LinuxQuestions.org


alavarre 12-23-2015 10:00 AM

SSL on Apache2 host with multiple Virtual Hosts...
 
I cannot connect to port 443 (https) on a server with multiple Virtual Hosts. Needless to say, I've spent hours googling, analyzing, experimenting before coming here. Below is a synopsis, can anyone please point out the obvious omission???

Basic problem:
https://www.ssllabs.com/ssltest/anal...privustech.com
• No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").

======================

This is all quite maddening. I'm sure it's easy when you know how, but at present I do not know how. My logs show that it used to work (05/01/14) but following that log does not work now
http://genietvanhetleven.blogspot.com/2014/05/setting-up-sni-virtual-hosts-and-secure.html

I cannot get SSL to work on the URLs:
https://www.privustech.com
https://newportandbeyond.org

even though normal port 80 connections work just fine. These are all virtual hosts on an OpenSUSE 13.1 Apache server at 70.186.159.22.

Firefox returns
An error occurred during a connection to privustech.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

https://www.ssllabs.com/ssltest/anal...privustech.com
reports
• No secure protocols supported
----------
• We are not using a proxy server to my knowledge.
http://stackoverflow.com/questions/119336/ssl-error-rx-record-too-long-and-apache-ssl


• I have added the CA certificate to the browser(s) (Firefox, Chromium).

• The site (70.186.159.22) has eight virtual hosts:
privustech.com
www.privustech.com
truthcourage.org
www.truthcourage.org
genietvanhetleven.org
www.genietvanhetleven.org
newportandbeyond.org
www.newportandbeyond.org

All of them are set to listen *. I tried changing one to listen *:443, no change.

• SNI is enabled by default on openSUSE.
https://activedoc.opensuse.org/book/...he-http-server
yast2 defaults to identifying the virtual hosts by name, rather than IP:
Determine Request Server by HTTP Headers
although there is no explicit setting I can find in yast2 to specify settings for Named Based Virtual Hosts:
https://activedoc.opensuse.org/de/no...t.named_vhosts
so it may have to be configured by hand... This option is configured in the configuration file
/etc/apache2/listen.conf
All the *NameVirtualHost* entries are commented out.
I uncommented
Code:

NameVirtualHost
Listen *:80
Listen *:443

but no change.

• Apache2 is configured by /etc/apache2/httpd.conf and its "Include"d subordinate xxx.conf files, in particular
/etc/apache2/ssl-global.conf
This file claims
Code:

##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.

So I should not have to enter entries into each vhost module, although I tried changing one host from
Code:

listen *
to
Code:

listen *:443
and it didn't make any difference.
/etc/apache2/listen.conf contains
Code:

#NameVirtualHost *
Listen *:80
Listen *:443

• I have enabled SSL in yast2 http-server by enabling the ssl module under yast2 http-server →Server Modules

• The system is opensuse 13.1. The configurator (yast2 http-server) claims to overwrite any manual changes to the configuration file httpd.conf and its included files, including /etc/apache2/listen.conf and /etc/apache2/ssl-global.conf. However, yast2 http-server does not apparently have any way to set the document locations, so I do so manually in /etc/apache2/ssl-global.conf. I have placed verified and validated keys and certs in the right places, and edited the included /etc/apache2/ssl-global.conf to point to them correctly:
Code:

SSLCertificateFile /etc/apache2/ssl.crt/privustech.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/privustech.key
SSLCertificateChainFile /etc/apache2/ssl.crt/startssl_ca.pem
SSLCACertificatePath /etc/apache2/ssl.crt/
SSLCACertificateFile  /etc/apache2/ssl.crt/startssl_ca.pem

• I have tried both self-signed and StartSSL-signed documents:
xxx.key
xxx.crt
xxx_ca.pem
They all both verify (key-cert combination) and chain verify (key-cert-CA cert).
Code:

openssl verify ...
• The server is happy with the configuration files
Code:

apachectl configtest
                Syntax OK

and happily restarts after any amendments to the .conf files.

• All the readings I've done say to include:
Code:

SSLEngine On
But this switch does not appear in either /etc/apache2/httpd.conf or /etc/apache2/ssl-global.conf, not even commented out, so may be deprecated.

• The key and certs reside in
/etc/apache2/:
ssl.crt/
ssl.key/

I'm sure the answer is easy, but I haven't found it.

Thanks in advance, Andy

linuxtech99 12-25-2015 11:56 AM

Were you able to telnet to port 443 locally on the server?
Quote:

telnet localhost 443 or telnet 70.186.159.22 443
If so, did you make sure the host-based firewalls like iptables and network firewalls are allowed to talk to port 443?

If port 443 is not listening inside the hosts, what do you see in ssl_error.log file?

fmattheus 12-28-2015 05:46 AM

Your server is listening to port 443. It can easily be tested by telnetting to port 443

Code:

> telnet privustech.com 443
Trying 70.186.159.22...
Connected to privustech.com.
Escape character is '^]'.

But https doesn't work, as you said. However http on port 443 DOES work.
Code:

> wget http://privustech.com:443/
--2015-12-28 12:38:49--  http://privustech.com:443/
Resolving privustech.com (privustech.com)... 70.186.159.22
Connecting to privustech.com (privustech.com)|70.186.159.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345 [text/html]
Saving to: index.html

You need to set up a separate Virtualhost for the domain in question and enable SSL in that Virtualhost.

Create a file like /etc/apache2/sites-available/www.privustech.com_ssl.conf and the contents need to look something like the following.
Code:

<VirtualHost *:443>
    ServerName www.privustech.com

    SSLEngine On
    SSLCertificateFile      ssl/www.privustech.com.crt
    SSLCertificateKeyFile  ssl/www.privustech.com.key
    SSLCertificateChainFile ssl/digicert.intermediates.crt
</VirtualHost>

And then enable that virtualhost with something like
Code:

# a2ensite www.privustech.com_ssl
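As an added example (not from any of the thread's participants), the checker below does two things: it shows why a plain-HTTP answer on port 443 produces Firefox's ssl_error_rx_record_too_long (the client reads the ASCII response as a TLS record header), and it lints an Apache config for the situation in this thread (Listen 443 with no SSL-enabled *:443 vhost). The sample reply, the vhost snippets and all function names are constructed for illustration.

```python
import re

# Largest TLS record a client accepts: 2^14 bytes of plaintext plus 2048 bytes of
# expansion (RFC 5246 section 6.2.3); a bigger length field is "record too long".
MAX_TLS_RECORD = 16384 + 2048

def classify_reply(first_bytes: bytes) -> dict:
    """Interpret the first 5 bytes a client received after sending a ClientHello.

    A TLS server answers with a record header: type 0x16 (handshake) or 0x15
    (alert), version 0x03 0x0X, then a 2-byte big-endian length.  A port that is
    open but speaks plain HTTP answers with ASCII, which the client still reads
    as a record header, so the "length" is two text bytes and usually too big.
    """
    if len(first_bytes) < 5:
        return {"kind": "short", "length": None, "too_long": False}
    length = int.from_bytes(first_bytes[3:5], "big")
    if first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        kind = "tls"
    else:
        kind = "plaintext-http" if first_bytes.startswith(b"HTTP/") else "unknown"
    return {"kind": kind, "length": length, "too_long": length > MAX_TLS_RECORD}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def lint_ssl_vhosts(config: str) -> list:
    """Flag the misconfigurations discussed in the thread; returns a list of findings."""
    findings = []
    listens_443 = re.search(r"^\s*Listen\s+(?:\S+:)?443\s*$", config, re.M | re.I)
    vhosts_443 = 0
    for addr, body in VHOST_RE.findall(config):
        if ":443" not in addr:
            continue  # a port-80 (or bare "*") vhost never terminates TLS on 443
        vhosts_443 += 1
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        if not name:
            findings.append("<VirtualHost %s> has no ServerName; SNI cannot select it" % addr)
        if not re.search(r"^\s*SSLEngine\s+on\s*$", body, re.M | re.I):
            findings.append("<VirtualHost %s> lacks 'SSLEngine On'" % addr)
    if listens_443 and vhosts_443 == 0:
        findings.append("Listen 443 but no <VirtualHost *:443>: port 443 serves plain HTTP")
    return findings

# Constructed samples.  PLAINTEXT_REPLY is what plain-HTTP Apache returns when it
# parses a ClientHello as a request line: bytes 3-4 are "P/" = 0x50 0x2F = 20527.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
BROKEN_CONFIG = "Listen *:80\nListen *:443\n<VirtualHost *>\n    ServerName www.privustech.com\n</VirtualHost>\n"
FIXED_CONFIG = BROKEN_CONFIG + ("<VirtualHost *:443>\n    ServerName www.privustech.com\n"
                                "    SSLEngine On\n    SSLCertificateFile ssl/www.privustech.com.crt\n"
                                "    SSLCertificateKeyFile ssl/www.privustech.com.key\n</VirtualHost>\n")
```

Run lint_ssl_vhosts over the concatenated output of the vhost files to catch the missing SSLEngine before restarting Apache; classify_reply takes the first bytes read from a raw socket after sending a ClientHello.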

