Trouble setting up SSL to work with MAMP 5.3 - apache

After adding a self-signed SSL certificate, I am unable to get my Drupal site to work on localhost.
I have attempted various proposed solutions that I have found online, but none have gotten me past a 400 error at https://localhost/.
I have uncommented the following in httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
I have Listen set to port 80 in this same file. When I set it to the SSL channel, 443, Apache does not load.
In my httpd-ssl.conf file:
I have set the paths for my server.crt and server.key files correctly.
I have enabled SSLEngine
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/Applications/MAMP/Library/htdocs"
ServerName https://127.0.0.1:443
ServerAdmin you#example.com
ErrorLog "/Applications/MAMP/Library/logs/error_log"
TransferLog "/Applications/MAMP/Library/logs/access_log"
I have tried a variety of possibilities for the ServerName. The one above along with localhost:443 both lead to 400 errors.
I have Listen set to 443 here. Setting it to 80 so it matches the httpd.conf file leads to the same result described above: not able to connect to Apache.
Here is my error log for Apache:
Digest: generating secret for digest authentication ...
Digest: done
FastCGI: process manager initialized (pid 1845)
Apache/2.2.34 (Unix) mod_wsgi/3.5 Python/2.7.13 PHP/7.2.14 mod_ssl/2.2.34 OpenSSL/1.0.2o DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_perl/2.0.9 Perl/v5.24.0 configured -- resuming normal operations
[error] [client 127.0.0.1] client denied by server configuration: /Applications/MAMP/htdocs/.DS_Store, referer: http://localhost/MAMP/?language=English
[error] [client 127.0.0.1] client denied by server configuration: /Applications/MAMP/htdocs/.DS_Store, referer: http://localhost/MAMP/?language=English
[notice] caught SIGTERM, shutting down
I don't know enough about Apache server configuration to figure out how, when I start MAMP, to be able to navigate with HTTPS to my Drupal project, which is in the htdocs folder, and make it run without the 400 error.

I solved the problem by commenting out the "DocumentRoot" line above in the virtual host section.

Related

Flask app with Apache proxy + Gunicorn not working on HTTPS

Updates at the bottom; I kind of solved it, but I'm not sure whether the solution is a correct one.
I have Apache running on CentOS with a proxy to localhost port 8080, where I have a Flask app running using Gunicorn. This setup works on Apache port 80 (HTTP) and I can connect to it using my domain http://example.com with a browser, but now I have tried to set up SSL/HTTPS and it just doesn't work.
Navigating to https://example.com tries to load the page for a while (like 30ish seconds) and then it shows 502 error page:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.
Reason: Error reading from remote server
Apache error log:
[proxy_http:error] [pid 30209] (103)Software caused connection abort: [client xx.xxx.xxx.xxx:60556] AH01102: error reading status line from remote server localhost:8080
[proxy:error] [pid 30209] [client xx.xxx.xxx.xxx:60556] AH00898: Error reading from remote server returned by /
Gunicorn error log (the first 7 lines are from Gunicorn startup, no idea why this info is in the error log; the last 3 lines are from when the HTTPS request returns the 502 error):
[29478] [INFO] Listening at: http://127.0.0.1:8080 (29478)
[29478] [INFO] Using worker: sync
[29480] [INFO] Booting worker with pid: 29480
[29481] [INFO] Booting worker with pid: 29481
[29482] [INFO] Booting worker with pid: 29482
[29483] [INFO] Booting worker with pid: 29483
[29484] [INFO] Booting worker with pid: 29484
[29478] [CRITICAL] WORKER TIMEOUT (pid:29480)
[29480] [INFO] Worker exiting (pid: 29480)
[29554] [INFO] Booting worker with pid: 29554
Apache config which is working for HTTP (/etc/httpd/conf/httpd.conf):
Listen 80
#other default config values here
<VirtualHost *:80>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
IncludeOptional conf.d/*.conf
Apache config which is not working for HTTPS (/etc/httpd/conf.d/ssl.conf):
Listen 443 https
#other default config values here
<VirtualHost *:443>
#other default config values here too
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/cert.key
SSLProxyEngine on
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/
</VirtualHost>
If I remove/comment out the SSLProxyEngine, ProxyPass and ProxyPassReverse lines and restart Apache, I get the default Apache welcome page and HTTPS works just fine, so clearly the problem is in the proxy somehow?
The Flask app is started with Gunicorn by:
gunicorn --config gunicorn_config.py app:app
gunicorn_config.py:
workers = 5
bind = '127.0.0.1:8080'
umask = 0o007
reload = True
accesslog = 'log_gunicorn_access.txt'
errorlog = 'log_gunicorn_error.txt'
app.py:
from flask import Flask
app = Flask(__name__)
@app.route('/')
def hello_world():
    return 'Hello world!'
if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8080)
And once again, this works when navigating to my domain using HTTP but doesn't work when using HTTPS.
Any help?
UPDATE:
I managed to get another error. Now navigating to https://example.com loads instantly and shows a 500 error page:
Proxy Error
The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server
Apache error log:
[proxy:error] [pid 32385] (502)Unknown error 502: [client xx.xxx.xxx.xxx:50932] AH01084: pass request body failed to [::1]:8080 (localhost)
[proxy:error] [pid 32385] [client xx.xxx.xxx.xxx:50932] AH00898: Error during SSL Handshake with remote server returned by /
[proxy_http:error] [pid 32385] [client xx.xxx.xxx.xxx:50932] AH01097: pass request body failed to [::1]:8080 (localhost) from xx.xxx.xxx.xxx ()
No more errors in the Gunicorn error log.
I added these two lines to gunicorn_config.py:
keyfile = '/etc/pki/tls/private/cert.key'
certfile = '/etc/pki/tls/certs/cert.pem'
and made sure both files are accessible by the user running Gunicorn (chmod o+r cert.key/pem).
No idea if I was supposed to change it like this as I thought the traffic should go like: client --https--> Apache and then Apache --http--> Gunicorn.
Also, HTTP (http://example.com) no longer works and gives the previous 502 error page, but I guess running Gunicorn with the cert configs doesn't allow HTTP anymore and I would need to run the app twice with different configs.
UPDATE 2:
I added more Apache logging by adding this line to /etc/httpd/conf.d/ssl.conf inside virtual host:
LogLevel info
And now I got additional info in Apache error log:
[ssl:info] [pid 3808] [remote 127.0.0.1:8080] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost
Then I added new line to /etc/httpd/conf.d/ssl.conf inside virtual host:
SSLProxyCheckPeerName off
And now I got another Apache error:
[ssl:info] [pid 3999] [remote 127.0.0.1:8080] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: example.com Requested hostname: localhost
Added new line to /etc/httpd/conf.d/ssl.conf inside virtual host:
SSLProxyCheckPeerCN off
Aaaand now navigating to https://example.com correctly works and I get "Hello world" back from the app!
Now I guess my question needs update as well: Is it bad practice, wrong or insecure to use SSLProxyCheckPeerName off and SSLProxyCheckPeerCN off in this context? Or is there a better way as I don't think there's a way to order an official SSL certificate on localhost?
You're using
ProxyPass / http://localhost:8080/
and
ProxyPass / https://localhost:8080/
(note the 1 letter difference).
Your localhost:8080 will serve either http or https. Based on your description (and common expectations) it's serving http. If you proxy even your :443 virtual host to http, it'll work better.
You might run into more issues, as the proxied application doesn't really know that it's actually served through https, but that's a different beast than this question.
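The answer's closing caveat, that the proxied app does not know it is being served over HTTPS, is usually handled in two halves: Apache's :443 virtual host adds `RequestHeader set X-Forwarded-Proto "https"` (mod_headers), and the application trusts that header only when the request really came from the proxy. The block below is an added, stdlib-only WSGI illustration of the second half; it is not code from the question, from Flask/Gunicorn, or from the answer (Flask users would normally reach for werkzeug's ProxyFix). The trusted loopback addresses, the header names, the `ForwardedProtoFix` and `run_request` helpers and the constructed requests are all assumptions matching the setup described above, where Apache and Gunicorn share a host. Keeping the backend on plain HTTP over loopback, as the answer recommends, also means the peer-name checks asked about in UPDATE 2 never come into play.

```python
"""Trusted-proxy handling of X-Forwarded-Proto for an app behind a
TLS-terminating Apache (https://example.com -> http://localhost:8080).
Stdlib only.  Addresses and header names are assumptions for this example."""
from wsgiref.util import setup_testing_defaults

# Only the reverse proxy may assert the original scheme.  Apache on the same
# host reaches Gunicorn from the loopback address (assumed deployment).
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})


class ForwardedProtoFix:
    """Set environ['wsgi.url_scheme'] from X-Forwarded-Proto, but only when the
    TCP peer is a trusted proxy.  A client talking to port 8080 directly cannot
    promote itself to 'https' (and so bypass Secure-cookie or redirect logic)
    by forging the header."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if peer in self.trusted and forwarded in ("http", "https"):
            environ["wsgi.url_scheme"] = forwarded
            # mod_proxy_http adds X-Forwarded-For; the first hop is the client.
            xff = environ.get("HTTP_X_FORWARDED_FOR")
            if xff:
                environ["REMOTE_ADDR"] = xff.split(",")[0].strip()
        else:
            # Untrusted peer: drop the forwarding headers so the app never sees them.
            environ.pop("HTTP_X_FORWARDED_PROTO", None)
            environ.pop("HTTP_X_FORWARDED_FOR", None)
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the Flask app: reports the scheme it believes it is served on."""
    body = ("Hello world over " + environ["wsgi.url_scheme"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(peer_addr, headers):
    """Drive the wrapped app with a constructed request (no sockets) and return
    (status, body, scheme seen by the app, REMOTE_ADDR seen by the app)."""
    environ = {}
    setup_testing_defaults(environ)          # sets wsgi.url_scheme='http' etc.
    environ["REMOTE_ADDR"] = peer_addr
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    app = ForwardedProtoFix(hello_app)
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode(), environ["wsgi.url_scheme"], environ["REMOTE_ADDR"]


if __name__ == "__main__":
    # Request relayed by Apache over loopback after terminating TLS: trusted.
    print(run_request("127.0.0.1", {"X-Forwarded-Proto": "https",
                                    "X-Forwarded-For": "203.0.113.7"}))
    # Same header sent straight to port 8080 from elsewhere: ignored.
    print(run_request("198.51.100.9", {"X-Forwarded-Proto": "https"}))
```

The middleware is deliberately strict about the peer address rather than the header contents: if Gunicorn is ever bound to a non-loopback interface, the set of trusted addresses is the one line that has to change.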

Adding SSL to Apache Server

We got our SSL certificate today. I'm trying to add the SSL certificate to the domain so that we can access the website through https; however, I'm running into problems.
We have an Apache server running on Windows.
The configuration works perfectly for port 80; however, when I add port 443 to the config everything stops working.
The error I get when starting apache is
The requested operation has failed.
I have added the following line
Listen 443
below the line:
Listen 80
I have added the following VirtualHost config
<VirtualHost _default_:443>
DocumentRoot "c:/path/to/website"
ServerName example.com
ServerAlias example.com www.example.com
SSLEngine on
SSLCertificateFile "c:/path/to/cert/cert.crt"
SSLCertificateKeyFile "c:/path/to/cert/key.key"
SSLCACertificateFile "c:/path/to/cert/bundle.ca-bundle"
</VirtualHost>
However, whenever I start the Apache server after adding this, it doesn't start and I get an error.
I have commented out pieces of code and have narrowed the issue down to the Listen 443 line. Is there something I am not taking into consideration when adding this?
These are the last 3 lines in the error.log
[Thu Jun 08 18:15:31.909142 2017] [mpm_winnt:notice] [pid 66428:tid 712] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[Thu Jun 08 18:15:47.209776 2017] [mpm_winnt:notice] [pid 67332:tid 620] AH00364: Child: All worker threads have exited.
[Thu Jun 08 18:15:48.067933 2017] [mpm_winnt:notice] [pid 66428:tid 712] AH00430: Parent: Child process exited successfully.
Edit
This is the response from running httpd.exe -e debug
(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions. : AH00072: make_sock: could not bind to address [::]:443
(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions. : AH00072: make_sock: could not bind to address 0.0.0.0:443
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs
I don't know what your httpd.conf file looks like; maybe you accidentally deleted/changed some value.
The very first thing you need to do is to restore your httpd.conf file and start the service without the SSL configuration. Once it works you can proceed with these steps:
Separate all your SSL settings into a new file; httpd-ssl.conf is a good name.
After that, at the end of your main httpd.conf, add these lines to include the new file:
# Secure (SSL/TLS) connections
Include conf/httpd-ssl.conf
This is good practice to avoid accidentally changing/deleting something in the main config and to limit the source of possible errors: you'll know any error is related to the newly included file.
Your new conf/httpd-ssl.conf should look something like this (standard setup):
# HTTPS port
Listen 443
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "C:/your_httpd_path/htdocs"
ServerName www.example.com:443
ServerAdmin admin#example.com
ErrorLog "C:/your_httpd_path/logs/error.log"
TransferLog "C:/your_httpd_path/logs/access.log"
# SSL Engine Switch:
SSLEngine on
# Server Certificates:
SSLCertificateFile "c:/path/to/cert/cert.crt"
SSLCertificateKeyFile "c:/path/to/cert/key.key"
SSLCACertificateFile "c:/path/to/cert/bundle.ca-bundle"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/your_httpd_path/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog "C:/your_httpd_path/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Have you tried using httpd.exe -e debug? Maybe we can find something useful in this mode.
UPDATE: Aha! You got an error! It could be a duplicated line somewhere with 443.
Could you check your files in Notepad++ and search for all occurrences of "443"? Probably you already had 443 configured and tried adding it again. You only need to have one line with:
Listen 443
Or maybe already running in that port? Check with:
netstat -na | findstr "443"
If you have something like:
TCP [::]:443 [::]:0 LISTENING
Then something else is running on your 443 port. Anyway, you can change your httpd conf and set any other port, e.g. 4443, or kill the process which is taking 443 now.
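The diagnosis in this answer hinges on reading the `httpd.exe -e debug` output and error.log, and the other posts on this page quote the same two error_log layouts: the 2.2 style `[date] [level] [client ip] message` and the 2.4 style `[date] [module:level] [pid N:tid M] AHxxxxx: message`. Below is an added Python example, not code from any post here or from the Apache project, that parses both layouts, tolerates the stripped timestamps and the unbracketed `httpd -e debug` lines seen above, extracts the AH code, and lists the addresses a bind failure (AH00072) names so you can go straight to the netstat check. It also picks out the mod_ssl proxy peer-verification messages (AH02411, AH02005) quoted in the previous question. The sample lines are copied from the posts above; the helper names are this example's own.

```python
"""Parser for the Apache httpd error_log layouts quoted on this page.
Handles:  [Thu Jul 07 14:22:55 2011] [error] [client 127.0.0.1] message      (2.2)
          [Thu Jun 08 18:15:31.909142 2017] [mpm_winnt:notice] [pid 1:tid 2] AH00422: message   (2.4)
          AH00072: make_sock: could not bind ...                             (httpd -e debug, no prefix)
Sample input below is copied from the questions on this page."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} [\d:.]+ \d{4})\]\s*)?"  # optional timestamp
    r"\[(?:(?P<module>\w+):)?(?P<level>\w+)\]\s*"                          # [level] or [module:level]
    r"(?:\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\]\s*)?"                   # 2.4 pid/tid
    r"(?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"\[(?:client|remote) (?P<addr>[^\]]+)\]\s*")
AH_RE = re.compile(r"\bAH(?P<code>\d{5}):")
BIND_RE = re.compile(r"could not bind to address (?P<addr>\S+)")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a log record."""
    line = line.strip()
    m = LINE_RE.match(line)
    if m:
        rec = m.groupdict()
        rest = rec.pop("rest")
    else:
        # httpd -e debug prints startup diagnostics without the bracketed prefix.
        if not AH_RE.search(line):
            return None
        rec = dict(ts=None, module=None, level=None, pid=None, tid=None)
        rest = line
    c = CLIENT_RE.search(rest)          # [client ip:port] may sit mid-message in 2.4
    rec["client"] = c.group("addr") if c else None
    if c:
        rest = rest[:c.start()] + rest[c.end():]
    ah = AH_RE.search(rest)
    rec["ah_code"] = "AH" + ah.group("code") if ah else None
    rec["message"] = rest.strip()
    return rec


def parse_log(text):
    """Parse a whole log body, skipping lines that are not records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def level_counts(records):
    """How many records per level; prefix-less debug lines count as 'unknown'."""
    return Counter(r["level"] or "unknown" for r in records)


def bind_failures(records):
    """Addresses httpd could not bind (AH00072): the 'Listen 443' symptom above."""
    out = []
    for r in records:
        if r["ah_code"] == "AH00072":
            b = BIND_RE.search(r["message"])
            if b:
                out.append(b.group("addr"))
    return out


def ssl_proxy_peer_issues(records):
    """mod_ssl proxy peer checks that failed (AH02411 name mismatch, AH02005 CN mismatch)."""
    return [r["message"] for r in records if r["ah_code"] in ("AH02411", "AH02005")]


# Constructed sample: lines copied from the posts on this page.
SAMPLE_LOG = """\
Digest: generating secret for digest authentication ...
Digest: done
[Thu Jun 08 18:15:31.909142 2017] [mpm_winnt:notice] [pid 66428:tid 712] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[Thu Jun 08 18:15:47.209776 2017] [mpm_winnt:notice] [pid 67332:tid 620] AH00364: Child: All worker threads have exited.
[Thu Jun 08 18:15:48.067933 2017] [mpm_winnt:notice] [pid 66428:tid 712] AH00430: Parent: Child process exited successfully.
(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions. : AH00072: make_sock: could not bind to address [::]:443
(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions. : AH00072: make_sock: could not bind to address 0.0.0.0:443
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs
[proxy_http:error] [pid 30209] (103)Software caused connection abort: [client xx.xxx.xxx.xxx:60556] AH01102: error reading status line from remote server localhost:8080
[ssl:info] [pid 3808] [remote 127.0.0.1:8080] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost
[ssl:info] [pid 3999] [remote 127.0.0.1:8080] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: example.com Requested hostname: localhost
[Thu Jul 07 14:22:55 2011] [error] [client 127.0.0.1] client denied by server configuration: C:/httpd-2.2-x64, referer: http://local.ba-check.be/
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(level_counts(recs))
    print("bind failures:", bind_failures(recs))
    for msg in ssl_proxy_peer_issues(recs):
        print("ssl proxy:", msg)
```

Because the client field is searched for rather than anchored, the same code handles the 2.2 layout, where `[client ip]` follows the level, and the 2.4 layout, where it can appear after an errno text as in the proxy_http line.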

SSL issue with multiple virtual hosts on apache

I’m trying to renew the certificate for a second web service identified by a virtual host, call it “mysubdomain2.mydomain2.com”.
I’ve generated all the required files (mysubdomain2.crt mysubdomain2.mydomain.com.key ca.pem sub.class1.server.ca.pem).
Note that I recently successfully renewed the certificate for mysubdomain1.crt.
Here's the virtual host entry in apache:
<VirtualHost *:443>
ServerName mysubdomain2.mydomain.com
ServerAdmin myname#mycomp.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /disk2/certificates/ssl/mysubdomain2.crt
SSLCertificateKeyFile /disk2/certificates/ssl/mysubdomain.mydomain.com.key
SSLCertificateChainFile /disk2/certificates/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /disk2/certificates/startssl/ca.pem
SSLOptions StrictRequire
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#</VirtualHost>
But when I restart Apache, it shuts down with this error message:
caught SIGTERM, shutting down
[Tue Jan 13 13:59:16 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Jan 13 13:59:17 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Jan 13 13:59:17 2015] [notice] Apache/2.2.16 (Ubuntu) PHP/5.3.3-1ubuntu9.5 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
Additionally, from this link:
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
it's clear that this installation of apache has SNI installed. It seems that apache should at least start, as these are supposed to be just warning messages.
The problem SNI is supposed to solve is that without it, the host name doesn't get communicated until after the SSL connection is established, meaning that apache doesn't know which certificate to use.
But, at this point, it's simply not starting at all. I'm thinking to try regenerating the certificate and key and pem files, but I was pretty careful doing that in the first place. I'd like to understand what the real problem is.
I must have done something wrong when decrypting the secret key. I tried it again, and everything was fine.

Apache server keeps crashing on Ubuntu, SSL: caught SIGTERM, shutting down

I have a Windows machine and have Ubuntu as a guest OS on a VM. I set up Apache on Ubuntu and I'm trying to configure SSL on that server, but Apache keeps crashing after following all the instructions I found on the internet.
I have my SSL files in
/etc/apache2/ssl/server.crt
/etc/apache2/ssl/server.key
I have a default-ssl conf file with:
DocumentRoot /var/www-ssl/html/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
in the vhost, and I also have the same in the forums-ssl conf file of a vhost I am setting up (forums).
mod_ssl is already enabled.
In my guest host file I have: 127.0.0.1 localhost test tribunal
When I restart apache, it asks me for my pass phrase, I enter it and it says ok, although it spits out those notices. But when I navigate to the page it times out.
And here is the error in the Apache error_log:
[Sun Mar 04 20:23:59 2012] [notice] caught SIGTERM, shutting down
[Sun Mar 04 20:24:04 2012] [notice] Apache/2.2.17 (Ubuntu) PHP/5.3.5-1ubuntu7.7 with Suhosin-Patch mod_ssl/2.2.17 OpenSSL/0.9.8o configured -- resuming normal operations
does anyone know why this is happening?

Virtual hosts WAMP 2.1

I'm trying to set up a virtual host for a project that I need to do.
As many tutorials define I activated the virtual host file
Include conf/extra/httpd-vhosts.conf
Placed a virtual host in the file
<VirtualHost *80>
DocumentRoot "C:\Users\Jeroen\Work\Ba\CMS\trunk"
ServerName local.ba-check.be
</VirtualHost>
The hosts file also got an extra line
127.0.0.1 local.ba-check.be
My localhost works, but it returns my document root. Also the error log always gives me this error.
[Thu Jul 07 14:22:55 2011] [error] [client 127.0.0.1] client denied by server configuration: C:/httpd-2.2-x64, referer: http://local.ba-check.be/
I hope somebody could help me.
Thanks
Problems solved
After some time I just reinstalled WAMP and then it worked great.