On Fri, Nov 06, 1998, Brad Cox wrote:

> Hi. I'm trying to add mod_ssl-2.0.13-1.3.3/SSLeay-0.9.0b/rsaref-2.0 onto a
> heavily used and working mod_perl-1.16/apache_1.3.3 installation. Testing
> the new build is problematic because every time I install the new build,
> vanilla http: access stops working and users start complaining. 

Why don't you use a different port? You can easily run more than one Apache
instance on the same machine as long as you use different IP ports. And when
you've a smart enough OS you can even use the same ports but different IPs
(configure more IPs on the ethernet card). That's what I use for testing
sometimes.

> I am obviously confused by the installation instructions. Can someone please
> help?

You say you're confused by installation instructions but your problems are
actually run-time/configuration problems. Were there problems at the
installation steps, too?

> Latest problem is that when I turn on the new httpd, https:// works (but
> with an error message regarding invalid certificates) but http:// will not
> respond (presumably causing the unknown protocol msg below)
> 
> Here's the ssl.log
> 
> [05/Nov/1998:18:02:11 -0500] Cipher: EXP-RC4-MD5
> SSLeay: error:140760F8:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> SSLeay: error:140760F8:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> [05/Nov/1998:18:02:38 -0500] Cipher: EXP-RC4-MD5
> SSLeay: error:0906D06C:PEM routines:PEM_read_bio:no start line
> SSLeay: error:0906D06C:PEM routines:PEM_read_bio:no start line
> [05/Nov/1998:20:38:45 -0500] Cipher: EXP-RC4-MD5
> 
> Here's ssl_error.log
> 
> [Thu Nov  5 18:36:30 1998] [crit] (2)No such file or directory: mod_ssl: Failed to read private key file /usr/local/apache/conf/ssl.crt/server.crt
> [Thu Nov  5 18:36:30 1998] [error] SSLeay: error:0906D06C:PEM routines:PEM_read_bio:no start line
> [Thu Nov  5 18:36:45 1998] [crit] (2)No such file or directory: mod_ssl: Failed to read private key file /usr/local/apache/conf/ssl.crt/server.crt
> [Thu Nov  5 18:36:45 1998] [error] SSLeay: error:0906D06C:PEM routines:PEM_read_bio:no start line
> [Thu Nov  5 20:29:56 1998] [error] (2)No such file or directory: mod_ssl: Can't open SSL server certificate file /usr/local/apache/conf/ssl.crt/server.csr, nor /usr/local/ssl/certs//usr/local/apache/conf/ssl.crt/server.csr

Yeah, looks like you have two problems: The first is that your server.key
cannot be read by SSLeay as the error message indicates. This file should be
readable by SSLeay when you use "ssleay rsa -noout -text -in server.key". If
it isn't readable, create a new server.crt/server.key pair with `make
certificate'.

The second problem is that "unknown protocol" error. Usually you get this when
accessing the SSL port via HTTP instead of HTTPS. Make sure you access the
port with the correct URL schemes.

>[...]
> #     SLVerifyClient none
> #     SSLMutex file:/usr/local/apache/var/run/ssl.mutex
> #     SSLSessionCache /usr/local/apache/var/run/ssl.scache
> #   SSLEngine on
>   </VirtualHost>
> </IfDefine>
> 
> The commented-out lines were mentioned in Rolf's slides but aren't accepted
> by the software (but I have the latest version, right?)

As I said on the BugDB-reply, the slide contents are already for mod_ssl 2.1
while you're currently trying 2.0. The latest 2.0 version is 2.0.14 (and in a
few hours 2.0.15), BTW.
 
> Here are the files in /usr/local/apache/conf (presumably ssl.* is created
> by make certificates? It is quite difficult to know for sure; there is very
> similar stuff in ../etc, ../../ssl, and so forth. God only knows how many
> different certificates exist by now in various obscure directories). The dox
> have been of very help.

Wait! When you run `make certificate' at the top-level of apache_1.3.3/ you
get the cert stuff only once: Inside apache_1.3.3/conf/ssl.*/*. And this stuff
is installed on `make install'. When you have more it looks like you confused
yourself while testing and this is the problem for your incorrect server.key
file. Start from scratch with fresh source trees and follow the INSTALL steps
_exactly_. When it then works do your own stuff based on the new experience.
But start with the default INSTALL procedure and the pre-configured httpd.conf
file. You try too much at your first step with SSL.

Greetings,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
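
The quoted ssl_error.log shows the private key being read from server.crt and the server certificate from server.csr. As an added example (not part of the original message; the function names `pem_label`, `pem_role` and `check_role` and the sample files are constructed for illustration), this script reports which kind of PEM object each file holds, judged only by its BEGIN line, so a directive pointing at the wrong file type is visible before the server is started:

```shell
#!/bin/sh
# Added example: report what kind of PEM object a file holds, so a key or
# certificate directive pointing at the wrong file is caught before startup.

# Print the label of the first "-----BEGIN <label>-----" line, or "none".
pem_label() {
    [ -r "$1" ] || { echo none; return 0; }
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    echo "${label:-none}"
}

# Map the label to a role: key, cert, csr or unknown.
pem_role() {
    case "$(pem_label "$1")" in
        *"PRIVATE KEY")         echo key ;;
        *"CERTIFICATE REQUEST") echo csr ;;
        *CERTIFICATE)           echo cert ;;
        *)                      echo unknown ;;
    esac
}

# check_role <key|cert> <file>: return 0 when the file holds that kind of object.
check_role() {
    actual=$(pem_role "$2")
    if [ "$actual" = "$1" ]; then
        echo "ok: $2 holds a $1"
    else
        echo "MISMATCH: $2 is used as $1 but holds: $actual"
        return 1
    fi
}

# Constructed sample files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkpem() { printf '%s\n' "-----BEGIN $2-----" 'Q09OU1RSVUNURUQ=' "-----END $2-----" > "$1"; }
mkpem "$demo_dir/server.crt" 'CERTIFICATE'
mkpem "$demo_dir/server.key" 'RSA PRIVATE KEY'
mkpem "$demo_dir/server.csr" 'CERTIFICATE REQUEST'

# The pairing seen in the quoted ssl_error.log: key <- .crt, certificate <- .csr
check_role key  "$demo_dir/server.crt" || true
check_role cert "$demo_dir/server.csr" || true
# The intended pairing
check_role key  "$demo_dir/server.key"
check_role cert "$demo_dir/server.crt"
```

This checks the file type only; whether the key itself parses is what the `ssleay rsa -noout -text -in server.key` command from the reply verifies.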
