Re: [users@httpd] Problem setting up ssl
On 2018-08-20 01:38 PM, Mahmood Naderan wrote:

[snip]

> Now, when I open https://w.x.y.z in firefox, I get
>
>   Your connection is not secure
>   The owner of 5.57.36.104 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
>
> So, I have to click on advanced and then "add exception". Is that related to apache configuration?

Apache? No -- it's related to what Firefox says on that page:

    5.57.36.104 uses an invalid security certificate.
    The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
    The certificate is only valid for the following names: *.scu.ac.ir, scu.ac.ir

and even then *it's_not_valid* -- a little further digging comes up with:

    scu.ac.ir uses an invalid security certificate.
    The certificate is only valid for *.scu.ac.ir
    The certificate expired on 2017-01-18 04:22 AM. The current time is 2018-08-21 10:38 AM.

which suggests to me that your certificate (or the one you are attempting to use) expired some twenty months ago...

Paul

---
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
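The two findings in the message above (name mismatch and expiry), reproduced as an added example that is not part of the original thread. The names, dates and IP address are the ones Firefox reported; the matching rules (a wildcard covers exactly one leftmost label, an IP address matches only an IP entry in the certificate) are the RFC 6125 conventions, assumed here, and the function names are hypothetical.

```python
import ipaddress
from datetime import datetime

# Values quoted from the Firefox error pages in the thread.
CERT_DNS_NAMES = ["*.scu.ac.ir", "scu.ac.ir"]
CERT_NOT_AFTER = datetime(2017, 1, 18, 4, 22)
BROWSER_CLOCK = datetime(2018, 8, 21, 10, 38)


def is_ip_literal(target):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125-style match: '*' may stand only for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # One label only, and never a bare public suffix such as '*.ir'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def certificate_problems(target, dns_names, not_after, now, ip_names=()):
    """Return (code, detail) pairs for every reason a client would reject."""
    problems = []
    if is_ip_literal(target):
        # An IP in the URL is compared with IP entries only, never DNS names.
        wanted = ipaddress.ip_address(target)
        if not any(ipaddress.ip_address(ip) == wanted for ip in ip_names):
            problems.append(("name_mismatch",
                             f"{target} is an IP address; certificate lists "
                             f"only {', '.join(dns_names)}"))
    elif not any(dns_name_matches(p, target) for p in dns_names):
        problems.append(("name_mismatch",
                         f"{target} not covered by {', '.join(dns_names)}"))
    if now > not_after:
        problems.append(("expired",
                         f"{(now - not_after).days} days past "
                         f"{not_after:%Y-%m-%d}"))
    return problems


if __name__ == "__main__":
    for host in ("5.57.36.104", "www.scu.ac.ir"):
        print(host, certificate_problems(host, CERT_DNS_NAMES,
                                         CERT_NOT_AFTER, BROWSER_CLOCK))
```

Even with a matching host name, the certificate from the thread still fails on expiry, so both problems have to be fixed.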
Re: [users@httpd] Problem setting up ssl
Hi Sander,

Nice to meet you. Based on your response here, you seem to be more educated with respect to web security and SSLs. I’m working on developing a startup that eliminates the difficulty obtaining and installing SSL certs. The process is overly complicated and ripe for disruption.

If this is something of interest to you, please send me your LinkedIn url and/or CV and some good days/times to chat.

Thanks,
Tony

On Tue, Aug 21, 2018 at 4:12 AM Sander Smeenk wrote:

> Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):
>
> > >Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?
> > # a2ensite default-ssl
> > Enabling site default-ssl.
>
> Well, there ya go.
>
> > Now, when I open https://w.x.y.z in firefox, I get
> > Your connection is not secure
>
> This is because SSL-certs require domain names and don't work properly
> with 'bare IP addresses'. You'll never get that fixed unless you start
> using a domainname and a correct certificate (LetsEncrypt for example).
>
> --
> | I'm a lousy dancer but my moods are swinging!
> | 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

--
Tony DiLoreto
President & CEO
Migliore Technologies Inc
716.997.2396
t...@miglioretechnologies.com
miglioretechnologies.com
*The best in the business...period!*
Re: [users@httpd] Problem setting up ssl
>This is because SSL-certs require domain names and don't work properly
>with 'bare IP addresses'. You'll never get that fixed unless you start
>using a domainname and a correct certificate (LetsEncrypt for example).

Thank you very much for the help.

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> >Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?
> # a2ensite default-ssl
> Enabling site default-ssl.

Well, there ya go.

> Now, when I open https://w.x.y.z in firefox, I get
> Your connection is not secure

This is because SSL-certs require domain names and don't work properly with 'bare IP addresses'. You'll never get that fixed unless you start using a domainname and a correct certificate (LetsEncrypt for example).

--
| I'm a lousy dancer but my moods are swinging!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
Re: [users@httpd] Problem setting up ssl
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> root@webshub:~# grep IfModule /etc/apache2/sites-available/default-ssl.conf
> #
> #

Ok.

> root@webshub:~# apachectl -S
> AH00558: apache2: Could not reliably determine the server's fully qualified
> domain name, using 127.0.1.1. Set the 'ServerName' directive globally to
> suppress this message
> VirtualHost configuration:
> *:80 127.0.1.1
> (/etc/apache2/sites-enabled/000-default.conf:1)
> ServerRoot: "/etc/apache2"

I would expect a *:443 line here too.
Somehow your config is not being parsed and Apache is not showing the SSL :443 vhost configuration.

--
| My Bonnie looked into a gas tank, the height of its contents to see!
| She lit a small match to assist her, oh bring back my Bonnie to me.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
Re: [users@httpd] Problem setting up ssl
>Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?

# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
#
# service apache2 restart
# systemctl reload apache2
#

Now, when I open https://w.x.y.z in firefox, I get

    Your connection is not secure
    The owner of 5.57.36.104 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

So, I have to click on advanced and then "add exception". Is that related to apache configuration? By proceeding to visit the website, I think it switches to https again.

In Edge, I get

    The hostname in the website’s security certificate differs from the website you are trying to visit.
    Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID

Since I am using IP address and the certificate is registered with a domain, I think that is the root of the problem. Am I right?

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
> root@webshub:~# grep IfModule /etc/apache2/sites-available/default-ssl.conf
> #
> #
> root@webshub:~# apachectl -S
> AH00558: apache2: Could not reliably determine the server's fully qualified
> domain name, using 127.0.1.1. Set the 'ServerName' directive globally to
> suppress this message
> VirtualHost configuration:
> *:80 127.0.1.1
> (/etc/apache2/sites-enabled/000-default.conf:1)
> ServerRoot: "/etc/apache2"

Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?
Re: [users@httpd] Problem setting up ssl
>Is mod_ssl actually loaded/enabled?
>Try removing the lines and check your
>httpd config syntax (apache2ctl -S)

root@webshub:~# grep IfModule /etc/apache2/sites-available/default-ssl.conf
#
#
root@webshub:~# apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
# apachectl -M | grep ssl_module
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
 ssl_module (shared)

>You could take a look at settings for ‘Redirects' in the Apache2 online docs
>too

Do you mean https://httpd.apache.org/docs/2.4/rewrite/remapping.html ?

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> As I posted earlier, SSLEngine is on
> $ cat /etc/apache2/sites-available/default-ssl.conf
>
> So, I really don't know why it listens to http!

Is mod_ssl actually loaded/enabled?
Try removing the lines and check your httpd config syntax (apache2ctl -S)

--
| Age is a very high price to pay for maturity.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
Re: [users@httpd] Problem setting up ssl
Hello Mahmood,

Please forgive me if you have already tried this, but have you read the man pages on HTTPD as there are some very useful command flags which can point out configuration settings.

You could take a look at settings for ‘Redirects' in the Apache2 online docs too.

I’m sorry if you have already tried all of this…

Regards,
Angel aka Rammsteinium.

> On 20 Aug 2018, at 12:18, Mahmood Naderan wrote:
>
> As I posted earlier, SSLEngine is on
>
> $ cat /etc/apache2/sites-available/default-ssl.conf
>
> ServerAdmin webmaster@localhost
>
> DocumentRoot /var/www/html
>
> Options FollowSymLinks
> AllowOverride All
> Order allow,deny
> allow from all
>
> LogLevel debug ssl:debug
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
> SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.crt
> SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.key
> SSLCertificateChainFile /home/mahmood/certi/intermediate.crt
>
> SSLEngine on
>
> SSLOptions +StdEnvVars
>
> SSLOptions +StdEnvVars
>
> So, I really don't know why it listens to http!
>
> Regards,
> Mahmood
Re: [users@httpd] Problem setting up ssl
As I posted earlier, SSLEngine is on

$ cat /etc/apache2/sites-available/default-ssl.conf

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all

LogLevel debug ssl:debug

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.crt
SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.key
SSLCertificateChainFile /home/mahmood/certi/intermediate.crt

SSLEngine on

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

So, I really don't know why it listens to http!

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> [mahmood@rocks7 ~]$ wget http://w.x.y.z:443
> Connecting to w.x.y.z:443... connected.
> HTTP request sent, awaiting response... 200 OK
> 2018-08-20 10:30:50 (1.95 MB/s) - ‘index.html.1’ saved [33229]
> Any thought?

Did you forget to put 'SSLEngine On' in your SSL-vhost definition?
The above quoted clearly shows your Apache is doing normal HTTP on port 443.

Also, SSL generally doesn't work well when connecting to just an IP-address. SSL certs contain a domain name, it has to match or you'll get certificate security warnings.

Use this config as a reference, assuming Apache 2.4+:

|
| ServerName www.example.com
| ServerAlias example.com
|
| DocumentRoot /var/vhosts/www.example.com/html
|
| RewriteEngine On
| RewriteCond %{REQUEST_URI} !^/.well-known/
| RewriteRule (.*) https://www.example.com$1 [R=301,L]
|
|
| ServerName www.example.com
| ServerAlias example.com
|
| AddDefaultCharset utf-8
|
| Header always add Strict-Transport-Security "max-age=15552000; includeSubDomains"
| Header always add X-Content-Type-Options "nosniff"
| Header always add X-Frame-Options "SAMEORIGIN"
| Header always add X-XSS-Protection "1; mode=block"
|
| SSLEngine On
| SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
| SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!SSLV3:!3DES:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:KRB5-DES-CBC3-SHA:"
| SSLOpenSSLConfCmd ECDHParameters secp384r1
| SSLOpenSSLConfCmd Curves secp384r1
|
| SSLCertificateChainFile /etc/letsencrypt/manual/chain.pem
| SSLCertificateFile /etc/letsencrypt/manual/www.example.com.crt
| SSLCertificateKeyFile /etc/letsencrypt/manual/www.example.com.key
| SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/manual/www.example.com.dh
|
| ErrorLog /var/vhosts/www.example.com/logs/error.log
| CustomLog /var/vhosts/www.example.com/logs/access.log combined
|
| DocumentRoot /var/vhosts/www.example.com/html/
|
| Options -Indexes
| Require all granted
|
|
| RewriteEngine On
|
| RewriteCond %{HTTP_HOST} !^www.example.com
| RewriteRule (.*) https://www.example.com$1 [R=301,L]
|

--
| Dopeler effect: The tendency of stupid ideas to seem smarter when they
| come at you rapidly.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
Re: [users@httpd] Problem setting up ssl
Hi Mahmood,

On Mon, Aug 20, 2018 at 8:11 AM Mahmood Naderan wrote:

> [mahmood@rocks7 ~]$ wget https://w.x.y.z
> --2018-08-20 10:30:43-- https://w.x.y.z/
> Connecting to w.x.y.z:443... connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
> Unable to establish SSL connection.
> [mahmood@rocks7 ~]$ wget http://w.x.y.z:443
> --2018-08-20 10:30:50-- http://w.x.y.z:443/
> Connecting to w.x.y.z:443... connected.
> HTTP request sent, awaiting response... 200 OK

It's exactly as Jens already said, you have an HTTP listener on the HTTPS port. Enable SSL for that vhost configuration (SSLEngine on and configuration of certificate, key and cipher suites) and it'll probably be just fine.

Regards,

--
Riemer Palstra
rie...@palstra.com
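What "an HTTP listener on the HTTPS port" looks like on the wire, as an added example that is not part of the original thread: a TLS client reads the first five bytes of the reply as a record header, so the text "HTTP/" turns into an impossible record length, which is the situation behind the browser's SSL_ERROR_RX_RECORD_TOO_LONG and wget's "unknown protocol". The sample byte strings are constructed, the function names are hypothetical, and the size limit is the TLS 1.2 record limit from RFC 5246.

```python
import socket
import ssl

# TLS record header: content type (1 byte), protocol version (2), length (2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Largest record length a TLS 1.2 peer may send (RFC 5246: 2^14 + 2048).
MAX_TLS_RECORD = 2**14 + 2048

# Constructed samples: a plain-HTTP reply, and the start of a TLS 1.2
# handshake record (type 22, version 3.3, length 90, ServerHello).
PLAIN_HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
TLS_SERVER_HELLO_START = bytes([22, 3, 3, 0, 90, 2])


def parse_record_header(data):
    """Interpret the first five bytes the way a TLS client must."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of server output")
    return data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")


def classify_first_bytes(data):
    """Return 'http', 'tls' or 'unknown' for the first bytes a listener sent."""
    if data.startswith(b"HTTP/"):
        return "http"
    if len(data) < 5:
        return "unknown"
    ctype, version, length = parse_record_header(data)
    if (ctype in TLS_CONTENT_TYPES and version[0] == 3
            and length <= MAX_TLS_RECORD):
        return "tls"
    return "unknown"


def tls_client_view(data):
    """Explain what a TLS client concludes from these bytes."""
    ctype, version, length = parse_record_header(data)
    if length > MAX_TLS_RECORD:
        return f"record too long: length field {length} exceeds {MAX_TLS_RECORD}"
    if ctype not in TLS_CONTENT_TYPES or version[0] != 3:
        return f"unknown protocol: type {ctype}, version {version[0]}.{version[1]}"
    return f"{TLS_CONTENT_TYPES[ctype]} record, {length} bytes"


def handshake_completes(host, port=443, timeout=5.0):
    """Live check: True if a TLS handshake succeeds on host:port.

    Certificate verification is switched off on purpose: this answers only
    "does the listener speak TLS?", not "is its certificate valid?".
    False means the handshake failed at the TLS layer for any reason.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for sample in (PLAIN_HTTP_REPLY, TLS_SERVER_HELLO_START):
        print(classify_first_bytes(sample), "->", tls_client_view(sample))
```

The bytes "P/" (0x50 0x2F) land in the length field, giving 20527, which is over the 18432-byte limit.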
Re: [users@httpd] Problem setting up ssl
Hi again

From another computer I tried to access the IP address via wget command. See this output

[mahmood@rocks7 ~]$ wget http://w.x.y.z
--2018-08-20 10:30:38-- http://w.x.y.z/
Connecting to w.x.y.z:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

[ <=> ] 33,229 --.-K/s in 0.009s

2018-08-20 10:30:38 (3.58 MB/s) - ‘index.html’ saved [33229]

[mahmood@rocks7 ~]$ wget https://w.x.y.z
--2018-08-20 10:30:43-- https://w.x.y.z/
Connecting to w.x.y.z:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
[mahmood@rocks7 ~]$ wget http://w.x.y.z:443
--2018-08-20 10:30:50-- http://w.x.y.z:443/
Connecting to w.x.y.z:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

[ <=> ] 33,229 --.-K/s in 0.02s

2018-08-20 10:30:50 (1.95 MB/s) - ‘index.html.1’ saved [33229]

[mahmood@rocks7 ~]$

Any thought?

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
>OTOH, seems to be some
>special setup, defaulting to an address from the loopback network
>(127.0.1.1).

I also noted that, but don't know what to do.

>As you seem to receive some resources via HTTP, the request should get
>logged somewhere.

I use "tail -f /var/log/apache2/access.log" and error.log on the console and then enter IP address in the browser. When I enter http://w.x.y.z the page is shown and access.log shows some messages. I also see some debug messages in error.log IMO, the messages aren't important! since I see the page in the browser. However, when I enter https://w.x.y.z nothing is shown in the console.

>You always tell you're accessing "w.x.y.z" and
>said "the server's page is reachable by an IP address", so I understand
>you're not using a host name, but IP address to connect. w.x.y.z reads
>like an IPv4 address, while your earlier report of open ports just
>gave an IPv6 port open for listening:
>
>root@webshub:~# netstat -tulpn | grep 443
>tcp6 0 0 :::443 :::*
>LISTEN 14709/apache2
>
>So there might be a chance your browser's requests doesn't even end up
>in *your* server.

I also think such thing is the root of the issue. Things are

1) Yes, I don't have hostname. So, I have to enter ip address.
2) The SSL certificates are created for our university where they have host name.
3) I don't know if the certificates are only usable with subdomains only. Any thought?
4) The netstat command shows the IPv6. Is that a firewall issue? iptables? ufw?

Here is the output of ufw

root@webshub:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
4:5/tcp                    ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
4:5/tcp (v6)               ALLOW       Anywhere (v6)

root@webshub:~# netstat -tulpn | grep 443
tcp6 0 0 :::443 :::* LISTEN 1114/apache2
root@webshub:~#

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
Hi,

Quoting Mahmood Naderan:

>> what's in the logs of your httpd server? Any errors reported during
>> httpd startup and/or your accesses?
>
> When I restart apache2 service, I see these lines in the syslog
>
> Aug 13 22:19:36 webshub systemd[1]: Stopping The Apache HTTP Server...
> Aug 13 22:19:36 webshub apachectl[20543]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
> Aug 13 22:19:37 webshub systemd[1]: Stopped The Apache HTTP Server.
> Aug 13 22:19:37 webshub systemd[1]: Starting The Apache HTTP Server...
> Aug 13 22:19:37 webshub apachectl[20554]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
> Aug 13 22:19:37 webshub systemd[1]: Started The Apache HTTP Server.

nothing that points to the root cause, then. OTOH, seems to be some special setup, defaulting to an address from the loopback network (127.0.1.1).

> However, apache/error.log and apache/access.log show nothing when I
> enter the IP address in the browser.

As you seem to receive some resources via HTTP, the request should get logged somewhere.

>> Another guess: what do you see in the browser if you try to access
>> http://w.x.y.z:443 (so actually trying to access your "SSL site" via
>> regular HTTP)? I believe to remember having seen that error when the
>> server spat out regular HTTP.
>
> http://w.x.y.z:443 works. I mean I can see the page. However it is not https.
> https://w.x.y.z:443 says the same error as before.

So your server (on port 443) is handing out http, not https. Seems to be some configuration issue then. The browser error (when using https://...) is just telling you "cannot interpret the server output as SSL/TLS traffic".

As one more step of diagnosis, you might want to ask httpd for its current (v)host setup (see "-S" option) and in your place, I'd try to find out where the accesses actually end up - there should be some logging somewhere. Another test would be to change the content of your html page (the one you believe to receive when requesting http://w.x.y.z:443) and double-check that the browser then receives the modified version.

Because: Might it be that the request ends up in a totally different server/httpd process? You always tell you're accessing "w.x.y.z" and said "the server's page is reachable by an IP address", so I understand you're not using a host name, but IP address to connect. w.x.y.z reads like an IPv4 address, while your earlier report of open ports just gave an IPv6 port open for listening:

root@webshub:~# netstat -tulpn | grep 443
tcp6 0 0 :::443 :::* LISTEN 14709/apache2

So there might be a chance your browser's requests doesn't even end up in *your* server.

Regards,
J
Re: [users@httpd] Problem setting up ssl
>what's in the logs of your httpd server? Any errors reported during
>httpd startup and/or your accesses?

When I restart apache2 service, I see these lines in the syslog

Aug 13 22:19:36 webshub systemd[1]: Stopping The Apache HTTP Server...
Aug 13 22:19:36 webshub apachectl[20543]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Aug 13 22:19:37 webshub systemd[1]: Stopped The Apache HTTP Server.
Aug 13 22:19:37 webshub systemd[1]: Starting The Apache HTTP Server...
Aug 13 22:19:37 webshub apachectl[20554]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Aug 13 22:19:37 webshub systemd[1]: Started The Apache HTTP Server.

However, apache/error.log and apache/access.log show nothing when I enter the IP address in the browser.

>Another guess: what do you see in the browser if you try to access
>http://w.x.y.z:443 (so actually trying to access your "SSL site" via
>regular HTTP)? I believe to remember having seen that error when the
>server spat out regular HTTP.

http://w.x.y.z:443 works. I mean I can see the page. However it is not https.
https://w.x.y.z:443 says the same error as before.

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
Quoting Mahmood Naderan:

>> Now, when I open https://w.x.y.z in the browser, I get
>> An error occurred during a connection to w.x.y.z. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
>
> Excuse me... Isn't there any idea?

what's in the logs of your httpd server? Any errors reported during httpd startup and/or your accesses?

Another guess: what do you see in the browser if you try to access http://w.x.y.z:443 (so actually trying to access your "SSL site" via regular HTTP)? I believe to remember having seen that error when the server spat out regular HTTP.

Regards,
J
Re: [users@httpd] Problem setting up ssl
>Now, when I open https://w.x.y.z in the browser, I get
>An error occurred during a connection to w.x.y.z. SSL received a record that exceeded the
>maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Excuse me... Isn't there any idea?
I searched the web about the error but there is no single solution for that and that error raises from several situations.

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
>In ports.conf have a 443 port listen configured? You enable mod_ssl with
>a2enmod mod_ssl?

root@webshub:~# netstat -tulpn | grep 443
tcp6 0 0 :::443 :::* LISTEN 14709/apache2

I enabled mod_ssl

root@webshub:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@webshub:~# service apache2 restart
root@webshub:~#

Now, when I open https://w.x.y.z in the browser, I get

    An error occurred during a connection to w.x.y.z. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Regards,
Mahmood
Re: [users@httpd] Problem setting up ssl
In ports.conf have a 443 port listen configured? You enable mod_ssl with a2enmod mod_ssl?

On Sun, Aug 12, 2018 at 2:52 PM Mahmood Naderan wrote:

> Hi,
>
> I am totally confused with the configuration of ssl via apache2. The
> server's page is reachable by an IP address. So, when I enter
> http://w.x.y.z I am able to see the web page and the content of
> /etc/apache2/sites-available/000-default.conf is
>
> DocumentRoot /var/www/html
>
> Options FollowSymLinks
> AllowOverride All
> Order allow,deny
> allow from all
>
> Now, what I do for the ssl is to first comment the above lines (because
> the virtualhost is on port 80). Then I paste the above lines in
> /etc/apache2/sites-available/default-ssl.conf and the content is shown
> below. Please note that the certificates were obtained by the network admin
> and are valid because the main website has FQDN.
>
> ServerAdmin webmaster@localhost
> DocumentRoot /var/www/html
>
> Options FollowSymLinks
> AllowOverride All
> Order allow,deny
> allow from all
>
> LogLevel debug ssl:warn
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
> SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.crt
> SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.key
> SSLCertificateChainFile /home/mahmood/certi/intermediate.crt
> SSLEngine on
>
> SSLOptions +StdEnvVars
>
> SSLOptions +StdEnvVars
>
> I also paste the following entries in /var/www/html/.htaccess
>
> RewriteEngine on
> RewriteCond %{SERVER_PORT} 443
> RewriteCond %{HTTP_HOST} ^(subdomain\.)?SOMEWHERE\.COM
> RewriteRule ^(.*)$ https://subdomain.SOMEWHERE.COM/$1 [R,L]
>
> The firewall status also looks fine
>
> root@webshub:~# ufw status
> Status: active
>
> To                         Action      From
> --                         ------      ----
> Apache Full                ALLOW       Anywhere
> OpenSSH                    ALLOW       Anywhere
> 20/tcp                     ALLOW       Anywhere
> 21/tcp                     ALLOW       Anywhere
> 990/tcp                    ALLOW       Anywhere
> 4:5/tcp                    ALLOW       Anywhere
> Apache Full (v6)           ALLOW       Anywhere (v6)
> OpenSSH (v6)               ALLOW       Anywhere (v6)
> 20/tcp (v6)                ALLOW       Anywhere (v6)
> 21/tcp (v6)                ALLOW       Anywhere (v6)
> 990/tcp (v6)               ALLOW       Anywhere (v6)
> 4:5/tcp (v6)               ALLOW       Anywhere (v6)
>
> After restarting apache2 service, still I see that http://w.x.y.z works
> but https://w.x.y.z is unreachable with the browser.
>
> Any thought is welcomed.
>
> Regards,
> Mahmood

--
Elias Pereira
[users@httpd] Problem setting up ssl
Hi,

I am totally confused with the configuration of ssl via apache2. The server's page is reachable by an IP address. So, when I enter http://w.x.y.z I am able to see the web page and the content of /etc/apache2/sites-available/000-default.conf is

DocumentRoot /var/www/html

Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all

Now, what I do for the ssl is to first comment the above lines (because the virtualhost is on port 80). Then I paste the above lines in /etc/apache2/sites-available/default-ssl.conf and the content is shown below. Please note that the certificates were obtained by the network admin and are valid because the main website has FQDN.

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all

LogLevel debug ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.crt
SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.key
SSLCertificateChainFile /home/mahmood/certi/intermediate.crt
SSLEngine on

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

I also paste the following entries in /var/www/html/.htaccess

RewriteEngine on
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} ^(subdomain\.)?SOMEWHERE\.COM
RewriteRule ^(.*)$ https://subdomain.SOMEWHERE.COM/$1 [R,L]

The firewall status also looks fine

root@webshub:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
4:5/tcp                    ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
4:5/tcp (v6)               ALLOW       Anywhere (v6)

After restarting apache2 service, still I see that http://w.x.y.z works but https://w.x.y.z is unreachable with the browser.

Any thought is welcomed.

Regards,
Mahmood