Hi all,
I am new to this list, and relatively new to working with SSL on Apache.
I am having some problems getting a new install up and running. I am hoping
that someone can give me some pointers on what is wrong. I will try to include
as much relevant info as I can, but please let me know if I left something out.
I am running: Linux Slackware 3.5 Kernel 2.0.34
Apache 1.3.1
SSLeay 0.9.0b
mod_ssl-2.0.8-1.3.1
I have got everything compiled and built--the web server still works as it used to
w/o SSL installed. The only problem I had with installation is that I cannot do
a make certificate. When doing a make certificate, I get the following:
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________
STEP 1: Generating RSA private key (1024 bit) [server.key]
The process then just sits there for a long time. I have let it sit over an
hour and never got anywhere with it.
I have, however, created a key, a CSR, and a CRT manually using ssleay. I
did this using the commands presented in the FAQ for mod_ssl. I placed the
files in the appropriate directories in /usr/local/apache/etc and also
modified the httpd.conf file. Basically, the problem is this...when
I run /usr/local/apache/sbin/httpd -DSSL it never prompts me for the pass
phrase for the cert and the process just dies. If I run w/o defining SSL
thankfully I can still have my server up and running normally. This is
the error that gets entered into the error_log-ssl file:
[Mon Oct 19 16:11:25 1998] [crit] (22)Invalid argument: mod_ssl: Failed to read private key file /usr/local/apache/etc/ssl.key/inetsolve.key
[Mon Oct 19 16:11:25 1998] [error] SSLeay: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
[Mon Oct 19 16:11:25 1998] [error] SSLeay: error:0906A068:PEM routines:PEM_do_header:bad password read
I am including my httpd.conf file below, whole, minus a bunch of virtual hosts which
would just waste space in this email message.
Any help given would be appreciated!
Thanks
Jay Ribak
[EMAIL PROTECTED]
HTTPD.CONF file included below:
# -FrontPage- version=2.0
##
## httpd.conf -- Apache HTTP server configuration file
##
# This is the main server configuration file. See URL http://www.apache.org/
# for instructions.
# Do NOT simply read the instructions in here without understanding
# what they do, if you are unsure consult the online docs. You have been
# warned.
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file README.DSO in the Apache 1.3 distribution for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.
#
# Example:
# LoadModule foo_module libexec/mod_foo.so
# ServerType is either inetd, or standalone.
ServerType standalone
# If you are running from inetd, go to "ServerAdmin".
# Port: The port the standalone listens to. For ports < 1023, you will
# need httpd to be run as root initially.
Port 80
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
# HostnameLookups: Log the names of clients or just their IP numbers
# e.g. www.apache.org (on) or 204.62.129.132 (off)
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on.
HostnameLookups off
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# User/Group: The name (or #number) of the user/group to run httpd as.
# On SCO (ODT 3) use User nouser and Group nogroup
# On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group on these systems!
User nobody
Group nogroup
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.
ServerAdmin [EMAIL PROTECTED]
# ServerRoot: The directory the server's config, error, and log files
# are kept in.
# NOTE! If you intend to place this on a NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation,
# you will save yourself a lot of trouble.
ServerRoot /usr/local/apache
ResourceConfig etc/srm.conf
AccessConfig etc/access.conf
# BindAddress: You can support virtual hosts with this option. This option
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the VirtualHost directive.
BindAddress *
# ErrorLog: The location of the error log file. If this does not start
# with /, ServerRoot is prepended to it.
ErrorLog /usr/local/apache/var/log/error_log
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# The location of the access logfile (Common Logfile Format).
# If this does not start with /, ServerRoot is prepended to it.
CustomLog /usr/local/apache/var/log/access_log common
# If you would like to have an agent and referer logfile uncomment the
# following directives.
#CustomLog /usr/local/apache/var/log/referer_log referer
#CustomLog /usr/local/apache/var/log/agent_log agent
# If you prefer a single logfile with access, agent and referer information
# (Combined Logfile Format) you can use the following directive.
CustomLog /usr/local/apache/var/log/access_log combined
# PidFile: The file the server should log its pid to
PidFile /usr/local/apache/var/run/httpd.pid
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file is created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
ScoreBoardFile /usr/local/apache/var/run/httpd.scoreboard
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
#LockFile /usr/local/apache/var/run/httpd.lock
# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e. use
# "www" instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.
ServerName www.inetsolve.com
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a url that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGIs.
UseCanonicalName on
# CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#CacheNegotiatedDocs
# Timeout: The number of seconds before receives and sends time out
Timeout 300
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request
KeepAliveTimeout 15
# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off. These values are probably OK for most sites ---
MinSpareServers 5
MaxSpareServers 10
# Number of servers to start --- should be a reasonable ballpark figure.
StartServers 5
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# Unix with it as it spirals down...
MaxClients 150
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.
# The child will exit so as to avoid problems after prolonged use when
# Apache (and maybe the libraries it uses) leak. On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries.
MaxRequestsPerChild 30
# Proxy Server directives. Uncomment the following line to
# enable the proxy server:
#ProxyRequests On
# To enable the cache as well, edit and uncomment the following lines:
#CacheRoot /usr/local/apache/var/proxy
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command
#Listen 3000
#Listen 12.34.56.78:80
# VirtualHost: Allows the daemon to respond to requests for more than one
# server address, if your server machine is configured to accept IP packets
# for multiple addresses. This can be accomplished with the ifconfig
# alias flag, or through kernel patches like VIF.
# Any httpd.conf or srm.conf directive may go into a VirtualHost command.
# See also the BindAddress entry.
NameVirtualHost 208.220.170.253
# ****************************************************
# Virtual Host settings for Inetsolve.com's subdomain
# customers. This way users can access things by
# subdomain.inetsolve.com, instead of www.inetsolve.com/~subdomain
# ****************************************************
<VirtualHost 208.220.170.253>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/twisted/public_html
ServerName twisted.inetsolve.com
ErrorLog /home/twisted/public_html/error_log
TransferLog /home/twisted/public_html/access_log
</VirtualHost>
# *********************************************************
# Virtual Host Settings for WebServePro and its
# subdomain customers. For some reason, customers
# want www.theirname.webservepro.com as well as
# theirname.webservepro.com, so each one is listed twice.
# *********************************************************
<VirtualHost 208.220.170.253>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/wsp/public_html
ServerName www.webservepro.com
ErrorLog /home/wsp/public_html/error_log
TransferLog /home/wsp/public_html/access_log
</VirtualHost>
# TONS OF VIRTUAL HOSTS REMOVED HERE TO SAVE SPACE
# ################################################
<IfModule mod_ssl.c>
# we disable SSL globally
SSLDisable
# configure the path/port for the SSL session cache server[RECOMMENDED].
# Additionally sets the session cache timeout, in seconds (set to 15 for
# testing, use a higher value in real life) [RECOMMENDED]
SSLCacheServerPath /usr/local/apache/sbin/ssl_gcache
SSLCacheServerPort 12345
SSLSessionCacheTimeout 300
<IfDefine SSL>
<VirtualHost _default_:443>
# setup the general virtual server configuration
DocumentRoot /usr/local/apache/share/htdocs
ServerName www.inetsolve.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/var/log/error_log-ssl
TransferLog /usr/local/apache/var/log/access_log-ssl
# enable SSL for this virtual host
SSLEnable
# this forbids access except when SSL is in use. Very handy for defending
# against configuration errors that expose stuff that should be protected
SSLRequireSSL
# point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. [RECOMMENDED]
SSLCertificateFile /usr/local/apache/etc/ssl.crt/inetsolve.crt
# if the key is not combined with the certificate, use this
# directive to point at the key file. [OPTIONAL]
SSLCertificateKeyFile /usr/local/apache/etc/ssl.key/inetsolve.key
# set the CA certificate verification path where
# to find CA certificates for client authentication or
# alternatively one huge file containing all of them
# (file must be PEM encoded) [OPTIONAL]
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /usr/local/apache/etc/ssl.crt
#SSLCACertificateFile /usr/local/apache/etc/ssl.crt/ca-bundle.crt
# set client verification level: [RECOMMENDED]
# 0|none: no certificate is required
# 1|optional: the client may present a valid certificate
# 2|require: the client must present a valid certificate
# 3|optional_no_ca: the client may present a valid certificate
# but it is not required to have a valid CA
SSLVerifyClient none
# set how deeply to verify the certificate issuer chain
# before deciding the certificate is not valid. [OPTIONAL]
#SSLVerifyDepth 10
# list the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. [OPTIONAL]
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
# these two can be used on a per-directory basis to require or
# ban specific ciphers. Note that (at least in the current version)
# SSL will not attempt to renegotiate if a cipher is banned
# (or not required). [OPTIONAL]
#SSLRequireCipher RC4-MD5
#SSLBanCipher RC4-MD5
# translate the client X.509 into a Basic Authorisation.
# This means that the standard Auth/DBMAuth methods can be used for
# access control. The user name is the `one line' version of
# the client's X.509 certificate. Note that no password is
# obtained from the user. Every entry in the user file needs
# this password: `xxj31ZMTZzkVA'. [OPTIONAL]
#SSLFakeBasicAuth
# a home for miscellaneous rubbish generated by SSL. Much of it
# is duplicated in the error log file. Put this somewhere where
# it cannot be used for symlink attacks on a real server (i.e.
# somewhere where only root can write). [RECOMMENDED]
SSLLogFile /usr/local/apache/var/log/ssl_misc_log
# define custom SSL logging [RECOMMENDED]
CustomLog /usr/local/apache/var/log/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c \"%r\" %b"
</VirtualHost>
</IfDefine>
</IfModule>
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
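The two SSLeay errors in the post (DEF_CALLBACK: problems getting password, PEM_do_header: bad password read) are what the PEM reader reports when the key file carries an encryption header but the server could not obtain a pass phrase for it. The following is an added example, not code from the original post or from the mod_ssl project: a small Python inspector that parses a PEM file the way the PEM reader does before any prompting happens, and reports whether the first private key block is encrypted (a "Proc-Type: 4,ENCRYPTED" header plus a "DEK-Info" line naming the cipher) or plain. The sample PEM texts, the DEK-Info IV value and the base64 body lines are constructed placeholders, not real key material.

```python
"""Inspect a PEM private key as the SSLeay/OpenSSL PEM reader sees it.

An encrypted key (Proc-Type: 4,ENCRYPTED + DEK-Info header) forces the
server to ask for a pass phrase at startup; if that prompt cannot be
serviced, loading fails with "PEM_do_header:bad password read".
Added example; not part of the original post or of mod_ssl.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One PEM block: BEGIN/END lines with matching labels, body in between.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.S,
)

# Labels the PEM reader treats as a private key (PKCS#1 and PKCS#8 forms).
KEY_LABELS = {
    "RSA PRIVATE KEY",
    "DSA PRIVATE KEY",
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}


@dataclass
class PemBlock:
    label: str
    headers: Dict[str, str] = field(default_factory=dict)
    encrypted: bool = False
    cipher: Optional[str] = None   # cipher named in DEK-Info, if any
    body_lines: int = 0            # number of non-empty base64 lines


def parse_pem(text: str) -> List[PemBlock]:
    """Return every PEM block in text, with RFC 1421 headers split out."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        lines = [ln.rstrip("\r") for ln in m.group("body").split("\n")]
        headers: Dict[str, str] = {}
        i = 0
        # Headers ("Key: value") sit at the top of the body and are
        # terminated by a blank line; base64 lines never contain ':'.
        while i < len(lines) and ":" in lines[i]:
            key, _, value = lines[i].partition(":")
            headers[key.strip()] = value.strip()
            i += 1
        if headers and i < len(lines) and lines[i] == "":
            i += 1
        body = [ln for ln in lines[i:] if ln]
        encrypted = headers.get("Proc-Type", "").upper().endswith("ENCRYPTED")
        cipher = headers.get("DEK-Info", "").split(",")[0].strip() or None
        blocks.append(PemBlock(label, headers, encrypted, cipher, len(body)))
    return blocks


def diagnose_key(text: str) -> str:
    """Classify the first private key block: 'no-key', 'encrypted' or 'plaintext'.

    'encrypted' means startup will need a pass phrase prompt; 'no-key' means
    the file holds nothing the PEM reader could load as a key at all.
    """
    keys = [b for b in parse_pem(text) if b.label in KEY_LABELS]
    if not keys:
        return "no-key"
    first = keys[0]
    if first.encrypted or first.label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"
    return "plaintext"


# Constructed sample inputs (placeholder IV and base64; not real keys).
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        blk = parse_pem(sample)[0]
        print(name, "->", diagnose_key(sample), "label:", blk.label, "cipher:", blk.cipher)
```

Run it against the real key file with `diagnose_key(open(path).read())`; an "encrypted" result on a key that the server is expected to load without a terminal is the mismatch the posted error_log describes. The check deliberately stops at the headers and never attempts to decrypt anything.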