Apache + SSL problems

Discussion in 'Installation/Configuration' started by xicoloco, Mar 26, 2012.

  1. xicoloco

    xicoloco New Member

    ok its the 3 rd time i get this i reinstall linux + ispconfig from scratch 3 times to see if this happen again and it does.

    Well everything is fine i but when i trying out the certificate buttons on website SSL creation in some point apache stop working ...

    my questions are :

    there is a sequence to use the ISP interface to create the certificates without messing with him ?
    i can recover the instalation so i not have to reinstall the linux itself ?



    well i have tryed something i saw somewhere in forum without sucess :

    root@tarik01:~# a2dissite petrolube.com.br.vhost
    Site petrolube.com.br.vhost already disabled

    i have disable all domains and apache stills not start ... well any clues ?
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    1) Select a IP address in the website settings.
    2) Enable the ssl checkbox in the site settings.
    3) Enter the details of the ssl cert, select create certificate as action.

    The most likely resaon for your problem is a broken ssl certificate. This can happen if you enter chars in the ssl fields that cant be interpreted by openssl when the ssl cert is created.

    Post the errors that you get on the shell and in the apache error and ssl log when you restart apache.

    There is no need to reinstall Linux or reinstall ispconfig. Reinstalling ispconfig when you created already some items like websites etc can mess up your setup, so its not recommended to do that.
     
  3. xicoloco

    xicoloco New Member

    when starting apache:

    root@tarik01:~# /etc/init.d/apache2 restart
    Restarting web server: apache2Action 'start' failed.
    The Apache error log may have more information.
    failed!
    root@tarik01:~#

    th eapace log is :

    Code:
    [Sun Mar 25 18:22:33 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:22:33 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:22:33 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:22:58 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:22:58 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:22:59 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:22:59 2012] [error] [client 201.94.206.149] client denied by server configuration: /etc/apache2/htd
    ocs
    [Sun Mar 25 18:23:02 2012] [notice] caught SIGTERM, shutting down
    [Sun Mar 25 18:23:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Sun Mar 25 18:23:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
    [Sun Mar 25 18:23:03 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Sun Mar 25 18:23:03 2012] [notice] Digest: generating secret for digest authentication ...
    [Sun Mar 25 18:23:03 2012] [notice] Digest: done
    [Sun Mar 25 18:23:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Sun Mar 25 18:23:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
    [Sun Mar 25 18:23:03 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze8 with Suhosin
    -Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operation
    s
    [Sun Mar 25 18:23:07 2012] [notice] caught SIGTERM, shutting down
    
    Let me ask i cant use self signed SSL to all virtual servers ? they mess up ?

    If i have only 5 ips in rackspace for each server, there is a diferent solution to have more then one certificate in one IP ?

    i am reinstalling anyway because this is one of my tests ... i will try now the cluster confg, sorry i feel very newby right now i left computers and linux back in 1999 is hard to get in shape again ...
     
    Last edited: Mar 26, 2012
  4. xicoloco

    xicoloco New Member

    well today that happens again ....

    Code:
    [Thu Mar 29 06:42:15 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:15 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:17 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:17 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:18 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:18 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:19 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:19 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:34 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:34 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:54 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:42:54 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:43:02 2012] [notice] caught SIGTERM, shutting down
    [Thu Mar 29 06:43:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Mar 29 06:43:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
    [Thu Mar 29 06:43:03 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Thu Mar 29 06:43:03 2012] [notice] Digest: generating secret for digest authentication ...
    [Thu Mar 29 06:43:03 2012] [notice] Digest: done
    [Thu Mar 29 06:43:03 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Mar 29 06:43:03 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
    [Thu Mar 29 06:43:03 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
    [Thu Mar 29 06:43:06 2012] [notice] caught SIGTERM, shutting down
    [Thu Mar 29 06:43:07 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Mar 29 06:43:07 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
    [Thu Mar 29 06:43:07 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Thu Mar 29 06:43:07 2012] [notice] Digest: generating secret for digest authentication ...
    [Thu Mar 29 06:43:07 2012] [notice] Digest: done
    [Thu Mar 29 06:43:07 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Mar 29 06:43:07 2012] [warn] RSA server certificate CommonName (CN) `xicoloco' does NOT match server name!?
    [Thu Mar 29 06:43:07 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
    [Thu Mar 29 06:43:09 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:43:09 2012] [error] [client 189.58.110.185] client denied by server configuration: /etc/apache2/htdocs
    [Thu Mar 29 06:43:10 2012] [notice] caught SIGTERM, shutting down
    [Thu Mar 29 06:50:11 2012] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
    root@tarik01:~# 
    
    omg what fuk i doing wrong ????
     
  5. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's the output of
    Code:
    cd /etc/apache2
    grep -Ri SSLCertificateFile *
    ?
     
  6. xicoloco

    xicoloco New Member

    root@tarik01:/etc/apache2# grep -Ri SSLCertificateFile *
    sites-available/ispconfig.vhost: SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    sites-available/default-ssl: # SSLCertificateFile directive is needed.
    sites-available/default-ssl: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    sites-available/default-ssl: # the referenced file can be the same as SSLCertificateFile
    sites-enabled/000-ispconfig.vhost: SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    root@tarik01:/etc/apache2#
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Do /usr/local/ispconfig/interface/ssl/ispserver.crt and /etc/ssl/certs/ssl-cert-snakeoil.pem exist?
     
  8. xicoloco

    xicoloco New Member

    i already format this server because i panic, but i pretty sure this will happen again so we will continue on that ...
     
  9. DUCKFACE

    DUCKFACE New Member

    i have the samoe problem
    here is the apache.log
    Code:
    [Tue Jun 04 17:24:03 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jun 04 17:24:03 2013] [warn] RSA server certificate CommonName (CN) `Nikolay Konstantinov' does NOT match server name!?
    [Tue Jun 04 17:24:03 2013] [notice] Apache/2.2.22 (Ubuntu) DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.7 PHP/5.4.9-4ubuntu2 mod_python/3.3.1 Python/2.7.4 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_ssl/2.2.22 OpenSSL/1.0.1c configured -- resuming normal operations
    PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/cgi/conf.d/ming.ini on line 1 in Unknown on line 0
    the /usr/local/ispconfig/interface/ssl/ispserver.crt and /etc/ssl/certs/ssl-cert-snakeoil.pem exists
     
  10. thebrawnyman

    thebrawnyman New Member

    I'm having the same issue that xicoloco was having. I ran the grep on /etc/apache2 and verified that all crt files listed in the output do exist. In this case, what would be the next thing I check?
     
  11. thebrawnyman

    thebrawnyman New Member

    After some more digging I was able to figure out the issue. Turns out that when the original Private key was generated back in the day, SHA1 was used for the signature algorithm, but we were generating the new cert using SHA2 (its what the CA was set to use by default). Not sure why Apache would exit without throwing an error message about this, but thats what happens.

    I ended up using openssl commands found Here to confirm that the private key and cert did not match, and that the new cert generated with SHA1 did match.
     

Share This Page