Old 12-23-2015, 10:00 AM   #1
alavarre
SSL on Apache2 host with multiple Virtual Hosts...


I cannot connect to port 443 (https) on a server with multiple Virtual Hosts. Needless to say, I've spent hours googling, analyzing, and experimenting before coming here. Below is a synopsis; can anyone please point out the obvious omission?

Basic problem:
https://www.ssllabs.com/ssltest/anal...privustech.com
No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").

======================

This is all quite maddening. I'm sure it's easy when you know how, but at present I do not know how. My logs show that it used to work (05/01/14), but following that log does not work now:
http://genietvanhetleven.blogspot.com/2014/05/setting-up-sni-virtual-hosts-and-secure.html

I cannot get SSL to work on the URLs:
https://www.privustech.com
https://newportandbeyond.org

even though normal port 80 connections work just fine. These are all virtual hosts on an OpenSUSE 13.1 Apache server at 70.186.159.22.

Firefox returns
An error occurred during a connection to privustech.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

https://www.ssllabs.com/ssltest/anal...privustech.com
reports
No secure protocols supported
----------
We are not using a proxy server to my knowledge.
http://stackoverflow.com/questions/119336/ssl-error-rx-record-too-long-and-apache-ssl


I have added the CA certificate to the browser(s) (Firefox, Chromium).

The site (70.186.159.22) has eight virtual hosts:
privustech.com
www.privustech.com
truthcourage.org
www.truthcourage.org
genietvanhetleven.org
www.genietvanhetleven.org
newportandbeyond.org
www.newportandbeyond.org

All of them are set to listen *. I tried changing one to listen *:443, no change.

SNI is enabled by default on openSUSE.
https://activedoc.opensuse.org/book/...he-http-server
yast2 defaults to identifying the virtual hosts by name, rather than IP:
"Determine Request Server by HTTP Headers"
although there is no explicit setting I can find in yast2 to specify settings for Name-Based Virtual Hosts:
https://activedoc.opensuse.org/de/no...t.named_vhosts
so it may have to be configured by hand... This option is configured in the configuration file
/etc/apache2/listen.conf
All the *NameVirtualHost* entries are commented out.
I uncommented
Code:
NameVirtualHost
Listen *:80
Listen *:443
but no change.

Apache2 is configured by /etc/apache2/httpd.conf and its Include'd subordinate xxx.conf files, in particular
/etc/apache2/ssl-global.conf
This file claims
Code:
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
So I should not have to enter entries into each vhost module, although I tried changing one host from
Code:
listen *
to
Code:
listen *:443
and it didn't make any difference.
/etc/apache2/listen.conf contains
Code:
#NameVirtualHost *
Listen *:80
Listen *:443
I have enabled SSL in yast2 http-server by enabling the ssl module under yast2 http-server →Server Modules

The system is opensuse 13.1. The configurator (yast2 http-server) claims to overwrite any manual changes to the configuration file httpd.conf and its included files, including /etc/apache2/listen.conf and /etc/apache2/ssl-global.conf. However, yast2 http-server does not apparently have any way to set the document locations, so I do so manually in /etc/apache2/ssl-global.conf. I have placed verified and validated keys and certs in the right places, and edited the included /etc/apache2/ssl-global.conf to point to them correctly:
Code:
SSLCertificateFile /etc/apache2/ssl.crt/privustech.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/privustech.key
SSLCertificateChainFile /etc/apache2/ssl.crt/startssl_ca.pem
SSLCACertificatePath /etc/apache2/ssl.crt/
SSLCACertificateFile  /etc/apache2/ssl.crt/startssl_ca.pem
I have tried both self-signed and StartSSL-signed documents:
xxx.key
xxx.crt
xxx_ca.pem
They all verify, both the key-cert combination and the chain (key-cert-CA cert).
Code:
openssl verify ...
The server is happy with the configuration files
Code:
apachectl configtest
Syntax OK
and happily restarts after any amendments to the .conf files.

All the readings I've done say to include:
Code:
SSLEngine On
But this switch does not appear in either /etc/apache2/httpd.conf or /etc/apache2/ssl-global.conf, not even commented out, so may be deprecated.

The key and certs reside in
/etc/apache2/:
ssl.crt/
ssl.key/

I'm sure the answer is easy, but I haven't found it.

Thanks in advance, Andy
 
Old 12-25-2015, 11:56 AM   #2
linuxtech99
Were you able to telnet to port 443 locally on the server?
Quote:
telnet localhost 443 or telnet 70.186.159.22 443
If so, did you make sure the host-based firewalls like iptables and the network firewalls are allowed to talk to port 443?

If port 443 is not listening inside the host, what do you see in the ssl_error.log file?
 
Old 12-28-2015, 05:46 AM   #3
fmattheus
Your server is listening on port 443. This can easily be tested by telnetting to port 443:

Code:
> telnet privustech.com 443
Trying 70.186.159.22...
Connected to privustech.com.
Escape character is '^]'.
But https doesn't work, as you said. However, http on port 443 DOES work:
Code:
> wget http://privustech.com:443/
--2015-12-28 12:38:49--  http://privustech.com:443/
Resolving privustech.com (privustech.com)... 70.186.159.22
Connecting to privustech.com (privustech.com)|70.186.159.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345 [text/html]
Saving to: index.html
You need to set up a separate VirtualHost for the domain in question and enable SSL in that VirtualHost.

Create a file like /etc/apache2/sites-available/www.privustech.com_ssl.conf and the contents need to look something like the following.
Code:
<VirtualHost *:443>
    ServerName www.privustech.com

    # Without SSLEngine On in this vhost, Apache answers plain HTTP on 443
    # (which is exactly what the wget above shows)
    SSLEngine On
    # Paths without a leading / are resolved relative to ServerRoot
    SSLCertificateFile      ssl/www.privustech.com.crt
    SSLCertificateKeyFile   ssl/www.privustech.com.key
    SSLCertificateChainFile ssl/digicert.intermediates.crt
</VirtualHost>
And then enable that virtualhost with something like
Code:
# a2ensite www.privustech.com_ssl
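Added example (not from either poster): a small Python probe that does what the telnet and wget tests above do, but from the TLS side. It sends a real ClientHello with an SNI extension to the port and classifies the first bytes that come back. This also shows where Firefox's "record that exceeded the maximum permissible length" comes from: when Apache answers in plain HTTP, the client parses "HTTP/" as a TLS record header with length 0x502F (20527), more than the 2^14 + 2048 byte record limit. The host name is the thread's; the cipher list, the function names and the label strings are this example's own assumptions, and the classifier is exercised offline on constructed byte strings.

```python
"""Probe a port: is it speaking TLS, or plain HTTP (Apache vhost without SSLEngine On)?
Example code, not from the original thread.  Function names, cipher list and
classification labels are assumptions made for this example."""
import os
import socket
import struct

# TLSCiphertext.length must not exceed 2^14 + 2048 bytes (RFC 5246, section 6.2.3).
TLS_MAX_RECORD_LEN = 2 ** 14 + 2048


def parse_record_header(data):
    """Read the first 5 bytes the way a TLS client does: content type, version, length."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def record_too_long(data):
    """True if a TLS client would reject these bytes as an oversized record
    (Firefox: ssl_error_rx_record_too_long).  b'HTTP/' -> length 0x502F = 20527."""
    hdr = parse_record_header(data)
    return hdr is not None and hdr[2] > TLS_MAX_RECORD_LEN


def classify_response(data):
    """Classify the first bytes a server sends back after our ClientHello."""
    if not data:
        return "empty"                 # server closed the connection without answering
    if data.startswith(b"HTTP/"):
        return "plaintext-http"        # Apache serving HTTP on 443: no SSLEngine On in that vhost
    hdr = parse_record_header(data)
    if hdr is None:
        return "unknown"
    ctype, (major, _minor), length = hdr
    if major == 3 and length <= TLS_MAX_RECORD_LEN:
        if ctype == 0x16:
            return "tls-handshake"     # ServerHello: the port really speaks TLS
        if ctype == 0x15:
            return "tls-alert"         # TLS, but the server refused our hello (e.g. no common cipher)
    return "unknown"


def build_client_hello(servername):
    """Minimal TLS 1.2 ClientHello carrying an SNI extension (RFC 5246 7.4.1.2, RFC 6066 3)."""
    name = servername.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension_type server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    # A few common suites; the RSA ones need no extra extensions to be negotiable.
    ciphers = b"".join(struct.pack("!H", c) for c in (0xC02F, 0xC030, 0x009C, 0x002F, 0x0035))
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(ciphers)) + ciphers   # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    # Record layer: content type handshake(22), legacy version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, servername=None, timeout=5.0):
    """Connect, send the ClientHello, and classify the first bytes the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(servername or host))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.privustech.com"
    print(host, "->", probe(host))
```

Run it as `python3 probe.py www.privustech.com`. A server in the state described in this thread prints "plaintext-http"; once the vhost has SSLEngine On it prints "tls-handshake". Passing a different servername than the host you connect to lets you check that each SNI name is picked up by the right vhost.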
 
  

