SSLInsecureRenegotiation on   # tried this on and off
  ErrorLog /var/log/apache2/mod_ssl.log
  LogLevel debug
  SSLStrictSNIVHostCheck Off 
  </IfModule>

__/etc/apache2/sites-enabled/ssl-test__
  # tried with and without each of the following
  #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
  #LoadModule ssl_module modules/mod_ssl.so
  
  Listen 8843
  <VirtualHost *:8843>
  ServerName myserver
  SSLEngine on  # tried with this directive at the top and the bottom of this file
  DocumentRoot /var/www/
  <Directory "/var/www/">
       Options Indexes FollowSymLinks MultiViews
       AllowOverride None
       Order allow,deny
       allow from all
       SSLRequireSSL  # tried with and without this directive
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
  SSLCertificateFile /etc/ssl/certs/test1.cert.pem
  SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
  
  # tried with and without all of the following directives
  SSLCipherSuite HIGH:!aNULL:!MD5
  #SSLCipherSuite HIGH
  SSLProtocol -all +TLSv1 +SSLv3
  #SSLProtocol all
  SSLVerifyClient none  
  SSLProxyEngine off   
  SSLRequireSSL   
  SSLRandomSeed startup file:/dev/urandom 1024  
  SSLRandomSeed connect file:/dev/urandom 1024
  </VirtualHost>

__/etc/apache2/ports.conf__
  <IfModule ssl_module>
  Listen 8843
  </IfModule>

The user that runs apache2 is user www-data .  
I have tested that www-data and root can access the key files /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key .
  $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/

I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is executable.
  $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
  -rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so

I have tailed the relevant apache2 logs and checked for errors.  I see these SSL related messages on startup. (including one skip message for 127.0.0.1:80, but then later there is a resuming message)
  [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing (virtual) servers for SSL
  [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
  [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating secret for digest authentication ...
  [auth_digest:debug] [pid 21187:tid 139942871500672] mod_auth_digest.c(250): AH01759: done
  [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
  [socache_shmcb:debug] [pid 21297:tid 140596905265024] mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of shared memory
  ...
  [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing (virtual) servers for SSL
  [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
  [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
  [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built: Jul 22 2014 14:36:38
  [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line: '/usr/sbin/apache2'
  [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829): AH00294: Accept mutex: fcntl (default: sysvsem)

The openssl binary runs and supports ciphers:
  $ openssl ciphers
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...

I check the apache2ctl binary compilations settings
  $ apache2ctl -V
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
  Server version: Apache/2.4.7 (Ubuntu)
  Server built:   Jul 22 2014 14:36:38
  Server's Module Magic Number: 20120211:27
  Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
  Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
  Architecture:   64-bit
  Server MPM:     worker
    threaded:     yes (fixed thread count)
      forked:     yes (variable process count)
  Server compiled with....
   -D APR_HAS_SENDFILE
   -D APR_HAS_MMAP
   -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
   -D APR_USE_SYSVSEM_SERIALIZE
   -D APR_USE_PTHREAD_SERIALIZE
   -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
   -D APR_HAS_OTHER_CHILD
   -D AP_HAVE_RELIABLE_PIPED_LOGS
   -D DYNAMIC_MODULE_LIMIT=256
   -D HTTPD_ROOT="/etc/apache2"
   -D SUEXEC_BIN="/usr/lib/apache2/suexec"
   -D DEFAULT_PIDLOG="/var/run/apache2.pid"
   -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
   -D DEFAULT_ERRORLOG="logs/error_log"
   -D AP_TYPES_CONFIG_FILE="mime.types"
   -D SERVER_CONFIG_FILE="apache2.conf"

I checked apache2ctl settings
  $ apache2ctl -S
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
  VirtualHost configuration:
  ServerRoot: "/etc/apache2"
  Main DocumentRoot: "/var/www"
  Main ErrorLog: "/var/log/apache2/mod_ssl.log"
  Mutex authdigest-client: using_defaults
  Mutex ssl-stapling: using_defaults
  Mutex ssl-cache: using_defaults
  Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
  Mutex mpm-accept: using_defaults
  Mutex authdigest-opaque: using_defaults
  Mutex watchdog-callback: using_defaults
  PidFile: "/var/run/apache2/apache2.pid"
  Define: DUMP_VHOSTS
  Define: DUMP_RUN_CFG
  Define: ENABLE_USR_LIB_CGI_BIN
  User: name="www-data" id=33
  Group: name="www-data" id=33

The apache2ctl syntax check is OK.
  $ apache2ctl -t
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
  Syntax OK

The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl (and not /usr/sbin/apache2 ).


Any ideas on what I need to enable SSL for this VirtualHost ?
Again, I can see HTTP response on 8443 but never HTTPS.

--
-JamesThomasMoon1979


--
-J Tom Moon 79
