Haven't seen any mention of ca.crt/ca.key yet. Where do these come from?

Alright, I see now. The ssl.crt and ssl.key are preexisting folders in the example. I don't have them created after installing the httpd. So I left the generated server.crt and server.key in the /usr/local/apache2/conf folder and referenced them from the conf/extra/httpd-ssl.conf as in my initial example:

SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

(that was the case in the very beginning, I made an error when copying over the config into the original email)

The error message in the log after generating the certificate following the steps in the article remains the same:

At first about missing parameters:

[Wed Jun 04 08:53:25.139183 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Jun 04 08:53:25.139281 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 08:53:25.139443 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 08:53:25.139789 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: emailAddress=sshcherba...@gopivotal.com,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / issuer: emailAddress=sshcherba...@gopivotal.com,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / serial: DC21155C099C4F91 / notbefore: Jun 4 06:52:34 2014 GMT / notafter: Jun 4 06:52:34 2015 GMT]
[Wed Jun 04 08:53:25.139802 2014] [ssl:info] [pid 25632:tid 140624693806848] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
[Wed Jun 04 08:53:25.139971 2014] [ssl:info] [pid 25632:tid 140624693806848] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 08:53:25.140044 2014] [ssl:debug] [pid 25632:tid 140624693806848] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 08:53:25.140059 2014] [ssl:emerg] [pid 25632:tid 140624693806848] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
[Wed Jun 04 08:53:25.140066 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 04 08:53:25.140103 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 04 08:53:25.140117 2014] [ssl:emerg] [pid 25632:tid 140624693806848] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Jun 04 08:53:25.140119 2014] [ssl:emerg] [pid 25632:tid 140624693806848] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

And then about "no certificate assigned":

[Wed Jun 04 12:40:06.290076 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Jun 04 12:40:06.290128 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 12:40:06.290254 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 12:40:06.290434 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: emailAddress=asdfasdfasdf,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / issuer: emailAddress=asdfasdfasdf,CN=192.168.9.128,OU=PSO,O=Pivotal,L=Cologne,ST=NRW,C=DE / serial: FA9224BF3448F91B / notbefore: Jun 4 10:36:48 2014 GMT / notafter: Jun 4 10:36:48 2015 GMT]
[Wed Jun 04 12:40:06.290445 2014] [ssl:info] [pid 28856:tid 139884664497920] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
[Wed Jun 04 12:40:06.291154 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /usr/local/apache2/conf/server.crt
[Wed Jun 04 12:40:06.291246 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /usr/local/apache2/conf/server.crt
[Wed Jun 04 12:40:06.291253 2014] [ssl:info] [pid 28856:tid 139884664497920] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
[Wed Jun 04 12:40:06.291321 2014] [ssl:debug] [pid 28856:tid 139884664497920] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
[Wed Jun 04 12:40:06.291336 2014] [ssl:emerg] [pid 28856:tid 139884664497920] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
[Wed Jun 04 12:40:06.291347 2014] [ssl:emerg] [pid 28856:tid 139884664497920] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Jun 04 12:40:06.291352 2014] [ssl:emerg] [pid 28856:tid 139884664497920] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

As you can see from the log, the /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key files get recognized as expected.

Regards,
Sergey


On Wed, Jun 4, 2014 at 12:57 PM, Balaji Katika <balaji.kat...@gmail.com> wrote:

> server.crt/server.key in your case translates to ca.crt/ca.key
> Btw, ssl.crt and ssl.key are the names of the folder/directory here.
>
> The author did refer to the newly copied files through step 6 in the article.
> Btw, I hope you have updated the names of the crt/key files accordingly before starting the httpd server again (i.e., after generating new certificate/key using the article mentioned by me).
>
> Can you paste the contents of the latest log ?
>
>
> On Wed, Jun 4, 2014 at 4:18 PM, Sergey Shcherbakov <sergey.shcherba...@gmail.com> wrote:
>
>> Hello Balaji!
>>
>> Thanks for your comments!
>> The SSLPassPhraseDialog is present in my config.
>> I've followed the steps in your article and still get the same errors as above. I don't think that your steps are much different from those specified on the CentOS HowTo and httpd docs pages (except that there is a shorter way to generate a passwordless certificate and a key: openssl req -new -x509 -nodes -out server.crt -keyout server.key -days 365). I've also tried to use the password-protected key. The httpd asks for it on startup as expected and fails with the same error afterwards :(
>> I also didn't get the point of copying the server.crt and server.key to the ssl.crt and ssl.key and not referencing the new files from the config. Do I miss something here?
>>
>>
>> Thanks again!
>> Sergey
>>
>>
>> On Wed, Jun 4, 2014 at 11:03 AM, Balaji Katika <balaji.kat...@gmail.com> wrote:
>>
>>> Hi Sergey,
>>>
>>> The issue seems to be with the certificate you've generated. Looks like you've forgotten/skipped some steps.
>>> I think you've specified some passphrase for the certificate and apache is unable to locate that. Passphrase could be specified through SSLPassPhraseDialog which is missing in your configuration file.
>>>
>>> Alternately, you could avoid this passphrase by stripping it from the certificate while generating the certificate.
>>> I had successfully generated a self-signed certificate by following the steps at http://www.akadia.com/services/ssh_test_certificate.html
>>>
>>>
>>> I would suggest to regenerate a new certificate using the instructions mentioned at the above link and test it again....
>>>
>>>
>>> On Wed, Jun 4, 2014 at 1:54 PM, Sergey Shcherbakov <sergey.shcherba...@gmail.com> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I cannot start the httpd 2.4.9 (tried 2.4.x too) on CentOS 6.5 with the simplest SSL config possible. The openssl version installed on the machine is OpenSSL 1.0.1e-fips 11 Feb 2013 (I've upgraded it using 'yum update' to the latest patched version as well)
>>>>
>>>> I have compiled and installed the httpd 2.4.9 using the following commands:
>>>>
>>>> ./configure --enable-ssl --with-ssl=/usr/local/ssl/ --enable-proxy=shared --enable-proxy_wstunnel=shared --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
>>>> make
>>>> make install
>>>>
>>>> Now I'm generating the default self-signed certificate as described in the CentOS HowTo:
>>>>
>>>> openssl genrsa -out ca.key 2048
>>>> openssl req -new -key ca.key -out ca.csr
>>>> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>>>> cp ca.crt /etc/pki/tls/certs
>>>> cp ca.key /etc/pki/tls/private/ca.key
>>>> cp ca.csr /etc/pki/tls/private/ca.csr
>>>>
>>>> Here is my httpd-ssl.conf file:
>>>>
>>>> Listen 443
>>>> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>>>> SSLPassPhraseDialog builtin
>>>> SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
>>>> SSLSessionCacheTimeout 300
>>>> <VirtualHost *:443>
>>>> SSLEngine on
>>>> SSLCertificateFile /etc/pki/tls/certs/ca.crt
>>>> SSLCertificateKeyFile /etc/pki/tls/private/ca.key
>>>> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>>> SSLOptions +StdEnvVars
>>>> </FilesMatch>
>>>> <Directory "/usr/local/apache2/cgi-bin">
>>>> SSLOptions +StdEnvVars
>>>> </Directory>
>>>> BrowserMatch "MSIE [2-5]" \
>>>> nokeepalive ssl-unclean-shutdown \
>>>> downgrade-1.0 force-response-1.0
>>>> CustomLog "/usr/local/apache2/logs/ssl_request_log" \
>>>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>> </VirtualHost>
>>>>
>>>> When I start httpd using bin/apachectl -k start I get the following errors in the error_log:
>>>>
>>>> [Wed Jun 04 00:29:27.995654 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01887: Init: Initializing (virtual) servers for SSL
>>>> [Wed Jun 04 00:29:27.995726 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>> [Wed Jun 04 00:29:27.995863 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>> [Wed Jun 04 00:29:27.996111 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun 3 22:26:45 2014 GMT / notafter: Jun 3 22:26:45 2015 GMT]
>>>> [Wed Jun 04 00:29:27.996122 2014] [ssl:info] [pid 24021:tid 139640404293376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
>>>> [Wed Jun 04 00:29:27.996209 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>> [Wed Jun 04 00:29:27.996280 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>> [Wed Jun 04 00:29:27.996295 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
>>>> [Wed Jun 04 00:29:27.996303 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
>>>> [Wed Jun 04 00:29:27.996308 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
>>>> [Wed Jun 04 00:29:27.996318 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>>> [Wed Jun 04 00:29:27.996321 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02312: Fatal error initialising mod_ssl, exiting.
>>>> AH00016: Configuration Failed
>>>>
>>>> I then try to generate the missing DH PARAMETERS and EC PARAMETERS:
>>>>
>>>> openssl dhparam -outform PEM -out dhparam.pem 2048
>>>> openssl ecparam -out ec_param.pem -name prime256v1
>>>> cat dhparam.pem ec_param.pem >> /etc/pki/tls/certs/ca.crt
>>>>
>>>> And it mitigates the error, but the next one comes out:
>>>>
>>>> [Wed Jun 04 00:34:05.021438 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01887: Init: Initializing (virtual) servers for SSL
>>>> [Wed Jun 04 00:34:05.021487 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>> [Wed Jun 04 00:34:05.021874 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>> [Wed Jun 04 00:34:05.022050 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun 3 22:26:45 2014 GMT / notafter: Jun 3 22:26:45 2015 GMT]
>>>> [Wed Jun 04 00:34:05.022066 2014] [ssl:info] [pid 24089:tid 140719371077376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /etc/pki/tls/certs/ca.crt and /etc/pki/tls/private/ca.key
>>>> [Wed Jun 04 00:34:05.022285 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /etc/pki/tls/certs/ca.crt
>>>> [Wed Jun 04 00:34:05.022389 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /etc/pki/tls/certs/ca.crt
>>>> [Wed Jun 04 00:34:05.022397 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
>>>> [Wed Jun 04 00:34:05.022464 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
>>>> [Wed Jun 04 00:34:05.022478 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
>>>> [Wed Jun 04 00:34:05.022488 2014] [ssl:emerg] [pid 24089:tid 140719371077376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>>> [Wed Jun 04 00:34:05.022491 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>
>>>> AH00016: Configuration Failed
>>>>
>>>> I have tried to generate the simple certificate/key pair exactly as described in the httpd docs <http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#selfcert>
>>>>
>>>> Unfortunately, I still get the exact same errors as above.
>>>>
>>>> I've seen a bug report with a similar issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=56410
>>>>
>>>> But the openssl version I have is reported as working there. I've also tried to apply the patch from the report as well as build the latest 2.4.x branch with no success, I get the same errors as above.
>>>>
>>>> I have also tried to create a short chain of certificates and set the root CA certificate using the SSLCertificateChainFile directive. That didn't help either, I get the exact same errors as above.
>>>>
>>>> I'm not interested in setting up hardened security, etc. The only thing I need is to start httpd with the simplest SSL config possible to continue testing the proxy config for mod_proxy_wstunnel.
>>>>
>>>> Has anybody encountered and solved this issue?
>>>>
>>>> Is my sequence for creating a self-signed certificate incorrect?
>>>>
>>>> I'd appreciate any help very much!
>>>>
>>>>
>>>> Sergey
>>>>
>>>
>>>
>>
>
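The errors in this thread come from PEM_read_bio finding no "-----BEGIN ...-----" line of the type mod_ssl asked for, and from SSL_CTX_check_private_key being called without a certificate. A preflight that inventories the PEM blocks in a SSLCertificateFile/SSLCertificateKeyFile pair, added here as an example and not code from the thread or from httpd; the sample PEM texts are constructed stand-ins whose base64 body is a five-byte DER sequence rather than a real certificate or key:

```python
import base64
import re

# Delimiters PEM_read_bio scans for; the thread's "no start line (Expecting: DH
# PARAMETERS)" means no "-----BEGIN DH PARAMETERS-----" line exists in that file.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed stand-ins for server.crt / server.key (body = DER SEQUENCE {INTEGER 1}).
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"
# The original post's workaround: dhparam.pem and ec_param.pem appended to the cert file.
SAMPLE_CRT_WITH_PARAMS = SAMPLE_CRT + (
    "-----BEGIN DH PARAMETERS-----\nMAMCAQE=\n-----END DH PARAMETERS-----\n"
    "-----BEGIN EC PARAMETERS-----\nMAMCAQE=\n-----END EC PARAMETERS-----\n")
# A legacy passphrase-protected key, the case SSLPassPhraseDialog exists for (constructed).
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n")


def pem_blocks(text):
    """Return (label, der, encrypted) for every block whose body decodes as base64.
    Legacy 'Proc-Type:' / 'DEK-Info:' header lines are separated from the body."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = body.splitlines()
        headers = [ln for ln in lines if ":" in ln]
        try:
            der = base64.b64decode("".join(ln.strip() for ln in lines if ":" not in ln), validate=True)
        except ValueError:
            continue  # malformed body: mod_ssl would reject it as well
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
        blocks.append((label, der, encrypted))
    return blocks


def preflight(cert_text, key_text):
    """Summarise what mod_ssl will find in SSLCertificateFile and SSLCertificateKeyFile."""
    cert, key = pem_blocks(cert_text), pem_blocks(key_text)
    cert_labels, key_labels = [b[0] for b in cert], [b[0] for b in key]
    problems = []
    if "CERTIFICATE" not in cert_labels:
        problems.append("SSLCertificateFile contains no CERTIFICATE block")
    if not KEY_LABELS & set(key_labels):
        problems.append("SSLCertificateKeyFile contains no private key block")
    if any(b[2] for b in key):
        problems.append("private key is passphrase-protected; SSLPassPhraseDialog applies")
    return {"cert_blocks": cert_labels, "key_blocks": key_labels, "problems": problems,
            "dh_params": "DH PARAMETERS" in cert_labels, "ec_params": "EC PARAMETERS" in cert_labels}
```

When both files pass this inventory, the remaining question is whether the key actually belongs to the certificate, which `openssl x509 -noout -modulus -in server.crt` and `openssl rsa -noout -modulus -in server.key` answer by producing the same modulus.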