Apache + SSL problems


xicoloco
26th March 2012, 02:19
OK, it's the 3rd time I get this. I reinstalled Linux + ISPConfig from scratch 3 times to see if this happens again, and it does.

Well, everything is fine, but when I try out the certificate buttons in the website SSL creation, at some point Apache stops working ...

My questions are:

Is there a sequence to use the ISP interface to create the certificates without messing it up?
Can I recover the installation so I don't have to reinstall Linux itself?



Well, I have tried something I saw somewhere in the forum, without success:

root@tarik01:~# a2dissite petrolube.com.br.vhost
Site petrolube.com.br.vhost already disabled

I have disabled all domains and Apache still does not start ... well, any clues?

till
26th March 2012, 08:33
Is there a sequence to use the ISP interface to create the certificates without messing it up?

1) Select an IP address in the website settings.
2) Enable the SSL checkbox in the site settings.
3) Enter the details of the SSL cert, select "create certificate" as action.

The most likely reason for your problem is a broken SSL certificate. This can happen if you enter chars in the SSL fields that can't be interpreted by openssl when the SSL cert is created.

I have disabled all domains and Apache still does not start ... well, any clues?

Post the errors that you get on the shell and in the Apache error and SSL logs when you restart Apache.

There is no need to reinstall Linux or reinstall ISPConfig. Reinstalling ISPConfig when you have already created some items like websites etc. can mess up your setup, so it's not recommended to do that.

xicoloco
26th March 2012, 13:29
When starting Apache:

root@tarik01:~# /etc/init.d/apache2 restart
Restarting web server: apache2Action 'start' failed.
The Apache error log may have more information.
failed!
root@tarik01:~#

The Apache log is:

[Sun Mar 25 18:22:33 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:22:33 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:22:33 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:22:58 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:22:58 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:22:59 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:22:59 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htdocs
[Sun Mar 25 18:23:02 2012] [notice] caught SIGTERM, shutting down
[Sun Mar 25 18:23:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Mar 25 18:23:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
[Sun Mar 25 18:23:03 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Sun Mar 25 18:23:03 2012] [notice] Digest: generating secret for digest authentication ...
[Sun Mar 25 18:23:03 2012] [notice] Digest: done
[Sun Mar 25 18:23:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Mar 25 18:23:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
[Sun Mar 25 18:23:03 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
[Sun Mar 25 18:23:07 2012] [notice] caught SIGTERM, shutting down


Let me ask: can't I use self-signed SSL for all virtual servers? Do they mess up?

If I have only 5 IPs at Rackspace for each server, is there a different solution to have more than one certificate on one IP?

I am reinstalling anyway because this is one of my tests ... I will now try the cluster config. Sorry, I feel very newbie right now; I left computers and Linux back in 1999 and it's hard to get in shape again ...

xicoloco
29th March 2012, 13:53
Well, today it happened again ...

[Thu Mar 29 06:42:15 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:15 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:17 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:17 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:18 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:18 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:19 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:19 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:34 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:34 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:54 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:42:54 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:43:02 2012] [notice] caught SIGTERM, shutting down
[Thu Mar 29 06:43:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Mar 29 06:43:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
[Thu Mar 29 06:43:03 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Mar 29 06:43:03 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Mar 29 06:43:03 2012] [notice] Digest: done
[Thu Mar 29 06:43:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Mar 29 06:43:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
[Thu Mar 29 06:43:03 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
[Thu Mar 29 06:43:06 2012] [notice] caught SIGTERM, shutting down
[Thu Mar 29 06:43:07 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Mar 29 06:43:07 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
[Thu Mar 29 06:43:07 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Mar 29 06:43:07 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Mar 29 06:43:07 2012] [notice] Digest: done
[Thu Mar 29 06:43:07 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Mar 29 06:43:07 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
[Thu Mar 29 06:43:07 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
[Thu Mar 29 06:43:09 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:43:09 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
[Thu Mar 29 06:43:10 2012] [notice] caught SIGTERM, shutting down
[Thu Mar 29 06:50:11 2012] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
root@tarik01:~#


OMG, what the fuck am I doing wrong????

falko
30th March 2012, 10:13
[Thu Mar 29 06:50:11 2012] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

What's the output of:

cd /etc/apache2
grep -Ri SSLCertificateFile *

xicoloco
1st April 2012, 23:14
root@tarik01:/etc/apache2# grep -Ri SSLCertificateFile *
sites-available/ispconfig.vhost: SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
sites-available/default-ssl: # SSLCertificateFile directive is needed.
sites-available/default-ssl: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl: # the referenced file can be the same as SSLCertificateFile
sites-enabled/000-ispconfig.vhost: SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
root@tarik01:/etc/apache2#

falko
2nd April 2012, 09:31
Do /usr/local/ispconfig/interface/ssl/ispserver.crt and /etc/ssl/certs/ssl-cert-snakeoil.pem exist?

xicoloco
2nd April 2012, 13:09
I already formatted this server because I panicked, but I'm pretty sure this will happen again, so we will continue on that ...

DUCKFACE
4th June 2013, 16:42
I have the same problem.
Here is the apache.log:
[Tue Jun 04 17:24:03 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 04 17:24:03 2013] [warn] RSA server certificate CommonName (CN) `Nikolay Konstantinov' does NOT match server name!?
[Tue Jun 04 17:24:03 2013] [notice] Apache/2.2.22 (Ubuntu) DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.7 PHP/5.4.9-4ubuntu2 mod_python/3.3.1 Python/2.7.4 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_ssl/2.2.22 OpenSSL/1.0.1c configured -- resuming normal operations
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cgi/conf.d/ming.ini on line 1 in Unknown on line 0

/usr/local/ispconfig/interface/ssl/ispserver.crt and /etc/ssl/certs/ssl-cert-snakeoil.pem both exist.

thebrawnyman
22nd August 2013, 22:54
I'm having the same issue that xicoloco was having. I ran the grep on /etc/apache2 and verified that all crt files listed in the output do exist. In this case, what would be the next thing I check?

thebrawnyman
23rd August 2013, 00:23
After some more digging I was able to figure out the issue. Turns out that when the original private key was generated back in the day, SHA1 was used for the signature algorithm, but we were generating the new cert using SHA2 (it's what the CA was set to use by default). Not sure why Apache would exit without throwing an error message about this, but that's what happens.

I ended up using the openssl commands found here (https://kb.wisc.edu/middleware/page.php?id=4064) to confirm that the private key and cert did not match, and that the new cert generated with SHA1 did match.
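An added pre-flight checker, written for this page and not code from any poster or from ISPConfig, that scripts the checks the thread converges on: till's point that a badly generated certificate breaks the vhost, the warnings in xicoloco's log ("RSA server certificate is a CA certificate", "CommonName (CN) ... does NOT match server name", "Server should be SSL-aware but has no certificate configured"), falko's grep for SSLCertificateFile, and the key/certificate mismatch thebrawnyman found. It assumes the openssl command-line tool is installed, takes the certificate, key and vhost name as arguments, and the grep output fed to missing_cert_files in the usage below is constructed, not from a real server.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): pre-flight checks for an
# Apache mod_ssl vhost, to run before restarting Apache. Assumes the openssl
# CLI is installed; certificate, key and hostname are passed as arguments.

# 0 if the output of `openssl x509 -noout -text` declares the cert a CA.
# This is the condition behind "RSA server certificate is a CA certificate".
cert_text_is_ca() {
    printf '%s\n' "$1" | grep -q 'CA:TRUE'
}

# Pull the CN out of an `openssl x509 -noout -subject` line. Handles both the
# old "subject= /C=BR/CN=host" and the newer "subject=C = BR, CN = host" layout.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# 0 if the CN matches the vhost name, case-insensitively. A single-label
# wildcard (*.example.com) matches www.example.com but not example.com.
# This is the condition behind "CommonName (CN) ... does NOT match server name".
cn_matches_host() {
    _cn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$_cn" = "$_host" ] && return 0
    case "$_cn" in
        \*.*) [ "${_host#*.}" = "${_cn#\*.}" ] && [ "$_host" != "${_host#*.}" ] ;;
        *)    return 1 ;;
    esac
}

# 0 if two "Modulus=..." strings are identical, i.e. the private key really
# belongs to the certificate (the mismatch thebrawnyman hit). Empty input fails,
# so an unreadable or non-RSA key is never reported as a match.
moduli_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Given the output of `grep -Ri SSLCertificateFile /etc/apache2` (falko's
# check), print every referenced file that does not exist. Commented-out
# directives ("file: # SSLCertificateFile ...") are skipped; paths with
# spaces are not handled.
missing_cert_files() {
    printf '%s\n' "$1" | grep -v '^[^:]*:[[:space:]]*#' | awk '{print $NF}' |
    while read -r f; do
        [ -e "$f" ] || echo "$f"
    done
}

# Driver: check_server_cert CERT KEY HOSTNAME
# Returns 2 if the files cannot be read or parsed (Apache would report
# "no certificate configured"), 1 if any check failed, 0 if clean.
check_server_cert() {
    cert=$1; key=$2; host=$3; rc=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 2; }
    done
    text=$(openssl x509 -in "$cert" -noout -text) || { echo "unparsable certificate: $cert"; return 2; }
    if cert_text_is_ca "$text"; then
        echo "WARN: $cert has BasicConstraints CA:TRUE (a CA cert, not a server cert)"; rc=1
    fi
    cn=$(subject_cn "$(openssl x509 -in "$cert" -noout -subject)")
    if ! cn_matches_host "$cn" "$host"; then
        echo "WARN: CN '$cn' does not match server name '$host'"; rc=1
    fi
    # openssl rsa prompts for a passphrase if the key is encrypted; so would Apache.
    cm=$(openssl x509 -in "$cert" -noout -modulus)
    km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if ! moduli_match "$cm" "$km"; then
        echo "FAIL: private key $key does not match certificate $cert"; rc=1
    fi
    return $rc
}

# Usage (constructed paths): 
#   check_server_cert /etc/ssl/certs/site.crt /etc/ssl/private/site.key www.example.com
#   missing_cert_files "$(cd /etc/apache2 && grep -Ri SSLCertificateFile *)"
```

Run check_server_cert on the exact cert and key the vhost points at before restarting Apache; the modulus comparison is the same key-versus-cert check as the page thebrawnyman linked, and a CA:TRUE or CN result only reproduces the warnings from the logs above, whereas a modulus mismatch or a missing file is what actually stops Apache from starting.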