SSL related problems

Discussion in 'Installation/Configuration' started by senzapaura, Dec 28, 2005.

  1. senzapaura

    senzapaura New Member

    I am having trouble accessing my server in https mode,
    I can access it fine via http, but not in secure mode.
    I have configured a public (CA) certificate and I believe it is correct because apache2 asks for the passphrase and I can go into secure mode if I use the server's name. I get the following messages when restarting apache. The messages are followed by the apache2 Vhosts_ispconfig.conf file. Any help would be much appreciated. I am way behind on this project.

    Messages when restarting apache2

    amgsrv1:/etc/apache2/vhosts # /etc/init.d/apache2 restart
    [Wed Dec 28 15:58:05 2005] [warn] VirtualHost 192.168.3.170:443 overlaps with VirtualHost 192.168.3.170:443, the first has precedence, perhaps you need a NameVirtualHost directive
    [Wed Dec 28 15:58:05 2005] [warn] NameVirtualHost 192.168.3.170:80 has no VirtualHosts
    Syntax OK
    Shutting down httpd2 (waiting for all children to terminate) done

    Starting httpd2 (prefork) [Wed Dec 28 15:58:16 2005] [warn] VirtualHost 192.168.3.170:443 overlaps with VirtualHost 192.168.3.170:443, the first has precedence, perhaps you need a NameVirtualHost directive
    [Wed Dec 28 15:58:16 2005] [warn] NameVirtualHost 192.168.3.170:80 has no VirtualHosts
    Apache/2.0.54 mod_ssl/2.0.54 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server www.amg01.info:443 (RSA)
    Enter pass phrase:
    done

    /etc/apache2/vhosts/Vhosts_ispconfig.conf file

    ###################################
    #
    # ISPConfig vHost Configuration File
    # Version 1.0
    #
    ###################################
    #
    #NameVirtualHost 192.168.3.170:80
    #<VirtualHost 192.168.3.170:80>
    # ServerName localhost
    # ServerAdmin root@localhost
    # DocumentRoot /var/www/sharedip
    #</VirtualHost>
    #
    #
    ######################################
    # Vhost: www.amg01.info:80
    ######################################
    #
    #
    NameVirtualHost 192.168.3.170:80
    <VirtualHost 192.168.3.170:80>
    #<VirtualHost www.amg01.info:80>
    ServerName www.amg01.info:80
    ServerAdmin webmaster@amg01.info
    DocumentRoot /var/www/web1/web
    ServerAlias 192.168.3.170
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias /cgi-bin/ /var/www/web1/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web1/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php3>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php4>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php5>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    php_admin_value open_base_dir /var/www/web1/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web1/phptmp/
    php_admin_value session.save_path /var/www/web1/phptmp/
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Alias /error/ "/var/www/web1/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    </VirtualHost>
    #
    <IfModule mod_ssl.c>
    <VirtualHost 192.168.3.170:443>
    #<VirtualHost www.amg01.info:443>
    ServerName www.amg01.info:443
    ServerAdmin webmaster@amg01.info
    DocumentRoot /var/www/web1/web
    ServerAlias 192.168.3.170
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias /cgi-bin/ /var/www/web1/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web1/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php3>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php4>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php5>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    php_admin_value open_base_dir /var/www/web1/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web1/phptmp/
    php_admin_value session.save_path /var/www/web1/phptmp/
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    SSLEngine on
    SSLCertificateFile /var/www/web1/ssl/www.amg01.info.crt
    SSLCertificateKeyFile /var/www/web1/ssl/www.amg01.info.key
    SSLCertificateChainFile /var/www/web1/ssl/sf_issuing.crt
    Alias /error/ "/var/www/web1/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    </VirtualHost>
    </IfModule>
    #
     
  2. falko

    falko Super Moderator

    Is /etc/apache2/vhosts/Vhosts_ispconfig.conf included maybe more than once in your Apache configuration file?
     
  3. senzapaura

    senzapaura New Member

    Thank you. I could swear I checked that twice.
    That fixed error messages, but I still cannot get to the https side of the site. It looks like it times out and basically gives a cannot find page error.
     
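The duplicate-include check discussed above, as an added example that is not part of the original thread: a Python script that follows `Include` directives from a main Apache configuration file and reports any file pulled in more than once, which is what produces the "VirtualHost ... overlaps with VirtualHost" warning for identical address:port pairs. The function names are hypothetical, relative paths are assumed to resolve against the main file's directory unless a ServerRoot is passed, and a directory include is expanded one level only.

```python
import glob
import os
import re
import sys
from collections import Counter

# Matches active Include lines only; commented-out ones start with '#'.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)


def included_files(conf_path, server_root, depth=0):
    """Yield each file an Include pulls in, once per inclusion, following nested Includes."""
    if depth > 16:  # guard against a file that includes itself
        return
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    for line in lines:
        match = INCLUDE_RE.match(line)
        if not match:
            continue
        pattern = match.group(1)
        if not os.path.isabs(pattern):
            # Assumption: relative paths resolve against server_root
            pattern = os.path.join(server_root, pattern)
        if os.path.isdir(pattern):
            pattern = os.path.join(pattern, "*")
        for path in sorted(glob.glob(pattern)):
            if os.path.isfile(path):
                real = os.path.realpath(path)
                yield real
                yield from included_files(real, server_root, depth + 1)


def duplicate_includes(main_conf, server_root=None):
    """Return {file: times_included} for every file included more than once."""
    server_root = server_root or os.path.dirname(os.path.abspath(main_conf))
    counts = Counter(included_files(main_conf, server_root))
    return {path: n for path, n in counts.items() if n > 1}


if __name__ == "__main__" and len(sys.argv) > 1:
    for path, n in duplicate_includes(sys.argv[1]).items():
        print(f"{path} is included {n} times")
```

Run it with the path of the main configuration file as the only argument; a file listed both by name and by a wildcard that also matches it shows up with a count of 2.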
  4. till

    till Super Moderator

    Have you tried Firefox to access the SSL site? It gives better error messages than IE.
     
  5. senzapaura

    senzapaura New Member

    Till, thanks for looking at this. Firefox returns a time out message. I think the problem is somehow related to the fact that the machine is named amgsrv1.anthem-group.com. It is on a local domain named anthem-group.com. I have defined www.amg01.info as a virtual host and send both http and https requests from the firewall to the IP & port defined for the virtual server which is named www.amg01.info. This is the same as the machine's IP address. I can reach the machine using https://amgsrv1.anthem-group.com, but the certificate indicates that the domain name in the certificate was not matched.
    I just happened to think, what would happen if I used a different IP address to define the virtual host? I will try that, in the meantime I hope I have provided enough info to help solve my problem.

    No luck. I still cannot access https://www.amg01.info even though apache apparently "sees" the certificates because it requires me to enter one before apache will boot.
    Happy new year to all.
     
    Last edited: Jan 2, 2006
  6. senzapaura

    senzapaura New Member

    Still no luck getting the SSL to work.
     
  7. falko

    falko Super Moderator

    What's the exact error message now? What's in the logs?
     
  8. senzapaura

    senzapaura New Member

    Well, in my haste to find a solution I screwed things up so bad I had to reinstall everything to make sure I brought everything back to where it was before my screw up. I was hoping that by reinstalling my problem would miraculously go away, so much for miracles. I guess the good news is I am right back where I started. The bad news is I still have the problem. I can access my site by a domain name using http, but the browser times out when trying to access the site via https.

    Along this tortuous reinstallation road I learned a couple of things about Ispconfig. First is, if you modify/add any PHP settings in the /etc/apache2/vhosts/Vhosts_ispconfig.conf file and then change the site via Ispconfig you lose those PHP settings. I do not know how to make these changes in Ispconfig, so I must edit the file directly. The second is, do not make any mistakes when creating a web site using Ispconfig. If you do make a mistake and try again Ispconfig adds one to the web site and by the time you create a “good” site it is web3 or web4. I am not sure if the implicit save is a good thing for my bad typing. :) Also, is there a problem if I use the newest version of phpMyAdmin? I noticed that the current version is several versions ahead of the one I have been using.

    I have added the public SSL certificate and when I reboot apache2 it asks for the passphrase, when entered apache2 starts OK, so it looks like apache2 knows there is a valid SSL certificate.

    These are my current settings for the /etc/apache2/vhosts/Vhosts_ispconfig.conf file, followed by my host and domain settings. – Falko which log files?

    ###################################
    #
    # ISPConfig vHost Configuration File
    # Version 1.0
    #
    ###################################
    #
    #NameVirtualHost 192.168.3.170:80
    #<VirtualHost 192.168.3.170:80>
    # ServerName localhost
    # ServerAdmin root@localhost
    # DocumentRoot /var/www/sharedip
    #</VirtualHost>
    #
    #
    ######################################
    # Vhost: www.amg01.info:80
    ######################################
    #
    #
    <VirtualHost 192.168.3.170:80>
    ServerName www.amg01.info:80
    ServerAdmin webmaster@amg01.info
    DocumentRoot /var/www/web1/web
    ServerAlias amg01.info
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias /cgi-bin/ /var/www/web1/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web1/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php3>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php4>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php5>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    php_admin_value open_base_dir /var/www/web1/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web1/phptmp/
    php_admin_value session.save_path /var/www/web1/phptmp/
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Alias /error/ "/var/www/web1/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    </VirtualHost>
    #
    <IfModule mod_ssl.c>
    <VirtualHost 192.168.3.170:443>
    ServerName www.amg01.info:443
    ServerAdmin webmaster@amg01.info
    DocumentRoot /var/www/web1/web
    ServerAlias amg01.info
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias /cgi-bin/ /var/www/web1/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web1/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php3>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php4>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php5>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    php_admin_value open_base_dir /var/www/web1/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web1/phptmp/
    php_admin_value session.save_path /var/www/web1/phptmp/
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    SSLEngine on
    SSLCertificateFile /var/www/web1/ssl/www.amg01.info.crt
    SSLCertificateKeyFile /var/www/web1/ssl/www.amg01.info.key
    SSLCertificateChainFile /var/www/web1/ssl/sf_issuing.crt
    Alias /error/ "/var/www/web1/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    </VirtualHost>
    </IfModule>
    #
    #
    ==============================================
    amgsrv1:/etc/apache2/vhosts # hostname
    amgsrv1
    amgsrv1:/etc/apache2/vhosts # hostname -d
    anthem-group.com

    This is a copy of the top lines of IE error I get when I try to access the site using https://www.amg01.info.

    The page cannot be displayed
    The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
     
  9. till

    till Super Moderator

    Did you use any of the howtos provided at howtoforge to setup your server for ISPConfig?

    Simply put your additional directives in the Apache directives field of the website.

    What's the problem with that? Websites are referenced in ISPConfig by the domain, the web IDs are only for internal use in ISPConfig.


    You can use any version you want. But make sure you configure it correctly. Have a look in the config file that ISPConfig uses for PHPMyAdmin.

    I guess you didn't add the certificate with ISPConfig, because ISPConfig makes sure that the certificates don't ask for the password when you restart apache. If you set up an SSL certificate manually you have to select "n" in steps 6 and 7 of the openSSL certificate setup.
     
    Last edited: Jan 7, 2006
  10. falko

    falko Super Moderator

    On the "Basis" tab of a web site in ISPConfig, there's the field "Apache Directives" where you can put your additional directives.


    What error message do you get when you use Firefox instead of IE?
     
  11. senzapaura

    senzapaura New Member

    Thanks to Till and Falko for your help.

    I do use the excellent howtos at howtoforge to install Suse 10 and Ispconfig. Without them I would be unable to begin learning the process for setting up an ISP. Most of my frustrations are caused by “operator error” and the fact I am in a learning phase.

    My problem with the changing web site names is I am using Dreamweaver to program and implement the web site. In order to help me keep things straight, I setup a web1 (or webx) user to access the server for publishing and testing the site. Admittedly this is probably my problem, I must figure out a better way to coordinate these packages.

    Unfortunately when I originally setup the certificate for the www.amg01.info domain I installed it with a passphrase. I will reissue the certificate when everything is working. My entering the passphrase when rebooting apache2 is not a major problem at this time. I was concerned that I entered the certificate correctly and the fact that apache2 recognizes it makes me think I did it correctly.

    The Firefox alert message I get is: The operation timed out when attempting to contact www.amg01.info.

    IE alert through Microsoft Word when trying to connect to the https side is: Unable to open https://www.amg01.info/ Cannot locate the Internet server or proxy server.

    You should be able to access the site using: http://www.amg01.info and then try https://www.amg01.info and get the same error message.

    Thanks again.
     
  12. till

    till Super Moderator

    I'm using Dreamweaver too for managing my sites. I do not enter a sitename at all in Dreamweaver. Can you describe where you get the problems with using Dreamweaver and I will try to help you.

    If you want to add an SSL enabled site in ISPConfig, check the SSL checkbox on the basis tab. Then save the website. If you open it again, you have a new SSL tab, where you can enter the details for the certificate. There you can choose "Create certificate" and ISPConfig does all the steps necessary for creating a valid cert for you.
     
  13. senzapaura

    senzapaura New Member

    This is what I think is happening for the Dreamweaver issue.

    When I set-up a remote site for publishing my web application in Dreamweaver, I also setup a user. This user must have all the appropriate privileges for the particular site in order for me to publish and test (I also setup the server as a test server). Since I have multiple virtual sites on the web server, I use multiple users identified in Dreamweaver (and the operating system) as user web1, web2 and so forth. I set-up a user based on the virtual host directory, that is if my site in ISPConfig is web1 I have a web1 user, but if I reinstall (using ISPConfig) I may get the web site identified as web3 (because I made mistakes setting up the site). When this happens then the Dreamweaver interface will not connect to the server for publishing or as a test server unless I fix all permissions for the Dreamweaver user or create a new user. I setup multiple users to protect one user site from another based on the operating systems permissions. Theoretically each web site could be maintained by a different developer each one protected from the others. Maybe there is a better way to do this or maybe I do not understand things correctly.

    This is what I think for the https issue.

    After I applied and received the certificate from the CA, I used the information to install from ISPConfig. Then I copied the .crt and .key files to the appropriate directory. I thought I read somewhere in this forum that was the procedure to use if you already had the .crt and .key files. If my .crt and .key files are in the correct directory and they are specified in the /etc/apache2/vhosts/Vhosts_ispconfig.conf, shouldn’t I be able to access the virtual host?
     
  14. falko

    falko Super Moderator

    For each web site you must create an admin user in ISPConfig, and then you can use this admin user in Dreamweaver to connect to the site with FTP. The web site IDs do not have to be the same on different ISPConfig installations, as you've already recognized.

    Normally you check the SSL check box on a web site's "Basis" tab in ISPConfig, then you go to the SSL tab and create a new certificate. You copy the csr (certificate signing request) from the text box and send it to your CA which then sends you an official certificate which you copy into the certificate text box. You save that certificate, and you're finished.

    However, I get the impression that your Apache isn't able to speak https because of missing modules. Please post the output of
    Code:
    netstat -tap
     
  15. senzapaura

    senzapaura New Member

    I am not sure, but it looks like apache2 is trying to speak https?
    amgsrv1:~ # netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:mysql                 *:*                     LISTEN      4085/mysqld
    tcp        0      0 *:sunrpc                *:*                     LISTEN      3801/portmap
    tcp        0      0 *:hosts2-ns             *:*                     LISTEN      3391/ispconfig_http
    tcp        0      0 *:ftp                   *:*                     LISTEN      21272/proftpd: (acc
    tcp        0      0 amgsrv1.anthem-g:domain *:*                     LISTEN      4076/named
    tcp        0      0 localhost:domain        *:*                     LISTEN      4076/named
    tcp        0      0 *:smtp                  *:*                     LISTEN      29228/master
    tcp        0      0 localhost:953           *:*                     LISTEN      4076/named
    tcp        0      0 *:www-http              *:*                     LISTEN      5754/httpd2-prefork
    tcp        0      0 *:ssh                   *:*                     LISTEN      4008/sshd
    tcp        0      0 *:smtp                  *:*                     LISTEN      29228/master
    tcp        0      0 localhost:953           *:*                     LISTEN      4076/named
    tcp        0      0 *:https                 *:*                     LISTEN      5754/httpd2-prefork
    tcp        0    148 amgsrv1.anthem-grou:ssh 192.168.3.10:ttntspauto ESTABLISHED 2414/0
    amgsrv1:~ #
     
  16. falko

    falko Super Moderator

    Yes, looks like that... But it's possible that Apache is configured to listen on port 443, but without SSL support...
    Which distribution are you using? Did you follow any of the "Perfect Setup" tutorials?
     
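A listener on port 443 in `netstat` does not show whether TLS is actually spoken there, or whether the port is reachable from the client's side at all. The following is an added example, not part of the original thread: a Python probe that separates the failure layers raised in this discussion (TCP timeout, connection refused, a plain-HTTP listener on the HTTPS port, and a certificate name mismatch). The function name and result labels are hypothetical; `server_name` lets you connect to one address while checking the certificate against another name.

```python
import socket
import ssl
import sys

# OpenSSL verify code for "certificate does not match the requested host name"
X509_V_ERR_HOSTNAME_MISMATCH = 62


def probe_https(host, port=443, server_name=None, timeout=5.0):
    """Return a label for the first layer at which an https:// connection fails."""
    server_name = server_name or host
    # Layer 1: plain TCP. Certificates are not involved yet.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"      # no answer at all: packets dropped or not forwarded
    except ConnectionRefusedError:
        return "refused"      # host reached, nothing listening on that port
    except OSError:
        return "unreachable"  # DNS or routing failure

    # Layer 2: TLS handshake with normal chain and host name verification.
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=server_name):
            return "tls_ok"
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == X509_V_ERR_HOSTNAME_MISMATCH:
            return "name_mismatch"   # TLS works, certificate is for another name
        return "cert_untrusted"      # TLS works, chain did not verify
    except ssl.SSLError:
        return "not_tls"             # port answers, but not with a TLS handshake
    except OSError:
        return "handshake_stalled"   # connected, then reset or silent


if __name__ == "__main__" and len(sys.argv) > 1:
    # usage: probe.py HOST [PORT] [NAME_EXPECTED_IN_CERTIFICATE]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    name = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_https(sys.argv[1], port, name))
```

Running it once from the server itself and once from a client outside the firewall shows whether the two paths fail at the same layer.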
  17. senzapaura

    senzapaura New Member

    I followed the perfect setup described in howtoforge for a Suse 10 implementation. I tried to setup apache2 and PHP5 as described starting on page 5 of this perfect setup.

    Version: Apache/2.0.54 (Linux/SUSE)

    While checking to see how apache was running I executed the following commands, trying to make sure ssl was running. The results follow:

    amgsrv1:~ # /etc/init.d/apache2 stop
    Shutting down httpd2 (waiting for all children to terminate) done
    amgsrv1:~ # /etc/init.d/apache2 startssl
    Starting httpd2 (prefork) Apache/2.0.54 mod_ssl/2.0.54 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server www.amg01.info:443 (RSA)
    Enter pass phrase:

    Ok: Pass Phrase Dialog successful.
    done
    amgsrv1:~ # /etc/init.d/apache2 configtest
    Syntax OK

    It looks OK to me but maybe you can see a problem. In fact it looks to me like it is supposed to be going to SSL for the server I am trying to reach via SSL.
    I have tried looking at the SSL certificate using the openssl command. Maybe I have a mistake here?

    Thanks for hanging in there and helping.
     
  18. till

    till Super Moderator

    Why have you created encrypted SSL certificates? It's not described in the howto and this is what stops your server. Remove the config part that you added which is not described in the howto. ISPConfig will manage the SSL certs for you properly.
     
  19. senzapaura

    senzapaura New Member

    I am sorry, I do not understand what you are asking me to do?
     
  20. till

    till Super Moderator

    Have you followed the SuSe 10 howto to the letter or did you do any additional configuration?

    How have you added this SSL certificate?
     
