I'm unable to simply enable SSL for a VirtualHost using a very simple configuration.
I recently upgraded Ubuntu 12 to Ubuntu 14. Apache was upgraded from 2.2 to 2.4.7. I've checked the 2.4 docs for 2.2->2.4 changes and reviewed my configuration scripts in depth.

I can create an unencrypted VirtualHost (http) but not an encrypted one (https) on port 8843. I can browse to the site just fine with http://server:8843 (I see the expected index.html file). If I try https://server:8843 I get "ssl_error_rx_record_too_long" error (using Firefox 33).

I've tried many options within the configuration files. I haven't drastically changed any pre-configured apache configuration files. The apache2 service does see my changes but just seems to not enable SSL.

Here is a selected summary of all the related files. Can anyone identify what I'm missing?

----

__/etc/apache2/apache2.conf__

    ...
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel debug
    IncludeOptional mods-enabled/*.load
    IncludeOptional mods-enabled/*.conf
    Include ports.conf
    ...
    IncludeOptional conf-enabled/*.conf
    IncludeOptional sites-enabled/*.conf

__/etc/apache2/mods-enabled/ssl.load__

    # Depends: setenvif mime socache_shmcb
    LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

__/etc/apache2/mods-enabled/ssl.conf__

    <IfModule ssl_module>
        # I've tried both of the following sets for SSLRandomSeed
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect file:/dev/urandom 512
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl
        # tried with and without the next option
        #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
        SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout 300
        SSLCipherSuite all
        SSLProtocol all # tried this as 'HIGH:!aNULL:!MD5'
        SSLInsecureRenegotiation on # tried this on and off
        ErrorLog /var/log/apache2/mod_ssl.log
        LogLevel debug
        SSLStrictSNIVHostCheck Off
    </IfModule>

__/etc/apache2/sites-enabled/ssl-test__

    # tried with and without each of the following
    #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
    #LoadModule ssl_module modules/mod_ssl.so
    Listen 8843
    <VirtualHost *:8843>
        ServerName myserver
        SSLEngine on # tried with this directive at the top and the bottom of this file
        DocumentRoot /var/www/
        <Directory "/var/www/">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            SSLRequireSSL # tried with and without this directive
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
        SSLCertificateFile /etc/ssl/certs/test1.cert.pem
        SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
        # tried with and without all of the following directives
        SSLCipherSuite HIGH:!aNULL:!MD5
        #SSLCipherSuite HIGH
        SSLProtocol -all +TLSv1 +SSLv3
        #SSLProtocol all
        SSLVerifyClient none
        SSLProxyEngine off
        SSLRequireSSL
        SSLRandomSeed startup file:/dev/urandom 1024
        SSLRandomSeed connect file:/dev/urandom 1024
    </VirtualHost>

__/etc/apache2/ports.conf__

    <IfModule ssl_module>
        Listen 8843
    </IfModule>

The user that runs apache2 is user www-data. I have tested that www-data and root can access the key files /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key.

    $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/

I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is executable.

    $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
    -rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so

I have tailed the relevant apache2 logs and checked for errors. I see these SSL related messages on startup (including one skip message for 127.0.0.1:80, but then later there is a resuming message).

    [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing (virtual) servers for SSL
    [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
    [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating secret for digest authentication ...
    [auth_digest:debug] [pid 21187:tid 139942871500672] mod_auth_digest.c(250): AH01759: done
    [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
    [socache_shmcb:debug] [pid 21297:tid 140596905265024] mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of shared memory
    ...
    [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing (virtual) servers for SSL
    [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
    [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
    [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built: Jul 22 2014 14:36:38
    [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line: '/usr/sbin/apache2'
    [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829): AH00294: Accept mutex: fcntl (default: sysvsem)

The openssl binary runs and supports ciphers:

    $ openssl ciphers
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...

I checked the apache2ctl binary compilation settings

    $ apache2ctl -V
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    Server version: Apache/2.4.7 (Ubuntu)
    Server built: Jul 22 2014 14:36:38
    Server's Module Magic Number: 20120211:27
    Server loaded: APR 1.5.1-dev, APR-UTIL 1.5.3
    Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
    Architecture: 64-bit
    Server MPM: worker
      threaded: yes (fixed thread count)
      forked: yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/apache2"
     -D SUEXEC_BIN="/usr/lib/apache2/suexec"
     -D DEFAULT_PIDLOG="/var/run/apache2.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="mime.types"
     -D SERVER_CONFIG_FILE="apache2.conf"

I checked apache2ctl settings

    $ apache2ctl -S
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    VirtualHost configuration:
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www"
    Main ErrorLog: "/var/log/apache2/mod_ssl.log"
    Mutex authdigest-client: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex ssl-cache: using_defaults
    Mutex default: dir="/var/lock/apache2" mechanism=fcntl
    Mutex mpm-accept: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    PidFile: "/var/run/apache2/apache2.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    Define: ENABLE_USR_LIB_CGI_BIN
    User: name="www-data" id=33
    Group: name="www-data" id=33

The apache2ctl syntax check is OK.

    $ apache2ctl -t
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    Syntax OK

The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl (and not /usr/sbin/apache2).

Any ideas on what I need to enable SSL for this VirtualHost? Again, I can see HTTP response on 8443 but never HTTPS.

-- 
-JamesThomasMoon1979
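
The apache2.conf quoted in the post loads site files with `IncludeOptional sites-enabled/*.conf`, while the VirtualHost is defined in `sites-enabled/ssl-test`; a file that no Include pattern matches is never read by Apache. The script below is an added example, not part of the original post, that lists such files. The function names `include_patterns`, `unloaded_files` and `make_sample_tree` are hypothetical, and the sample tree (including the file name `000-default.conf`) is constructed.

```shell
#!/bin/sh
# Added example (not from the post): list files in an Apache config
# subdirectory that no Include/IncludeOptional pattern would load.

# Print the argument of every Include / IncludeOptional directive.
include_patterns() {
    awk 'tolower($1) ~ /^include(optional)?$/ { gsub(/"/, "", $2); print $2 }' "$1"
}

# unloaded_files SERVER_ROOT SUBDIR
# Print each regular file in SUBDIR that matches none of the patterns.
unloaded_files() {
    root=${1%/}
    patterns=$(include_patterns "$root/apache2.conf")
    for path in "$root/$2"/*; do
        [ -f "$path" ] || continue
        loaded=no
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            # Relative patterns are resolved against ServerRoot.
            case $pat in /*) ;; *) pat=$root/$pat ;; esac
            # Include of a directory pulls in every file below it.
            if [ -d "$pat" ]; then pat=${pat%/}/*; fi
            case $path in $pat) loaded=yes ;; esac
        done <<EOF
$patterns
EOF
        [ "$loaded" = yes ] || printf '%s\n' "$path"
    done
}

# Constructed sample tree mirroring the layout quoted in the post.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/sites-enabled" "$t/conf-enabled"
    printf '%s\n' 'Include ports.conf' \
        'IncludeOptional conf-enabled/*.conf' \
        'IncludeOptional sites-enabled/*.conf' > "$t/apache2.conf"
    : > "$t/sites-enabled/000-default.conf"   # constructed file name
    : > "$t/sites-enabled/ssl-test"           # file name as in the post
    printf '%s\n' "$t"
}

# Check a real ServerRoot if one is given, else the constructed sample.
if [ $# -gt 0 ]; then
    unloaded_files "$1" "${2:-sites-enabled}"
else
    demo=$(make_sample_tree); unloaded_files "$demo" sites-enabled; rm -rf "$demo"
fi
```

Passing a ServerRoot such as /etc/apache2 as the first argument checks a real tree instead of the sample; an empty result means every file in the subdirectory is covered by some Include pattern.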