- 11-07-2012 #1 Just Joined! (Join Date: Nov 2012, Posts: 9)
SSL on Apache with Fedora 17
Hello,
I am trying to install ssl
yum install mod_ssl
mkdir /etc/httpd/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key
Then created this file
/etc/httpd/conf.d/vhost.conf
and added
<VirtualHost ***.***.***.***:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/httpd.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
ServerAdmin infoATmydomainDOTcom
ServerName mydomainDOTcom
DocumentRoot /srv/www/mydomain.com/public_html/
ErrorLog /srv/www/mydomain.com/logs/error.log
CustomLog /srv/www/mydomain.com/logs/access.log combined
</VirtualHost>
Then restarted apache but got an error:
#: service httpd restart
Redirecting to /bin/systemctl restart httpd.service
Job failed. See system journal and 'systemctl status' for details.
#: service httpd status
Redirecting to /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server (prefork MPM)
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: failed (Result: exit-code) since Wed, 07 Nov 2012 13:36:29 +0000; 10s ago
Process: 2374 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=1/FAILURE)
CGroup: name=systemd:/system/httpd.service
Please, can you suggest any useful tips.
Thanks.
- 11-09-2012 #2 Trusted Penguin (Join Date: May 2011, Posts: 3,664)
Hello and welcome!
Before even looking at specifics, have you checked the Apache error log? It will hopefully contain more info:
Code:
cat /var/log/httpd/error_log
and possibly also
Code:
cat /srv/www/mydomain.com/logs/error.log
- 11-09-2012 #3 Just Joined! (Join Date: Nov 2012, Posts: 9)
Thanks. This is what I saw on the log file:
[Fri Nov 09 15:05:42 2012] [notice] caught SIGTERM, shutting down
Attempt to free unreferenced scalar: SV 0xb82114a8, Perl interpreter: 0xb81daa88 during global destruction.
(13)Permission denied: httpd: could not open error log file /etc/httpd/ssl/logs/error.log.
Unable to open logs
- 11-10-2012 #4 Trusted Penguin (Join Date: May 2011, Posts: 3,664)
So I am guessing that either the parent dir does not exist, or you are not running apache chrooted as root, and the apache user does not have write permissions to the dir.
Check if it is the former:
Code:
ls -ld /etc/httpd/ssl/logs/
See how apache is running (who it is running as):
Code:
ps -eo user,cmd|egrep 'httpd|apache'
- 11-13-2012 #5 Just Joined! (Join Date: Nov 2012, Posts: 9)
The log dir exists:
Code:
drwxr-xr-x. 2 apache apache 4096 Nov 7 12:41 /etc/httpd/ssl/logs/
And this is for the latter command:
Code:root /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start apache /usr/sbin/httpd -k start root egrep --color=auto httpd|apache
- 11-13-2012 #6 Just Joined! (Join Date: Nov 2012, Posts: 9)
Solved!
I have Fedora 17, therefore the instructions I followed above do not work. Those were probably for FC14. Tried this link instead:
http://www.server-world.info/en/note...17&p=httpd&f=5
(sorry for the comma, I'm not allowed to post links yet)
I removed and reinstalled mod_ssl and it worked fine using the server's browser.
This was a good progress.
Still I can open using http from another machine in the network.
But I cannot access the page using https.
The page simply does not ask to accept any certificate. What could be the solution?
The log file in /etc/httpd/logs/ssl_error_log has:
Code:
[Tue Nov 13 14:15:34 2012] [warn] RSA server certificate CommonName (CN) `myhost.com' does NOT match server name!
The log from apache log/error_log has such errors:
Code:
SV 0xb9420270, Perl interpreter: 0xb9403c20 during global destruction.
[Tue Nov 13 16:47:36 2012] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 13 16:47:36 2012] [notice] Digest: done
[Tue Nov 13 16:47:36 2012] [notice] SSL FIPS mode disabled
[Tue Nov 13 16:47:36 2012] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.4.6 mod_ssl/2.2.22 OpenSSL/1.0.0j-fips SVN/1.7.7 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
I also tested on different OS.
The page works on Linux and does not for MacOS, Windows.
Any hints?
Last edited by atreyu; 11-14-2012 at 02:46 AM. Reason: fixed link
- 11-14-2012 #7 Trusted Penguin (Join Date: May 2011, Posts: 3,664)
Fixed the link for you.
Quote:
The log file in /etc/httpd/logs/ssl_error_log has:
Code:
[Tue Nov 13 14:15:34 2012] [warn] RSA server certificate CommonName (CN) `myhost.com' does NOT match server name!
Don't you have to specify the server name when creating the SSL certificate? What do you have for the ServerName declarative in your apache conf file (usually something like /etc/httpd/conf/httpd.conf but is distro dependent)? Whatever it is, it should match what you use for the SSL cert hostname, and it should also be resolvable on your system (like in /etc/hosts for example).
Quote:
I also tested on different OS.
The page works on Linux and does not for MacOS, Windows.
I don't understand what this part means. Are you saying SSL works from Linux clients but not Mac/Windows clients?
Also, this is not really solved until you work out the SSL issue, right?
- 11-14-2012 #8 Just Joined! (Join Date: Nov 2012, Posts: 9)
I have ServerName mydomain.com:80. Of course, instead of mydomain, I have a valid link.
You might be right, because the hostname command gives mydomain.localdomain and I am not sure if this could be the cause. What do you reckon? I will try to add a line to /etc/hosts to set it as in ServerName and get rid of the .localdomain part.
Yes, I agree. Just thought it might be of any help. Really it seems odd; any Linux (Fedora) machine can open the Server page using https, but it is impossible to do so with another OS.
- 11-15-2012 #9 Trusted Penguin (Join Date: May 2011, Posts: 3,664)
This is still kind of confusing to me. Does the ServerName variable in ssl.conf and in httpd.conf match?
Quote:
You might be right, because the hostname command gives mydomain.localdomain and I am not sure if this could be the cause. What do you reckon? I will try to add a line to /etc/hosts to set it as in ServerName and get rid of the .localdomain part.
You can modify the line in /etc/hosts - just add the mydomain part, e.g., change this:
Code:
192.168.1.2 mydomain.localdomain
to this:
Code:
192.168.1.2 mydomain mydomain.localdomain
But you referenced mydomain.com in your last post. So are you using that domain name in httpd.conf and ssl.conf? Is it a real DNS domain name?
Quote:
Yes, I agree. Just thought it might be of any help. Really it seems odd; any Linux (Fedora) machine can open the Server page using https, but it is impossible to do so with another OS.
That makes it sound like the https port (typically 443) is being blocked on those clients.
- 12-03-2012 #10 Just Joined! (Join Date: Nov 2012, Posts: 9)
in ssl.conf ServerName is mydomain.com:443
in httpd.conf it is mydomain.com:80
so they do match but use different ports.
Changing /etc/hosts file didn't resolve the hostname. Instead I changed the file /etc/sysconfig/network
Edited: HOSTNAME="hostname"
Now I don't have .localdomain suffix.
Yes, the server has a static IP address with a specific DNS domain name, connected through the university IT service provider, and it is identified by the mydomain hostname. So it is accessed like mydomain.university.com (e.g.)
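
The CN-versus-ServerName check discussed in posts #7 to #10, as an added example that is not part of the thread: it creates a self-signed certificate with an explicit CN, reads the CN back, and compares it with the vhost's ServerName after dropping the `:443`/`:80` port suffix. The function names and the `.example` hostnames are constructed for illustration, and everything runs in a scratch directory rather than /etc/httpd.

```shell
#!/bin/sh
# Added example, not from the thread. Names ending in .example are constructed.

# make_selfsigned NAME DIR: write DIR/httpd.pem and DIR/httpd.key with CN=NAME.
make_selfsigned() (
    umask 077    # keep the private key unreadable to other users
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$1" -out "$2/httpd.pem" -keyout "$2/httpd.key" 2>/dev/null
)

# cert_cn FILE: print the subject CommonName of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# server_name CONF: print the first ServerName, lower-cased, without ":port".
server_name() {
    sed -n 's/^[[:space:]]*ServerName[[:space:]]\{1,\}\([^:[:space:]]*\).*/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z'
}

# check_match CONF CERT: return 0 when the CN equals the ServerName, else 1.
check_match() {
    want=$(server_name "$1")
    have=$(cert_cn "$2" | tr 'A-Z' 'a-z')
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "OK: certificate CN '$have' matches ServerName"
    else
        echo "MISMATCH: certificate CN '$have', ServerName '$want'"
        return 1
    fi
}

# Demo in a scratch directory: a CN that differs from ServerName, then one that matches.
demo() {
    d=$(mktemp -d) || return 1
    printf '<VirtualHost *:443>\nServerName mydomain.example:443\n</VirtualHost>\n' >"$d/ssl.conf"
    make_selfsigned myhost.example "$d"
    bad=0; check_match "$d/ssl.conf" "$d/httpd.pem" || bad=$?
    make_selfsigned mydomain.example "$d"
    good=0; check_match "$d/ssl.conf" "$d/httpd.pem" || good=$?
    rm -rf "$d"
    [ "$bad" -eq 1 ] && [ "$good" -eq 0 ]
}
demo
```

Current browsers validate the hostname against the certificate's subjectAltName rather than the CN, so a certificate meant for them also needs a matching SAN entry.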



