  1. #1
    Just Joined!
    Join Date
    Jul 2003
    Posts
    3

    Apache & SSL Problems


    Hello:

    Any help that anyone can give me or if you can at least point me in the right direction I would really appreciate it. I installed libapache-mod-ssl (on a debian system) last week and I haven't been able to get it to work. I got to the section in the readme file (from the libapache-mod-ssl documentation) that said:

    " If you don't have a virtual host but just one default server, you should call this new virtualhost <VirtualHost _default_:443>."

    This is after I had made the certificate and key, chosen a passphrase and configured httpd.conf to add the module "mod_ssl.so" file. So I went to the httpd.conf and all I did was add this block (as instructed by the sample vhosts file):

    <VirtualHost _default_:443>
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
    <Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
    </Files>
    <Directory "/usr/lib/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    </IfModule>
    </VirtualHost>

    So then when it was time to stop and start apache, I did it through Webmin and this is what I got:

    Failed to start apache:
    Starting web server: apacheApache/1.3.26 mod_ssl/2.8.9 (Pass Phrase
    Dialog)
    Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases.

    Server 192.168.1.8:443 (RSA)
    Enter pass phrase:
    Apache:mod_ssl:Error: Private key not found.
    **Stopped
    failed

    So I couldn't start Apache through the Webmin module (the same thing also happens when I reboot the server and it tries to start the apache service: it will hang in that part of the boot-up process until I enter the passphrase, then it will continue booting). So then I went to the command line and again I got the part that says "Enter pass phrase:", and since I was on the command line I was able to enter it, and apache started fine. However, when I try to access apache through https://localhost or https://host-ip-address or https://host.domain.com it doesn't work; it just gives me the "page cannot be displayed" error. It only works if I access the server through regular "http://" and not through "https://". So my 3 big questions are:

    1. How can I make it so that it doesn't ask me the pass phrase every time I start apache? And if I do disable the pass phrase feature does that mean that SSL is not started?

    But most importantly:
    2. Why are the references to any https:// address to the web server work even after I start apache in the command line and enter in the pass phrase as I am prompted to do so? How come only the http:// references work?

    3. Given the virtualHost configuration described above, what can I change so that it will work properly? I want to be able to enable SSL for the default server. How do I do that? And what virtualhosts do I have to make? For instance: do I have to make all of the following
    <virtualhost localhost:443>, <virtualhost localhost:80>, <virtualhost host-ip:443>, <virtualhost hostname:443>...etc?

    One last thing is that I checked my /var/log/apache/error.log file and I had the following lines in there..

    [Sun Jul 27 15:43:42 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
    [Sun Jul 27 15:43:42 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
    [Sun Jul 27 16:10:45 2003] [notice] caught SIGTERM, shutting down
    [Sun Jul 27 16:10:47 2003] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows)
    [Sun Jul 27 16:10:47 2003] [error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
    [Sun Jul 27 16:10:47 2003] [error] OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
    [Sun Jul 27 16:10:47 2003] [error] OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
    [Sun Jul 27 16:16:38 2003] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows)
    [Sun Jul 27 16:16:38 2003] [error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
    [Sun Jul 27 16:16:38 2003] [error] OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
    [Sun Jul 27 16:16:38 2003] [error] OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
    [Sun Jul 27 18:31:07 2003] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
    [Sun Jul 27 18:31:07 2003] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic

    What is happening with these mod_ssl and OpenSSL lines in there, what do they mean? Is it related to the problem I mentioned above about the private key not being found when I try to start apache through webmin?

    I really hate asking all these questions and coming across like I haven't done my homework, but I have been searching the net, mailing lists and people's configurations, and I have seen some of the errors that I am getting but I can't find any posted solutions. Again I would appreciate ANY type of help. I've been looking at this for a few days now, I searched on the net and I can't seem to find what the problem is. Thanx a lot!

    pman

  2. #2
    Just Joined!
    Join Date
    Jul 2003
    Posts
    3

    ANYONE?!?!

    Doesn't anyone have any ideas?

  3. #3
    Just Joined!
    Join Date
    Jul 2003
    Posts
    3

    Solution

    Hi all:

    If anyone is having the same problems that I mentioned here this is what I did to solve it.

    1. To solve the problem with webmin not being able to start apache: there is really not much to do here. The reason was that since I now have SSL installed and I configured it so that it would ask me for a passphrase every time SSL is used, it will do just that every time apache is started, since apache starts SSL at the same time it starts. And since starting apache from webmin doesn't allow you to interact with the process startup, webmin is not able to enter the passphrase for you, so apache is not started at all. You will only be able to start apache from the command line this way, since on the command line you will be able to enter the passphrase when prompted for it.

    That said, there are 2 ways around this. The first way: you can disable the passphrase prompt so that it doesn't ask you for it at all every time you start SSL (start apache). If this is what you want to do, which some people don't recommend because it makes your server that much less secure, you can do the following:

    1. Remove the encryption from the RSA private key (while preserving the original file):
    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key

    2. Make sure the server.key file is now only readable by root:
    $ chmod 400 server.key

    Go here for more details: http://www.modssl.org/docs/2.7/ssl_faq.html#ToC31

    The second way around the passphrase issue is to use the "SSLPassPhraseDialog" option in the SSL config part of the httpd.conf file. The default for the SSLPassPhraseDialog option is "builtin", but you can also use a reference to a file that has the passphrase in it, which will be called every time SSL is started. That way you will no longer be prompted for the passphrase, but you won't have to turn the passphrase feature off. An example would be something like:

    SSLPassPhraseDialog exec:/opt/local/apache-brownticket/conf/ssl.passwd/phrase


    2. The second problem that I was having was that even after I would fill in the passphrase on the command line and Apache would start properly, I still wouldn't be able to use https://localhost or https://host_ip references; only http:// references would work. The problem was that in my httpd.conf file I had the following part too early in the file:

    <IfModule mod_ssl.c>
    Listen 80
    Listen 443
    </IfModule>

    The above statement block HAS TO BE after the line that reads LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so. The reason being that there is no way that you can use the line "<IfModule mod_ssl.c>" before you have even loaded the module. So it was a small thing but I totally missed it.


    And that's pretty much it kids. I am sure that some of that stuff is pretty straightforward and most people would know it, but then there are those like me that might need a message like this to be pointed in the right direction.

    Latex!
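
An added example, not part of the original posts: a small pre-start check for the two problems solved above, reporting whether a key file still needs a passphrase, whether an unencrypted key is readable beyond its owner, and whether an `<IfModule mod_ssl.c>` block sits before the `LoadModule ssl_module` line. The function names, the temporary directory and the sample files are constructed for illustration; the key bodies are placeholders.

```shell
# Added example; file names and contents below are constructed samples.
# True if the PEM key is passphrase-protected: traditional RSA keys carry a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 keys an "ENCRYPTED PRIVATE KEY" marker.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True if group and other have no permission bits on the file (400, 600, ...).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the line number of every <IfModule mod_ssl.c> that opens before
# "LoadModule ssl_module" has been seen. Checks one file; Include is not followed.
early_ifmodule_lines() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*loadmodule[ \t]+ssl_module[ \t]/ { loaded = 1 }
        tolower($0) ~ /^[ \t]*<ifmodule[ \t]+mod_ssl\.c>/ && !loaded { print NR }
    ' "$1"
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/httpd.conf" <<'EOF'
<IfModule mod_ssl.c>
Listen 80
Listen 443
</IfModule>
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
</IfModule>
EOF
# Key bodies are placeholders, not real key material.
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/server.key.org"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/server.key"
chmod 400 "$tmp/server.key"; chmod 644 "$tmp/server.key.org"

echo "IfModule before LoadModule at line(s): $(early_ifmodule_lines "$tmp/httpd.conf")"
for k in server.key.org server.key; do
    if key_is_encrypted "$tmp/$k"; then enc=encrypted; else enc=UNENCRYPTED; fi
    if key_is_private "$tmp/$k"; then perm=owner-only; else perm=GROUP/OTHER-ACCESS; fi
    echo "$k: $enc, $perm"
done
```

An unencrypted key that is not owner-only is the combination to fix first, since anyone who can read the file can use the key.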

  4. #4
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    Thanks for sharing that - I've never worked with SSL on apache, so wouldn't be much good at troubleshooting it, but I have a better idea of what to expect (and how to fix it) now.

    Welcome to this_site_does_not_exist

    Jason

  5. #5
    Just Joined!
    Join Date
    Jan 2007
    Posts
    1

    thanks!

    just had to say thanks to PMAN on this - removing the passphrase was the right path for me. worked like a charm. thanks for the help!

  6. #6
    Just Joined!
    Join Date
    Jan 2007
    Posts
    1
    I registered just to say YOU HELPED ME SO MUCH WITH THIS POST!!

    I was kicking myself for about 2 hours trying to get my cert working, noticed apache kept telling me it couldn't find my key, messed with my key permissions for a bit, then found this! I had totally forgotten about the passphrase after I got my cert and set it all up in apache. You rock!

  7. #7
    Just Joined!
    Join Date
    May 2006
    Posts
    4
    Outstanding post. Just what I was looking for.

    Thanks.
