I can't figure out why SSL in Apache isn't working. (Not the missing mod_socache_shmcb.so problem)

Hello everyone. Some time roughly around October 2013 SSL just suddenly stopped working in Apache. I hadn’t made a significant effort to resolve the problem until now because I had just started a University course and was directing most of my attention into that. I assumed that whatever the problem was, if I couldn’t find a solution with a few quick internet searches then it was probably going to require more of my time than I had to spare whilst doing my course. Well, now I’ve more-or-less finished the year and I want to get to the bottom of the problem.

Unfortunately, with the long wait between this problem surfacing and now, the exact details are a bit hazy. I now realise that I’ve confused two separate problems that probably arose independently and I now have no idea about when the remaining problem began. I think I must have fixed the first problem that can be solved by tweaking httpd.conf because that one prevented Apache from starting at all. This second problem, however, allows Apache to start, but when it is running connections via SSL/TLS fail. Opera doesn’t give any useful information about the failure, but Firefox at least has this to say:

**Secure Connection Failed**

An error occurred during a connection to localhost. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

I’ve put various parts of that message into Google and it seems that it is usually caused by a misconfiguration of a network somewhere between the client and the server. This seemed like a plausible cause of the error for a short time, because much had changed in the intervening months. I changed my domain’s Registrar of Record, upgraded the host’s OS from OpenSuse 12.3 to 13.1, my ISP and consequently the router through which I access the internet. None of those changes are related to my current problem as far as I know, but there’s plenty of areas where I could do something wrong and not notice it for a while.

I very strongly suspect that it has nothing at all to do with any of those changes and is much more likely to be down to some misconfiguration I keep making in Apache. I say this because I installed Apache/MySQL/PHP on this computer and tried to configure Apache to accept SSL/TLS connections. I did this to avoid fouling up the configuration of the actual web host and so that there couldn’t be any configuration tweaks that I’d tried and then forgotten about. Starting from a clean slate.

Anyway, I installed Apache/MySQL/PHP from the web and LAMP server pattern in YaST, made the necessary edit to httpd.conf and made a key and certificate and stuck 'em in /etc/apache2/ssl.key/ and /etc/apache2/ssl.crt/ respectively. Tried setting up a default virtual host and indicated where the certificate and key were and then set Apache running. Exactly the same as on the main host, it serves unencrypted URLs fine, but as soon as you shove https:// in front of that address, it all goes horribly wrong. The reason I so strongly suspect that it is a problem with my configuration is that this happens even on https://localhost/, so the request never even reaches the router for it to get fiddled with by the router or any other part of any other network. Both machines are OpenSuse 13.1, but I’m fairly sure this started before I upgraded.

I’m not used to all the extra configuration files involved with YaST. A little over a decade ago, I started out using Apache, MySQL and so on by compiling them from source. I thought that if I learned about building them from source, that would give me a better understanding of how to fix problems that may arise when configuring them with tools like YaST. As it turned out, I was hopelessly wrong. I get hopelessly confused by all the various inclusions of the many configuration files. I also never bothered to read anything at all about vhosts because I only served the one site from the server. I was usually too busy manually resolving dependencies flagged up by configure and make, which is a strong incentive to stick with management via YaST and not to go back to compiling from source.

Anyway, what more do I need to post to make this more than just a vague description? I assume many of the Apache config files will be necessary, so I’ll start editing copies of those to remove my domain name and IP addresses from them and then post them up soon, but is there anything else?

I haven’t tried to troubleshoot your problem before, and I don’t know if you’re looking at two or a single problem.

Googling your first problem

Error code: ssl_error_rx_record_too_long

Returns a few hits, of which the first
https://support.mozilla.org/en-US/questions/853637
Seems to suggest the problem is exactly as the error describes… some data is being returned which exceeds the max length. If you install the Firefox Firebug plugin you’ll get more detailed info. Or, likely more easily if this problem also shows up in a Chrome family browser (Chrome, Chromium, Canary, et al), just launch the debugger with CTL-SHIFT-J before accessing the page you want to analyze. If you’re using IE, you’ll have to install Visual Studio for a web browser debugger.

The "other" issue which may or may not be related

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

might be related to the current more strict implementation of SSL which is being enforced everywhere… SSL now should not just encrypt, it should now be to authenticate the machine you are connecting to. As always, the certificate should match the FQDN of the website, but now it’s enforced although may be over-ridden manually.

Assuming you are mis-configuring Apache, the solution will depend on first undoing what you’ve done, then describing what you’re doing or what guide you’re following.

Or, better yet, install the YAST plugin that configures apache

zypper in yast2-http-server

After install, you should see an icon in YAST > Network Services called “HTTP Server”

HTH,
TSU
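Added example, not code from the thread, from TSU or from openSUSE: a small POSIX shell diagnostic for exactly the symptom quoted above. Firefox raises ssl_error_rx_record_too_long when whatever comes back from port 443 is not a TLS record at all; it reads a plaintext reply as a record header whose length field is nonsense. So the first question is not "which certificate" but "is that port even speaking TLS". The classifier below is exercised offline on constructed byte strings; the live probe and the sysconfig check need the real box, and the host name, port, timeout, the sysconfig path and the a2enflag tool are assumptions about an openSUSE 13.1 install like the one described.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Firefox reports
# ssl_error_rx_record_too_long when the reply to its ClientHello is not a
# TLS record; the usual cause is a listener on :443 that answers in plain
# HTTP because no vhost with "SSLEngine on" is bound to it. These functions
# look at the first bytes of the reply instead of guessing.

# Classify five reply bytes given as space-separated hex, the format that
# `od -An -tx1` prints. A TLS record starts with a content-type byte
# (0x14 ChangeCipherSpec, 0x15 Alert, 0x16 Handshake, 0x17 AppData)
# followed by the major-version byte 0x03; a plain HTTP server answers
# with ASCII, normally "HTTP/1.1 400 Bad Request".
classify_first_bytes() {
    set -- $1                    # one positional parameter per hex byte
    [ -n "$1" ] || { echo no-response; return 0; }
    case "$1 $2 $3 $4" in
        1[4567]" 03 "*)  echo tls ;;
        "48 54 54 50")   echo plaintext-http ;;   # ASCII "HTTP"
        *)               echo unknown ;;
    esac
}

# Same classification for raw bytes on stdin (only the first five are read).
classify_stream() {
    classify_first_bytes "$(od -An -tx1 -N5)"
}

# Live probe; needs the network and is not part of the offline self-test.
# Sends a bare TLS record header followed by a blank line: mod_ssl answers
# with an Alert record (15 03 ..) or simply closes the socket, while a
# plain HTTP listener answers "HTTP/1.1 400 Bad Request". Host, port and
# the 3 s timeout are assumptions; -w is the timeout flag on the common
# nc implementations.
probe_port() {
    host=${1:-localhost}; port=${2:-443}
    printf '\026\003\001\000\005\r\n\r\n' | nc -w 3 "$host" "$port" | classify_stream
}

# openSUSE-specific config check, based on the files posted in this thread:
# default-vhost-ssl.conf is wrapped in <IfDefine SSL>, so the :443 vhost
# only exists when apache2 runs with -D SSL, which /etc/sysconfig/apache2
# supplies through APACHE_SERVER_FLAGS (a2enflag SSL sets it). The paths
# and the a2enflag tool are assumptions about this install.
check_ssl_define() {
    if grep -Eq '^APACHE_SERVER_FLAGS=.*SSL' /etc/sysconfig/apache2; then
        echo "SSL define: set"
    else
        echo "SSL define: missing (a2enflag SSL, then restart apache2)"
    fi
    # -S dumps the parsed vhost table; -D SSL shows what the vhost file contributes
    /usr/sbin/apache2ctl -D SSL -S 2>&1 | grep 443 || echo "no :443 virtual host found"
}
```

Run `probe_port localhost 443` on the server itself (the original poster sees the failure on https://localhost/ too, so the router is out of the picture). `plaintext-http` confirms what the Firefox error says on the wire; `no-response` means nothing answered on 443 at all; `tls` means the handshake is happening and the certificate is the next thing to look at.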

Right. Here’s the most obvious config files to post.

The forum says my post is too long if I don’t break it into chunks. So here are the first two files.
httpd.conf contains one change that I made to the file outside of YaST and is indicated by the long line of #'s surrounding the text saying the line above is the one I added manually. The last line in the file confirms that the minor changes I made through YaST have been applied.

**httpd.conf**
#
# /etc/apache2/httpd.conf 
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://en.opensuse.org/Apache_Quickstart_HOWTO


# Overview of include files, chronologically:
#
# httpd.conf
#  | 
#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
#  |-- sysconfig.d/loadmodule.conf . . . . .  [*] load these modules
#  |-- listen.conf . . . . . . . . . . . . .  IP addresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
#  |-- sysconfig.d/global.conf . . . . . . .  [*] server-wide general settings
#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
#  |
#  |-- sysconfig.d/include.conf  . . . . . .  [*] your include files
#  |                                             (for each file to be included here, put its name 
#  |                                              into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
#  |
#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
#
#
# Files marked [*] are created from sysconfig upon server restart: instead of
# these files, you edit /etc/sysconfig/apache2



#  Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
#  |-- conf.d/
#  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
#  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
#  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
#  |-- default-server.conf
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
#  |-- sysconfig.d/  . . . . . . . . . . . .  files that are created from /etc/sysconfig/apache2
#  |   |-- global.conf
#  |   |-- include.conf
#  |   `-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
#      |-- vhost-ssl.template
#      `-- vhost.template



### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
######## The ABOVE LINE HAS BEEN ENTERED BY STEPHEN AND IS NOT PART OF THE DEFAULT CONFIGURATION ###############
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to 
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var

### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any &lt;VirtualHost&gt; containers you may define later in the file.
#
# All of these directives may appear inside &lt;VirtualHost&gt; containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf


# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf


### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
IncludeOptional /etc/apache2/vhosts.d/*.conf


# Note: instead of adding your own configuration here, consider 
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in 
#       /etc/sysconfig/apache2 -- this will make system updates 
#       easier :) 


**default-server.conf**
#
# Global configuration that will be applicable for all virtual hosts, unless
# deleted here, or overridden elsewhere.
# 

DocumentRoot "/srv/www/htdocs"

#
# Configure the DocumentRoot
#
<Directory "/srv/www/htdocs">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs-2.2/mod/core.html#options
    # for more information.
    Options None
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    AllowOverride None
    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
</Directory>

# Aliases: aliases can be added as needed (with no limit). The format is 
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL.  So "/icons" isn't aliased in this
# example, only "/icons/".  If the fakename is slash-terminated, then the 
# realname must also be slash terminated, and if the fakename omits the 
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings.  If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/apache2/icons/"

<Directory "/usr/share/apache2/icons">
 Options Indexes MultiViews
 AllowOverride None
 Order allow,deny
 Allow from all
</Directory>

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/srv/www/cgi-bin">
 AllowOverride None
 Options +ExecCGI -Includes
 Order allow,deny
 Allow from all
</Directory>

# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# To disable it, simply remove userdir from the list of modules in APACHE_MODULES 
# in /etc/sysconfig/apache2.
#
<IfModule mod_userdir.c>
    # Note that the name of the user directory ("public_html") cannot simply be
    # changed here, since it is a compile time setting. The apache package
    # would have to be rebuilt. You could work around by deleting
    # /usr/sbin/suexec, but then all scripts from the directories would be
    # executed with the UID of the webserver.
    UserDir public_html
    # The actual configuration of the directory is in
    # /etc/apache2/mod_userdir.conf.
    Include /etc/apache2/mod_userdir.conf
</IfModule>


# Include all *.conf files from /etc/apache2/conf.d/.
#
# This is mostly meant as a place for other RPM packages to drop in their
# configuration snippet.
#
# You can comment this out here if you want those bits include only in a
# certain virtual host, but not here.
#
IncludeOptional /etc/apache2/conf.d/*.conf

# The manual... if it is installed ('?' means it won't complain)
IncludeOptional /etc/apache2/conf.d/apache2-manual?conf
ServerName home

ServerAdmin dn3n97t93t5@networksolutionsprivateregistration.com


Assuming this is a self-generated cert, how long is it? 256-bit? 512-bit? Longer?

Again,
If you use one of the browser debuggers I mentioned, you’ll likely return something more detailed.

TSU
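Added example, not code from the thread or from TSU: rather than guessing the key length, ask openssl. The default paths are the ones the vhost-ssl file posted in this thread points at (/etc/apache2/ssl.crt/server.crt and /etc/apache2/ssl.key/server.key); the functions are exercised offline against a throwaway self-signed pair generated by the self-test, so nothing touches the live files unless you call ssl_pair_report on them.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the certificate and key that
# the posted default-vhost-ssl.conf points at with openssl instead of
# guessing their size. Default paths are the ones in the posted config;
# pass other files as arguments to ssl_pair_report.

# RSA modulus size of the certificate's public key, e.g. 2048. Matches both
# "Public-Key: (2048 bit)" and the older "RSA Public Key: (2048 bit)".
cert_key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Subject line plus the subjectAltName line, if the certificate has one.
# Browsers match the host name against these, so "localhost" has to be in
# here for https://localhost/ to validate without a warning.
cert_names() {
    openssl x509 -noout -subject -in "$1"
    openssl x509 -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# True if the certificate has not expired (-checkend 0 = "valid right now").
cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# True if the certificate's public key and the private key share a modulus,
# i.e. SSLCertificateFile and SSLCertificateKeyFile really belong together.
# mod_ssl refuses to start the vhost when they do not.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa  -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ]
}

# True for a passphrase-protected PEM key. Apache would have to prompt for
# the passphrase at start-up, which cannot happen when init starts it.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# True if users other than owner and group can read the private key
# (find -perm -004 is the POSIX spelling of "world-readable").
key_world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

ssl_pair_report() {
    crt=${1:-/etc/apache2/ssl.crt/server.crt}
    key=${2:-/etc/apache2/ssl.key/server.key}
    echo "certificate: $crt"
    echo "  names:    $(cert_names "$crt" | tr '\n' ' ')"
    echo "  key size: $(cert_key_bits "$crt") bit RSA"
    if cert_valid_now "$crt"; then echo "  validity: current"; else echo "  validity: EXPIRED"; fi
    echo "private key: $key"
    if cert_matches_key "$crt" "$key"; then echo "  pairing:  matches the certificate"
    else echo "  pairing:  DOES NOT MATCH the certificate"; fi
    if key_is_encrypted "$key"; then echo "  passphrase: yes (Apache cannot prompt for it when started by init)"; fi
    if key_world_readable "$key"; then echo "  permissions: WORLD-READABLE, chmod 600 it"; fi
}
```

Running `ssl_pair_report` as root on the server answers the size question directly and also catches the three things that silently break an otherwise correct vhost: a key that does not belong to the certificate, a passphrase-protected key, and a certificate whose names do not include the host being tested. Anything under 2048 bits is worth regenerating while you are at it.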

These two are strange because I definitely entered the information that should be in here, but it isn’t. I entered it using the YaST module, but it doesn’t appear to be here in the configuration. (Note the ServerName directive: its value still seems to be at a default value.)

**default-vhost.conf**
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost _default_:80>
    ServerName dummy-host.example.com
    ServerAdmin webmaster@dummy-host.example.com
    ServerAlias example.com www.example.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/srv/www/htdocs"

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/dummy-host.example.com-error_log
    CustomLog /var/log/apache2/dummy-host.example.com-access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On


    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/mod_php4.conf
    #
    # or, to include all configuration snippets added by packages:
    # Include /etc/apache2/conf.d/*.conf


    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

    # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
    Order allow,deny
    Allow from all
    </Directory>


    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
    # Note that the name of the user directory ("public_html") cannot simply be
    # changed here, since it is a compile time setting. The apache package
    # would have to be rebuilt. You could work around by deleting
    # /usr/sbin/suexec, but then all scripts from the directories would be
    # executed with the UID of the webserver.
    UserDir public_html
    # The actual configuration of the directory is in
    # /etc/apache2/mod_userdir.conf.
    Include /etc/apache2/mod_userdir.conf
    # You can, however, change the ~ if you find it awkward, by mapping e.g.
    # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
    #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>


    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www/htdocs">
    
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs-2.2/mod/core.html#options
    # for more information.
    #
    Options +Indexes +MultiViews +FollowSymLinks
    IndexOptions FancyIndexing
    
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None
    
    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
    
    </Directory>

    #
    # some Rewrite stuff for sharedssl
    #
    #RewriteEngine on
    ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite_log"
    ##RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST} ^sharedssl\.* [OR]
    #RewriteRule ^/$ https://sharedssl.example.com/$1 [L,R]

</VirtualHost>


**default-vhost-ssl.conf**
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these 
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#

<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

    #  General setup for the virtual host
    ServerName dummy-host.example.com
    ServerAdmin webmaster@dummy-host.example.com
    ServerAlias example.com www.example.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/srv/www/htdocs"
    #ServerName www.example.com:443
    #ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   SSL Protocol support:
    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
    #   List the protocol versions which clients are allowed to
    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
    SSLProtocol all -SSLv2
    
    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #
    #   Weak ciphers are disabled by default.
    #   Please see the documentation via the links above, and
    #   "openssl ciphers -v" for a complete list of ciphers that are
    #   available.
    #
    # The following default should work with openssl running in FIPS
    # mode.
    #    OPENSSL_FORCE_FIPS_MODE=1 rcapache2 restart
    # will start the web server with FIPS mode in openssl.
    # For more information, please have a look at
    # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
    # package.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    
    #   Speed-optimized SSL Cipher configuration:
    #   If speed is your main concern (on busy HTTPS servers e.g.),
    #   you might want to force clients to specific, performance
    #   optimized ciphers. In this case, prepend those ciphers
    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
    #   (as in the example below), most connections will no longer
    #   have perfect forward secrecy - if the server's key is
    #   compromised, captures of past or future traffic must be
    #   considered compromised, too.
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on 
    
    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth  10

    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives.  The syntax is a
    #   mixture between C and Perl.  See the mod_ssl documentation
    #   for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context. 
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    
    <Directory "/srv/www/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    
    &lt;Directory "/srv/www/htdocs"&gt;
    AllowOverride None
    #Options +Indexes +MultiViews +FollowSymLinks
    Options -Indexes -MultiViews +FollowSymLinks
    #IndexOptions FancyIndexing

    #AuthName "Top Secret on dummy-host.example.com"
    #AuthType Basic
    #AuthUserFile /srv/www/passwd/default

    #
    # Controls who can get stuff from this server.
    #
    #<limit GET POST>
    #  Require valid-user
    #  Order Deny,Allow
    #  Deny from All
    #  Allow from 127.0.0.1
    #  Allow from .example.com
    #  Satisfy any
    #</limit>
    </Directory>


    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is send or allowed to received.  This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is send and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly. 
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    #
    # some Rewrite stuff for sharedssl
    #
    #RewriteEngine on
    ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite-ssl_log"
    ##RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST}  ^webmail\..* [NC]
    #RewriteRule ^/$ https://sharedssl.example.com/roundcube/ [L,R]
    #RewriteRule ^/$ /roundcube [R]

</VirtualHost>

</IfDefine>
</IfDefine>


The Key is 2048 bit. Which sounds rather excessive after you enquired if it was longer than 512, but I was just taking the old length (of 1024) suggested in the howtos at openssl.org and thought well if I make a very rough application of Moore’s Law to that length that used to be posted at openssl of 1024, then 2048 seems reasonable. In fact I’ve just had a quick peek at their howtos and as far as I can see, the only thing that has changed after more than 10 years is the suggested length to 2048. The certificate is indeed self-signed. I’m fairly sure that the tool you suggested I install using zypper is the thing I’ve been struggling with to configure Apache. I assume it’s just a lack of familiarity with this method of configuration that’s probably the real cause. Your instructions to access it are the same as what I use to access the config module. The FQDN on the certificate I made for the server and its actual FQDN are identical. I just tried localhost because the handshaking didn’t even seem to get to the point of actually transmitting a public key. The setup guide I’ve been following is https://activedoc.opensuse.org/book/opensuse-reference/chapter-20-the-apache-http-server . Although the guide is a little bit outdated now (for example it makes reference to mkcert.sh, which no longer exists), it seems fine otherwise.

I believe that if I can get the default vhost configured properly, there’s a good chance it’ll all start working smoothly. I was just a bit thrown when I did as the guide I linked to instructed, thought I’d made the default vhost, and then found that default-vhost.conf was unchanged. Especially since it looks like if you want to use SSL, you’re supposed to do it through a vhost. Like I said in my first post, vhosts are the one thing I paid no attention to at all because I only had the one site to serve.

I’ll have another stab at trying to set up a default vhost and then post back again. I just didn’t want to start trying to force config changes without the advice of people that have much more experience with using YaST to configure Apache than I do.

I’ll try you other suggestions after I figure out this vhost business.

Ok. I had another stab at creating a vhost and I got the message

When I first opened up the HTTP server configuration module of YaST it said that it noticed I’d manually changed httpd.conf (by adding the line to load a missing ssl-related module). Is that anything to do with it? When I first set up the server it was giving that error because the line to include the module wasn’t there.

Ok. I’ve sort of stumbled through the process and finally got it working. Thankfully systemctl status apache2.service pointed out that the last error I posted about was down to me putting " ServerAdmin dn3n97t93t5@networksolutionsprivateregistration.com" in the ServerAdmin config field during the vhost’s setup process, so in the ip-based-vhosts config file it had ServerAdmin ServerAdmin dn3n97t93t5@networksolutionsprivateregistration.com. I’ll just have to put that down to me being blind. It may just be that the whole thing was because of my eyesight. There was one step that I know I made differently this time, and that was that instead of the specific IP of the host being used in the VHost ID, I told it to be for all IPs, and then did not use the option at the bottom of the window that lists all the vhosts to set it as the default. Instead I left the all-IPs option to make it the default.

I can’t imagine that not setting it as the default vhost is what made the difference, but it’s the only thing I know that I did differently. So after I rectified the server admin mistake it all went fine. Thanks for your patience and all of your suggestions Tsu. I’ll still install those browser tools you suggested 'cause there’s been several times in the past when they’d have come in handy.

No wait a minute. Scratch that. I’ve just noticed that the server is now responding to all http requests (i.e. port 80) with a 400 Bad Request. I guess I’ll have another look at it tomorrow. It’s bedtime here now.

Well,
It sounds like you’re making progress.

BTW -
I just noticed that the latest Firefox has an integrated debugger. You no longer need to install the Firebug add-on; you can simply use the following keystroke combination to launch the “Developer Tools”, which includes the debugger

CTL-SHFT-I

TSU

Thanks. I can get it to the point where the server accepts SSL/TLS connections or http connections, but not both. It has to be to do with my lack of experience in setting up vhosts and controlling them with YaST. Unfortunately the setup guide I linked to that I’ve been following just says to set up a vhost even if you’re only serving one domain, but doesn’t explain anything further on vhost configuration or link to somewhere that does. For example if I set up the vhost so that it works with SSL/TLS, then it doesn’t work on port 80. I figured this must have something to do with it not being set to the default vhost, but then when I use YaST to set it as the default host, YaST says that the default vhost cannot use SSL/TLS. So then it reverts to accepting port 80 requests, but the RX packet too large message appears again when connecting via SSL/TLS (obviously because it’s no longer configured). Clearly I’m missing something here because not allowing SSL on the default seems entirely nonsensical and arbitrary. When I look in /etc/apache2/ I can see a default-vhost-ssl.conf file in the directory, but it always remains unchanged (and also makes it obvious that SSL/TLS for the default vhost can be configured, but I’m just being too stupid to figure out how).

Here’s an example of what I mean. I deinstalled Apache and cleared out all of /etc/apache2/ except for the key and certificate and then reinstalled apache to make sure I was starting from a clean slate. Then I set up a vhost with ssl, but it responded to http requests with a 400. Then I switched it to be the default vhost and now it responds on port 80, but gives the RX too big with https://. When I open /etc/apache2/default-vhost.conf, I find the following.

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these 
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#

<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

    #  General setup for the virtual host
    ServerName dummy-host.example.com
    ServerAdmin webmaster@dummy-host.example.com
    ServerAlias example.com www.example.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/srv/www/htdocs"
    #ServerName www.example.com:443
    #ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   SSL Protocol support:
    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
    #   List the protocol versions which clients are allowed to
    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
    SSLProtocol all -SSLv2
    
    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #
    #   Weak ciphers are disabled by default.
    #   Please see the documentation via the links above, and
    #   "openssl ciphers -v" for a complete list of ciphers that are
    #   available.
    #
    # The following default should work with openssl running in FIPS
    # mode.
    #    OPENSSL_FORCE_FIPS_MODE=1 rcapache2 restart
    # will start the web server with FIPS mode in openssl.
    # For more information, please have a look at
    # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
    # package.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    
    #   Speed-optimized SSL Cipher configuration:
    #   If speed is your main concern (on busy HTTPS servers e.g.),
    #   you might want to force clients to specific, performance
    #   optimized ciphers. In this case, prepend those ciphers
    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
    #   (as in the example below), most connections will no longer
    #   have perfect forward secrecy - if the server's key is
    #   compromised, captures of past or future traffic must be
    #   considered compromised, too.
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on 
    
    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convinience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth  10

    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives.  The syntax is a
    #   mixture between C and Perl.  See the mod_ssl documentation
    #   for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context. 
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    
    <Directory "/srv/www/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    
    &lt;Directory "/srv/www/htdocs"&gt;
    AllowOverride None
    #Options +Indexes +MultiViews +FollowSymLinks
    Options -Indexes -MultiViews +FollowSymLinks
    #IndexOptions FancyIndexing

    #AuthName "Top Secret on dummy-host.example.com"
    #AuthType Basic
    #AuthUserFile /srv/www/passwd/default

    #
    # Controls who can get stuff from this server.
    #
    #<limit GET POST>
    #  Require valid-user
    #  Order Deny,Allow
    #  Deny from All
    #  Allow from 127.0.0.1
    #  Allow from .example.com
    #  Satisfy any
    #</limit>
    </Directory>


    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is send or allowed to received.  This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is send and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly. 
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    #
    # some Rewrite stuff for sharedssl
    #
    #RewriteEngine on
    ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite-ssl_log"
    ##RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST}  ^webmail\..* [NC]
    #RewriteRule ^/$ https://sharedssl.example.com/roundcube/ [L,R]
    #RewriteRule ^/$ /roundcube [R]

</VirtualHost>

</IfDefine>
</IfDefine>


As you can see, it’s completely unchanged from the default.

Hi,
Just wondering (thought I read this somewhere) but if you’re serving both http & https from the same vhost, at the very beginning of the vhost file add

Listen 80
Listen 443

Again, not sure if that’s a help or hindrance :P
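The Listen suggestion above and the earlier "works on 443 or on 80, never both" observation both come down to whether the ports being listened on and the vhosts serving them agree. As an added example (not from this thread, and not a YaST or openSUSE tool), here is a small Python checker that parses the Listen, `<VirtualHost>` and SSLEngine lines of a config and reports the combinations that produce each symptom: SSLEngine on reaching port 80 (400 Bad Request) and port 443 served without SSLEngine (ssl_error_rx_record_too_long). It ignores `<IfDefine>` blocks, i.e. it assumes SSL is defined via APACHE_SERVER_FLAGS; the three sample configs are constructed, not anyone's real files.

```python
"""Static sanity check of the Listen / VirtualHost / SSLEngine layout."""
import re
import sys

# Constructed sample configs. A vhost with no port matches every Listen
# port, so SSLEngine on there also covers port 80.
CONF_SSL_ON_BOTH_PORTS = """
Listen 80
Listen 443
<VirtualHost *>
    ServerName test.example.com
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
"""

# 443 is listened on but nothing enables SSL for it: the main server
# answers in plain text and TLS clients report rx_record_too_long.
CONF_PLAINTEXT_ON_443 = """
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName test.example.com
    DocumentRoot /srv/www/htdocs
</VirtualHost>
"""

# The layout that serves both: a plain vhost on 80 and an SSL vhost on 443.
CONF_OK = """
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName test.example.com
    DocumentRoot /srv/www/htdocs
</VirtualHost>
<VirtualHost _default_:443>
    ServerName test.example.com
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
"""


def parse_layout(conf_text):
    """Return (listen_ports, vhosts); each vhost is {'spec', 'port', 'ssl'},
    with port None when the <VirtualHost> address carries no port."""
    listens, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"Listen\s+(?:\S*:)?(\d+)(?:\s+\S+)?$", line, re.I)
        if m:
            listens.add(int(m.group(1)))
            continue
        m = re.match(r"<VirtualHost\s+([^>\s]+)", line, re.I)
        if m:
            spec = m.group(1)
            head, _, tail = spec.rpartition(":")
            port = int(tail) if head and tail.isdigit() else None
            current = {"spec": spec, "port": port, "ssl": False}
            vhosts.append(current)
            continue
        if line.lower().startswith("</virtualhost"):
            current = None
            continue
        m = re.match(r"SSLEngine\s+(\S+)", line, re.I)
        if m and current is not None:
            current["ssl"] = m.group(1).lower() == "on"
    return listens, vhosts


def check_layout(conf_text):
    """Return human-readable findings; an empty list means the layout is sane."""
    listens, vhosts = parse_layout(conf_text)
    findings = []
    for vh in vhosts:
        ports = [vh["port"]] if vh["port"] is not None else sorted(listens)
        for port in ports:
            if port not in listens:
                findings.append(f"{vh['spec']}: no Listen {port}, nothing reaches this vhost")
            elif vh["ssl"] and port == 80:
                findings.append(f"{vh['spec']}: SSLEngine on covers port 80, plain HTTP gets 400 Bad Request")
            elif not vh["ssl"] and port == 443:
                findings.append(f"{vh['spec']}: no SSLEngine on port 443, TLS clients see ssl_error_rx_record_too_long")
    if 443 in listens and not any(vh["port"] in (443, None) for vh in vhosts):
        findings.append("Listen 443 but no vhost covers it; the main server answers in plain text "
                        "(ssl_error_rx_record_too_long)")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONF_SSL_ON_BOTH_PORTS
    for finding in check_layout(text) or ["no layout problems found"]:
        print(finding)
```

Run it against the concatenation of the files that actually get included (listen.conf, the vhosts.d files, default-server.conf), since Listen and the vhost that uses the port usually live in different files.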

Well all suggestions are welcome. I thought it was a bit strange that in the YaST HTTP server configuration control panel that I could set up a vhost that would not work with http, but would work with https even though I hadn’t changed the listen settings on the first page of the module where port 80 is listed as a port to be listened on, but 443 is not. I assumed it must be to do with the enabling of SSL on later pages which might add another listen command. It turned out that this was indeed the case. It still puzzled me that the command to listen on 443 wasn’t listed on the first page, yet port 80 was, yet never worked. Well… it never worked unless I made the SSL-enabled vhost the default host. Making it the default host then made it accept connections on port 80, but then caused access via https to break.

I’m considering posting a step-by-step walk-through of how I’ve been trying to set it up so that someone might hopefully be able to say “it’s that step that you’re doing wrong” 'cause I can’t find any up-to-date guides online about using YaST to set up a website that can be accessed via http and https.

Ok, here we go. Here’s what I’m doing.

First job is to stop and remove the improperly configured server. To do this, I use

rcapache2 stop

then I open YaST software manager and use the patterns menu to find “Web and LAMP Server” and then remove apache and its various modules such as prefork, mod_php5 etc. Once they are removed, I then go to /etc/apache2/ and delete all files and folders except for the ones containing the certificate and the key. Once that has been done, I go back to YaST to reinstall Apache, its modules and the yast2_http_server configuration tool. Once everything is cleanly reinstalled then I begin.

  1. Open a root Dolphin window and navigate to /etc/apache2/ and open httpd.conf in kwrite. Scroll down to line 116, make a new line and paste in
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Then save the file and quit.

  2. I open YaST “HTTP Server” configuration tool. The first time setup wizard does not appear because it has been run once before. On the first tab “Listen Ports and Addresses” I change nothing at all.

  3. On the second tab “Server Modules” I scroll down to php5 and ssl to check whether they are enabled or not. If either of them is not enabled then I enable them.

  4. On the “Main Host” tab all I do is go into the directory entry for /srv/www/htdocs and select the “Options” directive and change it from None to Indexes, then change the Server Name to test.example.com and the Server Administrator E-Mail to here@there.com (not the actual values but you get the idea).

At this point, if I click “Finish” and then go to test.example.com in Firefox, then it lists the contents of the htdocs directory exactly as expected. However, if I go back in to YaST’s HTTP Server configuration module or simply continue the configuration process without exiting, then the server will not respond to requests on port 80. Here are the steps I do if I continue on to configure SSL.

  5. On the “Hosts” tab I click “Add” to add the first and only vhost. In the “Server Name” text box I put test.example.com exactly as I did in the “Main Host” tab. In the “Server Contents Root” text box I enter /srv/www/htdocs like I did in the “Main Host” tab, and in the “Administrator E-Mail” text box I put here@there.com.

  6. Just below these text boxes, I click the “Change Virtual Host ID” button and leave the “All Addresses” radio button selected and click OK. Then I select the radio button next to “Determine Request Server by Server IP Address” and click next.

  7. On the following page, I leave the checkbox next to “Enable CGI for This Virtual Host” unticked. Then I tick the next checkbox “Enable SSL Support for This Virtual Host” and then browse to and select the SSL key and certificate files. Then I put “index.php index.html” into the directory index text box and click next (leaving the “Enable Public HTML” checkbox unticked).

At this point, if I click “Finish”, the website will begin responding to requests for https://test.example.com without complaint. However, it will throw a 400 Bad Request for http://test.example.com.

If I go back into YaST’s HTTP Server configuration module then go back to the hosts tab and select the vhost I just set up and enabled SSL on and click “Set As Default”, then this causes YaST to tell me that the current default host will be replaced with the one I’m trying to set as default and the current default will become a vhost. It then goes on to say that the current default host does not have the server name or IP address specified. I have no idea at all what it is trying to say here. It can’t mean the information from the “Main Host” tab back in step 4 because that does have the same name and there isn’t anywhere to specify an IP address. It continues to say that it is not possible to use as a vhost. It then says to verify the suggested values and click Continue. The server name text box has test.example.com in it already, but the IP address is empty, so I click the little arrow and select the server’s globally routable public IP address and click Continue and then Finish. This causes a warning window to be displayed saying “Cannot Adjust ‘apache2’ service”. The server fails to restart and no particularly useful info (that I recognise as useful anyway) is given by

systemctl status apache2.service

The output from the command is as follows.

home:~ # systemctl status apache2.service
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled)
   Active: failed (Result: exit-code) since Mon 2014-05-19 02:03:24 BST; 3min 30s ago
  Process: 9138 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=0/SUCCESS)
  Process: 9120 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE)
 Main PID: 9120 (code=exited, status=1/FAILURE)
   Status: "Total requests: 1; Current requests/sec: 0; Current traffic:   0 B/sec"

May 19 02:03:23 home start_apache2[9120]: Module "imagemap" is not installed, ignoring.
May 19 02:03:23 home start_apache2[9120]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
May 19 02:03:23 home systemd[1]: apache2.service: main process exited, code=exited, status=1/FAILURE
May 19 02:03:23 home start_apache2[9138]: Module "imagemap" is not installed, ignoring.
May 19 02:03:23 home start_apache2[9138]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
May 19 02:03:24 home start_apache2[9138]: httpd (no pid file) not running
May 19 02:03:24 home systemd[1]: Failed to start The Apache Webserver.
May 19 02:03:24 home systemd[1]: Unit apache2.service entered failed state.

Reopening YaST’s “HTTP Server” config module and trying to set the vhost as default once more seems to delete the vhost and restore the availability of http connections on port 80, but the vhost isn’t there any more so it throws the same old RX too big error when SSL connections are attempted.

Can anyone please tell me where I’m going wrong here 'cause it’s driving me crazy.

Just putting my 2 cents in, but it seems this is becoming a bit more complicated than it should be. IMHO pick one or the other, Yast or direct edit. Using both will just bugger things up. Personally, I prefer the direct edit. That way I know which files I’m working on. Next, since you're using vhosts, there is a nice example under the /etc/apache2/vhosts.d directory: vhost.ssl.template. Start with that, rename it to something like (yoursite.conf). Make all your changes in this file, not the *.conf files under /etc/apache2.

Another thing I noticed, you modified your httpd.conf file:

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
######## The ABOVE LINE HAS BEEN ENTERED BY STEPHEN AND IS NOT PART OF THE DEFAULT CONFIGURATION ###############
Include /etc/apache2/sysconfig.d/loadmodule.conf

As the line says, “Include /etc/apache2/sysconfig.d/loadmodule.conf”, so at the bottom of this file add your LoadModule exactly like the others, in my case it would look like:

LoadModule socache_shmcb_module      /usr/lib64/apache2-prefork/mod_socache_shmcb.so

Our ‘loadmodule.conf’ also says we might want to visit /etc/sysconfig/apache2. About half way into this file we will see a line that starts “APACHE_MODULES=” (module names); add your ‘socache_shmcb’ if it’s not already there. Also, just above that, you’ll see notes about settings for SSL. If you scroll down a bit, you’ll see a line APACHE_SERVER_FLAGS=""; enter SSL between the quotes. (You’ll also notice it tells you how to create a test certificate, if you don’t have one.)

When done, restart apache: /etc/init.d/apache2 restart. If you get errors, enter systemctl status apache2.service. This will give you a bunch of info you can use towards troubleshooting.

Hope this helps

On Wed, 14 May 2014 16:16:01 GMT, Stephen Philbin
<Stephen_Philbin@no-mx.forums.opensuse.org> wrote:

>
>Hello everyone. Some time roughly around October 2013 SSL just suddenly
>stopped working in Apache. I hadn’t made a significant effort to resolve
>the problem until now because I had just started a University course and
>was directing most of my attention into that. I assumed that whatever
>the problem was, if I couldn’t find a solution with a few quick internet
>searches then it was probably going to require more of my time than I
>had to spare whilst doing my course. Well now I’ve more-or-less finished
>the year and now I want to get the the bottom of the problem.

Read your post. I am not sure but it sounds like a visibility problem.

It looks like the Virtual Host cannot see the SSL certificates. Like it
is in a chroot jail. How does someone replicate the certificates etc.,
into the virtual? Links? Copies? Something else?

?-)

I was trying to configure apache through YaST and only YaST so that any configuration changes I made would hopefully survive a zypper patch because that appeared to be the cause of the start of my troubles. I’d just edited the .conf files and Apache worked… for a while. So this time, I thought I’d use the HTTP Server config module to try and maintain a nice and orderly configuration. As everyone has seen though, that plan hasn’t gone too well. Instead I’ve just given up trying to figure out why the YaST module says that the main host can’t use SSL and I’ve just had to revert to butchering the config files. This time, it’s a much more careful attempt, but I doubt it’s what the authors of yast2-http-server module had in mind. I basically cut out the references to vhosts and their configuration, manually edited default-server.conf to look more like how I used to have httpd.conf back when I used to compile Apache from source. Then I just modeled an ssl.conf on the default-server-ssl.conf file and included it into the default-server.conf. Well… That’s after I used the YaST module to switch the server on and enable a couple of modules. So it’s neither entirely configured manually, nor through YaST. It’s like a Frankenstein’s Monster of the two. That way, hopefully, most changes will survive an update but I still get to have a server that works… for now.

Another reason for using both is to avoid problems caused by the relatively diffuse and confusing configuration of this install of Apache. It wasn’t until I read your suggestion about making sure that both 80 and 443 are being listened to, Spark7_alot, that I thought that it was a bit weird that, by default, port 443 isn’t mentioned in the YaST module as a port to be listened to. SSL could still work fine with apparently no mention at all of port 443 being listened to (so long as you were happy to do without port 80 access), but as soon as you told the YaST module explicitly to listen on 443, it went belly-up. It wasn’t until I fished around in the .conf files and found it there that I realised why. So I thought I’d just use it to do some initial setup (that for all I know does lots of other things too) and then once it’s up and running, never touch the things I changed in the YaST module and just do a hatchet-job on the general config.

Thanks to everyone that tried to help out. Hopefully one day the penny will drop and I’ll realise where the stupid mistake that I keep making is, but thanks anyway. The help is very much appreciated.

On Sun, 18 May 2014 22:46:02 GMT, Stephen Philbin
<Stephen_Philbin@no-mx.forums.opensuse.org> wrote:

>
>Well all suggestions are welcome. I thought it was a bit strange that in
>the YaST HTTP server configuration control panel that I could set up a
>vhost that would not work with http, but would work with https even
>though I hadn’t changed the listen settings on the first page of the
>module where port 80 is listed as a port to be listened on, but 443 is
>not. I assumed it must be to do with the enabling of SSL on later pages
>which might add another listen command. It turned out that this was
>indeed the case. It still puzzled me that the command to listen on 443
>wasn’t listed on the first page, yet port 80 was, yet never worked.
>Well… it never worked unless I made the SSL-enabled vhost the default
>host. Making it the default host then made it accept connections on port
>80, but then caused access via https to break.
>
>I’m considering posting a step-by-step walk-through of how I’ve been
>trying to set it up so that someone might hopefully be able to say “it’s
>that step that you’re doing wrong” 'cause I can’t find any up-to-date
>guides online about using YaST to set up a website that can be accessed
>via http and https.

The normal port for https is 8080 not 80. Add that and let us know.

?-)