https: connections not working on Apache; also, server-status doesn't work
 

After carefully doing everything right, it seems that I am doing
something wrong, but I have no idea what. I'm trying to get my
webserver to accept https: connections. I carefully populated
my ssl-crt and ssl-key directories with all the right files, as
far as I can tell. I also put all the right configuration
information into ssl-global.conf, as far as I can tell:


DocumentRoot "/usr/local/apache2/SSL"

# Note that the FQDN and server hostname must go here - clients will not be able to connect, otherwise!
ServerName m5.chicago.il.us:443
ServerAdmin webmaster@m5.chicago.il.us

# Here, I am allowing only "high" and "medium" security key lengths.
SSLCipherSuite HIGH:MEDIUM

# Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2

# Server Certificate:
SSLCertificateFile /etc/apache2/ssl.crt/mars-server.crt

# Server Private Key:
SSLCertificateKeyFile /etc/apache2/ssl.key/mars-server.key

# Server Certificate Chain:
SSLCertificateChainFile /etc/apache2/ssl.crt/my-ca.crt

# Certificate Authority (CA):
SSLCACertificateFile /etc/apache2/ssl.crt/my-ca.crt
# This is needed so that you can use auto-indexing for some directories in the
# /usr/local/apache2/SSL directory branch. This can be handy if you would like to have
# a list of sensitive files for people to download.
<Directory "/usr/local/apache2/SSL">
Options Indexes
AllowOverride None
Allow from from all
Order allow,deny
</Directory>



But something is clearly wrong. When I invoke
/etc/init.d/apache2 stop
/etc/init.d/apache2 sslstart
("sslstart", rather than "start", starts the server with -DSSL, which is
needed because ssl-global.conf is conditional on <IfDefine SSL>), I expect
to be prompted for the passphrase, but I am not. That's my first sign that
something is wrong. Then, when I connect to https://n5.chicago.il.us I get
the familiar error page:


Secure Connection Failed


An error occurred during a connection to m5.chicago.il.us.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)


which, despite the apparent specificity of the error, really means nothing
more than "something in SSL isn't working -- now go figure out what".

One useful bit of diagnistic information is that my server is listening
to Port 443 in an unencrypted manner. In other words, I am able to
connect to my server at http://m5.chicago.il.us:443 -- and when I do,
I get my regular root document, I do not get the root document in the
SSL directory.

I've already typed the error message into my favorite search engine, but
haven't got any useful results. There does seem to be a consensus out
there that virtual hosting can mess you up unless you're doing it just
right, but to eliminate that possiblity, I got rid of all of my virtual
hosting, by putting it all inside <IfDefine Bogus> and </IfDefine>. This
is not a permanent solution, because I need my virtual hosting, but it
doesn't matter, because it didn't make a difference.

More information: listen.conf contains "Listen 443" inside what appear to
be the appropriate conditionals:

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

Listen 443

</IfModule>
</IfDefine>
</IfDefine>

and these are also the conditionals that surround everything in
ssl-global.conf. The conditionals must be evaluating as true, because
the above-cited line in listen.conf, and

ServerName m5.chicago.il.us:443

inside ssl-global.conf are the only lines in any of my configuration files
that even mention Port 443 (excepts for lines involving virtual hosting
that are currently commented out inside an <IfDefine Bogus>). If those
conditionals weren't evaluating as true, my server wouldn't even be
listening on Port 443.

So, what is the list of things that I could be doing wrong?

And as long as you've read this far, I have another question that's been
bugging me, albeit a far less important one. I can't get /server-status
to work. I have the appropriate lines in mod_status.conf:

<IfModule mod_status.c>
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Location>
</IfModule>

but whenever I connect to http://127.0.0.1/server-status I get the error:


Not Found

The requested URL /server-status was not found on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.

_________________________________________________________________________


Apache/2.0.54 (Linux/SUSE) Server at 127.0.0.1 Port 443


and as of today, there's an additional weirdness to bring to your
attention. Do you see where it's saying that the error message is
coming from Port 443? It never used to work, but it never used to say
that the error was coming from Port 443. What's that all about? When
I explicitly connect to other listened-to ports, e.g.,
http://127.0.0.1:8080/server-status, the error comes from Port 8080, or
from port 8000, but when I explicitly connect to Port 80, or implicitly
connect to Port 80 by not specifying a port number, or exlicitly connect
to Port 443, then the error message claims to be coming from Port 443.
So what's going on there?

The search engines sent me to websites that speak again about virtual
hosting messing up the /server-status handler, but I (hopefully
temporarily) got rid of all my virtual hosting, as I mentioned earlier.
I still can't get the /server-status handler to speak to me. So what's
going on?

Thank you in advance for your replies. If you do reply, please send a note
to jay@m5.chicago.il.us (that's jay at m5 dot chicago dot il dot us, in
case this forum doesn't display e-mail addresses) so I'll know to check
this forum for your reply. It will be much appreciated.

Jay F. Shachter
(1-773) 7613784

Hi -

For purposes of debugging, I would suggest the following:

1. Yes, absolutely take virtual hosts out of the picture.
You should be able to go back to virtual hosts once everything ELSE is working correctly.

2. Start Apache with LogLevel set to DEBUG.
Make sure Wireshark is installed.
That way, you should be able to:
a) log everything that happens in the Apache server
b) capture everything that goes across the wire to/from the server

3. Look at some of the (various different!) suggestions here:
http://stackoverflow.com/questions/1...and-apache-ssl

4. This is a REALLY good link (too bad it's in Powerpoint :-( ):

AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps

'Hope that helps .. PSM

Everything Is Working Now -- You Need VirtualHost For It To Work
 

Well, here I am answering my own question, for the sake of any
readers who may be interested, but I do end with an unanswered
question of my own, to which I welcome any and all replies.

The major reason why the https: connections were not working
before is that you need virtual hosting for them to work. The
SSL-specific directives in the Apache configuration files have
to be included between <VirtualHost *:443> and </VirtualHost>.
In addition, there was a minor reason, to wit, I needed one more
SSL-specific directive, "SSLEngine on". I did that, and uncommented
my other virtual hosting directives, and now all my old functionality
has been restored, and https: connections are now working too, and
are being served from the SSL-specific DocumentRoot. I even got
server-status and server-info to work, although that may be due
to something else I did.

I do have one remaining question, though. My error logs are riddled
with the message
Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
The messages are consuming more disk space than I can afford, and
they are also annoying. I inquired of my favorite search engine,
and obtained the information that it is a Suse-specific error message,
having to do with a misconfiguration of AppArmor. More than that
I am not told, except to use yast2. I cannot use yast2, because
it messes up my hand-edited configuration files. So, what actions
must I take to eliminate this annoying error message from my Apache
error logs? Thank you in advance for your replies.