SSL on Apache2 host with multiple Virtual Hosts...
I cannot connect to port 443 (https) on a server with multiple Virtual Hosts. Needless to say, I've spent hours googling, analyzing, experimenting before coming here. Below is a synopsis; can anyone please point out the obvious omission?
Basic problem: https://www.ssllabs.com/ssltest/anal...privustech.com

    No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").

======================

This is all quite maddening. I'm sure it's easy when you know how, but at present I do not know how.

My logs show that it used to work (05/01/14), but following that log does not work now:
http://genietvanhetleven.blogspot.com/2014/05/setting-up-sni-virtual-hosts-and-secure.html

I cannot get SSL to work on the URLs:
    https://www.privustech.com
    https://newportandbeyond.org
even though normal port 80 connections work just fine. These are all virtual hosts on an OpenSUSE 13.1 Apache server at 70.186.159.22.

Firefox returns:

    An error occurred during a connection to privustech.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

https://www.ssllabs.com/ssltest/anal...privustech.com reports:

    No secure protocols supported

----------

• We are not using a proxy server to my knowledge.
  http://stackoverflow.com/questions/119336/ssl-error-rx-record-too-long-and-apache-ssl

• I have added the CA certificate to the browser(s) (Firefox, Chromium).

• The site (70.186.159.22) has eight virtual hosts:
    privustech.com
    www.privustech.com
    truthcourage.org
    www.truthcourage.org
    genietvanhetleven.org
    www.genietvanhetleven.org
    newportandbeyond.org
    www.newportandbeyond.org
  All of them are set to listen *. I tried changing one to listen *:443, no change.

• SNI is enabled by default on openSUSE.
  https://activedoc.opensuse.org/book/...he-http-server
  yast2 defaults to identifying the virtual hosts by name, rather than IP ("Determine Request Server by HTTP Headers"), although there is no explicit setting I can find in yast2 to specify settings for Name Based Virtual Hosts:
  https://activedoc.opensuse.org/de/no...t.named_vhosts
  so it may have to be configured by hand... This option is configured in the configuration file /etc/apache2/listen.conf. All the NameVirtualHost entries are commented out. I uncommented
  Code:
    NameVirtualHost

• Apache2 is configured by /etc/apache2/httpd.conf and its
  Code:
    Include /etc/apache2/ssl-global.conf
  This file claims
  Code:
    ## All SSL configuration in this context applies both to
  Code:
    listen *
  Code:
    listen *:443
  /etc/apache2/listen.conf contains
  Code:
    #NameVirtualHost *

• The system is openSUSE 13.1. The configurator (yast2 http-server) claims to overwrite any manual changes to the configuration file httpd.conf and its included files, including /etc/apache2/listen.conf and /etc/apache2/ssl-global.conf. However, yast2 http-server does not apparently have any way to set the document locations, so I do so manually in /etc/apache2/ssl-global.conf. I have placed verified and validated keys and certs in the right places, and edited the included /etc/apache2/ssl-global.conf to point to them correctly:
  Code:
    SSLCertificateFile /etc/apache2/ssl.crt/privustech.crt
    xxx.key
    xxx.crt
    xxx_ca.pem
  They all both verify (key-cert combination) and chain verify (key-cert-CA cert).
  Code:
    openssl verify ...
  Code:
    apachectl configtest

• All the readings I've done say to include:
  Code:
    SSLEngine On

• The key and certs reside in /etc/apache2/:
    ssl.crt/
    ssl.key/

I'm sure the answer is easy, but I haven't found it.

Thanks in advance,
Andy
Were you able to telnet to port 443 locally on the server?
If port 443 is not listening inside the hosts, what do you see in the ssl_error.log file?
Your server is listening on port 443. It can easily be tested by telnetting to port 443:
Code:
    > telnet privustech.com 443
Code:
    > wget http://privustech.com:443/

Create a file like /etc/apache2/sites-available/www.privustech.com_ssl.conf and the contents need to look something like the following.
Code:
    <VirtualHost *:443>
Code:
    # a2ensite www.privustech.com_ssl
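The vhost block in the reply above survives only as its first line. As an added example, not part of this thread, the openSUSE documentation, or the Apache project, here is what a complete pair of name-based SSL vhosts looks like, together with a small shell audit that flags any *:443 vhost lacking "SSLEngine on". That is the state in which Apache answers plaintext HTTP on port 443, and a browser then reports ssl_error_rx_record_too_long, the symptom from the first post. The domain names follow the thread; the DocumentRoot paths, the key and chain file names, and the sample config itself are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Writes a constructed Apache config to a
# temp file and audits every <VirtualHost *:443> block for "SSLEngine on".
# All paths and file names are assumptions modelled on the thread.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT

# Constructed sample: the second vhost deliberately omits "SSLEngine on",
# which is the misconfiguration that makes port 443 speak plaintext HTTP.
cat >"$SAMPLE_CONF" <<'EOF'
# Dispatch port-443 requests by SNI hostname. Apache 2.2 needs
# NameVirtualHost; Apache 2.4 ignores it with a warning.
Listen 443
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www.privustech.com
    ServerAlias privustech.com
    DocumentRoot /srv/www/privustech
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl.crt/privustech.crt
    SSLCertificateKeyFile   /etc/apache2/ssl.key/privustech.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/privustech_ca.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName www.newportandbeyond.org
    ServerAlias newportandbeyond.org
    DocumentRoot /srv/www/newportandbeyond
    SSLCertificateFile      /etc/apache2/ssl.crt/newportandbeyond.crt
    SSLCertificateKeyFile   /etc/apache2/ssl.key/newportandbeyond.key
</VirtualHost>
EOF

# audit_ssl_vhosts FILE
# Prints "OK <ServerName>" or "MISSING-SSLEngine <ServerName>" for each
# <VirtualHost *:443> block in FILE. Exit status 1 if any block lacks the
# directive. Plain awk, so it runs under /bin/sh without bashisms.
audit_ssl_vhosts() {
    awk '
        /^[ \t]*<VirtualHost[ \t]+[^>]*:443>/ { inblock = 1; name = "?"; ssl = 0; next }
        inblock && /^[ \t]*ServerName[ \t]/         { name = $2 }
        inblock && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1 }
        inblock && /^[ \t]*<\/VirtualHost>/ {
            if (ssl) print "OK " name
            else { print "MISSING-SSLEngine " name; bad = 1 }
            inblock = 0
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# count_missing_sslengine FILE: number of :443 vhosts that would serve
# plaintext HTTP instead of TLS.
count_missing_sslengine() {
    audit_ssl_vhosts "$1" | grep -c '^MISSING-SSLEngine'
}

# Run the audit on the constructed sample.
audit_ssl_vhosts "$SAMPLE_CONF" || echo "at least one :443 vhost is missing SSLEngine on"
```

Run it against the real /etc/apache2 include files instead of the sample, then confirm with "apachectl configtest" and, from outside the box, "openssl s_client -connect www.privustech.com:443 -servername www.privustech.com": a TLS handshake with the expected certificate chain should come back, not an HTTP error page. The audit deliberately checks only the one directive whose absence produces the record-too-long symptom; it does not validate the certificate files themselves, which the first post already covers with openssl verify.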