LinuxQuestions.org


farhan 04-08-2008 12:07 PM

Apache/2.2.4 openSUSE10.3 not listening on port 443 even ssl_module is present
 
openSUSE 10.3 (i586)
Server version: Apache/2.2.4 (Linux/SUSE)
Server built: Nov 9 2007 14:06:03

I have googled a lot before posting here. The problem is apache doesn't listen to port 443 when it is started as follows

apache2ctl start
it only listens on port 80
and logs says as follows

[Tue Apr 08 16:51:05 2008] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Apr 08 16:51:05 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Apr 08 16:51:06 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Apr 08 16:51:06 2008] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Apr 08 16:51:06 2008] [info] Init: Initializing (virtual) servers for SSL
[Tue Apr 08 16:51:06 2008] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.8e
[Tue Apr 08 16:51:06 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Tue Apr 08 16:51:06 2008] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Apr 08 16:51:06 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Apr 08 16:51:06 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Apr 08 16:51:06 2008] [info] Init: Initializing (virtual) servers for SSL
[Tue Apr 08 16:51:06 2008] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.8e
[Tue Apr 08 16:51:06 2008] [notice] Apache/2.2.4 (Linux/SUSE) mod_ssl/2.2.4 OpenSSL/0.9.8e PHP/5.2.5 with Suhosin-Patch configured -- resuming normal operations
[Tue Apr 08 16:51:06 2008] [info] Server built: Nov 9 2007 14:06:03
[Tue Apr 08 16:51:06 2008] [debug] prefork.c(991): AcceptMutex: sysvsem (default: sysvsem)

Question is, in the above logs it mentions SSL then why is it not listening for it?

Whereas httpd2 -D SSL -S confirms that configs are ok

VirtualHost configuration:
X.29.75.96:443 secure.x.x.com (/etc/apache2/vhosts.d/vhost-ssl.conf:37)
wildcard NameVirtualHosts and _default_ servers:
*:80 vhost.x.x.com (/etc/apache2/vhosts.d/vhost.conf:15)
Syntax OK

Is this the normal behaviour (not to listen for 443, while all SSL config are fine) when starting apache using apache2ctl start?
I think it should be listening for both port 80 and 443 when apache config is fine.
Or do we need to explicitly tell apache as follows?
apache2ctl -D SSL -k start

netstat -atop| grep LIST
tcp 0 0 *:mysql *:* LISTEN 8375/mysqld off (0.00/0/0)
tcp 0 0 *:www-http *:* LISTEN 10241/httpd2 off (0.00/0/0)
tcp 0 0 *:https *:* LISTEN 10241/httpd2 off (0.00/0/0)

log says as follows

[Tue Apr 08 16:52:53 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Apr 08 16:52:53 2008] [info] Loading certificate & private key of SSL-aware server
[Tue Apr 08 16:52:53 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Tue Apr 08 16:52:53 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Apr 08 16:52:53 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Apr 08 16:52:53 2008] [info] Init: Initializing (virtual) servers for SSL
[Tue Apr 08 16:52:53 2008] [info] Configuring server for SSL protocol
[Tue Apr 08 16:52:53 2008] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Apr 08 16:52:53 2008] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Apr 08 16:52:53 2008] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Tue Apr 08 16:52:53 2008] [debug] ssl_engine_init.c(768): Configuring RSA server private key
[Tue Apr 08 16:52:53 2008] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.8e
[Tue Apr 08 16:52:53 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Tue Apr 08 16:52:53 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Apr 08 16:52:53 2008] [info] Loading certificate & private key of SSL-aware server
[Tue Apr 08 16:52:53 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Tue Apr 08 16:52:53 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Apr 08 16:52:54 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(374): shmcb_init allocated 512000 bytes of shared memory
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(554): entered shmcb_init_memory()
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(576): for 512000 bytes, recommending 4266 indexes
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(619): shmcb_init_memory choices follow
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(621): division_mask = 0x1F
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(623): division_offset = 64
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(625): division_size = 15998
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(627): queue_size = 1604
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(629): index_num = 133
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(631): index_offset = 8
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(633): index_size = 12
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(635): cache_data_offset = 8
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(637): cache_data_size = 14386
[Tue Apr 08 16:52:54 2008] [debug] ssl_scache_shmcb.c(650): leaving shmcb_init_memory()
[Tue Apr 08 16:52:54 2008] [info] Shared memory session cache initialised
[Tue Apr 08 16:52:54 2008] [info] Init: Initializing (virtual) servers for SSL
[Tue Apr 08 16:52:54 2008] [info] Configuring server for SSL protocol
[Tue Apr 08 16:52:54 2008] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Apr 08 16:52:54 2008] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Apr 08 16:52:54 2008] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Tue Apr 08 16:52:54 2008] [debug] ssl_engine_init.c(768): Configuring RSA server private key
[Tue Apr 08 16:52:54 2008] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.8e
[Tue Apr 08 16:52:54 2008] [notice] Apache/2.2.4 (Linux/SUSE) mod_ssl/2.2.4 OpenSSL/0.9.8e PHP/5.2.5 with Suhosin-Patch configured -- resuming normal operations
[Tue Apr 08 16:52:54 2008] [info] Server built: Nov 9 2007 14:06:03
[Tue Apr 08 16:52:54 2008] [debug] prefork.c(991): AcceptMutex: sysvsem (default: sysvsem)


Is there any directive I have missed in the config which is preventing it from listening on port 443 if apache2ctl start is used?
And apparently it is not using the certificate I have mentioned, the apache log says Generating temporary....... key. Why is that?




My current config is as follows
grep -v '#' httpd.conf| more

Include /etc/apache2/uid.conf

Include /etc/apache2/server-tuning.conf

ErrorLog /var/log/apache2/error_log

Include /etc/apache2/sysconfig.d/loadmodule.conf

Include /etc/apache2/listen.conf

Include /etc/apache2/mod_log_config.conf

Include /etc/apache2/sysconfig.d/global.conf

Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

Include /etc/apache2/mod_usertrack.conf

Include /etc/apache2/mod_autoindex-defaults.conf

TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf

Include /etc/apache2/errors.conf

Include /etc/apache2/ssl-global.conf

<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>

AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
DirectoryIndex index.html index.html.var index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl
index.html.var index.aspx default.aspx

Include /etc/apache2/default-server.conf

Include /etc/apache2/vhosts.d/*.conf
******************************************

grep -v '#' sysconfig.d/global.conf| more

Timeout 300
ServerSignature on
UseCanonicalName off
ServerTokens OS
LogLevel debug
CustomLog /var/log/apache2/access_log combined
***************************************************

grep -v '#' vhosts.d/vhost-ssl.conf | more

<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost secure.x.x.com:443>
DocumentRoot "/srv/www/htdocs/secure.x.x.com"
ServerName secure.x.x.com:443
ServerAdmin myemail@email.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/apache2/ssl.crt/secure.x.x.com.crt

SSLCertificateKeyFile /etc/apache2/ssl.key/secure.x.x.com.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>


*********************************************************
totterdown:/etc/apache2 # grep -v '#' vhosts.d/vhost.conf| more
<VirtualHost *:80>
ServerAdmin myemail
ServerName vhost.x.x.com

DocumentRoot /srv/www/vhosts/vhost.x.x.com

ErrorLog /var/log/apache2/vhost.x.x.com-error_log
CustomLog /var/log/apache2/vhost.x.x.com-access_log combined

HostnameLookups Off

UseCanonicalName Off

ServerSignature On

ScriptAlias /cgi-bin/ "/srv/www/vhosts/dummy-host.example.com/cgi-bin/"

<Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>

<IfModule mod_userdir.c>
UserDir public_html
Include /etc/apache2/mod_userdir.conf
</IfModule>

<Directory "/srv/www/vhosts/vhost.x.x.com">

Options Indexes FollowSymLinks

AllowOverride None

Order allow,deny
Allow from all

</Directory>

</VirtualHost>

********************************************************************

grep -v '#' ssl-global.conf| more

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 600

SSLMutex default

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

</IfModule>
</IfDefine>
</IfDefine>
*****************************************************
apache2ctl -M
ssl_module (shared)
****************************
apache2ctl -l
core.c
prefork.c
http_core.c
mod_so.c
************************************************

apache2ctl -V
Server version: Apache/2.2.4 (Linux/SUSE)
Server built: Nov 9 2007 14:06:03
Server's Module Magic Number: 20051115:5
Server loaded: APR 1.2.9, APR-Util 1.2.8
Compiled using: APR 1.2.9, APR-Util 1.2.8
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/srv/www"
-D SUEXEC_BIN="/usr/sbin/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"

bathory 04-09-2008 02:29 AM

Quote:

netstat -atop| grep LIST
tcp 0 0 *:mysql *:* LISTEN 8375/mysqld off (0.00/0/0)
tcp 0 0 *:www-http *:* LISTEN 10241/httpd2 off (0.00/0/0)
tcp 0 0 *:https *:* LISTEN 10241/httpd2 off (0.00/0/0)

The 3rd line of the netstat output indicates that port 443 (https) is listening. Try: https://localhost to see if you can connect locally.

Regards

farhan 04-09-2008 03:13 AM

Quote:

Originally Posted by bathory (Post 3115484)
The 3rd line of the netstat output indicates that port 443 (https) is listening. Try: https://localhost to see if you can connect locally.

Regards

Maybe I didn't explain my question properly.
That is correct, I can see https listening and responding to my telnet
telnet 127.0.0.1 443
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

when
apache2ctl -D SSL -k start
is used to start apache

Whereas in the normal start it ignores ssl configuration.
apache2ctl start

Is that behavior normal?
Secondly, why is it not showing that it has loaded secure.x.x.com.crt and secure.x.x.key when started with apache2ctl -D SSL -k start?

It only shows RSA key in the logs while I am not using secure.x.x.com.crt and secure.x.x.com.key in my config


grep -v '#' vhosts.d/vhost-ssl.conf | more

<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost secure.x.x.com:443>
DocumentRoot "/srv/www/htdocs/secure.x.x.com"
ServerName secure.x.x.com:443
ServerAdmin myemail@email.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/apache2/ssl.crt/secure.x.x.com.crt

SSLCertificateKeyFile /etc/apache2/ssl.key/secure.x.x.com.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>

bathory 04-09-2008 03:58 AM

Running "apache2ctl start" should start apache in both normal and secure mode. Since your apache configuration is split in many configuration files, I guess you have to add
Code:

Listen 443
in one of them, most likely in ssl-global.conf

farhan 04-09-2008 05:30 AM

It is already listening on 80 and 443

cat listen.conf | grep -v '#'

Listen 80
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
NameVirtualHost x.x.x.x(server ip address)
**********************************************

Is it because ssl is loaded as a module, not as a compiled module?

totterdown:/etc/apache2 # apache2ctl -M
which: no w3m in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/lib/mit/bin:/usr/lib/mit/sbin)
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_default_module (shared)
authz_user_module (shared)
authn_dbm_module (shared)
autoindex_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
include_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
setenvif_module (shared)
ssl_module (shared)
suexec_module (shared)
userdir_module (shared)
php5_module (shared)
Syntax OK
totterdown:/etc/apache2 # apache2ctl -l
which: no w3m in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/lib/mit/bin:/usr/lib/mit/sbin)
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

bathory 04-09-2008 06:01 AM

Quote:

Is it because ssl is loaded as a module, not as a compiled module?

No, it does not make any difference since you load the ssl module:
Code:

LoadModule ssl_module modules/mod_ssl.so
Try to remove the tags: <IfDefine SSL><IfDefine !NOSSL> and the closing </IfDefine></IfDefine> and see if it works.

uranium237 10-27-2008 11:42 AM

Quote:

Originally Posted by bathory (Post 3115615)
No it does not make any difference since you load the ssl module:
Code:

LoadModule ssl_module modules/mod_ssl.so
Try to remove the tags: <IfDefine SSL><IfDefine !NOSSL> and the closing </IfDefine></IfDefine> and see if it works.

Do not change anything there...
How do you start apache?
Use the 'startssl' command and everything will be ok:

/etc/init.d/apache2 startssl

PS. Not sure if this parameter will be passed during the server startup... Will it run with the "-D SSL" option on the server reboot? There's a chance that only HTTP will be up after reboot.
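
Added example (not part of any post in this thread, and not Apache's own parser): it evaluates the <IfDefine>/<IfModule> wrappers quoted from listen.conf and vhost-ssl.conf and returns the Listen and <VirtualHost> lines that remain with and without -D SSL. The sample config is constructed from those quotes; the function name `effective` and matching <IfModule> by file name only are assumptions.

```python
import re

# Constructed sample: listen.conf plus the vhost-ssl.conf wrapper quoted in the thread.
SAMPLE_CONF = """\
Listen 80
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost secure.x.x.com:443>
</VirtualHost>
</IfDefine>
</IfDefine>
"""

COND_OPEN = re.compile(r"<(IfDefine|IfModule)\s+(!?)([^>\s]+)\s*>", re.I)
COND_CLOSE = re.compile(r"</(IfDefine|IfModule)\s*>", re.I)
TRACKED = re.compile(r"<?(Listen|VirtualHost)\s+([^>\s]+)\s*>?", re.I)

def effective(conf, defines=(), modules=("mod_ssl.c",)):
    """Return (directive, argument) pairs left after conditional blocks are evaluated."""
    names = {"ifdefine": set(defines), "ifmodule": set(modules)}
    stack, kept = [], []  # stack holds one bool per open conditional block
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_OPEN.fullmatch(line)
        if m:
            kind, negated, name = m.group(1).lower(), m.group(2) == "!", m.group(3)
            stack.append((name in names[kind]) != negated)
        elif COND_CLOSE.fullmatch(line):
            if not stack:
                raise ValueError("closing tag without an opening one")
            stack.pop()
        elif all(stack):  # directive counts only if every enclosing block is true
            m = TRACKED.fullmatch(line)
            if m:
                kept.append((m.group(1), m.group(2)))
    if stack:
        raise ValueError("unclosed <IfDefine>/<IfModule> block")
    return kept

if __name__ == "__main__":
    print(effective(SAMPLE_CONF), effective(SAMPLE_CONF, ["SSL"]), sep="\n")
```

Without the SSL define only `Listen 80` survives, which matches the port-80-only behaviour reported for a plain `apache2ctl start`.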


All times are GMT -5.