After carefully doing everything right, it seems that I am doing
something wrong, but I have no idea what. I'm trying to get my
webserver to accept https: connections. I carefully populated
my ssl-crt and ssl-key directories with all the right files, as
far as I can tell. I also put all the right configuration
information into ssl-global.conf, as far as I can tell:
DocumentRoot "/usr/local/apache2/SSL"
# Note that the FQDN and server hostname must go here - clients will not be able to connect, otherwise!
ServerName m5.chicago.il.us:443
ServerAdmin webmaster@m5.chicago.il.us
# Here, I am allowing only "high" and "medium" security key lengths.
SSLCipherSuite HIGH:MEDIUM
# Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
# Server Certificate:
SSLCertificateFile /etc/apache2/ssl.crt/mars-server.crt
# Server Private Key:
SSLCertificateKeyFile /etc/apache2/ssl.key/mars-server.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/apache2/ssl.crt/my-ca.crt
# Certificate Authority (CA):
SSLCACertificateFile /etc/apache2/ssl.crt/my-ca.crt
# This is needed so that you can use auto-indexing for some directories in the
# /usr/local/apache2/SSL directory branch. This can be handy if you would like to have
# a list of sensitive files for people to download.
<Directory "/usr/local/apache2/SSL">
Options Indexes
AllowOverride None
Allow from all
Order allow,deny
</Directory>
But something is clearly wrong. When I invoke
/etc/init.d/apache2 stop
/etc/init.d/apache2 sslstart
("sslstart", rather than "start", starts the server with -DSSL, which is
needed because ssl-global.conf is conditional on <IfDefine SSL>), I expect
to be prompted for the passphrase, but I am not. That's my first sign that
something is wrong. Then, when I connect to
https://m5.chicago.il.us I get
the familiar error page:
Secure Connection Failed
An error occurred during a connection to m5.chicago.il.us.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
which, despite the apparent specificity of the error, really means nothing
more than "something in SSL isn't working -- now go figure out what".
One useful bit of diagnostic information is that my server is listening
to Port 443 in an unencrypted manner. In other words, I am able to
connect to my server at
http://m5.chicago.il.us:443 -- and when I do,
I get my regular root document, I do not get the root document in the
SSL directory.
I've already typed the error message into my favorite search engine, but
haven't got any useful results. There does seem to be a consensus out
there that virtual hosting can mess you up unless you're doing it just
right, but to eliminate that possibility, I got rid of all of my virtual
hosting, by putting it all inside <IfDefine Bogus> and </IfDefine>. This
is not a permanent solution, because I need my virtual hosting, but it
doesn't matter, because it didn't make a difference.
More information: listen.conf contains "Listen 443" inside what appear to
be the appropriate conditionals:
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
and these are also the conditionals that surround everything in
ssl-global.conf. The conditionals must be evaluating as true, because
the above-cited line in listen.conf, and
ServerName m5.chicago.il.us:443
inside ssl-global.conf are the only lines in any of my configuration files
that even mention Port 443 (except for lines involving virtual hosting
that are currently commented out inside an <IfDefine Bogus>). If those
conditionals weren't evaluating as true, my server wouldn't even be
listening on Port 443.
So, what is the list of things that I could be doing wrong?
And as long as you've read this far, I have another question that's been
bugging me, albeit a far less important one. I can't get /server-status
to work. I have the appropriate lines in mod_status.conf:
<IfModule mod_status.c>
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Location>
</IfModule>
but whenever I connect to
http://127.0.0.1/server-status I get the error:
Not Found
The requested URL /server-status was not found on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.
_________________________________________________________________________
Apache/2.0.54 (Linux/SUSE) Server at 127.0.0.1 Port 443
and as of today, there's an additional weirdness to bring to your
attention. Do you see where it's saying that the error message is
coming from Port 443? It never used to work, but it never used to say
that the error was coming from Port 443. What's that all about? When
I explicitly connect to other listened-to ports, e.g.,
http://127.0.0.1:8080/server-status, the error comes from Port 8080, or
from port 8000, but when I explicitly connect to Port 80, or implicitly
connect to Port 80 by not specifying a port number, or explicitly connect
to Port 443, then the error message claims to be coming from Port 443.
So what's going on there?
The search engines sent me to websites that speak again about virtual
hosting messing up the /server-status handler, but I (hopefully
temporarily) got rid of all my virtual hosting, as I mentioned earlier.
I still can't get the /server-status handler to speak to me. So what's
going on?
Thank you in advance for your replies. If you do reply, please send a note
to
jay@m5.chicago.il.us (that's jay at m5 dot chicago dot il dot us, in
case this forum doesn't display e-mail addresses) so I'll know to check
this forum for your reply. It will be much appreciated.
Jay F. Shachter
(1-773) 7613784
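The two symptoms in the post (no passphrase prompt, and plaintext HTTP answering on port 443) are both what a port looks like when Apache binds it but mod_ssl is never switched on for it; in mod_ssl that switch is the `SSLEngine on` directive, which is not among the directives quoted above. The script below is an added example, not the poster's configuration or part of Apache: it walks a config fragment while evaluating `<IfDefine>` and `<IfModule>` conditionals against the `-D` symbols and modules the server was started with, reports whether port 443 ends up bound with `SSLEngine on` in effect, and separately classifies the first bytes a server returns after a TLS ClientHello. A plaintext `HTTP/1.x` reply has bytes 3 and 4 equal to `P/` (0x502F = 20527), which a TLS client reads as a record length far above any legal record, which is exactly the `ssl_error_rx_record_too_long` shown in the post. The sample config is condensed from the fragments quoted in the post, and the byte strings are constructed.

```python
import re

# Matches "<IfDefine SSL>", "<IfDefine !NOSSL>", "<IfModule mod_ssl.c>".
_OPEN = re.compile(r"^<(IfDefine|IfModule)\s+(!?)(\S+?)\s*>$", re.I)
_CLOSE = re.compile(r"^</(IfDefine|IfModule)>$", re.I)

# Condensed from the listen.conf and ssl-global.conf fragments quoted in the post.
SAMPLE_CONFIG = """
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
<IfDefine SSL>
ServerName m5.chicago.il.us:443
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/ssl.crt/mars-server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/mars-server.key
</IfDefine>
"""

NO_ENGINE = "port 443 is bound but SSLEngine on is not in effect: plaintext HTTP on 443"
NOT_BOUND = "nothing listens on 443 under these defines"
ENGINE_ON = "port 443 is bound and SSLEngine on is in effect"


def active_directives(text, defines, modules):
    """Yield (directive, argument) pairs that survive the <IfDefine>/<IfModule> nesting."""
    stack = []  # one bool per currently open conditional block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            kind, neg, name = m.groups()
            pool = defines if kind.lower() == "ifdefine" else modules
            stack.append((name in pool) != bool(neg))  # "!" inverts the test
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        if all(stack):  # only emit directives whose every enclosing block is true
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def diagnose(text, defines, modules):
    """Explain what port 443 will do given the start-up defines and loaded modules."""
    directives = list(active_directives(text, defines, modules))
    ports = {arg.rsplit(":", 1)[-1] for d, arg in directives if d == "listen"}
    engine_on = any(d == "sslengine" and arg.lower() == "on" for d, arg in directives)
    if "443" not in ports:
        return NOT_BOUND
    return ENGINE_ON if engine_on else NO_ENGINE


def classify_reply(first_bytes):
    """Classify the first bytes a server sends back after a TLS ClientHello."""
    if len(first_bytes) < 5:
        return "short"
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    # 0x16 = handshake record, 0x15 = alert record; version 3.0 .. 3.3 = SSLv3 .. TLS 1.2
    if content_type in (0x15, 0x16) and major == 3 and minor <= 3:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def apparent_record_length(first_bytes):
    """Bytes 3-4 of a TLS record header are the length; on 'HTTP/...' they read as 0x502F."""
    return int.from_bytes(first_bytes[3:5], "big")


# Constructed samples: a plaintext reply and the start of a real-looking ServerHello record.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.0.54 (Linux/SUSE)\r\n\r\n"
TLS_REPLY = bytes.fromhex("160301004a0200004603")

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, {"SSL"}, {"mod_ssl.c"}))
    print(classify_reply(PLAINTEXT_REPLY), apparent_record_length(PLAINTEXT_REPLY))
    print(classify_reply(TLS_REPLY))
```

Run with the defines the server was actually started with (`-DSSL` here); adding `NOSSL` to the define set shows the `!NOSSL` guard dropping the `Listen 443` line, and appending an `SSLEngine on` line to the sample flips the verdict. The reply classifier is the same test a client performs implicitly: it is a cheap way to confirm from the outside whether a port is speaking TLS at all before digging into certificates and keys.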