LinuxQuestions.org
Old 02-01-2008, 08:01 PM   #1
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Rep: Reputation: 30
Help setting up SSL


Hey all,
Trying to set up a virtual SSL host:
What am I doing wrong?

httpd.conf:
Code:
Listen 80

NameVirtualHost 172.16.113.10:80
NameVirtualHost 172.16.113.11:443

<VirtualHost 172.16.113.11:443>
    DocumentRoot PATH
    ServerName www.name.com
    SSLCertificateFile /etc/ssl/crt/name.crt
    SSLCertificateKeyFile /etc/ssl/crt/name.key
    SSLCertificateFile /etc/ssl/crt/name.ca-bundle
</VirtualHost>
ssl.conf:
Code:
Listen 443
SSLEngine on
and those certificates exist.
But the page is not loading.
I get an error code: 12233

Thanks so much!
 
Old 02-02-2008, 12:13 AM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
I haven't seen an error like that - is it displayed in the browser? Can you check Apache's logs and see if there's more info there?
 
Old 02-02-2008, 11:57 AM   #3
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
Hey,
Error Log:
Code:
[Fri Feb 01 21:41:09 2008] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
And it's a browser error message:
 
Old 02-02-2008, 12:14 PM   #4
baldur_the_god
Member
 
Registered: Feb 2007
Posts: 54

Rep: Reputation: 15
ssl

The problem is right there in your error log. It says the server name in your certificate does not match the server name on your computer... thus the error. When you configure it, the server names have to match, otherwise it looks like there are shenanigans going on between the two computers. When you configure your certificate, you must use the same name as your server...

Last edited by Matir; 02-08-2008 at 12:33 PM. Reason: Removed commercial link.
 
Old 02-02-2008, 12:22 PM   #5
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
Thanks, but the server name defined where?
This is a web server hosting multiple sites. This particular ssl host is just another site on the box.

When I created my certificate, I did use the server name that I have defined within the virtual host.
Did I miss something?
 
Old 02-02-2008, 12:26 PM   #6
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
OK, the certificate did not have WWW and my ServerName in httpd.conf was defined as WWW.host.com

I changed Servername to without "www" and restarted apache, but still same error. Hmmm
 
Old 02-02-2008, 12:28 PM   #7
baldur_the_god
Member
 
Registered: Feb 2007
Posts: 54

Rep: Reputation: 15
ssl

In /etc/hosts you have a defined server name in there... also I think there is one in /etc/sysconfig/networking or something like that... When you are doing your SSL cert, all the names have to be the same... When you connect to the server, it sends a name... when your cert file is sent, it has a name... if these do not match, the error occurs.

baldur

Last edited by Matir; 02-08-2008 at 12:32 PM. Reason: Removed commercial link.
 
Old 02-02-2008, 12:31 PM   #8
baldur_the_god
Member
 
Registered: Feb 2007
Posts: 54

Rep: Reputation: 15
ssl

Since it says localhost... it is probably your /etc/hosts file that is configured wrong...

youripaddress yourhostname

check out configure /etc/hosts

baldur

Last edited by Matir; 02-08-2008 at 12:32 PM. Reason: Removed commercial link
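
The warning in post #3 compares the certificate's CommonName with the virtual host's ServerName. As an added example (not part of any post in this thread), the script below lists the names a certificate file covers, tests a ServerName against them, and confirms that a key file belongs to the certificate; the sample certificate, file names and the `make_sample_cert` helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread; certificates and names are constructed.

# Names a PEM certificate covers: subject CN plus subjectAltName DNS entries.
cert_names() {
    {
        openssl x509 -in "$1" -noout -subject -nameopt multiline |
            sed -n 's/^ *commonName *= *//p'
        openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
    } | tr 'A-Z' 'a-z' | sort -u
}

# Succeed if certificate $1 covers ServerName $2: exact match, or a wildcard
# that stands for the leftmost label only.
cert_covers_name() {
    cert_names "$1" | (
        want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        case "$want" in *.*) wild="*.${want#*.}" ;; *) wild= ;; esac
        while IFS= read -r pat; do
            if [ "$pat" = "$want" ]; then exit 0; fi
            if [ -n "$wild" ] && [ "$pat" = "$wild" ]; then exit 0; fi
        done
        exit 1
    )
}

# Succeed if private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample: throwaway self-signed pair $1/$3.crt and $1/$3.key, CN $2.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.crt" 2>/dev/null
}

# Demo: a certificate named like the one in the error log, checked against
# that name and against the vhost's ServerName.
tmp=$(mktemp -d)
make_sample_cert "$tmp" localhost.localdomain default
for name in localhost.localdomain www.name.com; do
    if cert_covers_name "$tmp/default.crt" "$name"; then
        echo "$name: covered"
    else
        echo "$name: NOT covered (certificate names: $(cert_names "$tmp/default.crt"))"
    fi
done
```

Run against the files named in `SSLCertificateFile` and `SSLCertificateKeyFile`, the same functions show which names that certificate would be accepted for and whether the key belongs to it.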
 
Old 02-02-2008, 12:42 PM   #9
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
Ah ha, yes of course. However, I added the IP address of my secure site (which is an IP alias) with the domain I used to register my certificate with.
Still getting the same error "12233", however now there is nothing in my ssl_error_log. Logging level is set to debug.

Is there anything I need to do to reload /etc/hosts?
I thought it was named, but it's not a running service.
 
Old 02-02-2008, 12:44 PM   #10
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
Without rebooting the network daemon?
It's a live production server.
Thanks
 
Old 02-02-2008, 03:32 PM   #11
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
Hope someone can help me please.
Still not getting to secure site:
Here's the current status:

httpd.conf:
Code:
<VirtualHost 172.16.113.11:443>
    DocumentRoot PATH/estore
    ServerName name.com
    ServerAdmin email

    ErrorLog /etc/httpd/logs/ssl_error_log
    TransferLog /etc/httpd/logs/ssl_access_log
    LogLevel debug

    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/domain.crt
    SSLCertificateKeyFile /etc/ssl/crt/domain.key
    SSLCertificateChainFile /etc/ssl/crt/domain.ca-bundle
</VirtualHost>
I do "apachectl graceful" and restart my browser.
When I browse to the WAN IP (https://IP), I get a certificate, and I can view the certificate. But when I hit "ok" the page does not load, it just hangs. Here are the last few lines of the log file:
Code:
:
:
[Sat Feb 02 16:07:07 2008] [debug] ssl_engine_io.c(1662): | 01b0: e2 c9 87 cb 1c d3 59 32-f4 59 d8 f4 fe 89 4f 86  ......Y2.Y....O. |
[Sat Feb 02 16:07:07 2008] [debug] ssl_engine_io.c(1668): +-------------------------------------------------------------------------+
[Sat Feb 02 16:07:07 2008] [info] Initial (No.1) HTTPS request received for child 0 (server SERVER.com:443)
[Sat Feb 02 16:07:07 2008] [debug] ssl_engine_kernel.c(1745): OpenSSL: Write: SSL negotiation finished successfully
[Sat Feb 02 16:07:07 2008] [info] Connection to child 0 closed with standard shutdown(server SERVER.com:443, client 75.74.16.196)
When I connect to https://domain.com, I do not get prompted for a certificate, and nothing happens.

Thanks for the help
 
Old 02-02-2008, 04:27 PM   #12
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
Do you have a Directory entry for your DocumentRoot? For example:
Code:
  <Directory "PATH/estore">
    SSLRequireSSL
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
I'd also recommend using apachectl -k stop && apachectl -k start and checking the logs again in case anything strange happened with apachectl graceful (open connections aren't aborted and log files aren't closed immediately).
 
Old 02-03-2008, 10:42 AM   #13
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
I wasn't aware I needed a directory entry for the secure site?
 
Old 02-03-2008, 01:36 PM   #14
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
It depends. If you have an "upstream" directive that forbids access to that directory, then you need to explicitly allow it. If, for example, your default root level access is deny (as the Apache docs recommend) like the following, then you will need it:
Code:
<Directory />
  Order Deny,Allow
  Deny from All
</Directory>
 
Old 02-03-2008, 04:07 PM   #15
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Original Poster
Rep: Reputation: 30
Hey, Thanks for the reply.
Before I installed my SSL certs and changed the virtual host to 443, the directory was readable and accessible via http. So I would have to believe there is no directive restricting it.
 
  

