Also, the RSA key files were generated with the following command:

  $ sudo openssl req -x509 -nodes -days 730 -newkey "rsa:512" \
      -subj '/C=US/ST=WA/L=Sea/O=Company Inc/OU=my-team' \
      -keyout /etc/ssl/private/test1.cert.key \
      -out /etc/ssl/certs/test1.cert.pem

There were no apparent problems.

On Tue, Dec 16, 2014 at 4:55 PM, J Tom Moon 79 <jtm.moon.forum.u...@gmail.com> wrote:
>
> I'm unable to simply enable SSL for a VirtualHost using a very simple
> configuration.
>
> I recently upgraded Ubuntu 12 to Ubuntu 14.  Apache was upgraded from
> 2.2 to 2.4.7.  I've checked the 2.4 docs for 2.2->2.4 changes and
> reviewed my configuration scripts in depth.
> I can create an unencrypted VirtualHost (http) but not an encrypted
> one (https) on port 8843.  I can browse to the site just fine with
> http://server:8843 (I see the expected index.html file).  If I try
> https://server:8843 I get an "ssl_error_rx_record_too_long" error (using
> Firefox 33).
>
> I've tried many options within the configuration files.  I haven't
> drastically changed any pre-configured apache configuration files.  The
> apache2 service does see my changes but just seems to not enable SSL.
> Here is a selected summary of all the related files.  Can anyone identify
> what I'm missing?
>
> ----
>
> __/etc/apache2/apache2.conf__
>   ...
>   ErrorLog ${APACHE_LOG_DIR}/error.log
>   LogLevel debug
>   IncludeOptional mods-enabled/*.load
>   IncludeOptional mods-enabled/*.conf
>   Include ports.conf
>   ...
>   IncludeOptional conf-enabled/*.conf
>   IncludeOptional sites-enabled/*.conf
>
> __/etc/apache2/mods-enabled/ssl.load__
>
>   # Depends: setenvif mime socache_shmcb
>   LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
>
>
> __/etc/apache2/mods-enabled/ssl.conf__
>   <IfModule ssl_module>
>   # I've tried both of the following sets for SSLRandomSeed
>   SSLRandomSeed startup builtin
>   SSLRandomSeed connect builtin
>   SSLRandomSeed startup file:/dev/urandom 512
>   SSLRandomSeed connect file:/dev/urandom 512
>
>   AddType application/x-x509-ca-cert .crt
>   AddType application/x-pkcs7-crl .crl
>
>   # tried with and without the next option
>   #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
>
>   SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
>   SSLSessionCacheTimeout 300
>   SSLCipherSuite all
>   SSLProtocol all     # tried this as 'HIGH:!aNULL:!MD5'
>   SSLInsecureRenegotiation on   # tried this on and off
>   ErrorLog /var/log/apache2/mod_ssl.log
>   LogLevel debug
>   SSLStrictSNIVHostCheck Off
>   </IfModule>
>
> __/etc/apache2/sites-enabled/ssl-test__
>   # tried with and without each of the following
>   #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
>   #LoadModule ssl_module modules/mod_ssl.so
>
>   Listen 8843
>   <VirtualHost *:8843>
>
>   ServerName myserver
>   SSLEngine on  # tried with this directive at the top and the bottom of this file
>   DocumentRoot /var/www/
>   <Directory "/var/www/">
>        Options Indexes FollowSymLinks MultiViews
>        AllowOverride None
>        Order allow,deny
>        allow from all
>        SSLRequireSSL  # tried with and without this directive
>   </Directory>
>   ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
>   SSLCertificateFile /etc/ssl/certs/test1.cert.pem
>   SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
>
>   # tried with and without all of the following directives
>   SSLCipherSuite HIGH:!aNULL:!MD5
>
>   #SSLCipherSuite HIGH
>
>   SSLProtocol -all +TLSv1 +SSLv3
>
>   #SSLProtocol all
>
>   SSLVerifyClient none
>   SSLProxyEngine off
>   SSLRequireSSL
>   SSLRandomSeed startup file:/dev/urandom 1024
>   SSLRandomSeed connect file:/dev/urandom 1024
>
>   </VirtualHost>
>
> __/etc/apache2/ports.conf__
>   <IfModule ssl_module>
>   Listen 8843
>   </IfModule>
>
> The user that runs apache2 is user www-data .
> I have tested that www-data and root can access the key files
> /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key .
>
>   $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/
>
>
> I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is
> executable.
>
>   $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
>   -rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so
>
>
> I have tailed the relevant apache2 logs and checked for errors.  I see
> these SSL-related messages on startup (including one skip message for
> 127.0.0.1:80, but then later there is a resuming message).
>
>   [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing (virtual) servers for SSL
>   [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
>   [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating secret for digest authentication ...
>   [auth_digest:debug] [pid 21187:tid 139942871500672] mod_auth_digest.c(250): AH01759: done
>   [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
>   [socache_shmcb:debug] [pid 21297:tid 140596905265024] mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of shared memory
>   ...
>   [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing (virtual) servers for SSL
>   [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
>   [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
>   [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built: Jul 22 2014 14:36:38
>   [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line: '/usr/sbin/apache2'
>   [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829): AH00294: Accept mutex: fcntl (default: sysvsem)
>
>
> The openssl binary runs and supports ciphers:
>
>   $ openssl ciphers
>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...
>
>
> I checked the apache2ctl binary compilation settings:
>
>   $ apache2ctl -V
>   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>   Server version: Apache/2.4.7 (Ubuntu)
>   Server built:   Jul 22 2014 14:36:38
>   Server's Module Magic Number: 20120211:27
>   Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
>   Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
>   Architecture:   64-bit
>   Server MPM:     worker
>     threaded:     yes (fixed thread count)
>       forked:     yes (variable process count)
>   Server compiled with....
>    -D APR_HAS_SENDFILE
>    -D APR_HAS_MMAP
>    -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>    -D APR_USE_SYSVSEM_SERIALIZE
>    -D APR_USE_PTHREAD_SERIALIZE
>    -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>    -D APR_HAS_OTHER_CHILD
>    -D AP_HAVE_RELIABLE_PIPED_LOGS
>    -D DYNAMIC_MODULE_LIMIT=256
>    -D HTTPD_ROOT="/etc/apache2"
>    -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>    -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>    -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>    -D DEFAULT_ERRORLOG="logs/error_log"
>    -D AP_TYPES_CONFIG_FILE="mime.types"
>    -D SERVER_CONFIG_FILE="apache2.conf"
>
>
> I checked apache2ctl settings
>
>   $ apache2ctl -S
>   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>   VirtualHost configuration:
>   ServerRoot: "/etc/apache2"
>   Main DocumentRoot: "/var/www"
>   Main ErrorLog: "/var/log/apache2/mod_ssl.log"
>   Mutex authdigest-client: using_defaults
>   Mutex ssl-stapling: using_defaults
>   Mutex ssl-cache: using_defaults
>   Mutex default: dir="/var/lock/apache2" mechanism=fcntl
>   Mutex mpm-accept: using_defaults
>   Mutex authdigest-opaque: using_defaults
>   Mutex watchdog-callback: using_defaults
>   PidFile: "/var/run/apache2/apache2.pid"
>   Define: DUMP_VHOSTS
>   Define: DUMP_RUN_CFG
>   Define: ENABLE_USR_LIB_CGI_BIN
>   User: name="www-data" id=33
>   Group: name="www-data" id=33
>
>
> The apache2ctl syntax check is OK.
>
>   $ apache2ctl -t
>   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>   Syntax OK
>
>
> The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl
> (and not /usr/sbin/apache2 ).
>
>
> Any ideas on what I need to enable SSL for this VirtualHost?
> Again, I can see HTTP response on 8443 but never HTTPS.
>
> --
> -JamesThomasMoon1979
>


-- 
-J Tom Moon 79
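
A check for the layout shown in the quoted message, where apache2.conf pulls in `sites-enabled/*.conf` and the vhost file is listed as `sites-enabled/ssl-test`: a file under sites-enabled/ is read only if an Include or IncludeOptional pattern matches it, so this lists the files that no pattern would load. It is an added example, not part of the original post; the function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report files under
# sites-enabled/ that no Include/IncludeOptional pattern would load.

# Print the Include/IncludeOptional arguments found in config file $1.
include_patterns() {
    awk 'tolower($1) ~ /^include(optional)?$/ { print $2 }' "$1"
}

# Print each file in $1/sites-enabled that matches none of the patterns.
# Assumes patterns are relative to the server root $1, as in the post.
unloaded_site_files() {
    root=$1
    patterns=$(include_patterns "$root/apache2.conf")
    for f in "$root"/sites-enabled/*; do
        [ -e "$f" ] || continue
        rel=${f#"$root"/}
        loaded=no
        while IFS= read -r p; do
            # $p is left unquoted so that * acts as a wildcard.
            case $rel in $p) loaded=yes ;; esac
        done <<EOF
$patterns
EOF
        [ "$loaded" = yes ] || printf '%s\n' "$rel"
    done
}

# Constructed sample tree using the include lines and file name from the post.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sites-enabled"
    cat > "$d/apache2.conf" <<'EOF'
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
EOF
    : > "$d/sites-enabled/ssl-test"          # file name used in the post
    : > "$d/sites-enabled/000-default.conf"  # constructed neighbour
    printf '%s\n' "$d"
}

sample=$(make_sample_root)
unloaded_site_files "$sample"   # prints: sites-enabled/ssl-test
rm -rf "$sample"
```

On a real host the argument would be the server root (`/etc/apache2` in the `apache2ctl -S` output above); an empty result means every file in sites-enabled/ is covered by some include pattern.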
