carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Mon Oct 29, 2007 4:48 pm Post subject: apache2 update ssl not working [solved] |
|
|
Hello, ok updated apache2 over weekend and having issues as so many changes to config files.
Have got it working as non ssl but when trying as ssl I get 'unable to connect' message?
/etc/conf.d/apache
Code: |
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP5"
|
grep -v "#" /etc/apache2/vhosts.d/00_default_vhost.conf
Code: |
<IfDefine DEFAULT_VHOST>
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
</VirtualHost>
<VirtualHost 192.168.1.3:80>
ServerName mydomain.co.uk
DocumentRoot /var/www/localhost/htdocs
<Directory "/var/www/localhost/htdocs">
Options MultiViews Indexes Includes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
</IfDefine>
|
grep -v "#" /etc/apache2/httpd.conf
Code: |
ServerRoot "/usr/lib/apache2"
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfDefine CACHE>
LoadModule cache_module modules/mod_cache.so
</IfDefine>
LoadModule cgi_module modules/mod_cgi.so
<IfDefine DAV>
LoadModule dav_module modules/mod_dav.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_fs_module modules/mod_dav_fs.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_lock_module modules/mod_dav_lock.so
</IfDefine>
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
<IfDefine CACHE>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfDefine>
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
<IfDefine CACHE>
LoadModule file_cache_module modules/mod_file_cache.so
</IfDefine>
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule ident_module modules/mod_ident.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
<IfDefine INFO>
LoadModule info_module modules/mod_info.so
</IfDefine>
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
<IfDefine CACHE>
LoadModule mem_cache_module modules/mod_mem_cache.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
<IfDefine PROXY>
LoadModule proxy_module modules/mod_proxy.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_connect_module modules/mod_proxy_connect.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfDefine>
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule speling_module modules/mod_speling.so
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
<IfDefine INFO>
LoadModule status_module modules/mod_status.so
</IfDefine>
<IfDefine SUEXEC>
LoadModule suexec_module modules/mod_suexec.so
</IfDefine>
LoadModule unique_id_module modules/mod_unique_id.so
<IfDefine USERDIR>
LoadModule userdir_module modules/mod_userdir.so
</IfDefine>
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
User apache
Group apache
Include /etc/apache2/modules.d/*.conf
Include /etc/apache2/vhosts.d/*.conf
|
grep -v "#" /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Code: |
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
<VirtualHost _default_:443>
Include /etc/apache2/vhosts.d/default_vhost.include
ErrorLog /var/logs/ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/ssl_access_log
</IfModule>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/new.cert.cert
SSLCertificateKeyFile /etc/apache2/ssl/new.cert.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/localhost/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
<IfModule log_config_module>
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
|
logs show no ssl errors?
any ideas what is amiss, worked fine before update!!
many thanks _________________ Work Station - 64bit
Gigabyte GA X48-DQ6 Core2duo E8400
8GB GSkill DDR2-1066
SATA Areca 1210 Raid
BFG OC2 8800 GTS 640mb
--------------------------------
Notebook
Samsung Q45 7100 4gb
Last edited by carpman on Thu Nov 01, 2007 11:14 pm; edited 1 time in total |
RayDude Advocate
Joined: 29 May 2004 Posts: 2062 Location: San Jose, CA
|
Posted: Tue Oct 30, 2007 11:17 pm Post subject: |
|
|
Code: | APACHE2_OPTS="-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP5" |
Shouldn't this read:
Code: | APACHE2_OPTS="-D SSL -D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP5" |
Raydude _________________ Some day there will only be free software. |
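Why the first post's options end in 'unable to connect', as an added example that is not part of the thread or of Apache's or Gentoo's own code: it evaluates the `<IfDefine>`/`<IfModule>` nesting from the posted files against an `APACHE2_OPTS` string and returns the `Listen` ports that remain. The sample config is constructed from the posted lines, the function names are hypothetical, and the `-D` names are modelled as a set.

```python
import re
import shlex

# Constructed sample: the lines from the thread's httpd.conf and vhosts.d files
# that decide which ports httpd binds, in the order httpd would read them.
CONF = """\
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
<IfDefine DEFAULT_VHOST>
Listen 80
</IfDefine>
"""

OPEN = re.compile(r"<(IfDefine|IfModule)\s+(!?)([^>\s]+)\s*>$", re.I)
CLOSE = re.compile(r"</(IfDefine|IfModule)\s*>$", re.I)

def parse_defines(apache2_opts):
    """Names that follow a -D flag in an APACHE2_OPTS value, as a set."""
    toks = shlex.split(apache2_opts)
    return {name for flag, name in zip(toks, toks[1:]) if flag == "-D"}

def active_listens(conf, defines):
    """Listen arguments left after <IfDefine>/<IfModule> sections are evaluated."""
    stack, modules, listens = [], set(), []
    for line in map(str.strip, conf.splitlines()):
        m = OPEN.match(line)
        if m:
            known = defines if m.group(1).lower() == "ifdefine" else modules
            stack.append((m.group(3) in known) != bool(m.group(2)))
        elif CLOSE.match(line):
            stack.pop()
        elif all(stack):                      # every enclosing section is true
            word, _, arg = line.partition(" ")
            if word.lower() == "loadmodule":
                modules.add(arg.split()[0])   # e.g. ssl_module
            elif word.lower() == "listen":
                listens.append(arg.strip())
    return listens

if __name__ == "__main__":
    for opts in ("-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP5",
                 "-D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PHP5"):
        print(opts, "->", active_listens(CONF, parse_defines(opts)))
```

Without `-D SSL` the module is never loaded and the whole SSL vhost file is skipped, so nothing listens on 443 and the error log stays clean.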
jexxie Tux's lil' helper
Joined: 12 Oct 2007 Posts: 82 Location: Vancouver, BC
|
Posted: Tue Oct 30, 2007 11:25 pm Post subject: |
|
|
I would agree with RayDude, you need '-D SSL' in the /etc/conf.d/apache2 file to have Apache start it up for domains beyond the default localhost vhost.
Cheers. _________________ Rambling sysadmin
My personal site and blog: Phil Dufault |
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Wed Oct 31, 2007 9:02 am Post subject: |
|
|
thanks for replies but still the same problem even with -D SSL ?
RayDude Advocate
Joined: 29 May 2004 Posts: 2062 Location: San Jose, CA
|
Posted: Wed Oct 31, 2007 4:18 pm Post subject: |
|
|
carpman wrote: | thanks for replies but still the same problem even with -D SSL ? |
Did you restart apache with:
Code: | /etc/init.d/apache2 stop
/etc/init.d/apache2 start |
I don't think restart or reload will work here. restart might but I wouldn't risk it.
Do you have ssl installed?
Have you run revdep-rebuild to ensure all libraries are up to date?
When you start apache it should tell you that ssl is initializing in the apache log, is it?
If not what's the error message?
Raydude _________________ Some day there will only be free software. |
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Wed Oct 31, 2007 5:12 pm Post subject: |
|
|
RayDude wrote: | carpman wrote: | thanks for replies but still the same problem even with -D SSL ? |
Did you restart apache with:
Code: | /etc/init.d/apache2 stop
/etc/init.d/apache2 start |
I don't think restart or reload will work here. restart might but I wouldn't risk it.
Do you have ssl installed?
Have you run revdep-rebuild to ensure all libraries are up to date?
When you start apache it should tell you that ssl is initializing in the apache log, is it?
If not what's the error message?
Raydude |
Yep yep yep and no
Things were working fine until update and config changes, there are no error messages but apache error logs show following on restart:
Code: |
/var/log/apache2/error_log:[Wed Oct 31 17:03:24 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8f configured -- resuming normal operations
|
RayDude Advocate
Joined: 29 May 2004 Posts: 2062 Location: San Jose, CA
|
Posted: Wed Oct 31, 2007 6:04 pm Post subject: |
|
|
Okay let's step back a bit.
How do you know ssl isn't working?
What address are you hitting? http://...
What does your vhost look like for your ssl website?
Raydude _________________ Some day there will only be free software. |
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Wed Oct 31, 2007 10:33 pm Post subject: |
|
|
RayDude wrote: | Okay let's step back a bit.
How do you know ssl isn't working?
What address are you hitting? http://...
What does your vhost look like for your ssl website?
Raydude |
Hello and thanks for reply, I am using https://site here
Look at first post for vhost config.
kpswalin n00b
Joined: 01 Nov 2007 Posts: 8
|
Posted: Thu Nov 01, 2007 3:35 am Post subject: apache2 update ssl not working |
|
|
I am having the exact same issue. I upgraded Apache and it required several config changes to the vhosts for the HTTP sites I host, which are all now working. HTTPS however is not functioning. I appear to get in the site but get the following error in my browser:
Code: | Forbidden
You don't have permission to access /"Directory Name" on this server.
Apache Server at "FQDN" Port 443 |
I have verified that the permissions have not changed during the upgrade and the site was functional prior to the upgrade.
I am guessing it has something to do with the default vhost for SSL.
Here are my results for the vhosts:
grep -v "#" /etc/apache2/vhosts.d/00_default_vhost.conf
Code: | NameVirtualHost *:80
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
DocumentRoot "/var/www"
<Directory "/var/www">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<IfModule peruser.c>
ServerEnvironment apache apache
MinSpareProcessors 4
MaxProcessors 20
</IfModule>
<IfModule itk.c>
AssignUserID apache apache
MaxClientsVHost 50
</IfModule>
</VirtualHost>
</IfDefine>
|
grep -v "#" /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf
Code: | <IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
DocumentRoot "/var/www/localhost/htdocs"
ServerName "FQDN"
ServerAdmin webmaster@"Domain Name"
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/new.cert.cert
SSLCertificateKeyFile /etc/apache2/ssl/new.cert.key
<Files ~ "\.(cgi|shtml|phtml|php?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/localhost/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<IfModule mod_setenvif.c>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
<IfModule mod_log_config.c>
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
|
Last edited by kpswalin on Thu Nov 01, 2007 4:05 am; edited 1 time in total |
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
|
Posted: Thu Nov 01, 2007 4:04 am Post subject: |
|
|
-D SSL before -D SSL_DEFAULT_VHOST
cheers _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
kpswalin n00b
Joined: 01 Nov 2007 Posts: 8
|
Posted: Thu Nov 01, 2007 4:23 am Post subject: |
|
|
In my case "-D SSL" is before "-D SSL_DEFAULT_VHOST" and the problem still exists.
/etc/conf.d/apache2
Code: | APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5 -D SSL -D SSL_DEFAULT_VHOST" |
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Thu Nov 01, 2007 9:18 am Post subject: |
|
|
bunder wrote: | -D SSL before -D SSL_DEFAULT_VHOST
cheers |
Happy now, that worked for apache, have following in
/etc/conf.d/apache2
Code: |
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
|
The above works fine.
Should note that I did have -D SSL before SSL_DEFAULT_VHOST but also in front of DEFAULT_VHOST like this:
Code: |
APACHE2_OPTS=" -D SSL -D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP5"
|
This did not work.
cheers
kpswalin n00b
Joined: 01 Nov 2007 Posts: 8
|
Posted: Thu Nov 01, 2007 3:12 pm Post subject: |
|
|
I realized as I continued to work this issue that my Directory settings in the 41_mod_ssl.default-vhost.conf were gone after the upgrade. I added the following and all is well.
Code: | <Directory "/var/www/localhosts/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory> |
Last edited by kpswalin on Thu Nov 01, 2007 6:31 pm; edited 1 time in total |
RayDude Advocate
Joined: 29 May 2004 Posts: 2062 Location: San Jose, CA
|
Posted: Thu Nov 01, 2007 3:56 pm Post subject: |
|
|
Glad you guys got it all working.
OP can you please put [solved] in the subject?
Thanks,
Raydude _________________ Some day there will only be free software. |