
Apache virtual host work on 80 but not over 443

Discussion in 'Apache' started by kdwoell, Apr 18, 2013.

  1. kdwoell
    #1
    OS: RHEL 6.4
    SELinux: permissive mode
    Apache: 2.2, mod_fcgid, mod_suexec, mod_ssl enabled
    Common Name: www.user.dept.university.edu
    (Note: user names, accounts, organizations etc. sanitized)

    Junior administrator. I have been trying to figure out why Apache will serve PHP-based web pages over port 80 but not over 443. Here is the virtual host block excerpt from httpd.conf:

        <VirtualHost *:80>
            ServerName user.dept.university.edu
            ServerAlias user
            DocumentRoot /home/user/public_html/subdirectory
            <IfModule mod_fcgid.c>
                SuexecUserGroup user user
                <Directory /home/user/public_html/subdirectory>
                    Options +ExecCGI
                    DirectoryIndex index.php index.html
                    AllowOverride All
                    AddHandler fcgid-script .php
                    FcgiWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
                    Order allow,deny
                    Allow from all
                </Directory>
            </IfModule>
        </VirtualHost>

    Here is the virtual host block excerpt from SSL.conf (I modified the RHEL6 default conf). Per the RH documentation, SSL is now handled via ssl.conf, so there are no 443 related entries for the virtual host in httpd.conf.

        LoadModule ssl_module modules/mod_ssl.so
        SSLPassPhraseDialog builtin
        SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
        SSLSessionCacheTimeout 300
        SSLMutex default

        SSLRandomSeed startup file:/dev/urandom 256
        SSLRandomSeed connect builtin
        SSLCryptoDevice builtin
        NameVirtualHost *:443

        # IP redacted
        <VirtualHost xxx.xxx.xxx.xxx:443>
            ServerName www.user.dept.university.edu
            DocumentRoot /home/user/public_html/subdirectory
            <IfModule mod_fcgid.c>
                SuexecUserGroup user user
                <Directory /home/user/public_html/subdirectory>
                    Options +ExecCGI
                    AllowOverride All
                    AddHandler fcgid-script .php
                    FCGIWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
                    Order allow,deny
                    Allow from all
                </Directory>
            </IfModule>

            ErrorLog logs/ssl_error_log
            TransferLog logs/ssl_access_log
            LogLevel warn
            SSLEngine on
            SSLProtocol all -SSLv2
            SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
            SSLCertificateFile /etc/pki/CA/user.crt
            SSLCertificateKeyFile /etc/pki/CA/private/user.key
            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
            </Files>
            <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
            </Directory>
            SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
            CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </VirtualHost>

    I'm waiting for the commercial SSL cert to arrive, so in the interim I'm using a self-signed OpenSSL cert. I was careful not to forget the "www" prefixed in front of the Common Name when generating the cert.

    I can access http://localhost via 80 no problems. No errors in Apache and suexec logs.
    When I access https://localhost over 443 I get this browser error:

    Here is the associated Apache error_log entry (but no suexec log errors):
    When I access the site from the Internet on 80 it works fine. When I access the site from the Internet over port 443 (https://blah blah) I get these errors:

    The Apache log error:
    The ssl_error_log:
    I suspect an issue with the virtual host block in ssl.conf. The other possibility is I improperly generated the self-signed cert using the documentation from RH.
    Appreciate any insights!

    kdwoell, Apr 18, 2013
  2. evil0x (Well-Known Member)
    #2
    you need another virtualhost for port 443 in httpd.conf

        <VirtualHost *:443>
        ... add stuff here....
        </VirtualHost>

    evil0x, Apr 20, 2013
  3. kdwoell (Peon)
    #3
    So I should literally duplicate the vhost entries from ssl.conf into a virtualhost block for httpd.conf? This seems confusing since per RH documentation "ssl functionality has been moved to ssl.conf".

    kdwoell, Apr 21, 2013
  4. evil0x (Well-Known Member)
    #4
    you are right about this, after installing mod_ssl in RHEL6 it will create ssl.conf with the necessary parameters to run port 443
    maybe the port is blocked so try this:

        iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
        service iptables save
        service iptables restart

    evil0x, Apr 21, 2013
  5. kdwoell (Peon)
    #5
    No, that's not the issue, although a logical thing to ask. Here is an excerpt of the current iptables:

    So, my literature and web research shows the typical cause is an incorrectly configured SSL cert and/or key file. However I should mention that I do get prompted for the passphrase (which authenticates just fine) whenever I restart Apache. So to me that indicates that at least Apache is finding the correct key and crt files.
    I thought to add output from a command I just became aware of: httpd -S and DUMP_VHOSTS (again real names etc. redacted).

        [root@hostname user]# httpd -S
        [Sun Apr 21 11:13:33 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
        VirtualHost configuration:
        xxx.xxx.xxx.xx:443    www.user.dept.university.edu (/etc/httpd/conf.d/ssl.conf:78)
        wildcard NameVirtualHosts and _default_ servers:
        *:80                  is a NameVirtualHost
                default server user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
                port 80 namevhost user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
                        alias user
        Syntax OK

        [root@hostname user]# httpd -D DUMP_VHOSTS
        [Sun Apr 21 11:17:19 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
        VirtualHost configuration:
        xxx.xxx.xxx.xx:443    www.user.dept.university.edu (/etc/httpd/conf.d/ssl.conf:78)
        wildcard NameVirtualHosts and _default_ servers:
        *:80                  is a NameVirtualHost
                default server user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
                port 80 namevhost user.dept.university.edu (/etc/httpd/conf/httpd.conf:1070)
                        alias user
        Syntax OK

    Also just learned about the curl command. localhost over port 80 returns the source of the index.php. localhost over 443 returns this:

        [root@hostname user]# curl https://localhost
        curl: (35) SSL connect error

    I don't have enough familiarity with these commands but I can see at least Apache thinks for some reason the virtual host definition is lacking over 443.

    kdwoell, Apr 21, 2013
  6. evil0x (Well-Known Member)
    #6
    this might show whats wrong:

        openssl s_client -connect localhost:443 -state -debug

    and it might be offline too so try:

        apachectl startssl

    Last edited: Apr 21, 2013
    evil0x, Apr 21, 2013
  7. kdwoell (Peon)
    #7
    Ok, ran the openssl debug command and here is the output (again sanitized some things):

        [root@hostname user]# openssl s_client -connect localhost:443 -state -debug
        CONNECTED(00000003)
        SSL_connect:before/connect initialization
        write to 0x9d2f90 [0xa72d50] (112 bytes => 112 (0x70))
        0000 - 16 03 01 00 6b 01 00 00-67 03 01 51 74 47 e1 12  ....k...g..QtG..
        ..
        [redacted]
        ..
        0060 - 00 08 00 06 00 03 00 ff-01 00 00 04 00 23        .............#
        0070 - <SPACES/NULS>
        SSL_connect:SSLv2/v3 write client hello A
        read from 0x9d2f90 [0xa782b0] (7 bytes => 7 (0x7))
        0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
        SSL_connect:error in SSLv2/v3 read server hello A
        139696306353992:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 7 bytes and written 112 bytes
        ---
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        ---

    Thought to remind, this is Apache 2.2 so I got an error using "apachectl sslstart". Per this documentation, the command syntax should be "service httpd somecommand". But I think your point was to check to see the httpd service is running, i.e. Apache is online? If so, recall the site in question works just fine over port 80.

    kdwoell, Apr 21, 2013
  8. kdwoell (Peon)
    #8
    (Sigh) figured it out. I thought about the reply I just made, "...recall the site in question works just fine over port 80." So, I thought for the 3rd time to carefully compare the vhost block for 80 to the vhost entry in ssl.conf for 443. Somehow I missed this entry in the ssl.conf:
        DirectoryIndex index.php index.html

    For security I included this directive in the port 80 vhost block, but it must have been dropped during all the nano editing in ssl.conf. So I can access the site now over SSL.
    However, after restart Apache still complains about:

        [root@hostname user]# service httpd restart
        Stopping httpd:                                            [  OK  ]
        Starting httpd: [Sun Apr 21 16:43:21 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
        Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
        Some of your private key files are encrypted for security reasons.
        In order to read them you have to provide the pass phrases.

        Server www.user.dept.university.edu:443 (RSA)
        Enter pass phrase:

        OK: Pass Phrase Dialog successful.
                                                                  [  OK  ]

    kdwoell, Apr 21, 2013
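As an added example (not code from the thread), a small Python checker that reproduces the two findings above on constructed, trimmed copies of the two vhost excerpts: a directive present in the :80 block but missing from the :443 block (DirectoryIndex, the cause found in #8), and a NameVirtualHost address that no <VirtualHost> actually uses, which is what makes Apache 2.2 log "NameVirtualHost *:443 has no VirtualHosts" when the only 443 vhost is bound to an explicit IP instead of *:443. The address 203.0.113.10 stands in for the redacted IP and the config text is constructed from the thread's excerpts.

```python
import re

# Constructed, trimmed copies of the thread's two vhost excerpts (names sanitized as in the
# thread; 203.0.113.10 is a documentation address standing in for the redacted IP).
HTTPD_CONF = """<VirtualHost *:80>
    ServerName user.dept.university.edu
    DocumentRoot /home/user/public_html/subdirectory
    <Directory /home/user/public_html/subdirectory>
        DirectoryIndex index.php index.html
        AddHandler fcgid-script .php
    </Directory>
</VirtualHost>"""
SSL_CONF = """NameVirtualHost *:443
<VirtualHost 203.0.113.10:443>
    ServerName www.user.dept.university.edu
    DocumentRoot /home/user/public_html/subdirectory
    <Directory /home/user/public_html/subdirectory>
        AddHandler fcgid-script .php
    </Directory>
    SSLEngine on
</VirtualHost>"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Map each <VirtualHost> address to the set of directive names inside it (nested
    containers such as <Directory> are descended into; their tags are skipped)."""
    hosts = {}
    for addr, body in VHOST_RE.findall(text):
        names = hosts.setdefault(addr.split()[0], set())
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith(("#", "<")):
                names.add(line.split()[0].lower())
    return hosts

def vhost_for_port(hosts, port):
    """Directive names of the first vhost bound to the given port, e.g. '443'."""
    return next((n for a, n in hosts.items() if a.endswith(":" + port)), set())

def missing_on_443(httpd_conf, ssl_conf):
    """Directives set in the :80 vhost but absent from the :443 vhost."""
    plain = vhost_for_port(parse_vhosts(httpd_conf), "80")
    return sorted(plain - vhost_for_port(parse_vhosts(ssl_conf), "443"))

def unmatched_namevirtualhosts(text):
    """NameVirtualHost addresses that no <VirtualHost> uses; Apache 2.2 logs
    'NameVirtualHost X has no VirtualHosts' for each of these at startup."""
    declared = re.findall(r"^\s*NameVirtualHost\s+(\S+)", text, re.M | re.I)
    return [a for a in declared if a not in parse_vhosts(text)]
```

Running missing_on_443(HTTPD_CONF, SSL_CONF) on the sample yields ['directoryindex'], and unmatched_namevirtualhosts(SSL_CONF) yields ['*:443']; changing the 443 vhost address to *:443 makes the second list empty.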