LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 02-01-2006, 06:24 PM   #1
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Rep: Reputation: 30
Issue With modSSL


I have the mod installed and it is running, however Firefox gives me an error when I try to load my homepage in HTTPS... the access_log gives no error and here's a snippet of the ssl_engine_log:

Code:
[01/Feb/2006 19:34:18 07650] [info]  Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7g
[01/Feb/2006 19:34:18 07650] [info]  Init: 1st startup round (still not detached)
[01/Feb/2006 19:34:18 07650] [info]  Init: Initializing OpenSSL library
[01/Feb/2006 19:34:18 07650] [info]  Init: Seeding PRNG with 136 bytes of entropy
[01/Feb/2006 19:34:18 07650] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[01/Feb/2006 19:34:18 07650] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[01/Feb/2006 19:34:28 07652] [info]  Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7g
[01/Feb/2006 19:34:28 07652] [info]  Init: 1st startup round (still not detached)
[01/Feb/2006 19:34:28 07652] [info]  Init: Initializing OpenSSL library
[01/Feb/2006 19:34:28 07652] [info]  Init: Loading certificate & private key of SSL-aware server new.host.name:443
[01/Feb/2006 19:34:28 07652] [error] Init: Unable to read server certificate from file /etc/apache/ssl.crt/server.crt (OpenSSL library error follows)
[01/Feb/2006 19:34:28 07652] [error] OpenSSL: error:0D06B08E:asn1 encoding routines:ASN1_d2i_bio:not enough data
 
Old 02-01-2006, 07:02 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Did you generate keys/certificates for the server? One of the error messages says it's generating its own temporary keys. The last 2 lines look like it wasn't able to generate the keys due to a lack of entropy.
 
Old 02-01-2006, 07:05 PM   #3
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
I did the full install of 10.2... there's a bunch of folders pertaining to SSL in the apache folder, including the file: server.crt
 
Old 02-02-2006, 02:47 AM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
According to the README.crt file in the same directory as server.crt (installed by mod_ssl-2.8.24_1.3.33-i486-1) that is a dummy file that "may be overwritten by the `make certificate' target under built-time". What do you get if you type `cat /etc/apache/ssl.crt/server.crt`? (I'm assuming you've installed the package to the default location)
 
Old 02-02-2006, 04:53 PM   #5
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
lol it says:

THIS FILE HAS TO BE REPLACED BY A REAL SERVER CERTIFICATE! (SKIPME)


so how do I make a cert?

I tried:

openssl req -new -key privkey.pem -out cert.csr

but it says it can't find the private key

Last edited by scrupul0us; 02-02-2006 at 04:59 PM.
 
Old 02-02-2006, 05:33 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
That's right - you have to have the key first. If you want self-signed certs you can do something like:

Code:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -x509 -days 365 -out server.crt
If you want to get a cert signed by a certificate authority, have a look at http://www.modssl.org/related/howto.html and http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html#ss3.1 - this second one is old, but should still be valid.
 
Old 02-02-2006, 05:42 PM   #7
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
OK.. cert is all set up... I'm still not able to view my website via SSL... when I try:

apachectl startssl

it tells me it cannot start, but it will start without SSL
 
Old 02-02-2006, 06:14 PM   #8
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
I can't get to a box with Apache installed on it at the moment to check, but I think apachectl -t will check the syntax of your config file. Can you post any errors you get from that please?
 
Old 02-02-2006, 10:01 PM   #9
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
I ran:

apachectl configtest

and I get back

syntax OK

as I stated... apache runs fine... lemme get a snippet of the mod_ssl_engine log and post its latest stuff
 
Old 02-02-2006, 10:12 PM   #10
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
Code:
[02/Feb/2006 23:20:18 04091] [info]  Init: 1st restart round (already detached)
[02/Feb/2006 23:20:18 04091] [info]  Init: Reinitializing OpenSSL library
[02/Feb/2006 23:20:18 04091] [info]  Init: Seeding PRNG with 1160 bytes of entropy
[02/Feb/2006 23:20:18 04091] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[02/Feb/2006 23:20:18 04091] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[02/Feb/2006 23:20:18 04091] [info]  Init: Initializing (virtual) servers for SSL
[02/Feb/2006 23:22:36 04091] [info]  Init: 2nd restart round (already detached)
[02/Feb/2006 23:22:36 04091] [info]  Init: Reinitializing OpenSSL library
[02/Feb/2006 23:22:36 04091] [info]  Init: Seeding PRNG with 1160 bytes of entropy
[02/Feb/2006 23:22:36 04091] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[02/Feb/2006 23:22:36 04091] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[02/Feb/2006 23:22:36 04091] [info]  Init: Initializing (virtual) servers for SSL
[02/Feb/2006 23:25:15 04383] [info]  Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7g
[02/Feb/2006 23:25:15 04383] [info]  Init: 1st startup round (still not detached)
[02/Feb/2006 23:25:15 04383] [info]  Init: Initializing OpenSSL library
[02/Feb/2006 23:25:15 04383] [info]  Init: Loading certificate & private key of SSL-aware server www.ironchefbadass.com:443
[02/Feb/2006 23:25:15 04383] [error] Init: Unable to read server certificate from file /etc/apache/ssl.crt/server.crt (OpenSSL library error follows)
[02/Feb/2006 23:25:15 04383] [error] OpenSSL: error:0D06B08E:asn1 encoding routines:ASN1_d2i_bio:not enough data
[02/Feb/2006 23:39:42 04396] [info]  Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7g
[02/Feb/2006 23:39:42 04396] [info]  Init: 1st startup round (still not detached)
[02/Feb/2006 23:39:42 04396] [info]  Init: Initializing OpenSSL library
[02/Feb/2006 23:39:42 04396] [info]  Init: Seeding PRNG with 136 bytes of entropy
[02/Feb/2006 23:39:42 04396] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[02/Feb/2006 23:39:43 04396] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[02/Feb/2006 23:39:44 04397] [info]  Init: 2nd startup round (already detached)
[02/Feb/2006 23:39:44 04397] [info]  Init: Reinitializing OpenSSL library
[02/Feb/2006 23:39:44 04397] [info]  Init: Seeding PRNG with 136 bytes of entropy
[02/Feb/2006 23:39:44 04397] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[02/Feb/2006 23:39:44 04397] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[02/Feb/2006 23:39:44 04397] [info]  Init: Initializing (virtual) servers for SSL
is what I get after I restart apache and try to hit the site via https

how can it not read the cert???

here's the perms on server.crt:

-rw-r--r-- 1 root root 68 2001-10-16 08:05 server.crt


error log is clean of any SSL errors

I'll also add that port 443 is forwarded to my webserver... I can't think of what would be preventing this from working

Last edited by scrupul0us; 02-02-2006 at 10:31 PM.
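An added check, not from the thread, for what the listing above and the repeated `ASN1_d2i_bio:not enough data` point to: a server.crt that is 68 bytes and dated 2001 is the package's placeholder text, not a PEM certificate, so mod_ssl finds no DER structure to decode. The Python below classifies a server.crt's contents the way the loader experiences them (placeholder, no PEM armour, truncated DER, sound framing); the placeholder string and the DER blobs are constructed samples, and none of them is a real certificate.

```python
import base64
import re

# Constructed sample: the dummy server.crt text from the thread (67 chars + newline = 68 bytes, the size ls -l showed).
DUMMY_CRT = b"THIS FILE HAS TO BE REPLACED BY A REAL SERVER CERTIFICATE! (SKIPME)\n"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_declared_length(der: bytes):
    """Outer DER header of a certificate (SEQUENCE, tag 0x30) -> (header_len, body_len), or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2, first
    n = first & 0x7F                       # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")

def check_cert_blob(data: bytes) -> str:
    """Classify server.crt contents as mod_ssl's certificate loader would experience them."""
    m = PEM_RE.search(data)
    if not m:
        if data.strip().startswith(b"THIS FILE HAS TO BE REPLACED"):
            return "placeholder"           # package dummy was never replaced
        return "no-pem"                    # empty file, a CSR pasted in, wrong file, ...
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        return "bad-base64"
    hdr = der_declared_length(der)
    if hdr is None:
        return "bad-der"
    header_len, body_len = hdr
    if len(der) - header_len < body_len:
        return "truncated"                 # the condition "ASN1_d2i_bio:not enough data" reports
    if len(der) - header_len > body_len:
        return "trailing-garbage"
    return "ok"                            # framing is sound; openssl x509 -noout -text can check the rest

def pem_wrap(der: bytes) -> bytes:
    """PEM-armour a DER blob with 64-column base64 lines (used here to build test inputs)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

# Constructed DER blobs: a SEQUENCE whose long-form length (0x0100) matches its body, and the same blob cut short.
WELL_FRAMED_DER = b"\x30\x82\x01\x00" + b"\x00" * 0x100
TRUNCATED_DER = WELL_FRAMED_DER[:-10]
```

Run `check_cert_blob(open("/etc/apache/ssl.crt/server.crt", "rb").read())` on the box; anything other than "ok" explains the startup error before any permissions or port-forwarding question arises.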
 
Old 02-03-2006, 12:26 AM   #11
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Did you get any errors creating the self-signed certificate, and did it ask you for a passphrase when you started Apache (it's possible to strip the passphrase out, I don't know if you did that)? The following are from the Apache docs and might help highlight what is happening with the cert. I got this from http://httpd.apache.org/docs/2.0/ssl...html#httpstest:

Try a second carriage return after the GET / HTTP/1.0 with this one

Code:
$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0
Code:
curl https://localhost/
curl -k https://localhost/
Sorry it's not more informative...
 
Old 02-03-2006, 09:33 AM   #12
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
When I made the cert I got no errors; it DID ask for a passphrase.

As for the first code block:

Code:
root@SERVER:~# openssl s_client -connect localhost:443 -state -debug
connect: Connection refused
connect:errno=29
this:
$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0


won't work when the GET is on the other line


and the second:
Code:
root@SERVER:~# curl https://localhost/
curl: (7) couldn't connect to host
root@SERVER:~# curl -k https://localhost/
curl: (7) couldn't connect to host

Last edited by scrupul0us; 02-03-2006 at 09:35 AM.
 
Old 02-03-2006, 02:36 PM   #13
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
It sounds like it's going through its startup but still not being able to use the cert. If it's actually running http & https you should get a similar output to the following:

Code:
# netstat -ape | egrep ':https .* LISTEN|:443 .* LISTEN|:http .* LISTEN|:80 .* LISTEN'
tcp        0      0 *:http                  *:*                     LISTEN      root       1919713    21401/httpd
tcp        0      0 *:https                 *:*                     LISTEN      root       1919718    21401/httpd
About the only thing left (assuming you've left the conf file ssl settings at their defaults) is to confirm that the cert creation and copying to the /etc/apache/ssl.crt/server.crt and /etc/apache/ssl.key/server.key locations worked properly. The most useful doc I've seen for this is http://slacksite.com/apache/certificate.html
 
Old 02-03-2006, 09:41 PM   #14
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30
I tried that site and am still getting errors:

Code:
[03/Feb/2006 22:51:58 06718] [info]  Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7g
[03/Feb/2006 22:51:58 06718] [info]  Init: 1st startup round (still not detached)
[03/Feb/2006 22:51:58 06718] [info]  Init: Initializing OpenSSL library
[03/Feb/2006 22:51:58 06718] [info]  Init: Loading certificate & private key of SSL-aware server www.ironchefbadass.com:443
[03/Feb/2006 22:51:58 06718] [error] Init: Unable to read server certificate from file /etc/apache/ssl.crt/server.crt (OpenSSL library error follows)
[03/Feb/2006 22:51:58 06718] [error] OpenSSL: error:0D06B08E:asn1 encoding routines:ASN1_d2i_bio:not enough data
Could it be a permissions issue? Group and user for the apache folder are root and root.
 
Old 02-03-2006, 09:49 PM   #15
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
If the directory is world readable it should be OK. I have all of my apache stuff owned by apache:apache and world (or other if you prefer) permissions are set to zero. That way only root and apache can see it (and the apache user has no shell).

I'm at a bit of a loss, those are the same docs I used to create my keys/certs. I did compile my apache (2.0.55) manually though with:

Code:
./configure --with-layout=Apache --prefix=/usr/local/apache2 --enable-rule=SHARED_CORE --enable-so --enable-ssl --enable-rewrite --with-ssl=/usr/include
 