
juninho04 05-06-2009 02:52 PM

SSL not working with Apache
 
Hi all,
I've been trying to enable SSL on an Apache+Debian server.

I already enabled the ssl module, added port 443 in ports.conf, and added a virtual host for port 443, as follows.

NameVirtualHost *:443

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www2.domain.com
        DocumentRoot /var/www/

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>

The certificate is installed also.

After I restart Apache, the error log doesn't show anything unusual. The only thing shown is this:
Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations

Still, I can't open any pages with https protocol, only with http.

Any ideas of what may be the problem?

Thanks in advance

rweaver 05-06-2009 03:02 PM

Firewall? Try an iptables -L and see if you're allowing or blocking the port.

rhel5 05-06-2009 03:08 PM

I am not exactly sure if Debian has this or not.

Try httpd -t to test the syntax in the httpd.conf and ssl.conf files for any errors that you might have missed. Also, I believe you can dump the virtual hosts to test with httpd -D

I am not sure if you have the name resolved properly. Did you try accessing the site with the ip address just in case? I remember when I first set up Apache I didn't have the ip address of the server listed in the dns, so the url didn't work.

another 1 05-06-2009 03:39 PM

Hi. I am new to Linux and this stuff, but I think I may help.
I can see that you have only installed the certificate? So does this certificate belong to a known CA? If not, you should install the root in the browser and add the root certificate in the Apache configuration file (look at ssl.conf in /etc/httpd/conf.d/ssl.conf and continue the configuration in that file). Another thing that you must know is that Apache takes the configuration from all the files in the httpd configuration directory, so you shouldn't run the SSL engine twice.
If the root certificate is not added to the browser, an error happens and you may think that you couldn't get the configuration done. Hope that I helped.
One last thing: the Common Name of the certificate should be the name of your website.

juninho04 05-06-2009 03:41 PM

Hi,
thanks for the answers.

There is no rule in the firewall, I haven't added any yet. I tried to accept any connections, for testing, but it doesn't work either. Here's my iptables:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https

As suggested, I also tried apache2 -t to test the syntax, but it says it is ok.

I tried apache2 -t -D DUMP_VHOSTS to dump the virtual hosts and here's the reply:

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server www2.domain.com (/etc/apache2/sites-enabled/ssl-default:3)
port 443 namevhost www2.domain.com (/etc/apache2/sites-enabled/ssl-default:3)
*:80 is a NameVirtualHost
default server www2.domain.com (/etc/apache2/sites-enabled/000-default:3)
port 80 namevhost www2.domain.com (/etc/apache2/sites-enabled/000-default:3)
Syntax OK

It seems ok.

The DNS works ok also, I can access it through the IP address.

If I go through http://www.domain.com it works.
But it doesn't with https://...

Damn, this is killing me...

another 1 05-06-2009 03:50 PM

This page helped me.

juninho04 05-06-2009 04:00 PM

Hi another1, thanks for the reply.

I'm not quite sure I understand what you mean by "you should install the root in the browser". When I open the page it should ask me if I want to accept the certificate or not, right? I created one for testing purposes.

I started the SSLEngine and added the certificate file only in the virtual host. I took them out and put them in ssl.conf to clear my conscience, but it didn't work either.

I'll take a look at the link you sent me now.

thanks.

anomie 05-06-2009 05:16 PM

Quote:

Originally Posted by juninho04
Code:

NameVirtualHost *:443

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www2.domain.com
        DocumentRoot /var/www/

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>


Where is your SSLCertificateKeyFile directive? Did you generate a private key?

colonboy 05-06-2009 09:58 PM

juninho04,

What is the output of /var/log/httpd/error_log?

Colonboy

juninho04 05-07-2009 07:18 AM

The private key was included in the certificate file. I tried putting them in different files and including the SSLCertificateKeyFile directive, but that didn't work either.

Colonboy, the error log doesn't show anything unusual. Here's what I got when I restarted apache:

[Thu May 07 06:10:28 2009] [notice] caught SIGTERM, shutting down
[Thu May 07 06:10:30 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations

juninho04 05-07-2009 07:40 AM

Well, I tried apache2 -l to see the installed modules and here's what I got:

Compiled in modules:
core.c
mod_log_config.c
mod_logio.c
prefork.c
http_core.c
mod_so.c

Shouldn't mod_ssl.c be listed here?

To include mod_ssl I entered a2enmod ssl and then I force-reload.

Is there another way to do this?

edit: Another thing is that when I restart Apache the ssl_engine log doesn't show anything. Is it possible that the engine is not being initialized?

anomie 05-07-2009 02:58 PM

Quote:

Originally Posted by juninho04
Well, I tried apache2 -l to see the installed modules and here's what I got
...
edit: Another thing is that when I restart Apache the ssl_engine log doesn't show anything. Is it possible that the engine is not being initialized?

The -l switch only shows compiled-in modules. You are probably dynamically loading it in your configuration file via LoadModule.

Besides, if mod_ssl wasn't being loaded, you would fail a syntax check when you try to turn the SSL engine on (for example).

Maybe we need to revisit some basics here. From the server, what output does -

# netstat -ltn

- show?

From your client machine, does tcp port 443 on the server appear to be open to you?

Check with nmap or netcat -- e.g.:

# nc -zvw 1 server.ip.here 443

juninho04 05-07-2009 03:12 PM

Hi anomie, thanks for the reply again.

Here's what I got with # netstat -ltn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 IP.ADRESS:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53246 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN

But when I entered the second command you gave me (# nc -zvw 1 server.ip.here 443) I got a connection timeout.

What should I do to open the port? I thought that only adding Listen 443 in ports.conf would be enough.

Thanks.

anomie 05-07-2009 03:32 PM

Well, here's what we know:
  • The httpd daemon is listening for connections on tcp 443 (per your last post).
  • Your server's iptables ruleset does not appear to be the problem.
  • You can access http (tcp 80), so that suggests that the IP configuration is set up correctly.
  • httpd's error_log is not reporting any problems, so it is likely your request is never reaching tcp 443.

What next? Are there any packet filtering devices sitting between you and the server? Are you running a host-level firewall on the client that could be blocking connections to remote tcp 443?

---

edit: To help prove a point about the cause here, install lynx on your server and try accessing https://localhost.
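
The ladder anomie lays out (is the daemon listening, does it answer from the box itself, does it answer from a client) as a small added probe; this is example code written for this page, not anything posted in the thread, and the loopback listener helper exists only so the probe can be exercised offline.

```python
import socket

def probe_tcp(host, port, timeout=2.0):
    """TCP connect to host:port and classify what happened.
    'open'        -> handshake completed (something is listening)
    'refused'     -> host answered with RST (reached, but nothing listening or a REJECT rule)
    'timeout'     -> no answer at all (typical of a DROP rule or an upstream filter)
    'unreachable' -> routing/ICMP error before the SYN was answered
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()

# (result from the server itself, result from a remote client) -> interpretation,
# following the thread's reasoning: listening + fine on localhost + timeout remotely
# means the SYN is being silently dropped somewhere between client and server.
VERDICTS = {
    ("open", "open"): "tcp/443 reachable; if https still fails, look at the TLS/vhost config",
    ("open", "timeout"): "listening and fine locally; tcp/443 is dropped upstream (hosting or network firewall)",
    ("open", "refused"): "host reached but tcp/443 rejected: server-side REJECT rule or port mapping",
    ("refused", "refused"): "nothing listening on tcp/443: check Listen 443 in ports.conf and that mod_ssl is enabled",
}

def diagnose(local_result, remote_result):
    return VERDICTS.get((local_result, remote_result),
                        "unclassified: %s locally, %s remotely" % (local_result, remote_result))

def open_test_listener():
    """Bind a loopback listener on an ephemeral port so the probe can be exercised offline (test helper)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    import sys
    # Run once on the server (host 127.0.0.1) and once from a client (host = the server's IP),
    # then feed the two results to diagnose().
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(host, "tcp/443:", probe_tcp(host, 443))
```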

juninho04 05-07-2009 08:33 PM

Well, it worked with lynx.
There's nothing on the client side, because I can reach other ssl servers without problems.

So I guess something at my host may be blocking port 443.

I'm going to contact them tomorrow morning.

Just in case, is there anything else that may be causing this problem?

Thanks once again.
