I'm trying to learn how to get ssl up and running on an apache 2.4 webserver (Windows Server 2012). I had the web server and PHP up and running perfectly fine without SSL.
I Generated my cert and key and placed them in C:\Apache24\conf
I Modified httpd.conf in the following way:
LoadModule ssl_module modules/mod_ssl.so
Include C:/Apache24/conf/openssl.cnf
I modified c:/Apache24/conf/extra/httpd-ssl.conf in the following way:
SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"
DocumentRoot "c:/Apache24/htdocs"
Added the following System Environment Variable
Variable Name: OPENSSL_CONF
Variable Value: C:\Apache24\conf\openssl.cnf
I've hit a point where apache will not start due to the following error.
running httpd -t in powershell gives the result:
: Syntax error on line 8 of C:/Apache24/conf/openssl.cnf:
Invalid command 'HOME', perhaps misspelled or defined by a module not included in the server configuration
The following are lines 6 through 9 of openssl.cnf ( I have not modified this file. )
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
Any help is appreciated.
Thanks !
You are basically trying to include a third party config file inside httpd configuration, which will never yield a good result because Apache httpd will never recognize what's in there. Remove that include.
If you want to add system variables you can use PassEnv directive from mod_env module.
To get SSL up and running all you need is a SSL virtualhost like this:
In your server config something like:
LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
Listen 443
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLRandomSeed startup file:/dev/urandom 2048 # perhaps this need to be adapted for windows
SSLRandomSeed connect file:/dev/urandom 2048 # same with this
SSLSessionCache shmcb:/path/to/logs/ssl_gcache_data(512000)
</IfModule>
And the Virtualhost:
<Virtualhost *:443>
ServerName myssllvh.example.com
DocumentRoot /filesystem/path/to/docroot
CustomLog /path/to/logs/mysslvh.log combined
ErrorLog /path/to/logs/mysslvh-error.log
SSLEngine on
SSLCertificateFile /path/to/certs/mysslvh.crt
SSLCertificateKeyFile /path/to/certs/mysslvh.key
# Other stuff here
</VirtualHost>
I've obtained an SSL certificate from Comodo. I try to install it on an apache server using the following steps:
Upload to the directory /home/perica these files:
bedbids_com.crt
bedbids_com.key
bedbids_com.ca-bundle
Edit /etc/apache2/sites-available/default-ssl.conf with
SSLEngine on
SSLCertificateFile "/home/perica/bedbids_com.crt"
SSLCertificateKeyFile "/home/perica/bedbids.key"
SSLCertificateChainFile "/home/perica/bedbids_com.ca-bundle"
but at this point ssl is still not enabled. What do I miss?
Check that the ssl module is enabled with:
sudo a2enmod ssl
(assuming you use a debian based linux distribution)
Then you should add to your configuration file something like:
NameVirtualHost [your IP address]:443
< VirtualHost [your IP address]:443>
ServerSignature On
SSLCertificateFile /path/to/the/certificate/from/your/certificate/company/apache.crt
SSLCertificateKeyFile /path/to/the/file/created/in/step/1.key [can be a .pem file too I think]
SSLCertificateChainFile /path/to/intermediate/cert.crt [optional, only if yout certificate compay provides you with one]
SSLEngine On
</VirtualHost>
You will find detailled instructions here:
http://wiki.vpslink.com/Enable_SSL_on_Apache2
I am using WAMP 2.0 with apache 2.2.11 on windows server 2008 R2.I am setting up only one domain on this WAMP server.
i have converted the .pfx file and extracted .crt and .key file using openSSL.
In the conf/extra/httpd-ssl.conf, i have made following changes
SSLEngine on
<VirtualHost 162.62.90.11:443>
ServerAdmin webadmin#oursite.com
DocumentRoot "D:/webpages"
ServerName www.oursite.com
ErrorLog "logs/SSLerror.log"
CustomLog "logs/SSLaccess.log" common
</VirtualHost>
SSLCertificateFile "c:/wamp/bin/apache/apache2.2.11/conf/server.crt"
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.2.11/conf/server.key"
i checked in command prompt with httpd -t and i get syntax Ok.
But when i open the site with prefix https it does not open. In the error log it shows RSA certificate common name not matching with server name.
i tried replacing the IP address in virtual host with server name in certificate and the one in error log. Still it does not work.
It seems i'm missing something. Plz help me in rectifying this.
Thanx
Did you open the port 443. For example,
** <VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost> **
when i re did the whole thing , i found https site was acessible from same webserver with prefix https.
i checked through telnet if i could connect from another domain PC
but couldn't connect.
Firewall was blocking inbound connection for port 443.added an exception and is working fine
Relieved now
Thanks to all who took time to respond and guide.
What I am trying to do is direct my website on an Amazon EC2 Instance so that I am able to open on an HTTPS protocol. My site was running before but with a warning that it did not have a valid certificate, using this link example https://my.site.name.edu but now I get a "Webpage is not Available" prompt when I try to visit the site.
Please note that I have:
Installed Drupal for this testing site on a Linux server using Apache
My EC2 Instance attached to an Elastic IP
Used the steps in this guide: Creating, Uploading, and Deleting Server Certificates
Valid CA signed Apache certificates
An openssl-1.0.1f file installed in /home/ec2-user folder
Used this link to create the Virtual Host: http://ananthakrishnanravi.wordpress.com/2012/04/15/configuring-ssl-and-https-for-your-website-amazon-ec2/
Below is when the error occurred, while trying to solve the HTTPS access issue
I tried to change the ssl.conf file in this link to see if it would solve the problem: Setup an SSL certificate on an EC2 instance
I copied a new ssl.conf file, commented the old SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile. I then pasted the copied, modified file into the directory after I coded the first four lines like this:
<VirtualHost 00.00.00.00:443>
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
But when I restarted Apache:
service httpd restart
I received this error message:
Stopping httpd: [FAILED]
Starting httpd: [Wed May 21 14:44:31 2014] [warn] module ssl_module is already loaded, skipping
(98)Address already in use: make_sock: could not bind to address [::]:443
[ OK ]
My httpd.conf is set up like this:
<VirtualHost 00.00.00.00:443> #Same as the IP in the ssl.conf#
ServerAdmin ec2-user#ec2-00-00-00-00.compute.amazonaws.com
DocumentRoot /var/www/html
ServerName https://my.site.name.edu
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# ErrorLog logs/errorlogs
# CustomLog logs/custom
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
# SSLCACertificateFile /etc/httpd/conf/bundle.txt
SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown
# CustomLog /usr/local/apache/logs/ssl_request_log \
# “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
</VirtualHost>
EDIT: I tried reverting back to the old ssl.conf but when I try to restart Apache it gives me the same error. THIS PROBLEM HAS BEEN SOLVED I had to delete one of the ssl.conf even though I had renamed it...
Update I have added this line onto the httpd.conf file:
NameVirtualHost 00.00.00.00:443
I believe the problem is that my certificates are not pointing to this IP address.
Update I have just ran the certificate installation checker test here http://ssltool.com/?action=sslCheckOpenSSL and this is what I got:
Note: IP 12-34-56-78 is my private IP address on my AWS EC2 Instance.
Any help is greatly appreciated.
Thanks,
Ugh.... the answer was in this link the whole time...
Setup an SSL certificate on an EC2 instance
This line in the ssl.conf:
<VirtualHost 00.000.000.00:443>
Had to be changed to:
<VirtualHost _default_:443>
Add the rest:
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
And voilah! Your HTTPS: link should work...
I'm trying to configure Apache on my server to work with ssl, but everytime I visit my site, I get the following message in my browser:
SSL connection error.
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
The error message above seems to be native to Google Chrome. However, even though the messages are different, ssl for the site is not working on any browser.
Just some background on the situation: I am using Ubuntu 10.04 desktop edition.
I installed apache by installing zend server (it installed apache automatically).
I then installed openssl. Non-https pages work fine on the site.
I tried getting trial certificates from multiple certificate sites but nothing is working (same error).
I was previously hosting my site on another server on which ssl worked just fine. I also tried using the key and cert file from that server, but I got the same error.
The domain name and IP are still the same though. My SSLCertificateFile and SSLCertificateKeyFile are pointing to the correct directory and files.
I also do not have SSLVerifyClient enabled.
If anyone has any suggestions, it would be most appreciated.
I had the same problem as #User39604, and had to follow VARIOUS advices. Since he doesnt remember the precise path he followed, let me list my path:
check if you have SSL YES using <?php echo phpinfo();?>
if necessary
A. enable ssl on apache sudo a2enmod ssl
B. install openssl sudo apt-get install openssl
C. check if port 443 is open sudo netstat -lp
D. if necessary, change /etc/apache2/ports.conf, this works
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
acquire a key and a certificate by
A. paying a Certificating Authority (Comodo, GoDaddy, Verisign) for a pair
B. generating your own* - see below (testing purposes ONLY)
change your configuration (in ubuntu12 /etc/apache2/httpd.conf - default is an empty file) to include a proper <VirtualHost>
(replace MYSITE.COM as well as key and cert path/name to point to your certificate and key):
<VirtualHost _default_:443>
ServerName MYSITE.COM:443
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/MYSITE.COM.key
SSLCertificateFile /etc/apache2/ssl/MYSITE.COM.cert
ServerAdmin MYWEBGUY#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/errorSSL.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/accessSSL.log combined
</VirtualHost>
while many other virtualhost configs wil be available in /etc/apache2/sites-enabled/ and in /etc/apache2/sites-available/ it was /etc/apache2/httpd.conf that was CRUCIAL to solving all problems.
for further info:
http://wiki.vpslink.com/Enable_SSL_on_Apache2
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
*generating your own certificate (self-signed) will result in a certificate whose authority the user's browser will not recognize. therefore, the browser will scream bloody murder and the user will have to "understand the risks" a dozen times before the browser actually opens up the page. so, it only works for testing purposes. having said that, this is the HOW-TO:
goto the apache folder (in ubuntu12 /etc/apache2/)
create a folder like ssl (or anything that works for you, the name is not a system requirement)
goto chosen directory /etc/apache2/ssl
run sudo openssl req -new -x509 -nodes -out MYSITE.COM.crt -keyout MYSITE.COM.key
use MYSITE.COM.crt and MYSITE.COM.key in your <VirtualHost> tag
name format is NOT under a strict system requirement, must be the same as the file :)
- names like 212-MYSITE.COM.crt, june2014-Godaddy-MYSITE.COM.crt should work.
I was getting the same error in chrome (and different one in Firefox, IE).
Also in error.log i was getting [error] [client cli.ent.ip.add] Invalid method in request \x16\x03
Following the instructions form this site I changed my configuration FROM:
<VirtualHost subdomain.domain.com:443>
ServerAdmin admin#domain.com
ServerName subdomain.domain.com
SSLEngine On
SSLCertificateFile conf/ssl/ssl.crt
SSLCertificateKeyFile conf/ssl/ssl.key
</VirtualHost>
TO:
<VirtualHost _default_:443>
ServerAdmin admin#domain.com
ServerName subdomain.domain.com
SSLEngine On
SSLCertificateFile conf/ssl/ssl.crt
SSLCertificateKeyFile conf/ssl/ssl.key
</VirtualHost>
Now it's working fine :)
Step to enable SSL correctly.
sudo a2enmod ssl
sudo apt-get install openssl
Configure the path of SSL certificates in your SSL config file (default-ssl.conf) that might be located in /etc/apache2/sites-available. I have stored certificates under /etc/apache2/ssl/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
Enable SSL config file
sudo a2ensite default-ssl.conf
A common cause I wanted to suggest for this situation:
Sometimes a customer is running Skype, which is using port 443 without their realizing it. When they go to start Tomcat or Apache, it appears to start but cannot bind with port 443. This is the exact message that the user would receive in the browser. The fix is to stop what was running on port 443 and re-start the webserver so it can bind with port 443.
The customer can re-start Skype after starting the webserver, and Skype will detect that port 443 is in use and choose a different port to use.
#Make sure that you specify the port for both http and https ie.
NameVirtualHost:80
NameVirtualHost:443
#and
<VirtualHost *:80>
<VirtualHost *:443>
#mixing * and *:443 does not work it has to be *:80 and *:443
I got this problem and the solution was a bit silly.
I am using Cloudflare which acts as a proxy to my website. In order to be able to login via SSH, I added an entry to my /etc/hosts file so I didn't need to remember my server's IP address.
xxx.xx.xx.xxx example.com
So in my browser when I went to https://www.example.com, I was using the Cloudflare proxy, and when I went to to https://example.com I was going directly to the server. Because the Cloudflare setup doesn't require you to add the intermediate certificates, I was seeing this security exception in my browser when I went to https://example.com, but https://www.example.com was working.
The solution: remove the entry from my laptop's /etc/hosts file.
If this isn't your problem, I recommend using one of the many online SSL checker tools to try diagnose your problem.
I also recommend using ping to check the IP address being reported and check it against the IP address expected.
ping https://www.example.com/
Another very helpful SSL resource is the Mozilla SSL Configuration Generator. It can generate SSL configuration for you.
I didn't know what I was doing when I started changing the Apache configuration. I picked up bits and pieces thought it was working until I ran into the same problem you encountered, specifically Chrome having this error.
What I did was comment out all the site-specific directives that are used to configure SSL verification, confirmed that Chrome let me in, reviewed the documentation before directive before re-enabling one, and restarted Apache. By carefully going through these you ought to be able to figure out which one(s) are causing your problem.
In my case, I went from this:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLRequireSSL On
to this
<Location /sessions>
SSLRequireSSL
SSLVerifyClient require
</Location>
As you can see I had a fair number of changes to get there.
I had this error when I first followed instructions to set up the default apache2 ssl configuration, by putting a symlink for /etc/apache2/sites-available/default-ssl in /etc/apache2/sites-enabled. I then subsequently tried to add another NameVirtualHost on port 443 in another configuration file, and started getting this error.
I fixed it by deleting the /etc/apache2/sites-enabled/default-ssl symlink, and then just having these lines in another config file (httpd.conf, which probably isn't good form, but worked):
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateChainFile /etc/apache2/ssl/chain_file.crt
SSLCertificateFile /etc/apache2/ssl/site_certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/site_key.key
ServerName www.mywebsite.com
ServerAlias www.mywebsite.com
DocumentRoot /var/www/mywebsite_root/
</VirtualHost>
I encounter this problem, because I have <VirtualHost> defined both in httpd.conf and httpd-ssl.conf.
in httpd.conf, it's defined as
<VirtualHost localhost>
in httpd-ssl.conf, it's defined as
<VirtualHost _default_:443>
The following change solved this problem, add :80 in httpd.conf
<VirtualHost localhost:80>
This is what fixed it for me on Ubuntu.
Enabled the module: a2enmod ssl
Moved all cert related files to a folder /usr/local/ssl and made it world readable: chmod -R +r /usr/local/ssl
Changed <VirtualHost *:80> to <VirtualHost *:*> in my virtual host.
Added SSLEngine On before all other SSL directives in my virtual host.
If you set a pass phrase on the cert, Apache should prompt you for it on restart.
Similar to other answers, this error can be experienced when there are no sites configured to use SSL.
I had the error when I upgraded from Debian Wheezy to Debian Jessie. The new version of Apache requires a site configuration file ending in .conf. Because my configuration file didn't, it was being ignored, and there were no others configured to serve SSL connections.
I encountered this issue, also due to misconfiguration. I was using tomcat and in the server.xml had specified my connector as such:
<Connector port="17443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="wrong" keystorePass="secret"
keystoreFile="/ssl/right.jks" />
When i fixed it thusly:
<Connector port="17443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="right" keystorePass="secret"
keystoreFile="/ssl/right.jks" />
It worked as expected. In other words, verify that you not only have the right keystore, but that you have specified the correct alias underneath it. Thanks for the invaluable hint user396404.
I solved it by commenting out:
AcceptFilter https none
in httpd.conf
according to:
http://www.apachelounge.com/viewtopic.php?t=4461
It turns out that the SSL certificate was installed improperly. Re-installing it properly fixed the problem