
Thread: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) problem)

  1. #1

    I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) problem)

    Hello everyone. Some time roughly around October 2013 SSL just suddenly stopped working in Apache. I hadn't made a significant effort to resolve the problem until now because I had just started a University course and was directing most of my attention into that. I assumed that whatever the problem was, if I couldn't find a solution with a few quick internet searches then it was probably going to require more of my time than I had to spare whilst doing my course. Well now I've more-or-less finished the year and now I want to get to the bottom of the problem.

    Unfortunately, with the long wait between this problem surfacing and now, the exact details are a bit hazy. I now realise that I've confused two separate problems that probably arose independently and I now have no idea about when the remaining problem began. I think I must have fixed the first problem that can be solved by tweaking httpd.conf because that one prevented Apache from starting at all. This second problem, however, allows Apache to start, but when it is running, connections via SSL/TLS fail. Opera doesn't give any useful information about the failure, but Firefox at least has this to say
    Code:
    Secure Connection Failed
    
    An error occurred during a connection to localhost. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
    
        The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
        Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
    I've put various parts of that message into Google and it seems that it is usually caused by a misconfiguration of a network somewhere between the client and the server. This seemed like a plausible cause of the error for a short time, because much had changed in the intervening months. I changed my domain's Registrar of Record, upgraded the host's OS from OpenSuse 12.3 to 13.1, my ISP and consequently the router through which I access the internet. None of those changes are related to my current problem as far as I know, but there's plenty of areas where I could do something wrong and not notice it for a while.

    I very strongly suspect that it has nothing at all to do with any of those changes and is much more likely to be down to some misconfiguration I keep making in Apache. I say this because I installed Apache/MySQL/PHP on this computer and tried to configure Apache to accept SSL/TLS connections. I did this to avoid fouling up the configuration of the actual web host and so that there couldn't be any configuration tweaks that I'd tried and then forgotten about. Starting from a clean slate. Anyway, I installed Apache/MySQL/PHP from the web and LAMP server pattern in YaST, made the necessary edit to httpd.conf and made a key and certificate and stuck 'em in /etc/apache2/ssl.key/ and /etc/apache2/ssl.crt/ respectively. Tried setting up a default virtual-host and indicated where the certificate and key were and then set Apache running. Exactly the same as on the main host, it serves unencrypted URLs fine, but as soon as you shove https:// in front of that address, it all goes horribly wrong. The reason I so strongly suspect that it is a problem with my configuration is that this happens even on https://localhost/, so the request never even reaches the router for it to get fiddled with by the router or any other part of any other network. Both machines are OpenSuse 13.1, but I'm fairly sure this started before I upgraded. I'm not used to all the extra configuration files involved with YaST. A little over a decade ago, I started out using Apache, MySQL and so on by compiling them from source. I thought that if I learned about building them from source, that would give me a better understanding of how to fix problems that may arise when configuring them with tools like YaST. As it turned out, I was hopelessly wrong. I get hopelessly confused by all the various inclusions of the many configuration files. I also never bothered to read anything at all about vhosts because I only served the one site from the server. I was usually too busy manually resolving dependencies flagged up by configure and make, which is a strong incentive to stick with management via YaST and not to go back to compiling from source.

    Anyway. what more do I need to post to make this more than just a vague description? I assume many of the Apache config files will be necessary, so I'll start editing copies of those to remove my domain name and IP addresses from them and then post them up soon, but is there anything else?

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,461
    Blog Entries
    2

    Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    I haven't tried to troubleshoot your problem before, and I don't know if you're looking at two or a single problem.

    Googling your first problem
    Code:
    Error code: ssl_error_rx_record_too_long
    Returns a few hits, of which the first
    https://support.mozilla.org/en-US/questions/853637
    Seems to suggest the problem is exactly as the error describes... some data is being returned which exceeds the max length. If you install the Firefox Firebug plugin you'll get more detailed info. Or, likely more easily if this problem also shows up in a Chrome family browser (Chrome, Chromium, Canary, et al), just launch the debugger with CTL-SHIFT-J before accessing the page you want to analyze. If you're using IE, you'll have to install Visual Studio for a web browser debugger.

    The "other" issue which may or may not be related
    Code:
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    might be related to the current more strict implementation of SSL which is being enforced everywhere... SSL now should not just encrypt, it should now be <required> to authenticate the machine you are connecting to. As always, the certificate should match the FQDN of the website, but now it's enforced although may be over-ridden manually.

    Assuming you are mis-configuring Apache, the solution will depend on first undoing what you've done, then describing what you're doing or what guide you're following.

    Or, better yet, install the YAST plugin that configures apache
    Code:
    zypper in yast2-http-server
    After install, you should see an icon in YAST > Network Services called "HTTP Server"

    HTH,
    TSU

  3. #3

    Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    Right. Here's the most obvious config files to post.

    The forum says my post is too long if I don't break it into chunks. So here are the first two files.
    httpd.conf contains one change that I made to the file outside of YaST and is indicated by the long line of #'s surrounding the text saying the line above is the one I added manually. The last line in the file confirms that the minor changes I made through YaST have been applied.
    Code:
    httpd.conf
    #
    # /etc/apache2/httpd.conf 
    #
    # This is the main Apache server configuration file.  It contains the
    # configuration directives that give the server its instructions.
    # See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
    # the directives.
    
    # Based upon the default apache configuration file that ships with apache,
    # which is based upon the NCSA server configuration files originally by Rob
    # McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.
    
    # If possible, avoid changes to this file. It does mainly contain Include
    # statements and global settings that can/should be overridden in the
    # configuration of your virtual hosts.
    
    # Quickstart guide:
    # http://en.opensuse.org/Apache_Quickstart_HOWTO
    
    
    # Overview of include files, chronologically:
    #
    # httpd.conf
    #  | 
    #  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
    #  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
    #  |-- sysconfig.d/loadmodule.conf . . . . .  [*] load these modules
    #  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
    #  |-- mod_log_config.conf . . . . . . . . .  define logging formats
    #  |-- sysconfig.d/global.conf . . . . . . .  [*] server-wide general settings
    #  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
    #  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
    #  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
    #  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
    #  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
    #  |-- errors.conf . . . . . . . . . . . . .  customize error responses
    #  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
    #  |
    #  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
    #  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
    #  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
    #  |
    #  |-- sysconfig.d/include.conf  . . . . . .  [*] your include files 
    #  |                                             (for each file to be included here, put its name 
    #  |                                              into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
    #  |
    #  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
    #       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
    #
    #
    # Files marked [*] are created from sysconfig upon server restart: instead of
    # these files, you edit /etc/sysconfig/apache2
    
    
    
    #  Filesystem layout:
    #
    # /etc/apache2/
    #  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
    #  |-- conf.d/
    #  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
    #  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
    #  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
    #  |-- default-server.conf
    #  |-- errors.conf
    #  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
    #  |-- listen.conf
    #  |-- magic
    #  |-- mime.types -> ../mime.types
    #  |-- mod_autoindex-defaults.conf
    #  |-- mod_info.conf
    #  |-- mod_log_config.conf
    #  |-- mod_mime-defaults.conf
    #  |-- mod_perl-startup.pl
    #  |-- mod_status.conf
    #  |-- mod_userdir.conf
    #  |-- mod_usertrack.conf
    #  |-- server-tuning.conf
    #  |-- ssl-global.conf
    #  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
    #  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
    #  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
    #  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
    #  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
    #  |-- sysconfig.d/  . . . . . . . . . . . .  files that are created from /etc/sysconfig/apache2
    #  |   |-- global.conf
    #  |   |-- include.conf
    #  |   `-- loadmodule.conf
    #  |-- uid.conf
    #  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
    #      |-- vhost-ssl.template
    #      `-- vhost.template
    
    
    
    ### Global Environment ######################################################
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests.
    
    # run under this user/group id
    Include /etc/apache2/uid.conf
    
    # - how many server processes to start (server pool regulation)
    # - usage of KeepAlive
    Include /etc/apache2/server-tuning.conf
    
    # ErrorLog: The location of the error log file.
    # If you do not specify an ErrorLog directive within a <VirtualHost>
    # container, error messages relating to that virtual host will be
    # logged here.  If you *do* define an error logfile for a <VirtualHost>
    # container, that host's errors will be logged there and not here.
    ErrorLog /var/log/apache2/error_log
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    ######## The ABOVE LINE HAS BEEN ENTERED BY STEPHEN AND IS NOT PART OF THE DEFAULT CONFIGURATION ###############
    Include /etc/apache2/sysconfig.d/loadmodule.conf
    
    # IP addresses / ports to listen on
    Include /etc/apache2/listen.conf
    
    # predefined logging formats
    Include /etc/apache2/mod_log_config.conf
    
    # generated from global settings in /etc/sysconfig/apache2
    Include /etc/apache2/sysconfig.d/global.conf
    
    # optional mod_status, mod_info
    Include /etc/apache2/mod_status.conf
    Include /etc/apache2/mod_info.conf
    
    # optional cookie-based user tracking
    # read the documentation before using it!!
    Include /etc/apache2/mod_usertrack.conf
    
    # configuration of server-generated directory listings
    Include /etc/apache2/mod_autoindex-defaults.conf
    
    # associate MIME types with filename extensions
    TypesConfig /etc/apache2/mime.types
    Include /etc/apache2/mod_mime-defaults.conf
    
    # set up (customizable) error responses
    Include /etc/apache2/errors.conf
    
    # global (server-wide) SSL configuration, that is not specific to 
    # any virtual host
    Include /etc/apache2/ssl-global.conf
    
    # forbid access to the entire filesystem by default
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    
    # use .htaccess files for overriding,
    AccessFileName .htaccess
    # and never show them
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    
    # List of resources to look for when the client requests a directory
    DirectoryIndex index.html index.html.var
    
    ### 'Main' server configuration #############################################
    #
    # The directives in this section set up the values used by the 'main'
    # server, which responds to any requests that aren't handled by a
    # <VirtualHost> definition.  These values also provide defaults for
    # any <VirtualHost> containers you may define later in the file.
    #
    # All of these directives may appear inside <VirtualHost> containers,
    # in which case these default settings will be overridden for the
    # virtual host being defined.
    #
    Include /etc/apache2/default-server.conf
    
    
    # Another way to include your own files
    #
    # The file below is generated from /etc/sysconfig/apache2,
    # include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
    # APACHE_CONF_INCLUDE_DIRS
    Include /etc/apache2/sysconfig.d/include.conf
    
    
    ### Virtual server configuration ############################################
    #
    # VirtualHost: If you want to maintain multiple domains/hostnames on your
    # machine you can setup VirtualHost containers for them. Most configurations
    # use only name-based virtual hosts so the server doesn't need to worry about
    # IP addresses. This is indicated by the asterisks in the directives below.
    #
    # Please see the documentation at
    # <URL:http://httpd.apache.org/docs-2.2/vhosts/>
    # for further details before you try to setup virtual hosts.
    #
    # You may use the command line option '-S' to verify your virtual host
    # configuration.
    #
    IncludeOptional /etc/apache2/vhosts.d/*.conf
    
    
    # Note: instead of adding your own configuration here, consider 
    #       adding it in your own file (/etc/apache2/httpd.conf.local)
    #       putting its name into APACHE_CONF_INCLUDE_FILES in 
    #       /etc/sysconfig/apache2 -- this will make system updates 
    #       easier :)
    Code:
    default-server.conf
    #
    # Global configuration that will be applicable for all virtual hosts, unless
    # deleted here, or overridden elsewhere.
    # 
    
    DocumentRoot "/srv/www/htdocs"
    
    #
    # Configure the DocumentRoot
    #
    <Directory "/srv/www/htdocs">
             # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs-2.2/mod/core.html#options
        # for more information.
    Options None
             # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
    AllowOverride None
             # Controls who can get stuff from this server.
    Order allow,deny
     Allow from all
    </Directory>
    
    # Aliases: aliases can be added as needed (with no limit). The format is 
    # Alias fakename realname
    #
    # Note that if you include a trailing / on fakename then the server will
    # require it to be present in the URL.  So "/icons" isn't aliased in this
    # example, only "/icons/".  If the fakename is slash-terminated, then the 
    # realname must also be slash terminated, and if the fakename omits the 
    # trailing slash, the realname must also omit it.
    #
    # We include the /icons/ alias for FancyIndexed directory listings.  If you
    # do not use FancyIndexing, you may comment this out.
    #
    Alias /icons/ "/usr/share/apache2/icons/"
    
    <Directory "/usr/share/apache2/icons">
     Options Indexes MultiViews
     AllowOverride None
     Order allow,deny
     Allow from all
    </Directory>
    
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
    
    # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have that configured.
    #
    <Directory "/srv/www/cgi-bin">
     AllowOverride None
     Options +ExecCGI -Includes
     Order allow,deny
     Allow from all
    </Directory>
    
    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES 
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
             # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
    UserDir public_html
             # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
    Include /etc/apache2/mod_userdir.conf
    </IfModule>
    
    
    # Include all *.conf files from /etc/apache2/conf.d/.
    #
    # This is mostly meant as a place for other RPM packages to drop in their
    # configuration snippet.
    #
    # You can comment this out here if you want those bits include only in a
    # certain virtual host, but not here.
    #
    IncludeOptional /etc/apache2/conf.d/*.conf
    
    # The manual... if it is installed ('?' means it won't complain)
    IncludeOptional /etc/apache2/conf.d/apache2-manual?conf
    ServerName home
    
    ServerAdmin dn3n97t93t5@networksolutionsprivateregistration.com

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,461
    Blog Entries
    2

    Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    Assuming this is a self-generated cert, how long is it? 256-bit? 512-bit? Longer?

    Again,
    If you use one of the browser debuggers I mentioned, you'll likely return something more detailed.

    TSU

  5. #5

    Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    These two are strange because I definitely entered the information that should be in here, but it isn't. I entered it using the YaST module, but it doesn't appear to be here in the configuration (note the ServerName directive; its value still seems to be at a default value).
    Code:
    default-vhost.conf
    #
    # Almost any Apache directive may go into a VirtualHost container.
    # The first VirtualHost section is used for requests without a known
    # server name.
    #
    <VirtualHost _default_:80>
        ServerName dummy-host.example.com
        ServerAdmin webmaster@dummy-host.example.com
        ServerAlias example.com www.example.com
    
        # DocumentRoot: The directory out of which you will serve your
        # documents. By default, all requests are taken from this directory, but
        # symbolic links and aliases may be used to point to other locations.
        DocumentRoot "/srv/www/htdocs"
    
        # if not specified, the global error log is used
        ErrorLog /var/log/apache2/dummy-host.example.com-error_log
        CustomLog /var/log/apache2/dummy-host.example.com-access_log combined
    
        # don't lose time with IP address lookups
        HostnameLookups Off
    
        # needed for named virtual hosts
        UseCanonicalName Off
    
        # configures the footer on server-generated documents
        ServerSignature On
    
    
        # Optionally, include *.conf files from /etc/apache2/conf.d/
        #
        # For example, to allow execution of PHP scripts:
        #
        # Include /etc/apache2/conf.d/mod_php4.conf
        #
        # or, to include all configuration snippets added by packages:
        # Include /etc/apache2/conf.d/*.conf
    
    
        # ScriptAlias: This controls which directories contain server scripts.
        # ScriptAliases are essentially the same as Aliases, except that
        # documents in the realname directory are treated as applications and
        # run by the server when requested rather than as documents sent to the client.
        # The same rules about trailing "/" apply to ScriptAlias directives as to
        # Alias.
        #
        ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
    
        # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
        # CGI directory exists, if you have one, and where ScriptAlias points to.
        #
        <Directory "/srv/www/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
        </Directory>
    
    
        # UserDir: The name of the directory that is appended onto a user's home
        # directory if a ~user request is received.
        #
        # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
        # in /etc/sysconfig/apache2.
        #
        <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
        # You can, however, change the ~ if you find it awkward, by mapping e.g.
        # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
        #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
        </IfModule>
    
    
        #
        # This should be changed to whatever you set DocumentRoot to.
        #
        <Directory "/srv/www/htdocs">
        
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs-2.2/mod/core.html#options
        # for more information.
        #
        Options +Indexes +MultiViews +FollowSymLinks
        IndexOptions FancyIndexing
        
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None
        
        #
        # Controls who can get stuff from this server.
        #
        Order allow,deny
        Allow from all
        
        </Directory>
    
        #
        # some Rewrite stuff for sharedssl
        #
        #RewriteEngine on
        ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite_log"
        ##RewriteLogLevel 3
        #RewriteCond %{HTTP_HOST} ^sharedssl\.* [OR]
        #RewriteRule ^/$ https://sharedssl.example.com/$1 [L,R]
    
    </VirtualHost>
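The SSL vhost file posted in this thread is wrapped in `<IfDefine SSL>`, so Apache only defines its `<VirtualHost _default_:443>` when it is started with `-D SSL`; on openSUSE that define comes from `APACHE_SERVER_FLAGS` in /etc/sysconfig/apache2, and mod_ssl itself is loaded only if `ssl` is listed in `APACHE_MODULES` (httpd.conf above explains that sysconfig.d/loadmodule.conf is generated from that file at start-up). When either is missing, port 443 is either not open at all or is served by the plain-HTTP default server. The following checker is an added example, not the poster's or openSUSE's code; the sample sysconfig text is constructed, and the vhost path `/etc/apache2/vhosts.d/default-vhost-ssl.conf` is an assumption about where the posted file lives:

```python
"""Check the openSUSE-side switches that decide whether the :443 vhost exists.

Added example, not code from the original posts or from openSUSE. Reads the
shell-style VAR="value" lines of /etc/sysconfig/apache2 and the vhost file,
and reports the combinations under which the <IfDefine SSL> vhost can never
be defined.
"""
import re
import shlex
from pathlib import Path

SYSCONFIG = Path("/etc/sysconfig/apache2")
# Assumed location of the posted default-vhost-ssl.conf; httpd.conf includes vhosts.d/*.conf.
SSL_VHOST = Path("/etc/apache2/vhosts.d/default-vhost-ssl.conf")

# Constructed sample of the relevant sysconfig lines (not the poster's real file):
# mod_ssl is loaded, but the SSL define is commented out, so the guarded vhost never exists.
SAMPLE_SYSCONFIG = '''\
## Type: string
APACHE_MODULES="actions alias auth_basic authz_host dir mime php5 ssl"
## Type: string
# APACHE_SERVER_FLAGS="SSL"
APACHE_SERVER_FLAGS=""
'''
SAMPLE_VHOST = "<IfDefine SSL>\n<VirtualHost _default_:443>\n</VirtualHost>\n</IfDefine>\n"

ASSIGN = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)=(.*)$")


def parse_sysconfig(text: str) -> dict:
    """Return the last uncommented value of each VAR=value line, with quotes removed."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            # shlex handles the double quotes and any trailing '# comment' like a shell would
            values[m.group(1)] = " ".join(shlex.split(m.group(2), comments=True))
    return values


def words(values: dict, var: str) -> set:
    return set(values.get(var, "").split())


def ssl_module_enabled(values: dict) -> bool:
    """mod_ssl is only loaded when 'ssl' is in APACHE_MODULES."""
    return "ssl" in words(values, "APACHE_MODULES")


def ssl_define_set(values: dict) -> bool:
    """Each word in APACHE_SERVER_FLAGS is passed to Apache as -D <word>."""
    return "SSL" in words(values, "APACHE_SERVER_FLAGS")


def vhost_needs_ssl_define(vhost_text: str) -> bool:
    """True if the vhost file is guarded by <IfDefine SSL>, as the posted one is."""
    return re.search(r"<IfDefine\s+SSL\s*>", vhost_text, re.IGNORECASE) is not None


def findings(values: dict, vhost_text: str = "") -> list:
    """List the configuration problems that prevent the :443 vhost from being defined."""
    out = []
    if not ssl_module_enabled(values):
        out.append("ssl missing from APACHE_MODULES: mod_ssl is never loaded")
    if vhost_needs_ssl_define(vhost_text) and not ssl_define_set(values):
        out.append("vhost is inside <IfDefine SSL> but SSL is not in APACHE_SERVER_FLAGS: "
                   "the :443 vhost is never defined")
    return out


if __name__ == "__main__":
    text = SYSCONFIG.read_text() if SYSCONFIG.exists() else SAMPLE_SYSCONFIG
    vhost = SSL_VHOST.read_text() if SSL_VHOST.exists() else SAMPLE_VHOST
    problems = findings(parse_sysconfig(text), vhost)
    for line in problems or ["no problem found in sysconfig; check 'apache2ctl -S' for a port 443 vhost"]:
        print(line)
```

Whatever the script reports, `apache2ctl -S` (the `-S` option httpd.conf itself recommends) is the authoritative check: a working setup lists a `port 443` virtual host there, and if it does not, the vhost file is not being read as the poster expects.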

  6. #6

    Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    Code:
    default-vhost-ssl.conf
    #
    # This is the Apache server configuration file providing SSL support.
    # It contains the configuration directives to instruct the server how to
    # serve pages over an https connection. For detailing information about these 
    # directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do.  They're here only as hints or reminders.  If you are unsure
    # consult the online docs. You have been warned.  
    #
    
    <IfDefine SSL>
    <IfDefine !NOSSL>
    
    ##
    ## SSL Virtual Host Context
    ##
    
    <VirtualHost _default_:443>
    
        #  General setup for the virtual host
        ServerName dummy-host.example.com
        ServerAdmin webmaster@dummy-host.example.com
        ServerAlias example.com www.example.com
    
        # DocumentRoot: The directory out of which you will serve your
        # documents. By default, all requests are taken from this directory, but
        # symbolic links and aliases may be used to point to other locations.
        DocumentRoot "/srv/www/htdocs"
        #ServerName www.example.com:443
        #ServerAdmin webmaster@example.com
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
    
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
    
        #   SSL Protocol support:
        # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
        #   List the protocol versions which clients are allowed to
        #   connect with. Disable SSLv2 by default (cf. RFC 6176).
        SSLProtocol all -SSLv2
        
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        #   See the mod_ssl documentation for a complete list.
        #
        #   Weak ciphers are disabled by default.
        #   Please see the documentation via the links above, and
        #   "openssl ciphers -v" for a complete list of ciphers that are
        #   available.
        #
        # The following default should work with openssl running in FIPS
        # mode.
        #    OPENSSL_FORCE_FIPS_MODE=1 rcapache2 restart
        # will start the web server with FIPS mode in openssl.
        # For more information, please have a look at
        # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
        # package.
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        
        #   Speed-optimized SSL Cipher configuration:
        #   If speed is your main concern (on busy HTTPS servers e.g.),
        #   you might want to force clients to specific, performance
        #   optimized ciphers. In this case, prepend those ciphers
        #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
        #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
        #   (as in the example below), most connections will no longer
        #   have perfect forward secrecy - if the server's key is
        #   compromised, captures of past or future traffic must be
        #   considered compromised, too.
        #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
        #SSLHonorCipherOrder on 
        
        #   Server Certificate:
        #   Point SSLCertificateFile at a PEM encoded certificate.  If
        #   the certificate is encrypted, then you will be prompted for a
        #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
        #   in mind that if you have both an RSA and a DSA certificate you
        #   can configure both in parallel (to also allow the use of DSA
        #   ciphers, etc.)
        SSLCertificateFile /etc/apache2/ssl.crt/server.crt
        #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
    
        #   Server Private Key:
        #   If the key is not combined with the certificate, use this
        #   directive to point at the key file.  Keep in mind that if
        #   you've both a RSA and a DSA private key you can configure
        #   both in parallel (to also allow the use of DSA ciphers, etc.)
        SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
        #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
    
        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
    
        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/apache2/ssl.crt
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    
        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
    
        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10
    
        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>
    
        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context. 
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
        </FilesMatch>
        
        <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
        </Directory>
        
        <Directory "/srv/www/htdocs">
        AllowOverride None
        #Options +Indexes +MultiViews +FollowSymLinks
        Options -Indexes -MultiViews +FollowSymLinks
        #IndexOptions FancyIndexing
    
        #AuthName "Top Secret on dummy-host.example.com"
        #AuthType Basic
        #AuthUserFile /srv/www/passwd/default
    
        #
        # Controls who can get stuff from this server.
        #
        #<limit GET POST>
        #  Require valid-user
        #  Order Deny,Allow
        #  Deny from All
        #  Allow from 127.0.0.1
        #  Allow from .example.com
        #  Satisfy any
        #</limit>
        </Directory>
    
    
        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is sent or allowed to be received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is sent and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly. 
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch "MSIE [2-5]" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
        
        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog /var/log/apache2/ssl_request_log   ssl_combined
    
        #
        # some Rewrite stuff for sharedssl
        #
        #RewriteEngine on
        ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite-ssl_log"
        ##RewriteLogLevel 3
        #RewriteCond %{HTTP_HOST}  ^webmail\..* [NC]
        #RewriteRule ^/$ https://sharedssl.example.com/roundcube/ [L,R]
        #RewriteRule ^/$ /roundcube [R]
    
    </VirtualHost>                                  
    
    </IfDefine>
    </IfDefine>

  7. #7

    Default Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    The key is 2048 bit. Which sounds rather excessive after you enquired if it was longer than 512, but I was just taking the old length (of 1024) suggested in the howtos at openssl.org and thought well, if I make a very rough application of Moore's Law to that length of 1024 that used to be posted at openssl, then 2048 seems reasonable. In fact I've just had a quick peek at their howtos and as far as I can see, the only thing that has changed after more than 10 years is the suggested length, to 2048. The certificate is indeed self-signed. I'm fairly sure that the tool you suggested I install using zypper is the thing I've been struggling with to configure Apache. I assume it's just a lack of familiarity with this method of configuration that's probably the real cause. Your instructions to access it are the same as what I use to access the config module. The FQDN on the certificate I made for the server and its actual FQDN are identical. I just tried localhost because the handshaking didn't even seem to get to the point of actually transmitting a public key. The setup guide I've been following is https://activedoc.opensuse.org/book/...he-http-server. The guide is a little bit outdated now, for example making reference to mkcert.sh which no longer exists, but it seems fine otherwise.

    I believe that if I can get the default vhost configured properly, there's a good chance it'll all start working smoothly. I was just a bit thrown when I did as the guide I linked to instructed, thought I'd made the default vhost, and then found that default-vhost.conf was unchanged. Especially since it looks like if you want to use SSL, you're supposed to do it through a vhost. Like I said in my first post, vhosts are the one thing I paid no attention to at all because I only had the one site to serve.

    I'll have another stab at trying to set up a default vhost and then post back again. I just didn't want to start trying to force config changes without the advice of people that have much more experience with using YaST to configure Apache than I do.

    I'll try your other suggestions after I figure out this vhost business.

  8. #8

    Default Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    Ok. I had another stab at creating a vhost and I got the message
    Quote Originally Posted by YaST
    Cannot adjust 'apache2' service.
    When I first opened up the HTTP server configuration module of YaST it said that it noticed I'd manually changed httpd.conf (by adding the line to load a missing ssl-related module). Is that anything to do with it? When I first set up the server it was giving that error because the line to include the module wasn't there.

  9. #9

    Default Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    Ok. I've sort of stumbled through the process and finally got it working. Thankfully systemctl status apache2.service pointed out that the last error I posted about was down to me putting "ServerAdmin dn3n97t93t5@networksolutionsprivateregistration.com" in the ServerAdmin config field during the vhost's setup process, so in the ip-based-vhosts config file it had "ServerAdmin ServerAdmin dn3n97t93t5@networksolutionsprivateregistration.com". I'll just have to put that down to me being blind. It may just be that the whole thing was because of my eyesight. There was one step that I know I made differently this time, and that was that instead of the specific IP of the host being used in the VHost ID, I told it to be for all IPs, and then did not use the option at the bottom of the window that lists all the vhosts to set it as the default, instead leaving the all-IP option to make it the default.

    I can't imagine that not setting it as the default vhost is what made the difference, but it's the only thing I know that I did differently. So after I rectified the server admin mistake it all went fine. Thanks for your patience and all of your suggestions Tsu. I'll still install those browser tools you suggested 'cause there's been several times in the past when they'd have come in handy.

  10. #10

    Default Re: I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so) prob

    No wait a minute. Scratch that. I've just noticed that the server is now responding to all http requests (i.e. port 80) with a 400 Bad Request. I guess I'll have another look at it tomorrow. It's bedtime here now.
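    A small diagnostic that separates the two symptoms seen in this thread (Firefox's ssl_error_rx_record_too_long on the HTTPS port, and a 400 Bad Request on the HTTP port) by looking at what the server actually sends back. This is an added example, not code from the thread or from openSUSE/Apache; the host and port defaults (localhost, 443) and the sample replies below are assumptions constructed for illustration. It builds a real TLS ClientHello with Python's ssl module, sends it raw, and classifies the first bytes of the reply: a TLS record (handshake or alert) means the port speaks TLS; a reply starting with "HTTP/" means the vhost bound to that port has no SSLEngine on, which is exactly the case that the browser reports as a record that "exceeded the maximum permissible length".

```python
"""Probe a port and report whether it answers a TLS ClientHello with TLS
or with plain HTTP (the ssl_error_rx_record_too_long case).
Added example; host/port defaults and sample replies are constructed."""
import socket
import ssl


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine TLS ClientHello using memory BIOs, no network needed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # diagnostic only: we never send application data
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # expected: the ClientHello is now in `outgoing`
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """Classify a server's first reply bytes.

    A TLS record starts with a content-type byte (0x16 handshake, 0x15 alert)
    followed by a 0x03xx protocol version; a plain HTTP reply starts with 'HTTP/'.
    """
    if not data:
        return "no-response"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def diagnose(reply_to_client_hello: bytes) -> str:
    """Map the classification onto the mod_ssl-level explanation."""
    kind = classify_first_bytes(reply_to_client_hello)
    if kind == "tls":
        return "port speaks TLS: check the certificate and key next"
    if kind == "plaintext-http":
        return ("server answered a TLS ClientHello with plain HTTP: the vhost bound "
                "to this port has no 'SSLEngine on' (browser reports "
                "ssl_error_rx_record_too_long)")
    if kind == "no-response":
        return "connection accepted but nothing sent back: check the Apache error log"
    return "reply is neither TLS nor HTTP: something else is listening here"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a real ClientHello to host:port and diagnose the first reply."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return diagnose(reply)


# Constructed sample replies (not captured from any server in this thread):
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n\r\n"
SAMPLE_TLS_HELLO = bytes.fromhex("160303005a020000560303")  # start of a ServerHello record
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020228")          # fatal alert: handshake_failure

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed defaults
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(host, port))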

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •