Apache SSL not working; Warning: [ssl:warn] [pid 4035] AH01873: Init: Session Cache is not configure

Hi everybody,

recently I switched from Debian to openSUSE using Tumbleweed on my laptop and it’s working really very well. Now I installed Leap 15.2 on the server and the only thing that doesn’t work is Apache with SSL.
I can access the start page with http.
In the Error log, I get the following warning: [ssl:warn] [pid 4035] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
I made a certificate for testing with /usr/bin/gensslcert.

My settings for apache are:

listen.conf:


Listen 80
Listen 443 https

<IfDefine SSL>
        <IfDefine !NOSSL>
        <IfModule mod_ssl.c>

                Listen 443

        </IfModule>
        </IfDefine>
</IfDefine>


ssl-global.conf:


<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl

        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is an internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        <IfDefine SYSTEMD>
        SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
        </IfDefine>
        <IfDefine !SYSTEMD>
        SSLPassPhraseDialog  builtin
        </IfDefine>

        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   Note that on most platforms shared memory segments are not allowed to be on
        #   network-mounted drives, so in that case you need to use the dbm method.
        #SSLSessionCache        none
        <IfModule mod_socache_dbm.c>
        SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
        </IfModule>

        <IfModule mod_socache_shmcb.c>
        SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
        </IfModule>

        SSLSessionCacheTimeout  300

        #   Configures the cache used to store OCSP responses which get included in
        #   the TLS handshake if SSLUseStapling is enabled. Configuration of a cache
        #   is mandatory for OCSP stapling. With the exception of none and nonenotnull,
        #   the same storage types are supported as with SSLSessionCache.
        #<IfModule mod_socache_dbm.c>
        #SSLStaplingCache       dbm:/var/lib/apache2/ssl_stapling
        #</IfModule>

        <IfModule mod_socache_shmcb.c>
        SSLStaplingCache        shmcb:/var/lib/apache2/ssl_stapling(64000)
        </IfModule>

        SSLStaplingStandardCacheTimeout         86400
        SSLStaplingErrorCacheTimeout            300
        SSLStaplingReturnResponderErrors        Off

        #   Pseudo Random Number Generator (PRNG):
        #   Configure one or more sources to seed the PRNG of the
        #   SSL library. The seed data should be of good random quality.
        #   WARNING! On some platforms /dev/random blocks if not enough entropy
        #   is available. This means you then cannot use the /dev/random device
        #   because it would lead to very long connection times (as long as
        #   it requires to make more entropy available). But usually those
        #   platforms additionally provide a /dev/urandom device which doesn't
        #   block. So, if available, use this one instead. Read the mod_ssl User
        #   Manual for more details.
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
        #SSLRandomSeed startup file:/dev/random  512
        #SSLRandomSeed connect file:/dev/random  512
        #SSLRandomSeed startup file:/dev/urandom 512
        #SSLRandomSeed connect file:/dev/urandom 512

        #   SSL protocols
        #   Allow TLS version 1.2 or higher, which is a recommended default
        #   these days by international information security standards.
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        #   See the mod_ssl documentation for a complete list.
        #   The magic string "DEFAULT_SUSE" expands to an openssl defined
        #   secure list of default ciphers (openssl ciphers -v DEFAULT_SUSE).
        SSLCipherSuite DEFAULT_SUSE

        #   SSLHonorCipherOrder
        #   If SSLHonorCipherOrder is disabled, then the client's preferences
        #   for choosing the cipher during the TLS handshake are used.
        #   If set to on, then the above SSLCipherSuite is used, in the order
        #   given, with the first supported match on both ends.
        SSLHonorCipherOrder on

        #   Server Certificate:
        #   Point SSLCertificateFile at a PEM encoded certificate.  If
        #   the certificate is encrypted, then you will be prompted for a
        #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
        #   in mind that if you have both an RSA and a DSA certificate you
        #   can configure both in parallel (to also allow the use of DSA
        #   ciphers, etc.)
        SSLCertificateFile /etc/apache2/ssl.crt/hohensinn.spdns.org-server.crt
        #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

        #   Server Private Key:
        #   If the key is not combined with the certificate, use this
        #   directive to point at the key file.  Keep in mind that if
        #   you've both a RSA and a DSA private key you can configure
        #   both in parallel (to also allow the use of DSA ciphers, etc.)
        SSLCertificateKeyFile /etc/apache2/ssl.key/hohensinn.spdns.org-server.key
        #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded intermediate CA
        #   certificates which form the certificate chain for the
        #   server certificate. Alternatively the referenced file
        #   can be the same as SSLCertificateFile when the CA
        #   certificates are directly appended to the server
        #   certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/apache2/ssl.crt
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

</IfModule>
</IfDefine>
</IfDefine>

I also tried it without a firewall; in Firefox via the LAN I get the following message:
Fehlercode: SSL_ERROR_RX_RECORD_TOO_LONG

Does anybody know, how I make apache work??

Many thanks,

Bernhard

You also need to add SSL to modules being loaded.

sudo a2enmod ssl

or

edit /etc/sysconfig/apache2/ and find APACHE_SERVER_FLAGS="", change it to APACHE_SERVER_FLAGS="SSL" and systemctl restart apache2.

Hi,

thanks for the immediate reply. I had already enabled the ssl module in Apache2, I changed the APACHE_SERVER_FLAGS as you described, restarted apache, but it’s all the same. I tried for some hours to find what I did wrong by searching the net and working with the openSUSE Leap guide, but still Apache doesn’t work.

My /var/log/apache2/errorlog:

[Thu Sep 03 19:46:04.910673 2020] [mpm_prefork:notice] [pid 2884] AH00170: caught SIGWINCH, shutting down gracefully
AH00557: httpd-prefork: apr_sockaddr_info_get() failed for hohensinn
AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[Thu Sep 03 19:46:04.979528 2020] [mpm_prefork:notice] [pid 3136] AH00163: Apache/2.4.43 (Linux/SUSE) OpenSSL/1.1.1d configured -- resuming normal operations
[Thu Sep 03 19:46:04.979644 2020] [core:notice] [pid 3136] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -D SSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sys>

Thanks in advance

Bernhard

Did you also create a vhost configuration file for your site? Merely defining the .key/.crt + adding 443 / ssl would not suffice.

There is a vhost-ssl.template in /etc/apache2/vhosts.d that you need to copy to a new file (ending with .conf) and edit the contents of that file to reflect your site. The file is pretty well documented / includes a link to a quickstart you can read. Then restart apache.

Note: after editing and patching things together, you can issue apachectl configtest to see if everything is working properly.

Edit:
Also note there is a YAST module for configuring Apache if you prefer GUI.
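
Added example, not part of the thread and not openSUSE's own tooling: a small Python check for the condition the reply above describes, a TLS port named in a Listen line with no VirtualHost on that port that sets SSLEngine on. The sample inputs are constructed; the vhost address _default_:443 and the file name site.conf are assumptions, and IfDefine/IfModule wrappers are treated as active.

```python
import re

LISTEN = re.compile(r"^Listen\s+(?:\S+:)?(\d+)(?:\s+(\S+))?$", re.I)
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
SSL_ENGINE = re.compile(r"^SSLEngine\s+(\S+)", re.I)

def vhost_ports(args):
    """Ports named on a <VirtualHost ...> line; '*' stands for any port."""
    ports = set()
    for token in args.split():
        port = token.rsplit(":", 1)[-1] if ":" in token else "*"
        ports.add(int(port) if port.isdigit() else "*")
    return ports

def tls_ports_without_ssl_vhost(files, tls_ports=(443,)):
    """Listened-on TLS ports for which no vhost sets 'SSLEngine on'."""
    expected, covered = set(), set()
    for text in files.values():
        current = None  # ports of the <VirtualHost> block being read
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if m := LISTEN.match(line):
                port, proto = int(m.group(1)), (m.group(2) or "").lower()
                if port in tls_ports or proto == "https":
                    expected.add(port)
            elif m := VHOST_OPEN.match(line):
                current = vhost_ports(m.group(1))
            elif line.lower().startswith("</virtualhost"):
                current = None
            elif (m := SSL_ENGINE.match(line)) and current is not None:
                if m.group(1).lower() == "on":
                    covered |= current
    return [] if "*" in covered else sorted(expected - covered)

# Constructed sample input: the Listen lines as posted, and a vhost file.
LISTEN_CONF = "Listen 80\nListen 443 https\n<IfDefine SSL>\n  Listen 443\n</IfDefine>\n"
VHOST_CONF = """<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/hohensinn.spdns.org-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/hohensinn.spdns.org-server.key
</VirtualHost>
"""

if __name__ == "__main__":
    print(tls_ports_without_ssl_vhost({"listen.conf": LISTEN_CONF}))
    print(tls_ports_without_ssl_vhost({"listen.conf": LISTEN_CONF,
                                       "site.conf": VHOST_CONF}))
```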

Hi Miuku,

thanks a lot, you saved my day.
Because of the error log, I was searching for an error in the basic configuration, but the error was in the vhost-file.

Thanks and all the best,

Bernhard