#1
9th November 2012, 18:52
max123
ssl and multiple virtual hosts in apache

hi all,
I've read the stuff on apache and other postings on this topic but still can't seem to figure out what I'm doing wrong.
so I get that I can't use name based virtual hosts for ssl. I also get that I need to use a sp ip address for each virtual host configured in the httpd.conf.
so I do the following:
but it doesn't work.
and I can't seem to figure out why cus from all the reading I've done I'm doing everything right.
I have an ip interface (.yyy) on physical machine with ip .xxx. I have therefore ip based virtual hosts as below and listen directives as below and a NameVirtualHost for each ip and port. But I still don't get apache to come up.
can anyone point me to possibly the obvious/or not so obvious thing that I'm doing wrong?

my httpd.conf file is as below

... some irrelevant directives eg.
ServerRoot "APACHE_ROOT_DIR"
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
#LockFile logs/accept.lock
</IfModule>
</IfModule>

<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 5000
</IfModule>
...
...then juicy stuff...
Listen 162.109.xx.xxx:9090
Listen 162.109.xx.yyy:9095
...


NameVirtualHost 162.109.xx.xxx:9090
NameVirtualHost 162.109.xx.yyy:9095

<VirtualHost 162.109.xx.xxx:9090>
ServerAdmin me@162.109.xx.xxx
DocumentRoot "/usr/local/AdventNet/WebNMS"
ServerName 162.109.xx.xxx
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.key
SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/cachain.crt

</VirtualHost>

<VirtualHost 162.109.xx.yyy:9095>
DocumentRoot "/usr/local/AdventNet/virtual"
ServerAdmin me@162.109.xx.yyy
ServerName 162.109.xx.yyy
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.cer
SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.key
SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/cachain.crt
</VirtualHost>

Include "TOMCAT_ROOT_DIR/conf/mod_jk.conf-nms"
Alias /perf/ 'WEBNMS_ROOT_DIR/webclient/perf/'
# Entry for blocking webclient directory from listing
<Directory "WEBNMS_ROOT_DIR/webclient">
# Tyco turned this off to match BT security standards - PR00217
# Options FollowSymLinks
AllowOverride None
</Directory>

JkMount /*.ajax ajp13
JkMount /*.spring ajp13


in ssl.conf i have following:

....taken out some comments to make the posting brief....
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
#SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
#SSLMutex file:logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

##
## SSL Virtual Host Context
##



# General setup for the virtual host
#DocumentRoot "C:/Progra~1/AdventNet/WebNMS"
#ServerName GBA85WS2153
#ErrorLog logs/error_log
#TransferLog logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
#NA SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
#SSLCertificateFile /usr/local/apache_2.0.43/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache_2.0.43/conf/ssl.crt/server-dsa.crt
#NA SSLCertificateFile conf/ssl.crt/server.cer
#SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
#SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.cer

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /usr/local/apache_2.0.43/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache_2.0.43/conf/ssl.key/server-dsa.key
#NA SSLCertificateKeyFile conf/ssl.crt/server.key
#SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.key
#SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /usr/local/apache_2.0.43/conf/ssl.crt/ca.crt
#SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/cachain.crt
#SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/cachain.crt


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0



also looking in apache error get following:

[Thu Nov 08 13:38:50 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:38:50 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:50 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:50 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Nov 08 13:38:51 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Nov 08 13:38:51 2012] [info] Init: Initializing (virtual) servers for SSL
[Thu Nov 08 13:38:51 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:51 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:51 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Thu Nov 08 13:38:51 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Thu Nov 08 13:38:51 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:38:51 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:51 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:51 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Nov 08 13:38:53 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Nov 08 13:38:53 2012] [info] Init: Initializing (virtual) servers for SSL
[Thu Nov 08 13:38:53 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:53 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:53 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Thu Nov 08 13:38:53 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Thu Nov 08 13:38:53 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 08 13:38:53 2012] [notice] Digest: done
[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations
[Thu Nov 08 13:38:54 2012] [info] Server built: Oct 28 2008 10:34:09
[Thu Nov 08 13:39:34 2012] [info] [client 162.109.xxxxxx] Connection to child 0 established (server 162.109.xxxxx:443)
[Thu Nov 08 13:39:34 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 0 (server 162.109.xxxxx:443)
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Thu Nov 08 13:39:36 2012] [info] [client 162.109.xxxx] Connection to child 1 established (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 1 (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Thu Nov 08 13:39:38 2012] [info] [client 162.109.xxxx] Connection closed to child 1 with standard shutdown (server 162.109.xxxx:443)
[Thu Nov 08 13:39:38 2012] [info] [client 162.109.xx.xxx] Connection closed to child 0 with standard shutdown (server 162.109.xx.xxx:443)
[Thu Nov 08 13:39:41 2012] [info] removed PID file /usr/local/AdventNet/WebNMS/apache/logs/httpd.pid (pid=11964)
[Thu Nov 08 13:39:41 2012] [notice] caught SIGTERM, shutting down
#2
12th November 2012, 14:24
max123

ppl, how come I'm not getting any help here - have I asked an obvious nonsense question? I've been reading and messing about with this issue for about a week now with no solution - would really appreciate some pointers even if they are to say that u need to do more homework cus the answer is too easy for this forum and we don't wish to answer?? or words to that effect. in case ppl can confirm my config files are correct and that they don't know why I get the issue, that affirmation would also be good as I know not to then waste time looking into that section and can look elsewhere to resolve the issue.

basic problem.
have httpd.conf for multiple virtual hosts which I think is correct from my reading.
have additional ssl.conf, not sure what that does cus I'm defining my private key etc as part of virtual hosts ...

but without virtual hosts, it works (ie. apache starts ok) - in this case my httpd.conf has default server config, no virtual directive, ssl.conf is module done as include directive and probably creates a ssl virtual host and all that starts up fine, I can go to https and stuff works, but above changes to get 2 virtual hosts stops it from working and although done reading and tried all sorts of suggestions etc... can make it work.
any pointers will be helpful thanks.
#3
12th November 2012, 14:37
till

The most likely reasons that apache does not start related to ssl are:

1) One of the defined ssl certificate files (crt, key or chain file) is missing.
2) One of the certs is broken (if a single char in one of the files is wrong, apache will not start).
3) A ssl cert consists of two files, the certificate and the key. If the key and crt do not belong together, apache will not start.

In all of these 3 cases, apache will not throw an error, it just won't start.

To find the problem, comment out all ssl vhosts except for one and also comment out the ssl cert lines in this vhost and try to start apache without ssl in this vhost. If it works, enable ssl just in this vhost, if it does not start anymore then create a new self signed ssl cert for this vhost and use just this crt and key (no chain) certificate and try again to find the reason for your problem.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
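
The three checks listed in the reply above (file present, file parses, certificate and key belong together) can be run per vhost before starting Apache. The script below is an added example, not part of the original thread; the function names and return codes are choices made for this example, and it assumes an `openssl` binary that provides the `pkey` subcommand.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate/key pair of every vhost.
# Return codes of check_pair (chosen for this example):
#   0 ok, 1 file missing, 2 file does not parse, 3 cert and key do not match.

# Print "<vhost> <certfile> <keyfile>" for each <VirtualHost> block in a config.
# Commented-out directives are ignored; paths containing spaces are not handled.
vhost_pairs() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/          { vh = $2; sub(/>$/, "", vh); cert = key = "" }
        /^[ \t]*SSLCertificateFile[ \t]/    { cert = $2; gsub(/"/, "", cert) }
        /^[ \t]*SSLCertificateKeyFile[ \t]/ { key = $2; gsub(/"/, "", key) }
        # No key directive: the key is expected inside the certificate file.
        /^[ \t]*<\/VirtualHost>/ { if (cert != "") print vh, cert, (key == "" ? cert : key) }
    ' "$1"
}

check_pair() {
    cert=$1 key=$2
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Extract the public key from each side; a damaged PEM file fails here.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate: $cert" >&2; return 2; }
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "cannot parse key (damaged or encrypted): $key" >&2; return 2; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match: $cert / $key" >&2; return 3; }
    echo "ok: $cert matches $key"
}

# Check every vhost in the given config; non-zero if any pair fails.
check_config() {
    status=0
    while read -r vh c k; do
        [ -n "$vh" ] || continue
        check_pair "$c" "$k" || { echo "  in <VirtualHost $vh>" >&2; status=1; }
    done <<EOF
$(vhost_pairs "$1")
EOF
    return "$status"
}

# Usage: sh check_vhost_certs.sh /path/to/httpd.conf
if [ "$#" -eq 1 ]; then check_config "$1"; fi
```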
#4
13th November 2012, 19:56
max123

Till,
Thanks.
I tried all your suggestions and basically even getting a basic non http didn't work, nor did a single ssl vhost.

I left all the default main server entries in httpd.conf and commented out vhost number 2, changed vhost 1 initially only server name, server admin, document root, no ssl stuff - it didn't work and it still tried doing ssl (assumed cus application startup script has lots of ssl type statements)
then added in the ssl certificates etc... didn't work.
then as all refs for ssl were being made to /conf/ssl.conf and not httpd.conf,
I changed the directives from httpd.conf to ssl.conf similar to above.

ie ssl conf stated directive for engine on and not in vhost etc...
still nothing worked.

my certificates are ok as they all work if I do the default setup.


I think it's an issue with integration to AdventNet WebNMS application - what I would really appreciate is if anyone out there has done multiple virtual ssl vhosts in conjunction with AdventNet WebNMS?
as I think the issue is to do with the other startup, set senv.sh and config files that make up the deployment of the webNMS product utilising a bundled apache .. which are not allowing it to work.
#5
20th November 2012, 15:00
ITG

So let's examine your logs a little bit here...

Quote:
[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations
[Thu Nov 08 13:38:54 2012] [info] Server built: Oct 28 2008 10:34:09
The above tells me that apache has started. It is ready to begin serving requests at this point.


Quote:
[Thu Nov 08 13:39:34 2012] [info] [client 162.109.xxxxxx] Connection to child 0 established (server 162.109.xxxxx:443)
[Thu Nov 08 13:39:34 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 0 (server 162.109.xxxxx:443)
Apache received a request from client 162.109.xxxxxx

Quote:
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
Error message here shows that a file that the client asked for is not found.


Quote:
[Thu Nov 08 13:39:36 2012] [info] [client 162.109.xxxx] Connection to child 1 established (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 1 (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
Looks like this was the second connection attempt, apache answered the request, but the file didn't exist.

Quote:
[Thu Nov 08 13:39:41 2012] [notice] caught SIGTERM, shutting down
Apache caught a SIGTERM kill code. This tells me that something issued a stop command or a kill command to apache's httpd process, and apache shut down due to the request sent to it.

Is there something in the WebNMS application that is sending the command to kill apache? I think I would look at that... It looks like your other configs are working because apache is starting. Keep your eye on the fact it's trying to find a file that isn't there.. maybe there is a path problem?

Hope this helps.
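
The reading of the log in the post above separates two cases that look the same from the outside: httpd never started, or it started and was then stopped by a signal. The script below is an added example, not part of the original thread, that makes the same distinction mechanically; the function names and verdict strings are choices made for this example, and the sample log is constructed from the lines quoted above with documentation addresses.

```shell
#!/bin/sh
# Added example: decide from an Apache 2.2 error_log whether httpd never came
# up, is still running, or came up and was stopped by a signal.

# Constructed sample modelled on the log in this thread (documentation IPs).
sample_log() {
    cat <<'EOF'
[Thu Nov 08 13:38:53 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) configured -- resuming normal operations
[Thu Nov 08 13:39:36 2012] [error] [client 192.0.2.7] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Thu Nov 08 13:39:36 2012] [error] [client 192.0.2.7] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Thu Nov 08 13:39:41 2012] [notice] caught SIGTERM, shutting down
EOF
}

# Reads log lines from the named files or from stdin and reports on the last
# start found. The time of day is field 4; a run that crosses midnight is not
# handled.
triage_log() {
    awk '
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        # A new start resets the state collected for the previous run.
        /resuming normal operations/ { up = 1; term = 0; started = secs($4); split("", missing) }
        # Requests that fell through to the filesystem while the server was up.
        /File does not exist:/       { if (up && !term) missing[$NF]++ }
        /caught SIGTERM/             { if (up) { term = 1; stopped = secs($4) } }
        END {
            if (!up)       print "verdict=never-started"
            else if (term) print "verdict=started-then-sigterm uptime=" (stopped - started) "s"
            else           print "verdict=running"
            for (f in missing) print "missing=" f " hits=" missing[f]
        }
    ' "$@"
}

sample_log | triage_log
```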