I'm having some issues getting SSL to work over Apache2 on an Ubuntu 10.04 server. I've tried hours' worth of different iterations of making certificates and configuring virtual hosts to no avail. Here is where I'm at now:
I can access my web server at "http://me.net" port 80 just fine.
I can access my server over SSL using "https://[myserver-ip]"
I cannot access my server over SSL using "https://me.net"
"openssl s_client -connect me.net:443" returns:
Code:
CONNECTED(00000003)
depth=0 /CN=mail.me.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=mail.me.net
verify return:1
---
Certificate chain
0 s:/CN=mail.me.net
i:/CN=mail.me.net
---
Server certificate
-----BEGIN CERTIFICATE-----
[shows cert]
-----END CERTIFICATE-----
subject=/CN=mail.me.net
issuer=/CN=mail.me.net
---
No client certificate CA names sent
---
SSL handshake has read 1006 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: [shows session id]
Session-ID-ctx:
Master-Key: [shows master key]
Key-Arg : None
Start Time: 1340892388
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Here's the ssl.conf I'm using to configure the virtual host:
Code:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    SSLEngine On
    # No SSLCertificateKeyFile is given, so apache.pem must contain both the
    # private key and the certificate (mod_ssl reads the key from the
    # certificate file when the key file directive is absent).
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # Commented out for Ubuntu
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
The error.log was useless and showed absolutely nothing, so I enabled what's supposed to be debug-level logging for mod_ssl and get this when I restart Apache:
Code:
[Thu Jun 28 07:12:54 2012] [info] Init: Seeding PRNG with 656 bytes of entropy
[Thu Jun 28 07:12:54 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Jun 28 07:12:54 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Jun 28 07:12:54 2012] [info] Init: Initializing (virtual) servers for SSL
[Thu Jun 28 07:12:54 2012] [info] mod_ssl/2.2.14 compiled against Server: Apache/2.2.14, Library: OpenSSL/0.9.8k
[Thu Jun 28 07:12:54 2012] [info] Init: Seeding PRNG with 656 bytes of entropy
[Thu Jun 28 07:12:54 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Jun 28 07:12:54 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(272): for 511920 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(310): subcache_size = 15992
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3208
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 12784
[Thu Jun 28 07:12:54 2012] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Thu Jun 28 07:12:54 2012] [info] Shared memory session cache initialised
[Thu Jun 28 07:12:54 2012] [info] Init: Initializing (virtual) servers for SSL
[Thu Jun 28 07:12:54 2012] [info] mod_ssl/2.2.14 compiled against Server: Apache/2.2.14, Library: OpenSSL/0.9.8k
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 6309 for worker proxy:reverse
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 6309 for (*)
[Thu Jun 28 07:12:54 2012] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.17 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k configured -- resuming normal operations
[Thu Jun 28 07:12:54 2012] [info] Server built: Mar 5 2012 16:42:17
[Thu Jun 28 07:12:54 2012] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem)
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 6307 for worker proxy:reverse
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1825): proxy: worker proxy:reverse already initialized
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 6307 for (*)
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 6310 for worker proxy:reverse
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1825): proxy: worker proxy:reverse already initialized
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 6310 for (*)
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 6308 for worker proxy:reverse
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1825): proxy: worker proxy:reverse already initialized
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 6308 for (*)
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 6311 for worker proxy:reverse
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1825): proxy: worker proxy:reverse already initialized
[Thu Jun 28 07:12:54 2012] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 6311 for (*)
Unfortunately this "debugging log" shows absolutely no errors when I try and fail to access the server using the URL "https://me.net", to which Chrome says "the connection attempt was rejected".
With Apache off, my netstat -a | egrep 'Proto|LISTEN' shows:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 mail.me.net:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:953 *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:6736 *:* LISTEN
tcp6 0 0 [::]:domain [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 localhost:953 [::]:* LISTEN
I would appreciate any ideas to debug this thing as reinstalling the server to try to fix this would be many hours of suck.
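The symptom above (https by IP works, https by name is refused, yet openssl s_client on the name succeeds from the server) is usually a resolver or reachability difference between the client and the server, not a mod_ssl fault. The script below is an added diagnostic example, not code from the post or from the Apache project. It resolves the hostname the way the client does, probes TCP 443 on every returned address, compares that with the IP that is known to work, and finally checks whether the served certificate's CN/SAN names actually cover the hostname (the post's certificate is for mail.me.net, so https://me.net will warn even once connectivity is fixed). Assumptions: the hostname and the working IP are passed on the command line, and the server presents a self-signed certificate, which the name-extraction step relies on by trusting the fetched certificate as its own anchor.

```python
"""Diagnose why https://<ip> works while https://<hostname> is refused.

Added diagnostic example (not from the forum post). Assumes: HOSTNAME and
WORKING_IP are given on the command line, and the server's certificate is
self-signed (as in the openssl s_client output in the post).
"""
import socket
import ssl
import sys
import tempfile

HTTPS_PORT = 443


def resolve(hostname, port=HTTPS_PORT):
    """Addresses the *local* resolver returns for hostname (what the browser will use)."""
    try:
        infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def tcp_open(addr, port=HTTPS_PORT, timeout=3.0):
    """True if something accepts a TCP connection on addr:port."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def cert_names(addr, port=HTTPS_PORT, timeout=3.0):
    """Return (commonName, [SAN dNSNames]) of the certificate served at addr.

    The certificate is fetched once, then loaded as the trust anchor so that
    getpeercert() hands back the parsed subject and SANs. That trick only
    verifies for a self-signed leaf, which is the assumed situation here.
    """
    pem = ssl.get_server_certificate((addr, port))
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as anchor:
        anchor.write(pem)
        anchor.flush()
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=anchor.name)
        ctx.check_hostname = False  # the name check is done by hostname_matches()
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                cert = tls.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans


def hostname_matches(hostname, cn, sans):
    """RFC 6125 style: SAN dNSNames are authoritative; CN is only a fallback when no SAN exists."""
    candidates = sans if sans else ([cn] if cn else [])
    host = hostname.lower().rstrip(".")
    for name in candidates:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # a wildcard covers exactly one leading label
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def diagnose(hostname, resolved, working_ip, reachable):
    """Explain the symptom from resolver and reachability data (pure, so it is testable offline).

    resolved   - addresses the resolver returned for hostname
    working_ip - the address that https://<ip> succeeds against
    reachable  - {addr: bool} from tcp_open() for each resolved address
    """
    if not resolved:
        return "hostname does not resolve; fix DNS or /etc/hosts on the client"
    if working_ip not in resolved:
        return ("hostname resolves to %s, not to %s; the client is talking to a different host "
                "(split DNS, stale record, or NAT without port 443 forwarded)"
                % (", ".join(sorted(resolved)), working_ip))
    dead = sorted(a for a in resolved if not reachable.get(a, False))
    if dead:
        return "nothing accepts TCP 443 on %s; check the Listen directive and firewall" % ", ".join(dead)
    return "name and address both reach port 443; look at the certificate name and the client, not at DNS"


def main(argv):
    if len(argv) != 3:
        print("usage: %s HOSTNAME WORKING_IP" % argv[0])
        return 2
    hostname, working_ip = argv[1], argv[2]
    resolved = resolve(hostname)
    reachable = {a: tcp_open(a) for a in resolved}
    print("resolver says %s -> %s" % (hostname, sorted(resolved) or "nothing"))
    for addr, ok in sorted(reachable.items()):
        print("  %s tcp/443 %s" % (addr, "open" if ok else "refused/timeout"))
    print("diagnosis:", diagnose(hostname, resolved, working_ip, reachable))
    if tcp_open(working_ip):
        cn, sans = cert_names(working_ip)
        verdict = "covers" if hostname_matches(hostname, cn, sans) else "does NOT cover"
        print("certificate CN=%s SAN=%s %s %s" % (cn, sans, verdict, hostname))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the machine where the browser fails, e.g. `python3 diag.py me.net 192.0.2.10` (IP constructed for illustration), and compare with the same run on the server: if the two resolver answers differ, that is the bug, and no amount of mod_ssl debug logging will show it because the connection never reaches Apache.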