https: connections not working on Apache; also, server-status doesn't work
After carefully doing everything right, it seems that I am doing something wrong, but I have no idea what. I'm trying to get my webserver to accept https: connections. I carefully populated my ssl-crt and ssl-key directories with all the right files, as far as I can tell. I also put all the right configuration information into ssl-global.conf, as far as I can tell:

    DocumentRoot "/usr/local/apache2/SSL"
    # Note that the FQDN and server hostname must go here - clients will not be able to connect, otherwise!
    ServerName m5.chicago.il.us:443
    ServerAdmin webmaster@m5.chicago.il.us
    # Here, I am allowing only "high" and "medium" security key lengths.
    SSLCipherSuite HIGH:MEDIUM
    # Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
    SSLProtocol all -SSLv2
    # Server Certificate:
    SSLCertificateFile /etc/apache2/ssl.crt/mars-server.crt
    # Server Private Key:
    SSLCertificateKeyFile /etc/apache2/ssl.key/mars-server.key
    # Server Certificate Chain:
    SSLCertificateChainFile /etc/apache2/ssl.crt/my-ca.crt
    # Certificate Authority (CA):
    SSLCACertificateFile /etc/apache2/ssl.crt/my-ca.crt
    # This is needed so that you can use auto-indexing for some directories in the
    # /usr/local/apache2/SSL directory branch. This can be handy if you would like to have
    # a list of sensitive files for people to download.
    <Directory "/usr/local/apache2/SSL">
        Options Indexes
        AllowOverride None
        Allow from all
        Order allow,deny
    </Directory>

But something is clearly wrong. When I invoke

    /etc/init.d/apache2 stop
    /etc/init.d/apache2 sslstart

("sslstart", rather than "start", starts the server with -DSSL, which is needed because ssl-global.conf is conditional on <IfDefine SSL>), I expect to be prompted for the passphrase, but I am not. That's my first sign that something is wrong. Then, when I connect to https://n5.chicago.il.us I get the familiar error page:

    Secure Connection Failed
    An error occurred during a connection to m5.chicago.il.us.
    SSL received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

which, despite the apparent specificity of the error, really means nothing more than "something in SSL isn't working -- now go figure out what". One useful bit of diagnostic information is that my server is listening to Port 443 in an unencrypted manner. In other words, I am able to connect to my server at http://m5.chicago.il.us:443 -- and when I do, I get my regular root document, I do not get the root document in the SSL directory.

I've already typed the error message into my favorite search engine, but haven't got any useful results. There does seem to be a consensus out there that virtual hosting can mess you up unless you're doing it just right, but to eliminate that possibility, I got rid of all of my virtual hosting, by putting it all inside <IfDefine Bogus> and </IfDefine>. This is not a permanent solution, because I need my virtual hosting, but it doesn't matter, because it didn't make a difference.

More information: listen.conf contains "Listen 443" inside what appear to be the appropriate conditionals:

    <IfDefine SSL>
      <IfDefine !NOSSL>
        <IfModule mod_ssl.c>
          Listen 443
        </IfModule>
      </IfDefine>
    </IfDefine>

and these are also the conditionals that surround everything in ssl-global.conf. The conditionals must be evaluating as true, because the above-cited line in listen.conf, and ServerName m5.chicago.il.us:443 inside ssl-global.conf, are the only lines in any of my configuration files that even mention Port 443 (except for lines involving virtual hosting that are currently commented out inside an <IfDefine Bogus>). If those conditionals weren't evaluating as true, my server wouldn't even be listening on Port 443.

So, what is the list of things that I could be doing wrong?

And as long as you've read this far, I have another question that's been bugging me, albeit a far less important one. I can't get /server-status to work. I have the appropriate lines in mod_status.conf:

    <IfModule mod_status.c>
      <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from localhost
        Allow from 127.0.0.1
      </Location>
    </IfModule>

but whenever I connect to http://127.0.0.1/server-status I get the error:

    Not Found
    The requested URL /server-status was not found on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
    Apache/2.0.54 (Linux/SUSE) Server at 127.0.0.1 Port 443

and as of today, there's an additional weirdness to bring to your attention. Do you see where it's saying that the error message is coming from Port 443? It never used to work, but it never used to say that the error was coming from Port 443. What's that all about? When I explicitly connect to other listened-to ports, e.g., http://127.0.0.1:8080/server-status, the error comes from Port 8080, or from port 8000, but when I explicitly connect to Port 80, or implicitly connect to Port 80 by not specifying a port number, or explicitly connect to Port 443, then the error message claims to be coming from Port 443. So what's going on there?

The search engines sent me to websites that speak again about virtual hosting messing up the /server-status handler, but I (hopefully temporarily) got rid of all my virtual hosting, as I mentioned earlier. I still can't get the /server-status handler to speak to me. So what's going on?

Thank you in advance for your replies. If you do reply, please send a note to jay@m5.chicago.il.us (that's jay at m5 dot chicago dot il dot us, in case this forum doesn't display e-mail addresses) so I'll know to check this forum for your reply. It will be much appreciated.

Jay F. Shachter (1-773) 7613784
Hi -
For purposes of debugging, I would suggest the following:

1. Yes, absolutely take virtual hosts out of the picture. You should be able to go back to virtual hosts once everything ELSE is working correctly.
2. Start Apache with LogLevel set to DEBUG. Make sure Wireshark is installed. That way, you should be able to:
   a) log everything that happens in the Apache server
   b) capture everything that goes across the wire to/from the server
3. Look at some of the (various different!) suggestions here: http://stackoverflow.com/questions/1...and-apache-ssl
4. This is a REALLY good link (too bad it's in Powerpoint :-( ): AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps

'Hope that helps ..

PSM
Everything Is Working Now -- You Need VirtualHost For It To Work
Well, here I am answering my own question, for the sake of any readers who may be interested, but I do end with an unanswered question of my own, to which I welcome any and all replies.

The major reason why the https: connections were not working before is that you need virtual hosting for them to work. The SSL-specific directives in the Apache configuration files have to be included between <VirtualHost *:443> and </VirtualHost>. In addition, there was a minor reason, to wit, I needed one more SSL-specific directive, "SSLEngine on". I did that, and uncommented my other virtual hosting directives, and now all my old functionality has been restored, and https: connections are now working too, and are being served from the SSL-specific DocumentRoot. I even got server-status and server-info to work, although that may be due to something else I did.

I do have one remaining question, though. My error logs are riddled with the message

    Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

The messages are consuming more disk space than I can afford, and they are also annoying. I inquired of my favorite search engine, and obtained the information that it is a Suse-specific error message, having to do with a misconfiguration of AppArmor. More than that I am not told, except to use yast2. I cannot use yast2, because it messes up my hand-edited configuration files. So, what actions must I take to eliminate this annoying error message from my Apache error logs?

Thank you in advance for your replies.
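The shape the answer arrives at, written out as an added illustration rather than the poster's actual ssl-global.conf: the SSL directives from the question moved inside a port-443 virtual host, with the missing SSLEngine on. The file paths, hostname and cipher settings are the ones quoted in the question; the comments and the guard layout are mine, and the Listen 443 is assumed to stay in listen.conf as the poster already has it.

```apache
# Same guards that surround listen.conf, so the vhost only exists when the
# server is started with -DSSL ("sslstart") and mod_ssl is loaded.
<IfDefine SSL>
<IfModule mod_ssl.c>

# Global DocumentRoot/SSLCertificate* lines never switch TLS on for port 443.
# With no SSLEngine on, Apache served plain HTTP on 443, which the browser
# reported as ssl_error_rx_record_too_long. Scope the directives to the
# port-443 vhost and enable the engine there.
<VirtualHost *:443>
    ServerName  m5.chicago.il.us:443
    ServerAdmin webmaster@m5.chicago.il.us
    DocumentRoot "/usr/local/apache2/SSL"

    SSLEngine on                        # the directive the question was missing
    SSLProtocol all -SSLv2              # as posted; a current build should also drop SSLv3
    SSLCipherSuite HIGH:MEDIUM

    SSLCertificateFile      /etc/apache2/ssl.crt/mars-server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl.key/mars-server.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/my-ca.crt
    SSLCACertificateFile    /etc/apache2/ssl.crt/my-ca.crt

    <Directory "/usr/local/apache2/SSL">
        Options Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

</IfModule>
</IfDefine>
```

After a restart, `httpd -S` (or `apache2ctl -S`) should list the vhost under port 443, and `openssl s_client -connect m5.chicago.il.us:443` should complete a TLS handshake instead of returning an HTTP response, which is the quickest way to tell a TLS listener from the plain-HTTP-on-443 symptom described in the question.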