apache2 setup for SSL-TLS

I am integrating osCommerce into my existing (brochure-type) website and need help configuring SSL with apache2.
I just loaded my CA-issued ssl.csr and ssl.key files into their respective directories. I was hoping not to use the VirtualHost protocol, but would like to have my basic web content served through http/port 80 and my osCommerce pages through https/port 443 using the same Apache instance.

Here is some output which may be useful:

tall:/var/log/apache2 # service apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork) done
tall:/var/log/apache2 # tail -n 2 error_log
[Sat Aug 29 16:22:44 2009] [notice] caught SIGTERM, shutting down
[Sat Aug 29 16:22:45 2009] [notice] Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10 OpenSSL/0.9.8h PHP/5.2.9 with Suhosin-Patch configured -- resuming normal operations
tall:/var/log/apache2 #

I can navigate to my home page from outside my network using a web client (i.e. with Konqueror: http://menardsystems.com:80 or http://menardsystems.com:443), and get no indication of SSL being enabled. When I try https://menardsystems.com, I get the following browser client message:

Secure Connection Failed

An error occurred during a connection to menardsystems.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem.

The key I generated and submitted to the CA was a 2048-bit RSA private key. Any suggestions before I call the CA?

First of all, you have to use https://…, http://…:443 will not work.

Secondly, it’s the crt and key files that you install, and not the csr file.

You should check the files in /var/log/apache2/ for any log messages related to SSL startup.

Note that virtual hosting doesn’t work with HTTPS, you can only have one site per IP address with SSL. But virtual hosting will work with HTTP. HTTP and HTTPS can coexist on the same server.

My original post included the client attempts with http://menardsystems.com:80 and http://menardsystems.com:443 partly in order to establish that Apache is listening on those ports and that my firewall is configured accordingly. Is my understanding correct on that matter?

My earlier reference to “ssl.csr” was a typographical error; I had intended “ssl.crt”.

Here is an error_log message related to a client https request:
tall:/var/log/apache2 # tail -f /var/log/apache2/error_log

[Sun Aug 30 07:54:29 2009] [error] [client 99.2.135.18] Invalid method in request \x16\x03\x01

I have seen numerous Apache documentation references to the use of one (ip-based) https-SSL enabled site coexisting with an http site, with the option to use the virtual host directive or not for the https site. My case is simple in that I wish to serve both http and https content through “99.2.135.18”.
My understanding is that the pertinent configuration file related to this is “listen.conf”, so here is my current state:

tall:/etc/apache2 # cat listen.conf

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# mpm_common - Apache HTTP Server
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
#Listen 443

<IfDefine SSL>
    <IfDefine !NOSSL>
        <IfModule mod_ssl.c>

            Listen 443

        </IfModule>
    </IfDefine>
</IfDefine>

# Use name-based virtual hosting
#
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
#NameVirtualHost *:80
#
# - on all addresses and ports. This is your best bet when you are on
#   dynamically assigned IP addresses:
#
#NameVirtualHost *

#Listen 443
Listen 80

tall:/etc/apache2 #

My CA tech support responded to my service request with:

Please refer to the following link to learn more about “SSL_ERROR_RX_RECORD_TOO_LONG”
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1196

That link suggests:
"…If you are using Apache2:
In the ports.conf file, make sure it looks like the following:
— clip —
Listen 80
Listen 443 https
— clip —

The https after the 443 tells Apache2 to use the SSL protocol on that port."

I am assuming that the SUSE “listen.conf” file is an analogue of the “ports.conf” file.

When I adjust “listen.conf” accordingly, Apache fails to restart:
tall:/etc/apache2 # vi listen.conf
tall:/etc/apache2 # service apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork) (98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
startproc: exit status of parent of /usr/sbin/httpd2-prefork: 1
failed
tall:/etc/apache2 #

Any guidance will be appreciated. -- Mark

Looking at a working openSUSE server that does HTTPS: The ports do not need to be edited in listen.conf, only the line for the type of VirtualHosting. That’s the only change you need to listen.conf. To enable HTTPS you only have to enable SSL in /etc/sysconfig/apache.conf. Chances are you have repeated the 443 in two places. You can’t have the 443 inside a VirtualHost scope. VirtualHosts don’t work with HTTPS. But you can have VirtualHosts for port 80.

I don’t have /etc/sysconfig/apache.conf:

tall:/etc/sysconfig # ls -l
total 348
-rw-r--r-- 1 root root 34041 Aug 28 23:04 SuSEfirewall2
drwxr-xr-x 3 root root    21 Dec  3  2008 SuSEfirewall2.d
-rw-r--r-- 1 root root   571 Aug 22 13:31 amavis
-rw-r--r-- 1 root root 10084 Aug 29 22:52 apache2
-rw-r--r-- 1 root root 10065 Aug 29 16:03 apache2-old
-rw-r--r-- 1 root root   450 Aug 22 13:31 atd

Did you mean to say /etc/sysconfig/apache2?

If so, here is an excerpt from that file:

APACHE_SERVER_FLAGS="SSL"

(not commented out)

After restarting Apache, the output in the error_log file includes:
[Sun Aug 30 16:27:44 2009] [notice] Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10 OpenSSL/0.9.8h PHP/5.2.9 with Suhosin-Patch configured -- resuming normal operations

Doesn’t that suggest that SSL is enabled?

Yeah /etc/sysconfig/apache2.

That log message simply says that the ssl module is loaded. Whether it is actually activated depends on that -DSSL.

You should also be able to see that Apache is listening on 443 in the output of:

netstat -atn | grep :443

As stated earlier, http://localhost:443 works, but https://localhost:443 does not.

tall:/ # netstat -atn | grep :443
tcp 0 0 :::443 :::* LISTEN
tall:/ # curl https://localhost/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
tall:/ #

This means Apache is listening for HTTP on 443. Usually it’s because you don’t have HTTPS activated for that port, or have activated HTTP for that port. I would put listen.conf back the way it was fresh from the install, forget about VirtualHosts for HTTP for the time being and see if you can get HTTPS working. Check that you don’t have other listen 443’s in any of the config files. The only listen 443 should be the one enclosed within the ifdef SSL.

Another possibility is the cert isn’t correct. You could try turning on any debug options on curl. Or try wget with -S to show server responses.

wget -S https://localhost

or use telnet

telnet localhost 443
GET / HTTP/1.1

tall:/ # wget -S https://localhost
--2009-08-30 22:00:05-- https://localhost/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443… connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

tall:/ # curl -v https://menardsystems.com

* About to connect() to menardsystems.com port 443 (#0)
*   Trying 192.168.1.18... connected
* Connected to menardsystems.com (192.168.1.18) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
tall:/ #

I would like to know precisely what is generating error:140770FC.

Try to connect with telnet and see if port 443 responds to an HTTP request and delivers the content as if it were port 80. If so, you are not serving HTTPS on port 443 as the client expects.

telnet localhost 443
GET / HTTP/1.1
<return>
<return>

However if it says something to the effect “I was expecting you (the client) to start a SSL negotiation”, then that’s not the problem.

tall:/etc/apache2/ssl.crt # telnet localhost 443
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Mon, 31 Aug 2009 11:41:58 GMT
Server: Apache/2.2.10 (Linux/SUSE)
Content-Length: 300
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.10 (Linux/SUSE) Server at tall Port 80</address>
</body></html>
Connection closed by foreign host.
tall:/etc/apache2/ssl.crt #

Would it be a worthwhile exercise to rename my existing key/cert files and install a freshly generated and self-signed set to isolate that set of variables? Should I be looking for a robust and verbose SSL analysis tool?

Ok, the SSL port does seem to be working, only something seems to be wrong with the cert. Yes, what you propose seems to be the next logical step.

Did you remember that you have to provide a passwordless key to Apache? And since it’s passwordless, it should be readable only by root.

I had this exact problem. openSUSE 12.3, Apache 2.

https://myserver.net/ yielded error_rx_record_too_long

The port (443) was open. The config files “looked” good on first glance.

I am not sure how it happened, but the root cause was a missing include line in /etc/apache2/httpd.conf. It may be due to an attempt at activating SSL in Yast messing up the httpd.conf file. The missing line was:

Include /etc/apache2/default-vhost-ssl.conf

This yielded no error on apache start in the logs, and was only apparent on client connection. I found the error when I used the following command to connect to the web server:

openssl s_client -connect myserver.net:443

The output revealed that no key was available. That meant it had to be a mistake in the location of the key in the configuration files. The mistake was the files that pointed to the keys and certs were not included in the configuration.

I hope this post helps people who had to wade through all the “me too” posts for this error. I get a feeling this happens a lot.
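An added example (not jcarleto's or the original poster's code) that automates the two checks that resolved this thread: it walks an Apache 2.2-style config tree, following Include and honouring <IfDefine SSL>/<IfModule> the way -DSSL from APACHE_SERVER_FLAGS would, and reports a port that is bound but has no active VirtualHost with SSLEngine on, which is what a forgotten Include of default-vhost-ssl.conf produces. It also includes the root-only mode check the earlier reply asked for on a passphrase-less key. The file names and contents in BROKEN_TREE and FIXED_TREE are constructed to mirror the thread, not read from a real system, and glob-style Include lines are not modelled.

```python
import re
import stat
from typing import Dict, List, Optional, Set

# Constructed sample config tree (not the poster's real files): listen.conf
# binds 443 under -DSSL, but httpd.conf forgets to Include the SSL vhost.
BROKEN_TREE: Dict[str, str] = {
    "/etc/apache2/httpd.conf": (
        "Include /etc/apache2/listen.conf\n"
        "Include /etc/apache2/default-server.conf\n"
    ),
    "/etc/apache2/listen.conf": (
        "Listen 80\n"
        "<IfDefine SSL>\n"
        "  <IfDefine !NOSSL>\n"
        "    <IfModule mod_ssl.c>\n"
        "      Listen 443\n"
        "    </IfModule>\n"
        "  </IfDefine>\n"
        "</IfDefine>\n"
    ),
    "/etc/apache2/default-server.conf": 'DocumentRoot "/srv/www/htdocs"\n',
    "/etc/apache2/default-vhost-ssl.conf": (
        "<IfDefine SSL>\n"
        "<IfDefine !NOSSL>\n"
        "<VirtualHost _default_:443>\n"
        '    DocumentRoot "/srv/www/htdocs"\n'
        "    SSLEngine on\n"
        "    SSLCertificateFile /etc/apache2/ssl.crt/ssl.crt\n"
        "    SSLCertificateKeyFile /etc/apache2/ssl.key/ssl.key\n"
        "</VirtualHost>\n"
        "</IfDefine>\n"
        "</IfDefine>\n"
    ),
}
# The fix from the thread: one missing Include line.
FIXED_TREE = dict(BROKEN_TREE)
FIXED_TREE["/etc/apache2/httpd.conf"] += "Include /etc/apache2/default-vhost-ssl.conf\n"


def _port_of(addr: str) -> Optional[int]:
    """Port from '443', '443 https', '0.0.0.0:443', '[::]:443', '_default_:443', '*:443'."""
    tail = addr.split()[0].rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def parse_tree(tree: Dict[str, str], root: str, defines: Set[str],
               loaded=("mod_ssl.c",)):
    """Walk the config from root, following Include and honouring
    <IfDefine>/<IfModule>. Returns (bound ports, active VirtualHost records)."""
    listens: Set[int] = set()
    vhosts: List[dict] = []
    conds: List[bool] = []          # one truth value per open <IfDefine>/<IfModule>

    def active() -> bool:
        return all(conds)

    def walk(path: str) -> None:
        if path not in tree:
            raise FileNotFoundError(path)   # Apache itself refuses to start here
        vhost = None
        for raw in tree[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = re.match(r"<(IfDefine|IfModule)\s+(!?)(\S+)>", line)
            if m:
                known = defines if m.group(1) == "IfDefine" else loaded
                conds.append((m.group(3) in known) != bool(m.group(2)))  # '!' negates
                continue
            if line.startswith(("</IfDefine", "</IfModule")):
                conds.pop()
                continue
            m = re.match(r"<VirtualHost\s+(.+?)>", line)
            if m:
                vhost = {"addr": m.group(1), "port": _port_of(m.group(1)),
                         "ssl": False, "cert": None, "key": None,
                         "file": path, "active": active()}
                continue
            if line.startswith("</VirtualHost"):
                if vhost and vhost["active"]:
                    vhosts.append(vhost)
                vhost = None
                continue
            if not active():
                continue
            parts = line.split(None, 1)
            name, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if name == "Include":
                if "*" not in arg:          # glob includes are not modelled here
                    walk(arg)
            elif name == "Listen":
                port = _port_of(arg)
                if port is not None:
                    listens.add(port)
            elif vhost is not None:
                if name == "SSLEngine":
                    vhost["ssl"] = arg.lower() == "on"
                elif name == "SSLCertificateFile":
                    vhost["cert"] = arg
                elif name == "SSLCertificateKeyFile":
                    vhost["key"] = arg

    walk(root)
    return listens, vhosts


def audit(tree: Dict[str, str], root: str, defines: Set[str],
          tls_ports=(443,)) -> List[str]:
    """Findings that explain a plaintext HTTP answer on an HTTPS port."""
    listens, vhosts = parse_tree(tree, root, defines)
    findings: List[str] = []
    ssl_ports = {v["port"] for v in vhosts if v["ssl"]}
    for port in sorted(listens):
        if port in tls_ports and port not in ssl_ports:
            findings.append(f"port {port} is bound but no active VirtualHost has "
                            f"'SSLEngine on': Apache will answer plain HTTP there")
    for v in vhosts:
        if v["ssl"] and not (v["cert"] and v["key"]):
            findings.append(f"{v['file']}: SSL vhost {v['addr']} lacks "
                            f"SSLCertificateFile/SSLCertificateKeyFile")
    return findings


def key_mode_ok(mode: int) -> bool:
    """A passphrase-less key must not be readable by group or world (0600 or 0400)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Against the broken tree the audit reports port 443 bound with no SSL vhost, which is precisely what produces the "Invalid method in request \x16\x03\x01" log line; with the Include restored it reports nothing. Dropping SSL from the defines (no -DSSL in APACHE_SERVER_FLAGS) leaves only port 80 bound, the other quiet failure mode in this thread.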

I had the same problem - thanks for your help jcarleto - I owe you a beer!

jcarleto, you saved my life, thanks a lot.
I had this problem too.