We got our SSL certificate today, I'm trying to add the SSL certificate to the domain so that we can access the website through https however I'm running into problems.
We have an apache server running on windows.
The configuration works perfectly for port 80 however when I add port 443 to the config everything stops working.
The error I get when starting apache is
The requested operation has failed.
I have added the following line
Listen 443
below the line:
Listen 80
I have added the following VirtualHost config
<VirtualHost _default_:443>
DocumentRoot "c:/path/to/website"
ServerName example.com
ServerAlias example.com www.example.com
SSLEngine on
SSLCertificateFile "c:/path/to/cert/cert.crt"
SSLCertificateKeyFile "c:/path/to/cert/key.key"
SSLCACertificateFile "c:/path/to/cert/bundle.ca-bundle"
</VirtualHost>
However whenever I start the apache server after adding this, it doesn't start and I get an error.
I have commented out pieces of code and have narrowed the issue down to the Listen 443 line. Is there something I am not taking into consideration when adding this?
These are the last 3 lines in the error.log
[Thu Jun 08 18:15:31.909142 2017] [mpm_winnt:notice] [pid 66428:tid 712] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[Thu Jun 08 18:15:47.209776 2017] [mpm_winnt:notice] [pid 67332:tid 620] AH00364: Child: All worker threads have exited.
[Thu Jun 08 18:15:48.067933 2017] [mpm_winnt:notice] [pid 66428:tid 712] AH00430: Parent: Child process exited successfully.
Edit
This is the response from running httpd.exe -e debug
(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions. : AH00072: make_sock: could not bind to address [::]:443
(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions. : AH00072: make_sock: could not bind to address 0.0.0.0:443
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs
I don't know how your httpd.conf file looks like, maybe you deleted/changed accidentaly some value.
The very first thing you need to do is to restore your httpd.conf file and start the service without the SSL configuration. Once it works you can proceed with this steps:
In a new file separate all your SSL settings, maybe a new file called httpd-ssl.conf is a good name.
After that, at the end of your main httpd.conf add this lines to include the new file:
# Secure (SSL/TLS) connections
Include conf/httpd-ssl.conf
This as good practice to avoid changing/deleting accidentally something in the main config and limitate the source of possible errors, you'll know any error will be related to the new file included.
Your new conf/httpd-ssl.conf should look something like this (standard setup):
# HTTPS port
Listen 443
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "C:/your_httpd_path/htdocs"
ServerName www.example.com:443
ServerAdmin admin#example.com
ErrorLog "C:/your_httpd_path/logs/error.log"
TransferLog "C:/your_httpd_path/logs/access.log"
# SSL Engine Switch:
SSLEngine on
# Server Certificates:
SSLCertificateFile "c:/path/to/cert/cert.crt"
SSLCertificateKeyFile "c:/path/to/cert/key.key"
SSLCACertificateFile "c:/path/to/cert/bundle.ca-bundle"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/your_httpd_path/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog "C:/your_httpd_path/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Have you tried using httpd.exe -e debug? maybe we can find something useful in this mode.
UPDATE: Aha! you got an error! It could be a duplicated line somewhere with 443.
Could you check your files in notepad++ and search all the coincidences that match "443"? probably you already had 443 configured and you tried adding it again? You only need to have one line with:
Listen 443
Or maybe already running in that port? Check with:
netstat -na | findstr "443"
If you have something like:
TCP [::]:443 [::]:0 LISTENING
Then something else is running on your 443 port. Anyway, you can change your httpd conf and set any other port like 4443 i.e. or kill the process which is taking 443 now.
Related
After adding a self-signed SSL certificate, I am unable to get my Drupal site to work on localhost.
I have attempted various proposed solutions that I have found online but none have gotten me past a 400 error at https://localhost/
I have uncommented the following in httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
I have Listen set to port 80 in this same file. When I set it to the SSL channel, 443, Apache does not load.
In my httpd-ssl.conf file:
I have set the paths for my server.crt and server.key files correctly.
I have enabled SSLEngine
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/Applications/MAMP/Library/htdocs"
ServerName https://127.0.0.1:443
ServerAdmin you#example.com
ErrorLog "/Applications/MAMP/Library/logs/error_log"
TransferLog "/Applications/MAMP/Library/logs/access_log"
I have tried a variety of possibilities for the ServerName. The one above along with localhost:443 both lead to 400 errors.
I have Listen set to 443 here. Setting to 80 so it matches the httpd.conf file leads to the same result described above...not able to connect Apache.
Here is my error log for Apache:
Digest: generating secret for digest authentication ...
Digest: done
FastCGI: process manager initialized (pid 1845)
Apache/2.2.34 (Unix) mod_wsgi/3.5 Python/2.7.13 PHP/7.2.14 mod_ssl/2.2.34 OpenSSL/1.0.2o DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_perl/2.0.9 Perl/v5.24.0 configured -- resuming normal operations
[error] [client 127.0.0.1] client denied by server configuration: /Applications/MAMP/htdocs/.DS_Store, referer: http://localhost/MAMP/?language=English
[error] [client 127.0.0.1] client denied by server configuration: /Applications/MAMP/htdocs/.DS_Store, referer: http://localhost/MAMP/?language=English
[notice] caught SIGTERM, shutting down
I don't know enough about Apache server configuration to figure out, when I start MAMP to be able to navigate with HTTPS to my Drupal project, which is in the HTDOCs file and make it run without the 400 error.
I solved the problem by commenting out the line "Document root" above in the virtual host section.
I am trying to make a VirtualHost for my Wordpress project that's being hosted on a EC2 Instance by Apache 2.4 with PHP-FPM. Most of the resources being loaded (mostly scripts and other php) are getting a 404 Error and when I look in the error log for the virtual host, I get the following errors
[Tue Mar 17 01:01:56.026492 2015] [proxy_fcgi:error] [pid 3382] (22)Invalid argument: [client 173.79.19.155:61617] AH01075: Error dispatching request to : (passing brigade to output filters), referer: http://52.21.23.15/project/
[Tue Mar 17 01:01:56.816915 2015] [proxy_fcgi:error] [pid 2895] [client 173.79.19.155:61618] AH01068: Got bogus version 116, referer: http://52.21.23.15/project/
Below is my Virtual Host portion of the conf
<VirtualHost *:80>
ServerName project.com
ServerAlias www.project.com
DocumentRoot /var/www/html/project
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/project/$1
<Directory /var/www/html/project>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/www/html/project/logs/error.log
</VirtualHost>
And below is the address portion of the php-fpm configuration.
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
Please HELP! I have looked everywhere and can not find a solution. I am allowing all traffic to all ports from EC2, I tried all kinds of combinations for different apache Directives, and I even tried to add the js|html and all that stuff to the ProxyPassMatch.
What is causing this?
Help is greatly appreciated.
I’m trying to renew the certificate for a second web serviced identified by a virtual host, call it “mysubdomain2.mydomain2.com”.
I’ve generated all the required files (mysubdomain2.crt mysubdomain2.mydomain.com.key ca.pem sub.class1.server.ca.pem).
Note that I recently successfully renewed the certificate for mysubdomain1.crt.
Here's the virtual host entry in apache:
<VirtualHost *:443>
ServerName mysubdomain2.mydomain.com
ServerAdmin myname#mycomp.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /disk2/certificates/ssl/mysubdomain2.crt
SSLCertificateKeyFile /disk2/certificates/ssl/mysubdomain.mydomain.com.key
SSLCertificateChainFile /disk2/certificates/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /disk2/certificates/startssl/ca.pem
SSLOptions StrictRequire
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#</VirtualHost>
But when I restart apache, it shuts down with this error message:
“caught SIGTERM, shutting down
[Tue Jan 13 13:59:16 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Jan 13 13:59:17 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Jan 13 13:59:17 2015] [notice] Apache/2.2.16 (Ubuntu) PHP/5.3.3-1ubuntu9.5 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
Additionally, from this link:
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
it's clear that this installation of apache has SNI installed. It seems that apache should at least start, as these are supposed to be just warning messages.
The problem SNI is supposed to solve is that without it, the host name doesn't get communicated until after the SSL connection is established, meaning that apache doesn't know which certificate to use.
But, at this point, it's simply not starting at all. I'm thinking to try regenerating the certificate and key and pem files, but I was pretty careful doing that in the first place. I'd like to understand what the real problem is.
I must have done something wrong when decrypting the secret key. I tried it again, and everything was fine.
What I am trying to do is direct my website on an Amazon EC2 Instance so that I am able to open on an HTTPS protocol. My site was running before but with a warning that it did not have a valid certificate, using this link example https://my.site.name.edu but now I get a "Webpage is not Available" prompt when I try to visit the site.
Please note that I have:
Installed Drupal for this testing site on a Linux server using Apache
My EC2 Instance attached to an Elastic IP
Used the steps in this guide: Creating, Uploading, and Deleting Server Certificates
Valid CA signed Apache certificates
An openssl-1.0.1f file installed in /home/ec2-user folder
Used this link to create the Virtual Host: http://ananthakrishnanravi.wordpress.com/2012/04/15/configuring-ssl-and-https-for-your-website-amazon-ec2/
Below is when the error occurred, while trying to solve the HTTPS access issue
I tried to change the ssl.conf file in this link to see if it would solve the problem: Setup an SSL certificate on an EC2 instance
I copied a new ssl.conf file, commented the old SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile. I then pasted the copied, modified file into the directory after I coded the first four lines like this:
<VirtualHost 00.00.00.00:443>
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
But when I restarted Apache:
service httpd restart
I received this error message:
Stopping httpd: [FAILED]
Starting httpd: [Wed May 21 14:44:31 2014] [warn] module ssl_module is already loaded, skipping
(98)Address already in use: make_sock: could not bind to address [::]:443
[ OK ]
My httpd.conf is set up like this:
<VirtualHost 00.00.00.00:443> #Same as the IP in the ssl.conf#
ServerAdmin ec2-user#ec2-00-00-00-00.compute.amazonaws.com
DocumentRoot /var/www/html
ServerName https://my.site.name.edu
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# ErrorLog logs/errorlogs
# CustomLog logs/custom
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
# SSLCACertificateFile /etc/httpd/conf/bundle.txt
SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown
# CustomLog /usr/local/apache/logs/ssl_request_log \
# “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
</VirtualHost>
EDIT: I tried reverting back to the old ssl.conf but when I try to restart Apache it gives me the same error. THIS PROBLEM HAS BEEN SOLVED I had to delete one of the ssl.conf even though I had renamed it...
Update I have added this line onto the httpd.conf file:
NameVirtualHost 00.00.00.00:443
I believe the problem is that my certificates are not pointing to this IP address.
Update I have just ran the certificate installation checker test here http://ssltool.com/?action=sslCheckOpenSSL and this is what I got:
Note: IP 12-34-56-78 is my private IP address on my AWS EC2 Instance.
Any help is greatly appreciated.
Thanks,
Ugh.... the answer was in this link the whole time...
Setup an SSL certificate on an EC2 instance
This line in the ssl.conf:
<VirtualHost 00.000.000.00:443>
Had to be changed to:
<VirtualHost _default_:443>
Add the rest:
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
And voilah! Your HTTPS: link should work...
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
i got a ssl cert and im running ubuntu
the domain.crt and domain.ca-bundle files and in the folder as specified but no matter what i keep getting these errors
[Sat Jul 27 06:35:00 2013] [error] Unable to configure verify locations for client authentication
[Sat Jul 27 06:35:00 2013] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Sat Jul 27 06:36:55 2013] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/default-ssl:2)
my port.conf is
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
and my default-ssl is as follows
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName www.domain.com
ServerAlias domain.com
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
-----------
---------------
-------------------- more configs
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile /etc/ssl/private/domain.crt
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/private/domain.ca-bundle
Solution
I added these in /etc/apache2/apache2.conf
SSLCertificateFile your.crt
SSLCertificateKeyFile your.key
SSLCertificateChainFile your_bundle.crt
Long part
There was some message when I enabled ssh in apache to read file /usr/share/doc/apache2.2-common/README.Debian.gz, it says:
6) Message "Server should be SSL-aware but has no certificate configured" in
error log
Since 2.2.12, Apache is stricter about certain misconfigurations concerning
name based SSL virtual hosts. See NEWS.Debian.gz for more details.
And NEWS says:
* The new support for TLS Server Name Indication added in 2.2.12 causes
Apache to be stricter about certain misconfigurations involving name
based SSL virtual hosts. This may result in Apache refusing to start
with the logged error message:
Server should be SSL-aware but has no certificate configured
[Hint: SSLCertificateFile]
Up to 2.2.11, Apache accepted configurations where the necessary SSL
configuration statements were included in the first (default)
<Virtualhost *:443> block but not in subsequent <Virtualhost *:443>
blocks. Starting with 2.2.12, every VirtualHost block used with SSL must
contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile
directives (SSLCertificateKeyFile is optional in some cases).
When you encounter the above problem, the output of the command
egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
/etc/apache2/*conf* /etc/apache2/*enabled
may be useful to determine which VirtualHost sections need to be changed.
There is more there.
You can try these for SSL certificate integration.
This should be under httpd.conf file under virtual host and please locate the virtual host section for the site that the SSL certificate will secure.
SSLCACertificateFile - This will need to point to the appropriate
to root CA certificate.
SSLCertificateChainFile - This will need to point to the appropriate
intermediate root CA certificates
SSLCertificateFile - This will need to point to the end entity
certificate (the one you have called "mydomain.crt")
SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.