Re: [users@httpd] Correction & Question: SSLCertificateFile: RedHat (RHEL4) apache startup failure: ebxml-registry-repository on tomcat on port 6480, with Mambo LAMP Portal on port 8080: Despite Self-Signed Cert: [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]


Thanks again, Richard,

I missed this message due to a series of 12-hour days during last week's OASIS Symposium.

I apologize. I'm still working my way out of the backup. I appreciate your follow-through very much.

Answers inline.


At 11:46 AM -0700 5/9/06, Richard de Vries wrote:
Are you using a separate configuration file for your
SSL instance?

Let's start with a couple of basic things.

1) Do you have the SSL configuration between <IfModule
XXXX> tags? If so, what is your XXXX set to in this
case?

There is no SSL configuration between <IfModule XXXX> tags. I have Apache2.0 in RHEL 4, so I have an ssl.conf file in directory /etc/httpd/conf.d.

2) SSLCertificateFile and SSLCertificateKeyFile point
to valid files right? Can you do a ls -al on that file
location?

Yes.

3) Sometimes, some programs refuse to enable SSL if
the certificates are publicly readable. How are your
permissions on these files?

[root@XXXX ssl.crt]# ls -al
total 40
drwx------  2 root root 4096 May 13 08:06 .
drwxr-xr-x  7 root root 4096 May 13 08:23 ..
-rw-r--r--  1 root root 1773 May  8 17:22 cacert.pem
-rw-r--r--  1 root root 1522 Feb 28  2005 Makefile.crt
-rw-------  1 root root 1497 May  8 21:27 server.crt
[root@XXX ssl.crt]# cd ..
[root@XXX conf]# cd ssl.key
[root@XXX ssl.key]# ls -al
total 48
drwx------  2 root root 4096 Feb 28  2005 .
drwxr-xr-x  7 root root 4096 May 13 08:23 ..
-rw-r--r--  1 root root 1751 May  8 17:18 privkey.pem
-rw-------  1 root root  963 May  8 21:23 server.key
[root@XXX ssl.key]#


Let's start with these steps, then work ourselves thru
your configuration. I don't think re-installing apache
would necessarily fix anything.

There are the permissions. You're right, re-installing wouldn't change this. ????

Thanks again,
Rex

  Richard
--- Rex Brooks <rexb@xxxxxxxxxxxxxx> wrote:

 Thanks Richard,

 I appreciate that you took the time to answer. So far you are the only one. This installation is on RedHat Enterprise Linux4 and Apache2.0 and I have tried the Key-Certificate generation instructions detailed in the System Administration Guide Ch. 26.6-26.8.

 I tried the freebsd instructions at the url you advised, and what happened was that the certificate signing request could not open the key. I have also downloaded and tried with openssl-0.9.8b. I was able to generate the server.key and server.crt but httpd still does not start.

 The Admin Guide instructions also result in what ought to be a valid server key in the ssl.key directory and a server.crt in the ssl.crt directory as specified in the ssl.conf file in the /etc/httpd/conf directory, but httpd still does not start.

 Here is the terminal output when attempting to start httpd:

 [root@c-xxx-xxx-xxx-xxx ~]# service httpd start
 Starting httpd: [Mon May 08 06:20:21 2006] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 557 will probably never match because it overlaps an earlier AliasMatch.
 Warning: DocumentRoot [/home/xxx/jakarta-tomcat-5.0.28] does not exist
 [FAILED]
 [root@c-xxx-xxx-xxx-xxx ~]#

 Here is the httpd error_log for that sequence:

 [Mon May 08 06:20:21 2006] [notice] core dump file size limit raised to 4294967295 bytes
 [Mon May 08 06:20:22 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
 [Mon May 08 06:20:22 2006] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

 It's beginning to look like I will have to reinstall
 apache.

 Regards,
 Rex

 >what error are you getting?
 >
 >Try following the instructions at this URL. They've always worked for me:
 >
 >http://www.corserv.com/freebsd/apache-ssl-howto.html
 >
 >--- Rex Brooks <rexb@xxxxxxxxxxxxxx> wrote:
 >
 >>  Please see my previous post for details.
 >>
 >>  I said that mod_ssl was not installed, but a double check showed that it is.
 >>
 >>  My question is only about filenames for SSLCertificateFile and/or SSLCertificateKeyFile.
 >>
 >>  ApacheSSL Documentation says at http://www.apache-ssl.org/docs.html#SSLCertificateFile:
 >>
 >>  This is your PEM-encoded server certificate (strictly, it is what SSLeay calls PEM, which isn't really).
 >>
 >>  Example:
 >>
 >>  SSLCertificateFile /usr/local/apache/certs/my.server.pem
 >>
 >>  What the process described in RedHat Sys. Admin. Guide Ch. 26.6-26.8 produces in the file ssl.conf located in /etc/httpd/conf.d/ used to configure SSL support is:
 >>
 >>  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
 >>
 >>  and
 >>
 >>  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
 >>
 >>  There is a file named server.crt in the specified location, and a server.key file in its corresponding location. Could this lack of a PEM-encoded server certificate, however it is produced, be the root cause of httpd start failure?
 >>
 >>  I have downloaded and installed openssl-0.9.8b and I have also now generated a privkey.pem and a cacert.pem and I have put them in the same directories as the ssl.conf file specified, and edited that file to reflect that, rebooted and httpd still fails to start.
 >>
 >>
 >>  Regards,
 >>  Rex Brooks
 >>
 >>
 >>  --
 >>  Rex Brooks
 >>  President, CEO
 >>  Starbourne Communications Design
 >>  GeoAddress: 1361-A Addison
 >>  Berkeley, CA 94702
 >>  Tel: 510-849-2309
 >>
 >>  ---------------------------------------------------------------------
 >>  The official User-To-User support forum of the Apache HTTP Server Project.
 >>  See <URL:http://httpd.apache.org/userslist.html> for more info.
 >>  To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 >>     "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
 >>  For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


 --
 Rex Brooks
 President, CEO
 Starbourne Communications Design
 GeoAddress: 1361-A Addison
 Berkeley, CA 94702
 Tel: 510-849-2309








--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
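
The checks raised in questions 2 and 3 of this thread (do both directives point at valid files, and what are the permissions), written out as an added shell example that is not part of the original messages. It assumes the openssl command-line tool is installed; the function names are this example's own and the two paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the files named
# by SSLCertificateFile and SSLCertificateKeyFile. Requires the openssl CLI.

# Print the label of the first PEM block in a file ("CERTIFICATE",
# "RSA PRIVATE KEY", ...). Prints nothing for non-PEM input such as DER.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed only if the ls -l mode string grants nothing to group or other,
# i.e. it looks like -rw------- rather than -rw-r--r--.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the public key inside the certificate equals the public
# key derived from the private key. Returns 2 if either file cannot be
# parsed (wrong format, or a passphrase-protected key).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Run every check on one certificate/key pair; exit status = number of findings.
check_pair() {
    cert=$1 key=$2 problems=0
    [ "$(pem_label "$cert")" = "CERTIFICATE" ] ||
        { echo "FAIL: $cert has no PEM CERTIFICATE block"; problems=$((problems + 1)); }
    case "$(pem_label "$key")" in
        *"PRIVATE KEY") ;;
        *) echo "FAIL: $key has no PEM private key block"; problems=$((problems + 1)) ;;
    esac
    key_is_private "$key" ||
        { echo "WARN: $key is accessible to group or other"; problems=$((problems + 1)); }
    pair_matches "$cert" "$key" ||
        { echo "FAIL: $key does not match $cert, or a file is unparsable"; problems=$((problems + 1)); }
    return "$problems"
}

# Usage: sh check_pair.sh /path/to/server.crt /path/to/server.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: certificate and key are consistent"
fi
```

The file extension plays no part in any of these checks: a file named server.crt passes the first test as long as its content is a PEM CERTIFICATE block.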
