Re: SSL not working for ServerAlias through load balancer

That was a typo. We are using *:443

This is what I perceive to be the significant part of the error_log file
with LogLevel debug. No entries in either of the ssl log files ...

[Wed May 13 11:13:17.158332 2015] [ssl:debug] [pid x:tid x]
ssl_engine_kernel.c(224): [client x] AH02034: Initial (No.1) HTTPS request
received for child 70 (server baseserver.abc.com:443)
[Wed May 13 11:13:17.158412 2015] [authz_core:debug] [pid 31858:tid
140398848632576] mod_authz_core.c(809): [client 10.254.79.196:59301]
AH01626: authorization result of Require all granted: granted
.
.
[Wed May 13 11:13:17.158486 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(124): [client x] AH01060: set r->filename to
proxy:fcgi://127.0.0.1:9000/www/docs//index.php
[Wed May 13 11:13:17.158512 2015] [proxy:debug] [pid x:tid x]
mod_proxy.c(1117): [client x] AH01143: Running scheme fcgi handler
(attempt 0)
[Wed May 13 11:13:17.158518 2015] [proxy_ajp:debug] [pid x:tid x]
mod_proxy_ajp.c(713): [client x] AH00894: declining URL
fcgi://127.0.0.1:9000/www/docs//index.php
[Wed May 13 11:13:17.158522 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(948): [client x] AH01076: url:
fcgi://127.0.0.1:9000/www/docs//index.php proxyname: (null) proxyport: 0
[Wed May 13 11:13:17.158527 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(955): [client x] AH01078: serving URL
fcgi://127.0.0.1:9000/www//index.php
[Wed May 13 11:13:17.158533 2015] [proxy:debug] [pid 31858:tid
140398848632576] proxy_util.c(2200): AH00942: FCGI: has acquired
connection for (127.0.0.1)
[Wed May 13 11:13:17.158538 2015] [proxy:debug] [pid x:tid x]
proxy_util.c(2253): [client x] AH00944: connecting
fcgi://127.0.0.1:9000/www/docs//index.php to 127.0.0.1:9000
[Wed May 13 11:13:17.158545 2015] [proxy:debug] [pid 31858:tid x]
proxy_util.c(2419): [client x] AH00947: connected /www/docs//index.php to
127.0.0.1:9000
[Wed May 13 11:13:17.160089 2015] [proxy:debug] [pid 31858:tid x]
proxy_util.c(2215): AH00943: FCGI: has released connection for (127.0.0.1)
[Wed May 13 11:13:17.162875 2015] [ssl:debug] [pid x:tid x]
ssl_engine_io.c(992): [client x] AH02001: Connection closed to child 70
with standard shutdown (server baseserver.abc.com:443)





On 5/12/15 5:52 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:

>You should then see "activity" with LogLevel debug, where does this lead?
>
>(Note regarding *:443, you indicated *.443 -with a dot- in the
>original message, was that a typo?)
>
>On Tue, May 12, 2015 at 11:32 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>> We checked netstat -an while attempting the https thru the browser. It
>> seems to be getting to the server.
>>
>> tcp        0      0 xxx.xxx.xxx.xxx:443       yyy.yyy.yyy.yyy:35948       TIME_WAIT
>> tcp        0      0 xxx.xxx.xxx.xxx:443       yyy.yyy.yyy.yyy:36375       FIN_WAIT2
>> Etc.
>>
>>
>> On 5/12/15 5:13 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:
>>
>>>Can't it be that the LB does not let the connection pass through?
>>>If the LB is not an SSL end point, it may block based on the Server
>>>Name Indication (SNI)?
>>>On the httpd side, maybe you could look at the network level if the
>>>connection with the client is established (netstat, tcpdump, ...).
>>>
>>>On Tue, May 12, 2015 at 11:02 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>>>> It is not generating an entry in the Apache log files. Unless we have
>>>> missed it. But we believe we have looked thru them thoroughly.
>>>>
>>>> On 5/12/15 4:01 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:
>>>>
>>>>>Can you see the connection arrive, somehow timeout, and finally be
>>>>>logged on the Apache server?
>>>>>
>>>>>On Tue, May 12, 2015 at 9:53 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>>>>>> Yann
>>>>>>
>>>>>> All efforts appreciated.
>>>>>>
>>>>>> First.abc.com goes thru a load balancer
>>>>>>
>>>>>> http://first.abc.com
>>>>>>
>>>>>> Works fine.
>>>>>>
>>>>>> https://first.abc.com
>>>>>>
>>>>>> does not
>>>>>>
>>>>>> If I understand your question correctly.
>>>>>>
>>>>>> John
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/12/15 3:40 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:
>>>>>>
>>>>>>>Probably a silly question, but, is first.abc.com accessible (dns,
>>>>>>>route, ...) from the client host?
>>>>>>>
>>>>>>>Regards,
>>>>>>>Yann.
>>>>>>>
>>>>>>>On Tue, May 12, 2015 at 9:12 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>>>>>>>> We gave that a try based on your recommendation, but it did not
>>>>>>>> change the result.
>>>>>>>>
>>>>>>>> We are still looking for an answer.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On 5/12/15 12:03 PM, "Jack Swan" <john.swan@xxxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>Occasionally we've had the spinning connecting problem here during
>>>>>>>>>some of our development.
>>>>>>>>>You might try clearing/deleting any certificates for that
>>>>>>>>>particular host in Firefox.
>>>>>>>>>
>>>>>>>>>Tools->Options - Advanced.  Select View Certificates and
>>>>>>>>>delete/distrust the certs for that host.
>>>>>>>>>
>>>>>>>>>Maybe that'll work.  It did for us.
>>>>>>>>>
>>>>>>>>>----- Original Message -----
>>>>>>>>>From: jbrose@xxxxxxx
>>>>>>>>>To: users@xxxxxxxxxxxxxxxx
>>>>>>>>>Sent: Tuesday, May 12, 2015 11:47:24 AM GMT -05:00 US/Canada Eastern
>>>>>>>>>Subject: Re:  SSL not working for ServerAlias through load balancer
>>>>>>>>>
>>>>>>>>>In Firefox we get the spinning "Connecting..." indicator in the tab,
>>>>>>>>>and it never advances any further.
>>>>>>>>>
>>>>>>>>>On 5/12/15 11:27 AM, "Rich Bowen" <rbowen@xxxxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>On 05/12/2015 10:40 AM, Rose, John B wrote:
>>>>>>>>>>> Red Hat 7 Apache 2.4
>>>>>>>>>>>
>>>>>>>>>>> We are using name based virtual hosts SSL configuration.
>>>>>>>>>>>
>>>>>>>>>>> Which is working except not for one of our ServerAlias that
>>>>>>>>>>> goes thru a load balancer
>>>>>>>>>>>
>>>>>>>>>>> Not using SSL works fine. We can access all these via the
>>>>>>>>>>> browser ...
>>>>>>>>>>>
>>>>>>>>>>> http://baseserver.sub.abc.com
>>>>>>>>>>> http://first.sub.abc.com
>>>>>>>>>>> http://first.abc.com
>>>>>>>>>>>
>>>>>>>>>>> Using SSL we can go to these successfully ...
>>>>>>>>>>>
>>>>>>>>>>> https://baseserver.sub.abc.com
>>>>>>>>>>> https://First.sub.abc.com
>>>>>>>>>>>
>>>>>>>>>>> But not this ...
>>>>>>>>>>>
>>>>>>>>>>> https://first.abc.com
>>>>>>>>>>>
>>>>>>>>>>> Here is our config ...
>>>>>>>>>>>
>>>>>>>>>>> Have tried these ..
>>>>>>>>>>> <VirtualHost *.443>
>>>>>>>>>>>        and
>>>>>>>>>>> <VirtualHost first.sub.abc.com:443>
>>>>>>>>>>>        and
>>>>>>>>>>> <VirtualHost first.abc.com:443>
>>>>>>>>>>>
>>>>>>>>>>>      ServerName baseserver.sub.abc.com
>>>>>>>>>>>      ServerAlias first.sub.abc.com
>>>>>>>>>>>      ServerAlias first.abc.com
>>>>>>>>>>>
>>>>>>>>>>>      SSLEngine on
>>>>>>>>>>>      DocumentRoot "/www/docs"
>>>>>>>>>>>
>>>>>>>>>>>    <Directory "/www/docs">
>>>>>>>>>>>      ...
>>>>>>>>>>>    </Directory>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/www/docs/
>>>>>>>>>>>    DirectoryIndex index.php index.html
>>>>>>>>>>>
>>>>>>>>>>> SSL Certificate stuff ...
>>>>>>>>>>>
>>>>>>>>>>> </VirtualHost>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Any suggestions why the Load Balanced SSL ServerAlias,
>>>>>>>>>>> https://first.abc.com, is not working?
>>>>>>>>>>
>>>>>>>>>>Can you elaborate on "not working"? What exactly happens?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>--
>>>>>>>>>>Rich Bowen - rbowen@xxxxxxxxxxx - @rbowen
>>>>>>>>>>http://apachecon.com/ - @apachecon
>>>>>>>>>>
>>>>>>>>>>---------------------------------------------------------------------
>>>>>>>>>>To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>>>>>>>>For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>>>>>>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
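
Added example, not part of the original thread: a small Python parser that rejoins wrapped error_log debug entries like those posted above and reports which vhost received the HTTPS request (AH02034), which backend it was handed to (AH00944) and whether the connection closed with a standard shutdown (AH02001). The sample lines, client address and pid/tid values are constructed, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the wrapped debug entries in the message above.
SAMPLE = """\
[Wed May 13 11:13:17.158332 2015] [ssl:debug] [pid 100:tid 200]
ssl_engine_kernel.c(224): [client 192.0.2.10:59301] AH02034: Initial (No.1) HTTPS request
received for child 70 (server baseserver.abc.com:443)
[Wed May 13 11:13:17.158538 2015] [proxy:debug] [pid 100:tid 200]
proxy_util.c(2253): [client 192.0.2.10:59301] AH00944: connecting
fcgi://127.0.0.1:9000/www/docs//index.php to 127.0.0.1:9000
[Wed May 13 11:13:17.162875 2015] [ssl:debug] [pid 100:tid 200]
ssl_engine_io.c(992): [client 192.0.2.10:59301] AH02001: Connection closed to child 70
with standard shutdown (server baseserver.abc.com:443)
"""

STAMP = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:.]+ \d{4})\]")
CODE = re.compile(r"\b(AH\d{5}): (.*)$")
SERVER = re.compile(r"\(server ([^)]+)\)")

def entries(text):  # rejoin wrapped lines; an entry starts with a timestamp
    buf = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line)
    if buf:
        yield " ".join(buf)

def summarize(text):
    """Report which vhost took the HTTPS request and how the connection ended."""
    out = {"vhost": None, "backend": None, "clean_close": False, "duration_us": None}
    start = None
    for entry in entries(text):
        stamp, code = STAMP.match(entry), CODE.search(entry)
        if not (stamp and code):
            continue
        when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S.%f %Y")
        ah, msg = code.groups()
        if ah == "AH02034":    # httpd has received an HTTPS request on this connection
            srv = SERVER.search(msg)
            start, out["vhost"] = when, srv.group(1) if srv else None
        elif ah == "AH00944":  # hand-off to the FastCGI backend
            out["backend"] = msg.rsplit(" to ", 1)[-1]
        elif ah == "AH02001" and start:
            out["clean_close"] = "standard shutdown" in msg
            out["duration_us"] = (when - start) // timedelta(microseconds=1)
    return out
```

If a request for the load-balanced name produces no AH02034 entry at all, the request never reached httpd's SSL layer, which points back at the load balancer or the handshake rather than the vhost configuration.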





