  1. #1
    Just Joined!
    Join Date
    Nov 2012
    Posts
    12

    SSL on Apache with Fedora 17


    Hello,

    I am trying to install ssl

    yum install mod_ssl
    mkdir /etc/httpd/ssl
    openssl req -new -x509 -days 365 -nodes -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key

    Then created this file
    /etc/httpd/conf.d/vhost.conf

    and added
    <VirtualHost ***.***.***.***:443>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/httpd.pem
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

    ServerAdmin infoATmydomainDOTcom
    ServerName mydomainDOTcom
    DocumentRoot /srv/www/mydomain.com/public_html/
    ErrorLog /srv/www/mydomain.com/logs/error.log
    CustomLog /srv/www/mydomain.com/logs/access.log combined
    </VirtualHost>

    then restarted apache but got error:
    #: service httpd restart

    Redirecting to /bin/systemctl restart httpd.service
    Job failed. See system journal and 'systemctl status' for details.

    #: service httpd status
    Redirecting to /bin/systemctl status httpd.service
    httpd.service - The Apache HTTP Server (prefork MPM)
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
    Active: failed (Result: exit-code) since Wed, 07 Nov 2012 13:36:29 +0000; 10s ago
    Process: 2374 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=1/FAILURE)
    CGroup: name=systemd:/system/httpd.service

    Please, can you suggest any useful tips.

    Thanks.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hello and welcome!

    Before even looking at specifics, have you checked the Apache error log? It will hopefully contain more info:

    Code:
    cat /var/log/httpd/error_log
    and possibly also

    Code:
    cat /srv/www/mydomain.com/logs/error.log

  3. #3
    Just Joined!
    Join Date
    Nov 2012
    Posts
    12
    Thanks. This is what I saw on the log file:

    [Fri Nov 09 15:05:42 2012] [notice] caught SIGTERM, shutting down
    Attempt to free unreferenced scalar: SV 0xb82114a8, Perl interpreter: 0xb81daa88 during global destruction.
    (13)Permission denied: httpd: could not open error log file /etc/httpd/ssl/logs/error.log.
    Unable to open logs

  5. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by yereke View Post
    Thanks. This is what I saw on the log file:

    [Fri Nov 09 15:05:42 2012] [notice] caught SIGTERM, shutting down
    Attempt to free unreferenced scalar: SV 0xb82114a8, Perl interpreter: 0xb81daa88 during global destruction.
    (13)Permission denied: httpd: could not open error log file /etc/httpd/ssl/logs/error.log.
    Unable to open logs
    So I am guessing that either the parent dir does not exist, or you are not running apache chrooted as root, and the apache user does not have write permissions to the dir.

    Check if it is the former:
    Code:
    ls -ld /etc/httpd/ssl/logs/
    See how apache is running (who it is running as):
    Code:
    ps -eo user,cmd|egrep 'httpd|apache'

  6. #5
    Just Joined!
    Join Date
    Nov 2012
    Posts
    12
    The log dir exists:
    Code:
    drwxr-xr-x. 2 apache apache 4096 Nov  7 12:41 /etc/httpd/ssl/logs/
    And this is for the latter command:
    Code:
    root     /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    apache   /usr/sbin/httpd -k start
    root     egrep --color=auto httpd|apache

  7. #6
    Just Joined!
    Join Date
    Nov 2012
    Posts
    12

    Solved!

    I have Fedora 17, therefore the instructions I followed above do not work. Those were probably for FC14. Tried this link instead:

    http://www.server-world.info/en/note...17&p=httpd&f=5

    (sorry for the comma, I'm not allowed to post links yet)

    I removed and reinstalled mod_ssl and it worked fine using the server's browser.
    This was good progress.

    Still I can open using http from another machine in the network.
    But I cannot access the page using https.
    The page simply does not ask to accept any certificate. What could be the solution?

    The log file in /etc/httpd/logs/ssl_error_log has:
    Code:
    [Tue Nov 13 14:15:34 2012] [warn] RSA server certificate CommonName (CN) `myhost.com' does NOT match server name!
    The log from apache log/error_log has such errors:
    Code:
    SV 0xb9420270, Perl interpreter: 0xb9403c20 during global destruction.
    [Tue Nov 13 16:47:36 2012] [notice] Digest: generating secret for digest authentication ...
    [Tue Nov 13 16:47:36 2012] [notice] Digest: done
    [Tue Nov 13 16:47:36 2012] [notice] SSL FIPS mode disabled
    [Tue Nov 13 16:47:36 2012] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.4.6 mod_ssl/2.2.22 OpenSSL/1.0.0j-fips SVN/1.7.7 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
    I also tested on different OS.
    The page works on Linux and does not for MacOS, Windows.
    Any hints?
    Last edited by atreyu; 11-14-2012 at 02:46 AM. Reason: fixed link

  8. #7
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by yereke View Post
    (sorry for the comma, I'm not allowed to post links yet)
    Fixed the link for you.

    The log file in /etc/httpd/logs/ssl_error_log has:
    Code:
    [Tue Nov 13 14:15:34 2012] [warn] RSA server certificate CommonName (CN) `myhost.com' does NOT match server name!
    Don't you have to specify the server name when you create the SSL certificate? What do you have for the ServerName declarative in your apache conf file (usually something like /etc/httpd/conf/httpd.conf but is distro dependent)? Whatever it is, it should match what you use for the SSL cert hostname, and it should also be resolvable on your system (like in /etc/hosts for example).

    I also tested on different OS.
    The page works on Linux and does not for MacOS, Windows.
    I don't understand what this part means. Are you saying SSL works from Linux clients but not Mac/Windows clients?

    Also, this is not really solved until you work out the SSL issue, right?
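
The CommonName warning discussed above can be checked directly by comparing the certificate's CN with the ServerName of the port-443 virtual host. The script below is an added example, not part of any post in this thread; the function names are hypothetical, and the sample config and subject line are constructed from the names quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): does the certificate CN equal the
# ServerName of the :443 virtual host? Function names are hypothetical.

# ServerName (port suffix stripped) of the first <VirtualHost ...:443> block.
vhost_servername() {
    awk '
        tolower($1) == "<virtualhost" && $0 ~ /:443>/ { in_vh = 1; next }
        tolower($1) == "</virtualhost>"               { in_vh = 0 }
        in_vh && tolower($1) == "servername" {
            sub(/:[0-9]+$/, "", $2); print $2; exit
        }' "$1"
}

# CN from a line printed by `openssl x509 -noout -subject`; handles the
# old "/C=../CN=name" layout and the newer "C = .., CN = name" layout.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|^.*CN *= *\([^,/]*\).*$|\1|p'
}

# Host names compare case-insensitively; an empty name never matches.
names_match() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# usage: check_cert_vs_vhost /etc/httpd/conf.d/vhost.conf /etc/httpd/ssl/httpd.pem
check_cert_vs_vhost() {
    name=$(vhost_servername "$1")
    subject=$(openssl x509 -in "$2" -noout -subject) || return 2
    cn=$(cn_from_subject "$subject")
    if names_match "$name" "$cn"; then
        echo "OK: CN '$cn' matches ServerName"
    else
        echo "MISMATCH: CN '$cn' vs ServerName '$name'"; return 1
    fi
}

# Constructed sample input mirroring the names quoted in the thread.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine On
    ServerName mydomain.com:443
</VirtualHost>
EOF
sample_cn=$(cn_from_subject 'subject= /C=GB/O=Example/CN=myhost.com')
names_match "$(vhost_servername "$sample_conf")" "$sample_cn" \
    || echo "MISMATCH: CN '$sample_cn' vs ServerName '$(vhost_servername "$sample_conf")'"
rm -f "$sample_conf"
```

If the names differ, re-running the `openssl req` command from the first post and entering the ServerName value at the Common Name prompt produces a certificate that matches.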

  9. #8
    Just Joined!
    Join Date
    Nov 2012
    Posts
    12
    Quote Originally Posted by atreyu View Post
    Don't you have to specify the server name when you create the SSL certificate? What do you have for the ServerName declarative in your apache conf file (usually something like /etc/httpd/conf/httpd.conf but is distro dependent)?
    I have ServerName mydomain.com:80. Of course, instead of mydomain, I have a valid link.

    Quote Originally Posted by atreyu View Post
    Whatever it is, it should match what you use for the SSL cert hostname, and it should also be resolvable on your system (like in /etc/hosts for example)
    You might be right, because the hostname command gives mydomain.localdomain and I am not sure if this could be the cause. What do you reckon? I will try to add a line to /etc/hosts to set it as in ServerName and get rid of the .localdomain part.

    Quote Originally Posted by atreyu View Post
    I don't understand what this part means. Are you saying SSL works from Linux clients but not Mac/Windows clients?

    Also, this is not really solved until you work out the SSL issue, right?
    Yes, I agree. Just thought it might be of any help. Really it seems odd; any Linux (Fedora) machine can open the Server page using https, but it is impossible to do so with another OS.

  10. #9
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by yereke View Post
    I have ServerName mydomain.com:80. Of course, instead of mydomain, I have a valid link.
    This is still kind of confusing to me. Does the ServerName variable in ssl.conf and in httpd.conf match?

    You might be right, because the hostname command gives mydomain.localdomain and I am not sure if this could be the cause. What do you reckon? I will try to add a line to /etc/hosts to set it as in ServerName and get rid of the .localdomain part.
    You can modify the line in /etc/hosts - just add the mydomain part, e.g., change this:
    Code:
    192.168.1.2 mydomain.localdomain
    to this:
    Code:
    192.168.1.2 mydomain mydomain.localdomain
    But you referenced mydomain.com in your last post. So are you using that domain name in httpd.conf and ssl.conf? Is it real DNS domain name?

    Yes, I agree. Just thought it might be of any help. Really it seems odd; any Linux (Fedora) machine can open the Server page using https, but it is impossible to do so with another OS.
    That makes it sound like the https port (typically 443) is being blocked on those clients.

  11. #10
    Just Joined!
    Join Date
    Nov 2012
    Posts
    12
    Quote Originally Posted by atreyu View Post
    This is still kind of confusing to me. Does the ServerName variable in ssl.conf and in httpd.conf match?
    in ssl.conf ServerName is mydomain.com:443
    in httpd.conf it is mydomain.com:80
    so they do match but use different ports.

    Quote Originally Posted by atreyu View Post
    You can modify the line in /etc/hosts - just add the mydomain part, e.g., change this:
    Code:
    192.168.1.2 mydomain.localdomain
    to this:
    Code:
    192.168.1.2 mydomain mydomain.localdomain
    Changing /etc/hosts file didn't resolve the hostname. Instead I changed the file /etc/sysconfig/network
    Edited: HOSTNAME="hostname"
    Now I don't have .localdomain suffix.

    Quote Originally Posted by atreyu View Post
    But you referenced mydomain.com in your last post. So are you using that domain name in httpd.conf and ssl.conf? Is it real DNS domain name?
    Yes, the server has a static IP address with specific DNS domain name, connected through university IT service provider and it is identified by mydomain hostname. So it is accessed like mydomain.university.com (e.g.)
