OS: RHEL 6.4
SELinux: permissive mode
Apache: 2.2, mod_fcgid, mod_suexec, mod_ssl enabled
Common Name: www.user.dept.university.edu

(Note: user names, accounts, organizations etc. sanitized)

Junior administrator. I have been trying to figure out why Apache will serve PHP-based web pages over port 80 but not over 443. Here is the virtual host block excerpt from httpd.conf:

[CODE]<VirtualHost *:80>
    ServerName user.dept.university.edu
    ServerAlias user
    DocumentRoot /home/user/public_html/subdirectory
    <IfModule mod_fcgid.c>
        SuexecUserGroup user user
        <Directory /home/user/public_html/subdirectory>
            Options +ExecCGI
            DirectoryIndex index.php index.html
            AllowOverride All
            AddHandler fcgid-script .php
            FcgiWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
</VirtualHost>[/CODE]

Here is the virtual host block excerpt from ssl.conf (I modified the RHEL6 default conf). Per the RH documentation, SSL is now handled via ssl.conf, so there are no 443-related entries for the virtual host in httpd.conf.

[CODE]LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost *:443

<VirtualHost xxx.xxx.xxx.xxx:443> #IP redacted
    ServerName www.user.dept.university.edu
    DocumentRoot /home/user/public_html/subdirectory
    <IfModule mod_fcgid.c>
        SuexecUserGroup user user
        <Directory /home/user/public_html/subdirectory>
            Options +ExecCGI
            AllowOverride All
            AddHandler fcgid-script .php
            FCGIWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/CA/user.crt
    SSLCertificateKeyFile /etc/pki/CA/private/user.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>[/CODE]

I'm waiting for the commercial SSL cert to arrive, so in the interim I'm using a self-signed OpenSSL cert. I was careful not to forget the "www" prefix in front of the Common Name when generating the cert.

I can access http://localhost via 80 with no problems. No errors in the Apache and suexec logs.

When I access https://localhost over 443 I get this browser error:

Here is the associated Apache error_log entry (but no suexec log errors):

When I access the site from the Internet on 80 it works fine.

When I access the site from the Internet over port 443 (https://blah blah) I get these errors:

The Apache log error:

The ssl_error_log:

I suspect an issue with the virtual host block in ssl.conf. The other possibility is I improperly generated the self-signed cert using the documentation from RH. Appreciate any insights!
You need another virtualhost for port 443 in httpd.conf:

[CODE]<VirtualHost *:443>
    ... add stuff here ...
</VirtualHost>[/CODE]
So I should literally duplicate the Vhost entries from ssl.conf into a virtualhost block for httpd.conf? This seems confusing since per RH documentation "ssl functionality has been moved to ssl.conf"
You are right about this; after installing mod_ssl in RHEL6 it will create ssl.conf with the necessary parameters to run port 443. Maybe the port is blocked, so try this:

[CODE]iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
service iptables save
service iptables restart[/CODE]
No, that's not the issue, although a logical thing to ask. Here is an excerpt of the current iptables:

So, my literature and web research shows the typical cause is an incorrectly configured SSL cert and/or key file. However, I should mention that I do get prompted for the passphrase (which authenticates just fine) whenever I restart Apache. So to me that indicates that at least Apache is finding the correct key and crt files.

I thought to add output from a command I just became aware of, httpd -S and DUMP_VHOSTS (again, real names etc. redacted):

[CODE][root@hostname user]# httpd -S
[Sun Apr 21 11:13:33 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
VirtualHost configuration:
xxx.xxx.xxx.xx:443     www.user.dept.university.edu (/etc/httpd/conf.d/ssl.conf:78)
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
         port 80 namevhost user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
                 alias user
Syntax OK[/CODE]

[CODE][root@hostname user]# httpd -D DUMP_VHOSTS
[Sun Apr 21 11:17:19 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
VirtualHost configuration:
xxx.xxx.xxx.xx:443     www.user.dept.university.edu (/etc/httpd/conf.d/ssl.conf:78)
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
         port 80 namevhost user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
                 alias user
Syntax OK[/CODE]

Also just learned about the curl command. localhost over port 80 returns the source of the index.php. localhost over 443 returns this:

[CODE][root@hostname user]# curl https://localhost
curl: (35) SSL connect error[/CODE]

I don't have enough familiarity with these commands, but I can see that at least Apache thinks for some reason the virtual host definition is lacking over 443.
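The following is an added example and not code from any post in this thread. It is a small linter for the two vhost excerpts posted in the question: it parses Apache's <Section> syntax, lists directives present in the :80 vhost but absent from the :443 one (the kind of side-by-side comparison that eventually resolves the thread), reports a NameVirtualHost address that no <VirtualHost> line matches (Apache 2.2 compares the address strings exactly, which is what the "NameVirtualHost *:443 has no VirtualHosts" warning above means when the vhost is declared on an explicit IP), and flags SSLProtocol/SSLCipherSuite values that still allow SSLv3, RC4 or LOW-grade ciphers. The two config strings are trimmed copies of the thread's excerpts; 192.0.2.10 stands in for the redacted IP and is an assumption.

```python
# Added example, not code from the thread: a small linter for the two vhost excerpts.
import re
from collections import namedtuple

Section = namedtuple("Section", "name args directives children")

# Constructed copy of the httpd.conf excerpt from the question (indentation added).
HTTPD_CONF = """\
<VirtualHost *:80>
    ServerName user.dept.university.edu
    ServerAlias user
    DocumentRoot /home/user/public_html/subdirectory
    <IfModule mod_fcgid.c>
        SuexecUserGroup user user
        <Directory /home/user/public_html/subdirectory>
            Options +ExecCGI
            DirectoryIndex index.php index.html
            AllowOverride All
            AddHandler fcgid-script .php
            FcgiWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
</VirtualHost>
"""

# Constructed copy of the ssl.conf vhost; 192.0.2.10 stands in for the redacted IP (assumption).
SSL_CONF = """\
NameVirtualHost *:443
<VirtualHost 192.0.2.10:443>
    ServerName www.user.dept.university.edu
    DocumentRoot /home/user/public_html/subdirectory
    <IfModule mod_fcgid.c>
        SuexecUserGroup user user
        <Directory /home/user/public_html/subdirectory>
            Options +ExecCGI
            AllowOverride All
            AddHandler fcgid-script .php
            FCGIWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
"""

_OPEN, _CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")

def parse(text):
    """Parse Apache config text into a Section tree (no Include or line-continuation support)."""
    root = Section("ROOT", "", [], [])
    stack = [root]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            sec = Section(m.group(1), m.group(2).strip(), [], [])
            stack[-1].children.append(sec)
            stack.append(sec)
        elif m := _CLOSE.match(line):
            if stack[-1].name.lower() != m.group(1).lower():
                raise ValueError("unbalanced </%s>" % m.group(1))
            stack.pop()
        else:
            parts = line.split(None, 1)
            stack[-1].directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError("unclosed <%s>" % stack[-1].name)
    return root

def vhosts(root):
    return [s for s in root.children if s.name.lower() == "virtualhost"]

def flatten(sec, path=()):
    """{(nesting path, directive name): value} for everything inside a section."""
    out = {(path, n): v for n, v in sec.directives}
    for child in sec.children:
        out.update(flatten(child, path + (child.name,)))
    return out

def missing_in(a, b):
    """Directives set in vhost a but absent at the same nesting level in vhost b."""
    fb = flatten(b)
    return sorted(k for k in flatten(a) if k not in fb)

def unmatched_namevhosts(root):
    """Apache 2.2 pairs NameVirtualHost with <VirtualHost> by the exact address string."""
    used = {v.args for v in vhosts(root)}
    return [v for n, v in root.directives if n == "namevirtualhost" and v not in used]

def tls_findings(vh):
    """Flag cipher tokens that enable LOW/RC4/EXPORT and an SSLProtocol that keeps SSLv3."""
    f, out = flatten(vh), []
    for tok in f.get(((), "sslciphersuite"), "").split(":"):
        if not tok.startswith("!") and re.search(r"\b(LOW|RC4|EXPORT)\b", tok):
            out.append("SSLCipherSuite enables weak token %r" % tok)
    proto = f.get(((), "sslprotocol"), "all").lower()
    if "-sslv3" not in proto and "-all" not in proto:
        out.append("SSLProtocol %r still allows SSLv3" % proto)
    return out
```

Running `missing_in(vhosts(parse(HTTPD_CONF))[0], vhosts(parse(SSL_CONF))[0])` reports `ServerAlias` at the top level and `DirectoryIndex` under IfModule/Directory as present only in the :80 vhost; `unmatched_namevhosts(parse(SSL_CONF))` returns `['*:443']` because the vhost is declared on an explicit IP, so either the NameVirtualHost line or the <VirtualHost> address needs changing to match; and `tls_findings` flags `RC4+RSA`, `+LOW` and the SSLv3-permitting SSLProtocol.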
This might show what's wrong:

[CODE]openssl s_client -connect localhost:443 -state -debug[/CODE]

And it might be offline too, so try:

[CODE]apachectl startssl[/CODE]
Ok, ran the openssl debug command and here is the output (again, sanitized some things):

[CODE][root@hostname user]# openssl s_client -connect localhost:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x9d2f90 [0xa72d50] (112 bytes => 112 (0x70))
0000 - 16 03 01 00 6b 01 00 00-67 03 01 51 74 47 e1 12   ....k...g..QtG..
.. [redacted] ..
0060 - 00 08 00 06 00 03 00 ff-01 00 00 04 00 23         .............#
0070 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x9d2f90 [0xa782b0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
139696306353992:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 112 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---[/CODE]

Thought to remind, this is Apache 2.2, so I got an error using "apachectl sslstart". Per this documentation, the command syntax should be "service httpd somecommand". But I think your point was to check to see if the httpd service is running, i.e. Apache is online? If so, recall the site in question works just fine over port 80.
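The following is an added example and not code from any post in this thread. The openssl output above shows the client sending a ClientHello (a record starting with 16 03 01) and getting back the seven bytes `3c 21 44 4f 43 54 59`, which is the ASCII text `<!DOCTY`, the start of an HTML page rather than a TLS ServerHello; that is why s_client reports "unknown protocol" and curl reports error 35. The script below builds a minimal ClientHello by hand, sends it to a host and port, and classifies the first bytes of the reply so that "the listener on 443 is answering in plaintext HTTP" is distinguished from a TLS alert or a real handshake. The ClientHello construction, the cipher list and the classification labels are this example's own assumptions, not something from the thread.

```python
# Added example, not code from the thread: classify what a server sends back on port 443.
import os
import socket
import struct

def client_hello(server_name):
    """Minimal TLS 1.2 ClientHello (constructed by hand) carrying an SNI extension."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list             # extension type 0 = server_name
    ciphers = b"\x00\x2f\x00\x35\xc0\x13\xc0\x14"                     # AES128/256-SHA, ECDHE-RSA-AES128/256-SHA
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # client_hello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(first_bytes):
    """Label the server's first reply bytes: a TLS record, plaintext HTTP, or something else."""
    if not first_bytes:
        return "empty"
    # A TLS record header is content type (0x16 handshake, 0x15 alert) followed by version 0x03 0x0X.
    if len(first_bytes) >= 3 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return {0x16: "tls-handshake", 0x15: "tls-alert"}.get(first_bytes[0], "tls-other")
    head = first_bytes.lstrip()
    if head.startswith(b"HTTP/") or head.startswith(b"<"):
        return "plaintext-http"   # an HTTP status line or HTML error page: no TLS on this socket
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello, and classify up to 64 bytes of whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(host))
        data = s.recv(64)
    return classify(data), data[:16]

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it as `python3 probe.py www.user.dept.university.edu` (script name is an assumption). A result of `plaintext-http` with `<!DOCTY` in the sample bytes reproduces what the thread's s_client run saw: the socket accepted the connection but answered as an HTTP listener, so the problem is in which vhost or listener serves 443, not in the certificate; `tls-alert` would instead point at a handshake-level disagreement such as an unusable cipher list or certificate.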
(Sigh) figured it out. I thought about the reply I just made, "...recall the site in question works just fine over port 80." So, I thought for the 3rd time to carefully compare the vhost block for 80 to the vhost entry in ssl.conf for 443. Somehow I missed this entry in the ssl.conf:

[CODE]DirectoryIndex index.php index.html[/CODE]

For security I included this directive for the port 80 vhost block but must have dropped it during all the nano editing in ssl.conf. So I can access the site now over SSL. However, after restart Apache still complains about:

[CODE][root@hostname user]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: [Sun Apr 21 16:43:21 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.user.dept.university.edu:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                           [  OK  ][/CODE]