Re: [users@httpd] Problem setting up ssl

2018-08-21 Thread Stormy

On 2018-08-20 01:38 PM, Mahmood Naderan wrote:
[snip]

> Now, when I open https://w.x.y.z in firefox, I get
> Your connection is not secure
> The owner of 5.57.36.104 has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website.
> So, I have to click on advanced and then "add exception".
>
> Is that related to apache configuration?


Apache? No -- it's related to what Firefox says on that page:

5.57.36.104 uses an invalid security certificate. The certificate 
is not trusted because it was signed using a signature algorithm that 
was disabled because that algorithm is not secure. The certificate is 
only valid for the following names: *.scu.ac.ir, scu.ac.ir 


and even then *it's_not_valid* -- a little further digging comes up with:

scu.ac.ir uses an invalid security certificate.
The certificate is only valid for *.scu.ac.ir
The certificate expired on 2017-01-18 04:22 AM. The current time is 
2018-08-21 10:38 AM.


which suggests to me that your certificate (or the one you are 
attempting to use) expired some twenty months ago...


Paul

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
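
The two failures Firefox reports in the message above (a name mismatch when browsing by IP address, and an expired certificate) can be reproduced offline. This is an added example, not part of the original thread: the helper names are hypothetical, and the certificate names and dates are the ones quoted from Firefox above, treated as naive local times.

```python
import ipaddress
from datetime import datetime

# Values copied from the Firefox messages quoted in the thread (naive local times).
CERT_DNS_NAMES = ["*.scu.ac.ir", "scu.ac.ir"]
CERT_NOT_AFTER = datetime(2017, 1, 18, 4, 22)
BROWSER_TIME = datetime(2018, 8, 21, 10, 38)
# Constructed: a moment at which the certificate was still within its validity period.
BEFORE_EXPIRY = datetime(2016, 12, 1, 0, 0)


def is_ip_literal(host):
    """True when the user typed an IPv4/IPv6 address instead of a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(host, pattern):
    """Match one host name against one certificate DNS name.

    Follows the common RFC 6125 reading: '*' is accepted only as the entire
    left-most label and stands for exactly one label.
    """
    host_labels = host.lower().rstrip(".").split(".")
    pattern_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pattern_labels):
        return False
    if pattern_labels[0] == "*":
        return host_labels[0] != "" and host_labels[1:] == pattern_labels[1:]
    return host_labels == pattern_labels


def check_certificate(host, dns_names, not_after, now):
    """Return a list of (code, detail) problems; an empty list means both checks pass."""
    problems = []
    listed = ", ".join(dns_names)
    if is_ip_literal(host):
        # An address is compared with iPAddress entries only, never with DNS
        # names; the names quoted in the thread are all DNS names.
        problems.append(("name-mismatch",
                         "%s is an IP address; certificate lists only %s" % (host, listed)))
    elif not any(dns_name_matches(host, p) for p in dns_names):
        problems.append(("name-mismatch",
                         "%s is not covered by %s" % (host, listed)))
    if now > not_after:
        # Whole days elapsed since the notAfter date.
        problems.append(("expired", (now - not_after).days))
    return problems


if __name__ == "__main__":
    for host in ("5.57.36.104", "www.scu.ac.ir", "a.b.scu.ac.ir"):
        print(host, check_certificate(host, CERT_DNS_NAMES, CERT_NOT_AFTER, BROWSER_TIME))
```

Even a request by a matching host name still fails on the second check, which is why a renewed certificate is needed in addition to a host name.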



Re: [users@httpd] Problem setting up ssl

2018-08-21 Thread Tony DiLoreto
Hi Sander,

Nice to meet you. Based on your response here, you seem to be more educated
with respect to web security and SSLs. I’m working on developing a startup
that eliminates the difficulty obtaining and installing SSL certs. The
process is overly complicated and ripe for disruption.


If this is something of interest to you, please send me your LinkedIn url
and/or CV and some good days/times to chat.


Thanks,

Tony

On Tue, Aug 21, 2018 at 4:12 AM Sander Smeenk 
wrote:

> Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):
>
> >  >Is default-ssl site "enabled" via the debian/ubuntu tools e.g.
> a2ensite?
> > # a2ensite default-ssl
> > Enabling site default-ssl.
>
> Well, there ya go.
>
> > Now, when I open https://w.x.y.z in firefox, I get
> > Your connection is not secure
>
> This is because SSL-certs require domain names and don't work properly
> with 'bare IP addresses'. You'll never get that fixed unless you start
> using a domainname and a correct certificate (LetsEncrypt for example).
>
> --
> | I'm a lousy dancer but my moods are swinging!
> | 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
>
>
> --
Tony DiLoreto
President & CEO
Migliore Technologies Inc

716.997.2396
t...@miglioretechnologies.com



miglioretechnologies.com
*The best in the business...period!*


Re: [users@httpd] Problem setting up ssl

2018-08-21 Thread Mahmood Naderan
>This is because SSL-certs require domain names and don't work properly
>with 'bare IP addresses'. You'll never get that fixed unless you start
>using a domainname and a correct certificate (LetsEncrypt for example).


Thank you very much for the help.


Regards,
Mahmood 



Re: [users@httpd] Problem setting up ssl

2018-08-21 Thread Sander Smeenk
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

>  >Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?
> # a2ensite default-ssl
> Enabling site default-ssl.

Well, there ya go.

> Now, when I open https://w.x.y.z in firefox, I get
> Your connection is not secure

This is because SSL-certs require domain names and don't work properly
with 'bare IP addresses'. You'll never get that fixed unless you start
using a domainname and a correct certificate (LetsEncrypt for example).

-- 
| I'm a lousy dancer but my moods are swinging!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




Re: [users@httpd] Problem setting up ssl

2018-08-21 Thread Sander Smeenk
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> root@webshub:~# grep IfModule /etc/apache2/sites-available/default-ssl.conf
> #
> #

Ok.

> root@webshub:~# apachectl -S
> AH00558: apache2: Could not reliably determine the server's fully qualified 
> domain name, using 127.0.1.1. Set the 'ServerName' directive globally to 
> suppress this message
> VirtualHost configuration:
> *:80   127.0.1.1 
> (/etc/apache2/sites-enabled/000-default.conf:1)
> ServerRoot: "/etc/apache2"

I would expect a *:443 line here too. Somehow your config is not being
parsed and Apache is not showing the SSL :443 vhost configuration.

-- 
| My Bonnie looked into a gas tank, the height of its contents to see!
| She lit a small match to assist her, oh bring back my Bonnie to me.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Mahmood Naderan
 >Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?



# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
# 
# service apache2 restart
# systemctl reload apache2
#


Now, when I open https://w.x.y.z in firefox, I get

Your connection is not secure

The owner of 5.57.36.104 has configured their website improperly. To protect 
your information from being stolen, Firefox has not connected to this website.


So, I have to click on advanced and then "add exception". Is that related to
apache configuration?
By proceeding to visit the website, I think it switches to https again.




In Edge, I get


The hostname in the website’s security certificate differs from the website you 
are trying to visit.
 
Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID


Since I am using IP address and the certificate is registered with a domain, I 
think that is the root of the problem.
Am I right?

Regards,
Mahmood


Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Eric Covener
> root@webshub:~# grep IfModule /etc/apache2/sites-available/default-ssl.conf

> #
> #
> root@webshub:~# apachectl -S
> AH00558: apache2: Could not reliably determine the server's fully qualified 
> domain name, using 127.0.1.1. Set the 'ServerName' directive globally to 
> suppress this message
> VirtualHost configuration:
> *:80   127.0.1.1 
> (/etc/apache2/sites-enabled/000-default.conf:1)
> ServerRoot: "/etc/apache2"

Is default-ssl site "enabled" via the debian/ubuntu tools e.g. a2ensite?




Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Mahmood Naderan
>Is mod_ssl actually loaded/enabled?
>Try removing the   lines and check your
>httpd config syntax (apache2ctl -S)




root@webshub:~# grep IfModule /etc/apache2/sites-available/default-ssl.conf
#
#
root@webshub:~# apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.1.1. Set the 'ServerName' directive globally to 
suppress this message
VirtualHost configuration:
*:80   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
# apachectl -M | grep ssl_module
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.1.1. Set the 'ServerName' directive globally to 
suppress this message
 ssl_module (shared)






>You could take a look at settings for ‘Redirects' in the Apache2 online docs 
>too
Do you mean https://httpd.apache.org/docs/2.4/rewrite/remapping.html ?



Regards,
Mahmood 



Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Sander Smeenk
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> As I posted earlier, SSLEngine is  on
>  $ cat /etc/apache2/sites-available/default-ssl.conf
> 
> So, I really don't know why it listens to http!

Is mod_ssl actually loaded/enabled?
Try removing the   lines and check your
httpd config syntax (apache2ctl -S)


-- 
| Age is a very high price to pay for maturity.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread angel Hall-Coulston
Hello Mahmood,
Please forgive me if you have already tried this, but have you read the 
man pages on HTTPD as there are some very useful command flags which can point 
out configuration settings. You could take a look at settings for ‘Redirects' 
in the Apache2 online docs too. I’m sorry if you have already tried all of this…

Regards,
Angel aka Rammsteinium.



> On 20 Aug 2018, at 12:18, Mahmood Naderan  
> wrote:
> 
> As I posted earlier, SSLEngine is  on
> 
> $ cat /etc/apache2/sites-available/default-ssl.conf
> 
> 
> ServerAdmin webmaster@localhost
> 
> DocumentRoot /var/www/html
>
> Options FollowSymLinks
> AllowOverride All
> Order allow,deny
> allow from all
> 
> LogLevel debug ssl:debug
> 
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
> SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.crt
> SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.key
> SSLCertificateChainFile /home/mahmood/certi/intermediate.crt
> 
> SSLEngine on
> 
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
> 
> 
> 
> 
> 
> So, I really don't know why it listens to http!
> 
> 
> 
> Regards,
> Mahmood
> 
> 



Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Mahmood Naderan
As I posted earlier, SSLEngine is  on
 $ cat /etc/apache2/sites-available/default-ssl.conf

    
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/html
           
        Options FollowSymLinks
            AllowOverride All
        Order allow,deny
        allow from all
            
    LogLevel debug ssl:debug

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.crt
    SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.scu.ac.ir.key
    SSLCertificateChainFile /home/mahmood/certi/intermediate.crt

    SSLEngine on

    
    SSLOptions +StdEnvVars
    
    
    SSLOptions +StdEnvVars
    
    




So, I really don't know why it listens to http!



Regards,
Mahmood



Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Sander Smeenk
Quoting Mahmood Naderan (nt_mahm...@yahoo.com.INVALID):

> [mahmood@rocks7 ~]$ wget http://w.x.y.z:443
> Connecting to w.x.y.z:443... connected.
> HTTP request sent, awaiting response... 200 OK
> 2018-08-20 10:30:50 (1.95 MB/s) - ‘index.html.1’ saved [33229]
> Any thought?

Did you forget to put 'SSLEngine On' in your SSL-vhost definition?
The above quoted clearly shows your Apache is doing normal HTTP on port 443.

Also, SSL generally doesn't work well when connecting to just an IP-address.
SSL certs contain a domain name, it has to match or you'll get certificate
security warnings.

Use this config as a reference, assuming Apache 2.4+:

| 
| ServerName www.example.com
| ServerAlias example.com
| 
| DocumentRoot /var/vhosts/www.example.com/html
| 
| RewriteEngine On
| RewriteCond %{REQUEST_URI} !^/.well-known/
| RewriteRule (.*) https://www.example.com$1 [R=301,L]
| 
| 
| ServerName www.example.com
| ServerAlias example.com
| 
| AddDefaultCharset utf-8
| 
| Header always add Strict-Transport-Security "max-age=15552000; includeSubDomains"
| Header always add X-Content-Type-Options "nosniff"
| Header always add X-Frame-Options "SAMEORIGIN"
| Header always add X-XSS-Protection "1; mode=block"
| 
| SSLEngine On
| SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
| SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!SSLV3:!3DES:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:KRB5-DES-CBC3-SHA:"
| SSLOpenSSLConfCmd ECDHParameters secp384r1
| SSLOpenSSLConfCmd Curves secp384r1
| 
| SSLCertificateChainFile /etc/letsencrypt/manual/chain.pem
| SSLCertificateFile /etc/letsencrypt/manual/www.example.com.crt
| SSLCertificateKeyFile  /etc/letsencrypt/manual/www.example.com.key
| SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/manual/www.example.com.dh
| 
| ErrorLog /var/vhosts/www.example.com/logs/error.log
| CustomLog /var/vhosts/www.example.com/logs/access.log combined
| 
| DocumentRoot /var/vhosts/www.example.com/html/
| 
| Options -Indexes
| Require all granted
| 
| 
| RewriteEngine On
| 
| RewriteCond %{HTTP_HOST} !^www.example.com
| RewriteRule (.*) https://www.example.com$1 [R=301,L]
| 

-- 
| Dopeler effect: The tendency of stupid ideas to seem smarter when they
| come at you rapidly.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Riemer Palstra
Hi Mahmood,

On Mon, Aug 20, 2018 at 8:11 AM Mahmood Naderan
 wrote:

> [mahmood@rocks7 ~]$ wget https://w.x.y.z
> --2018-08-20 10:30:43--  https://w.x.y.z/
> Connecting to w.x.y.z:443... connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
> Unable to establish SSL connection.
> [mahmood@rocks7 ~]$ wget http://w.x.y.z:443
> --2018-08-20 10:30:50--  http://w.x.y.z:443/
> Connecting to w.x.y.z:443... connected.
> HTTP request sent, awaiting response... 200 OK
>

It's exactly as Jens already said, you have an HTTP listener on the HTTPS
port. Enable SSL for that vhost configuration (SSLEngine on and
configuration of certificate, key and cipher suites) and it'll probably be
just fine.

Regards,

-- 
Riemer Palstra
rie...@palstra.com


Re: [users@httpd] Problem setting up ssl

2018-08-20 Thread Mahmood Naderan
Hi again
From another computer I tried to access the IP address via wget command. See
this output

[mahmood@rocks7 ~]$ wget http://w.x.y.z
--2018-08-20 10:30:38--  http://w.x.y.z/
Connecting to w.x.y.z:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

    [ <=>     ] 33,229  --.-K/s   in 0.009s

2018-08-20 10:30:38 (3.58 MB/s) - ‘index.html’ saved [33229]

[mahmood@rocks7 ~]$ wget https://w.x.y.z
--2018-08-20 10:30:43--  https://w.x.y.z/
Connecting to w.x.y.z:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
[mahmood@rocks7 ~]$ wget http://w.x.y.z:443
--2018-08-20 10:30:50--  http://w.x.y.z:443/
Connecting to w.x.y.z:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

    [ <=>     ] 33,229  --.-K/s   in 0.02s

2018-08-20 10:30:50 (1.95 MB/s) - ‘index.html.1’ saved [33229]

[mahmood@rocks7 ~]$




Any thought?


Regards,
Mahmood 

  
 

Re: [users@httpd] Problem setting up ssl

2018-08-18 Thread Mahmood Naderan
>OTOH, seems to be some  
>special setup, defaulting to an address from the loopback network  
>(127.0.1.1).

I also noted that, but don't know what to do.



>As you seem to receive some resources via HTTP, the request should get  
>logged somewhere.

I use "tail -f /var/log/apache2/access.log" and error.log on the console and
then enter IP address in the browser. When I enter http://w.x.y.z the page is
shown and access.log shows some messages. I also see some debug messages in
error.log

IMO, the messages aren't important! since I see the page in the
browser. However, when I enter https://w.x.y.z nothing is shown in the console.






>You always tell you're accessing "w.x.y.z" and
>said "the server's page is reachable by an IP address", so I understand
>you're not using a host name, but IP address to connect. w.x.y.z reads
>like an IPv4 address, while your earlier report of open ports just
>gave an IPv6 port open for listening:
>
>root@webshub:~# netstat -tulpn | grep 443
>tcp6   0  0 :::443  :::*    LISTEN  14709/apache2
>
>So there might be a chance your browser's requests doesn't even end up
>in *your* server.


I also think such thing is the root of the issue. Things are
1) Yes, I don't have hostname. So, I have to enter ip address.
2) The SSL certificates are created for our university where they have host 
name. 

3) I don't know if the certificates are only usable with subdomains only. Any 
thought?
4) The netstat command shows the IPv6. Is that a firewall issue? iptables? ufw? 
Here is the output of ufw

root@webshub:~# ufw status
Status: active

To                  Action  From
--                  ------  ----
Apache Full         ALLOW   Anywhere
OpenSSH             ALLOW   Anywhere
20/tcp              ALLOW   Anywhere
21/tcp              ALLOW   Anywhere
990/tcp             ALLOW   Anywhere
4:5/tcp             ALLOW   Anywhere
Apache Full (v6)    ALLOW   Anywhere (v6)
OpenSSH (v6)        ALLOW   Anywhere (v6)
20/tcp (v6)         ALLOW   Anywhere (v6)
21/tcp (v6)         ALLOW   Anywhere (v6)
990/tcp (v6)        ALLOW   Anywhere (v6)
4:5/tcp (v6)        ALLOW   Anywhere (v6)

root@webshub:~# netstat -tulpn | grep 443
tcp6   0  0 :::443  :::*    LISTEN  1114/apache2
root@webshub:~#







Regards,
Mahmood


Re: [users@httpd] Problem setting up ssl

2018-08-14 Thread Jens-U. Mozdzen

Hi,

Quoting Mahmood Naderan:

>> what's in the logs of your httpd server? Any errors reported during
>> httpd startup and/or your accesses?
>
> When I restart apache2 service, I see these lines in the syslog
> Aug 13 22:19:36 webshub systemd[1]: Stopping The Apache HTTP Server...
> Aug 13 22:19:36 webshub apachectl[20543]: AH00558: apache2: Could
> not reliably determine the server's fully qualified domain name,
> using 127.0.1.1. Set the 'ServerName' directive globally to suppress
> this message
> Aug 13 22:19:37 webshub systemd[1]: Stopped The Apache HTTP Server.
> Aug 13 22:19:37 webshub systemd[1]: Starting The Apache HTTP Server...
> Aug 13 22:19:37 webshub apachectl[20554]: AH00558: apache2: Could
> not reliably determine the server's fully qualified domain name,
> using 127.0.1.1. Set the 'ServerName' directive globally to suppress
> this message
> Aug 13 22:19:37 webshub systemd[1]: Started The Apache HTTP Server.

nothing that points to the root cause, then. OTOH, seems to be some
special setup, defaulting to an address from the loopback network
(127.0.1.1).

> However, apache/error.log and apache/access.log show nothing when I
> enter the IP address in the browser.

As you seem to receive some resources via HTTP, the request should get
logged somewhere.

>> Another guess: what do you see in the browser if you try to access
>> http://w.x.y.z:443 (so actually trying to access your "SSL site" via
>> regular HTTP)? I believe to remember having seen that error when the
>> server spat out regular HTTP.
>
> http://w.x.y.z:443 works. I mean I can see the page. However it is
> not https. https://w.x.y.z:443 says the same error as before.

So your server (on port 443) is handing out http, not https. Seems to
be some configuration issue then. The browser error (when using
https://...) is just telling you "cannot interpret the server output
as SSL/TLS traffic".

As one more step of diagnosis, you might want to ask httpd for its
current (v)host setup (see "-S" option) and in your place, I'd try to
find out where the accesses actually end up - there should be some
logging somewhere. Another test would be to change the content of your
html page (the one you believe to receive when requesting
http://w.x.y.z:443) and double-check that the browser then receives
the modified version. Because:

Might it be that the request ends up in a totally different
server/httpd process? You always tell you're accessing "w.x.y.z" and
said "the server's page is reachable by an IP address", so I understand
you're not using a host name, but IP address to connect. w.x.y.z reads
like an IPv4 address, while your earlier report of open ports just
gave an IPv6 port open for listening:

> root@webshub:~# netstat -tulpn | grep 443
> tcp6   0  0 :::443  :::*    LISTEN  14709/apache2

So there might be a chance your browser's requests doesn't even end up
in *your* server.


Regards,
J
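
Why a plain-HTTP listener on port 443 produces the error discussed in this message, as an added example that is not part of the original thread: a TLS client reads the first five bytes of the reply as a record header, and the bytes `HTTP/` then declare a record length above the protocol maximum. The byte samples are constructed and the function names are hypothetical.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
# Largest record length a TLS 1.2 peer may send (RFC 5246, section 6.2.3).
MAX_TLS_RECORD = 2 ** 14 + 2048

# Constructed samples of the first bytes a server might send back.
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
TLS_SERVER_HELLO = bytes.fromhex("160303005d") + b"\x02\x00\x00\x59"
TLS_ALERT = bytes.fromhex("15030300020228")  # fatal handshake_failure


def read_record_header(first_bytes):
    """Parse the first 5 bytes the way a TLS client does:
    content type (1 byte), protocol version (2 bytes), length (2 bytes)."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes to read a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {
        "content_type": ctype,
        "type_name": TLS_CONTENT_TYPES.get(ctype),  # None if not a TLS type
        "version": (major, minor),
        "length": length,
    }


def diagnose(first_bytes):
    """Return (verdict, header) for the start of a server reply.

    verdict is 'tls', 'plain-http' or 'unknown'.
    """
    header = read_record_header(first_bytes)
    plausible_tls = (
        header["type_name"] is not None
        and header["version"][0] == 3          # SSLv3 and every TLS version use major 3
        and header["length"] <= MAX_TLS_RECORD
    )
    if plausible_tls:
        return "tls", header
    if first_bytes[:5] == b"HTTP/":
        return "plain-http", header
    return "unknown", header


def record_too_long(first_bytes):
    """True when the declared record length exceeds what TLS allows."""
    return read_record_header(first_bytes)["length"] > MAX_TLS_RECORD


if __name__ == "__main__":
    samples = (("http reply", HTTP_REPLY),
               ("server hello", TLS_SERVER_HELLO),
               ("alert", TLS_ALERT))
    for label, sample in samples:
        verdict, header = diagnose(sample)
        print("%-12s %-10s type=%s version=%s length=%d too_long=%s" % (
            label, verdict, header["content_type"], header["version"],
            header["length"], record_too_long(sample)))
```

For the HTTP reply the header decodes to content type 72 (`H`), version 84.84 (`TT`) and length 20527 (`P/`), which is larger than the 18432-byte limit.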





Re: [users@httpd] Problem setting up ssl

2018-08-13 Thread Mahmood Naderan
>what's in the logs of your httpd server? Any errors reported during  
>httpd startup and/or your accesses?

When I restart apache2 service, I see these lines in the syslog
Aug 13 22:19:36 webshub systemd[1]: Stopping The Apache HTTP Server...
Aug 13 22:19:36 webshub apachectl[20543]: AH00558: apache2: Could not reliably 
determine the server's fully qualified domain name, using 127.0.1.1. Set the 
'ServerName' directive globally to suppress this message
Aug 13 22:19:37 webshub systemd[1]: Stopped The Apache HTTP Server.
Aug 13 22:19:37 webshub systemd[1]: Starting The Apache HTTP Server...
Aug 13 22:19:37 webshub apachectl[20554]: AH00558: apache2: Could not reliably 
determine the server's fully qualified domain name, using 127.0.1.1. Set the 
'ServerName' directive globally to suppress this message
Aug 13 22:19:37 webshub systemd[1]: Started The Apache HTTP Server.




However, apache/error.log and apache/access.log show nothing when I enter the 
IP address in the browser.


>Another guess: what do you see in the browser if you try to access  
>http://w.x.y.z:443 (so actually trying to access your "SSL site" via  
>regular HTTP)? I believe to remember having seen that error when the  
>server spat out regular HTTP.


http://w.x.y.z:443 works. I mean I can see the page. However it is not 
https.https://w.x.y.z:443 says the same error as before.





Regards,
Mahmood 



Re: [users@httpd] Problem setting up ssl

2018-08-13 Thread Jens-U. Mozdzen

Quoting Mahmood Naderan:

>> Now, when I open https://w.x.y.z in the browser, I get
>> An error occurred during a connection to w.x.y.z. SSL received a record that
>> exceeded the maximum permissible length. Error code:
>> SSL_ERROR_RX_RECORD_TOO_LONG
>
> Excuse me... Isn't there any idea?


what's in the logs of your httpd server? Any errors reported during  
httpd startup and/or your accesses?


Another guess: what do you see in the browser if you try to access  
http://w.x.y.z:443 (so actually trying to access your "SSL site" via  
regular HTTP)? I believe to remember having seen that error when the  
server spat out regular HTTP.


Regards,
J





Re: [users@httpd] Problem setting up ssl

2018-08-13 Thread Mahmood Naderan
>Now, when I open https://w.x.y.z in the browser, I get
>An error occurred during a connection to w.x.y.z. SSL received a record that
>exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG


Excuse me... Isn't there any idea?

I searched the web about the error but there is no single solution for that and
that error arises from several situations.


Regards,
Mahmood





Re: [users@httpd] Problem setting up ssl

2018-08-12 Thread Mahmood Naderan
>In ports.conf have a 443 port listen configured? You enable mod_ssl with 
>a2enmod mod_ssl?

root@webshub:~# netstat -tulpn | grep 443
tcp6   0  0 :::443  :::*    LISTEN  14709/apache2



I enabled mod_ssl



root@webshub:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create 
self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@webshub:~# service apache2 restart
root@webshub:~# 



Now, when I open https://w.x.y.z in the browser, I get


An error occurred during a connection to w.x.y.z. SSL received a record that 
exceeded the maximum permissible length. Error code: 
SSL_ERROR_RX_RECORD_TOO_LONG 




Regards,
Mahmood





Re: [users@httpd] Problem setting up ssl

2018-08-12 Thread Elias Pereira
In ports.conf have a 443 port listen configured? You enable mod_ssl with
a2enmod mod_ssl?

On Sun, Aug 12, 2018 at 2:52 PM Mahmood Naderan
 wrote:

> Hi,
>
> I am totally confused with the configuration of ssl via apache2. The
> server's page is reachable by an IP address. So, when I enter
> http://w.x.y.z I am able to see the web page and the content of
> /etc/apache2/sites-available/000-default.conf is
>
>
> DocumentRoot /var/www/html
> 
>  Options FollowSymLinks
>  AllowOverride All
>  Order allow,deny
>  allow from all
> 
>
>
>
> Now, what I do for the ssl is to first comment the above lines (because
> the virtualhost is on port 80). Then I paste the above lines in
> /etc/apache2/sites-available/default-ssl.conf and the content is shown
> below. Please note that the certificates were obtained by the network admin
> and are valid because the main website has FQDN.
>
>
> 
> 
> ServerAdmin webmaster@localhost
> DocumentRoot /var/www/html
> 
>  Options FollowSymLinks
>  AllowOverride All
>  Order allow,deny
>  allow from all
> 
> LogLevel debug ssl:warn
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
> SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.crt
> SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.key
> SSLCertificateChainFile /home/mahmood/certi/intermediate.crt
> SSLEngine on
>
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
> 
> 
>
>
>
>
>
> I also paste the following entries in /var/www/html/.htaccess
>
>
> RewriteEngine on
> RewriteCond %{SERVER_PORT} 443
> RewriteCond %{HTTP_HOST} ^(subdomain\.)?SOMEWHERE\.COM
> RewriteRule ^(.*)$ https://subdomain.SOMEWHERE.COM/$1 [R,L]
>
>
> The firewall status also looks fine
>
>
> root@webshub:~# ufw status
> Status: active
> To                  Action  From
> --                  ------  ----
> Apache Full         ALLOW   Anywhere
> OpenSSH             ALLOW   Anywhere
> 20/tcp              ALLOW   Anywhere
> 21/tcp              ALLOW   Anywhere
> 990/tcp             ALLOW   Anywhere
> 4:5/tcp             ALLOW   Anywhere
> Apache Full (v6)    ALLOW   Anywhere (v6)
> OpenSSH (v6)        ALLOW   Anywhere (v6)
> 20/tcp (v6)         ALLOW   Anywhere (v6)
> 21/tcp (v6)         ALLOW   Anywhere (v6)
> 990/tcp (v6)        ALLOW   Anywhere (v6)
> 4:5/tcp (v6)        ALLOW   Anywhere (v6)
>
>
>
>
> After restarting apache2 service, still I see that http://w.x.y.z works
> but https://w.x.y.z is unreachable with the browser.
>
>
> Any thought is welcomed.
>
>
>
> Regards,
> Mahmood
>
>
>

-- 
Elias Pereira


[users@httpd] Problem setting up ssl

2018-08-12 Thread Mahmood Naderan
Hi,

I am totally confused with the configuration of ssl via apache2. The server's 
page is reachable by an IP address. So, when I enter http://w.x.y.z I am able 
to see the web page and the content of 
/etc/apache2/sites-available/000-default.conf is


    DocumentRoot /var/www/html
    
 Options FollowSymLinks
 AllowOverride All
 Order allow,deny
 allow from all
    



Now, what I do for the ssl is to first comment the above lines (because the 
virtualhost is on port 80). Then I paste the above lines in  
/etc/apache2/sites-available/default-ssl.conf and the content is shown below. 
Please note that the certificates were obtained by the network admin and are 
valid because the main website has FQDN.



    
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    
 Options FollowSymLinks
 AllowOverride All
 Order allow,deny
 allow from all
    
    LogLevel debug ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.crt
    SSLCertificateKeyFile /home/mahmood/certi/certificate-standard_wildcard.SOMEWHERE.COM.key
    SSLCertificateChainFile /home/mahmood/certi/intermediate.crt
    SSLEngine on
    SSLEngine on

    
    SSLOptions +StdEnvVars
    
    
    SSLOptions +StdEnvVars
    
    






I also paste the following entries in /var/www/html/.htaccess


    RewriteEngine on
    RewriteCond %{SERVER_PORT} 443
    RewriteCond %{HTTP_HOST} ^(subdomain\.)?SOMEWHERE\.COM
    RewriteRule ^(.*)$ https://subdomain.SOMEWHERE.COM/$1 [R,L]


The firewall status also looks fine


root@webshub:~# ufw status
Status: active
To                  Action  From
--                  ------  ----
Apache Full         ALLOW   Anywhere
OpenSSH             ALLOW   Anywhere
20/tcp              ALLOW   Anywhere
21/tcp              ALLOW   Anywhere
990/tcp             ALLOW   Anywhere
4:5/tcp             ALLOW   Anywhere
Apache Full (v6)    ALLOW   Anywhere (v6)
OpenSSH (v6)        ALLOW   Anywhere (v6)
20/tcp (v6)         ALLOW   Anywhere (v6)
21/tcp (v6)         ALLOW   Anywhere (v6)
990/tcp (v6)        ALLOW   Anywhere (v6)
4:5/tcp (v6)        ALLOW   Anywhere (v6)




After restarting apache2 service, still I see that http://w.x.y.z works but 
https://w.x.y.z is unreachable with the browser.


Any thought is welcomed.



Regards,
Mahmood
