https for apache2

Hello;

I am facing a problem enabling https with apache2. I feel it is related to the certificate, as I am creating a dummy certificate, but so far I have not been able to find the reason. Please find below my data and configuration for the openSUSE machine:

ANASKW:~ # cat /etc/SuSE-release
openSUSE 12.1 (x86_64)
VERSION = 12.1
CODENAME = Asparagus

vi /var/log/apache2/error.log

[Sat May 25 23:37:26 2013] [info] Init: Seeding PRNG with 144 bytes of entropy
[Sat May 25 23:37:26 2013] [info] Loading certificate & private key of SSL-aware server
[Sat May 25 23:37:26 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Sat May 25 23:37:26 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat May 25 23:37:26 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat May 25 23:37:26 2013] [info] Init: Initializing (virtual) servers for SSL
[Sat May 25 23:37:26 2013] [info] Configuring server for SSL protocol
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: TLSv1)
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(666): Configuring permitted SSL ciphers [ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH]
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(797): Configuring RSA server certificate
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(836): Configuring RSA server private key
[Sat May 25 23:37:26 2013] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/1.0.0k

ANASKW:/var/log/apache2 # rcapache2 restart
redirecting to systemctl
Job failed. See system logs and 'systemctl status' for details.

ANASKW:/var/log/apache2 # systemctl status apache2.service
apache2.service - apache
Loaded: loaded (/lib/systemd/system/apache2.service; enabled)
Active: failed since Sat, 25 May 2013 23:44:32 +0300; 36s ago
Process: 27659 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -k start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/apache2.service

vi /etc/apache2/listen.conf

Listen 443
Listen 80

vi /etc/apache2/vhosts.d/vhost-ssl.conf

<VirtualHost default:443>

<VirtualHost *:443>

    #  General setup for the virtual host
    DocumentRoot "/srv/www/htdocs"
    ServerName 192.168.0.5:443
    ServerAdmin webmaster@anas.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

SSLCertificateFile /etc/apache2/ssl.crt/server.crt

SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

The certificate was generated using the following command:

gensslcert -c KW -s Farwaneyyah -o anas -e webmaster@anas.com -n 192.168.0.5

subject=/C=KW/ST=Farwaneyyah/L=unknown/O=anas/OU=web server/CN=192.168.0.5/emailAddress=webmaster@anas.com

About the /etc/sysconfig/apache2: ssl exists in APACHE_MODULES and in APACHE_SERVER_FLAGS. I tried APACHE_SERVER_FLAGS="-D SSL" and I tried APACHE_SERVER_FLAGS="SSL", but no luck.

What is wrong with what I have? I feel it is related to the certificate … but what could it be?

Regards
Bilal

Any Help?

Regards
Bilal

Now I used:

openssl genrsa -des3 -out server.key -rand randomfile
and
openssl req -new -x509 -key server.key -out server.crt

And I placed the ServerName anaskw:443 and I used this name (anaskw) to create the crt file.

Now, when I am typing rcapache2 restart, I am getting the following:

anaskw:/etc/apache2/vhosts.d # rcapache2 restart
redirecting to systemctl
Enter SSL pass phrase for anaskw:443 (RSA): *********
Job failed. See system logs and 'systemctl status' for details.

And the log is:

vi /var/log/apache2/error_log:

[Sun May 26 14:05:58 2013] [info] Init: Seeding PRNG with 144 bytes of entropy
[Sun May 26 14:05:58 2013] [info] Loading certificate & private key of SSL-aware server
[Sun May 26 14:05:58 2013] [info] Init: Requesting pass phrase from dialog filter program (/usr/sbin/apache2-systemd-ask-pass)
[Sun May 26 14:06:01 2013] [debug] ssl_engine_pphrase.c(476): encrypted RSA private key - pass phrase requested
[Sun May 26 14:06:01 2013] [info] Loading certificate & private key of SSL-aware server
[Sun May 26 14:06:01 2013] [info] anaskw:443 reusing existing RSA private key on restart
[Sun May 26 14:06:01 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun May 26 14:06:01 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun May 26 14:06:01 2013] [info] Init: Initializing (virtual) servers for SSL
[Sun May 26 14:06:01 2013] [info] Configuring server for SSL protocol
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(666): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(797): Configuring RSA server certificate
[Sun May 26 14:06:01 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(836): Configuring RSA server private key
[Sun May 26 14:06:01 2013] [info] Configuring server for SSL protocol
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: TLSv1)
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(666): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(797): Configuring RSA server certificate
[Sun May 26 14:06:01 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(836): Configuring RSA server private key
[Sun May 26 14:06:01 2013] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/1.0.0k

What do I have to do?
Really, I am getting very tired.

Regards
Bilal
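
As an added example (not part of the thread and not code from any poster), a small Python audit of the mod_ssl startup logs posted above: it pulls the protocol list, the cipher string and any warnings out of each line so the 25 May and 26 May configurations can be compared. The log excerpts are copied from the posts; the function name and the list of cipher classes checked are assumptions of this example.

```python
import re

# Excerpts copied from the two error logs posted in this thread.
LOG_25_MAY = """\
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: TLSv1)
[Sat May 25 23:37:26 2013] [debug] ssl_engine_init.c(666): Configuring permitted SSL ciphers [ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH]
"""
LOG_26_MAY = """\
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sun May 26 14:06:01 2013] [debug] ssl_engine_init.c(666): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sun May 26 14:06:01 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
"""

# "[timestamp] [level] optional source.c(line): message"
LINE = re.compile(r"^\[[^\]]+\] \[(\w+)\] (?:\S+\(\d+\): )?(.*)$")
OLD_PROTOCOLS = {"SSLv2", "SSLv3"}
# Assumption of this example: classes that should carry an explicit "!" when
# the string starts from ALL (the 25 May string excludes every one of them).
WEAK_CLASSES = ("aNULL", "SSLv2", "LOW", "EXP", "MD5")

def audit_mod_ssl_log(text):
    """Return de-duplicated findings, in order of first appearance."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, msg = m.groups()
        proto = re.search(r"\(protocols: ([^)]*)\)", msg)
        ciphers = re.search(r"permitted SSL ciphers \[([^\]]*)\]", msg)
        if proto:
            enabled = {p.strip() for p in proto.group(1).split(",")}
            for p in sorted(enabled & OLD_PROTOCOLS):
                findings.append(f"protocol {p} enabled")
        elif ciphers:
            tokens = ciphers.group(1).split(":")
            if "ALL" in tokens:
                for c in WEAK_CLASSES:
                    # "+X" only reorders; just "!X" removes a class for good
                    if "!" + c not in tokens:
                        findings.append(f"cipher class {c} not excluded with !{c}")
        elif level in ("warn", "error"):
            findings.append(f"{level}: {msg}")
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    for name, log in (("25 May", LOG_25_MAY), ("26 May", LOG_26_MAY)):
        print(name, audit_mod_ssl_log(log))
```

The 25 May log yields no findings, while the 26 May log reports SSLv2/SSLv3, the cipher classes left in by the hand-written SSLCipherSuite, and the CA-certificate warning.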

Hi,

Please be patient. We are all here as volunteers, have our daily jobs, and sometimes are limited in our time here for personal reasons. Plus… you posted this on a Friday night.
Some advice: post output between CODE tags, the way it is now is hard to read.

Hello;

I am very sorry for this …

I have the following settings right now:

at the default-server.conf

ServerName 192.168.0.5
#ServerName anaskw
ServerAdmin bilal.ghayad@helloonet.com

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

At listen.conf:

Listen 80
Listen 443

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

        Listen 443


    </IfModule>
</IfDefine>

</IfDefine>

I decided not to use the virtual as it is going to be one application only to be browsed.
About the certifications:
It is placed in the /etc/apache2/ssl.key/ and /etc/apache2/ssl.crt/ and /etc/apache2/ssl.csr/ and I used the following techniques from the following link:

OpenSUSE Linux: Creating Self-Signed SSL Certificates | Mr.Novell’s Blog

openssl genrsa -des3
openssl req -new -x509
openssl x509 -req

Also, I tried to use the virtual, and in the virtual configuration I set the ServerName to 192.168.0.5:443, but no luck.
Could it be something related to the generated certificate and the ssl module that I have (whether they are compatible or not)? How can I adjust this?

Regards
Bilal

I will repeat Knurohts last question, which for some reason you did not understand (which is quite possible, but you did not tell us you didn't understand). Please post all computer text in your post between CODE tags. You get those tags by clicking on the # button in the toolbar of the post editor.

And then copy/paste it complete: prompt, command, output, next prompt between those tags. Then you have to add almost no comment, because we can all read who you were, where you were and what you did to get the output.

Hello;

Please help me to learn: is it good like this? I am really new to the forum. Again, sorry.

By the way: to be able to generate certificate, is it required to have a domain (www.forexample.com) and to be directed for the IP address of the machine? Actually I am trying to generate license on a machine that does not have domain (I am writing in the Server Name 192.168.0.5, which is the IP address of the computers).

I have the following settings right now:

at the default-server.conf


ServerName 192.168.0.5
ServerAdmin bilal.ghayad@helloonet.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

At listen.conf:



Listen 80
Listen 443


<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>


Listen 443


</IfModule>
</IfDefine>
</IfDefine>


I decided not to use the virtual as it is going to be one application only to be browsed.

About the certifications:
It is placed in the /etc/apache2/ssl.key/ and /etc/apache2/ssl.crt/ and /etc/apache2/ssl.csr/ and I used the following techniques from the following link:

OpenSUSE Linux: Creating Self-Signed SSL Certificates | Mr.Novell’s Blog

openssl genrsa -des3
openssl req -new -x509
openssl x509 -req

Also, I tried to use the virtual, and in the virtual configuration I set the ServerName to 192.168.0.5:443, but no luck.
Could it be something related to the generated certificate and the ssl module that I have (whether they are compatible or not)? How can I adjust this?

Regards
Bilal

I would like to add that I kept the ssl-global.conf as it is, and I need to know if this affects the type of the certificate files that I have to generate:

        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl


        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        <IfDefine SYSTEMD>
        SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
        </IfDefine>
        <IfDefine !SYSTEMD>
        SSLPassPhraseDialog  builtin
        </IfDefine>



Regards
Bilal