We Keep Coding

Apache SSL certificate is not working without error [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I want to put a ssl certificate which was generated today on a website but it doesn't work. The secured page is not loading, but the insecure one works. This is my conf:
<VirtualHost *:80>
ServerName example.com
ServerAdmin example#gmail.com
ServerAlias www.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/example-error.log
CustomLog /var/log/example-access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAdmin example#gmail.com
ServerAlias www.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile /root/certs/example.crt
SSLCertificateKeyFile /root/XXX.key
SSLCertificateChainFile /root/certs/example.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
</VirtualHost>
It is weird that I don't have errors in ssl_error_log:
[Fri Apr 02 22:33:55.266922 2021] [ssl:info] [pid 12429] AH02200: Loading certificate & private key of SSL-aware server 'example.com:443'
[Fri Apr 02 22:33:55.267378 2021] [ssl:debug] [pid 12429] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Apr 02 22:33:55.267430 2021] [ssl:info] [pid 12429] AH01914: Configuring server example.com:443 for SSL protocol
[Fri Apr 02 22:33:55.267738 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Fri Apr 02 22:33:55.267751 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Fri Apr 02 22:33:55.267762 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Fri Apr 02 22:33:55.267939 2021] [ssl:debug] [pid 12429] ssl_util_ssl.c(508): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=example.com / issuer: CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1,O=DigiCert Inc,C=US / serial: example / notbefore: Apr 2 00:00:00 2021 GMT / notafter: May 3 23:59:59 2022 GMT]
[Fri Apr 02 22:33:55.267957 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Fri Apr 02 22:33:55.310426 2021] [ssl:info] [pid 12429] AH02200: Loading certificate & private key of SSL-aware server 'example.com:443'
[Fri Apr 02 22:33:55.310726 2021] [ssl:debug] [pid 12429] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Apr 02 22:33:55.310770 2021] [ssl:info] [pid 12429] AH01914: Configuring server example.com:443 for SSL protocol
[Fri Apr 02 22:33:55.310983 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Fri Apr 02 22:33:55.310994 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Fri Apr 02 22:33:55.311002 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Fri Apr 02 22:33:55.311108 2021] [ssl:debug] [pid 12429] ssl_util_ssl.c(508): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=example.com / issuer: CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1,O=DigiCert Inc,C=US / serial: XXX / notbefore: Apr 2 00:00:00 2021 GMT / notafter: May 3 23:59:59 2022 GMT]
[Fri Apr 02 22:33:55.311117 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[root#vps httpd]# curl https: //xxx.com
curl: (7) Failed connect to xxx.com:443; Connection refused
The port is open is firewall.
Any idea?

Other than what Ryan wrote which is absolutely corrent, you should fix (or remove)
SSLCertificateChainFile /root/certs/example.crt
If you want to fix it, you shouldn't use the certificate here but the chain which means the certificate used to sign your csr. The chain may or may not include the root: I personally never include the root.
On a side note, i suggest you to move certificates outside root home directory: you can create a sub-folder in apache root directory (/etc/{apache2,httpd}/certs) for example.

Apache2.4 will not restart after including httpd-ssl.conf

My company has just provided us SSL certificates that I had to attempt to install and configure using Apache2.4 on a Windows Server 2019.
I created a folder called "certs" within the conf folder on Apache24.
Within the certs folder, I have the following certs:
MYCOMPANY_Intermediate.cer
MYCOMPANY_Root.cer
mycompany_name_com.cer
private.cer
private.key
I have updated the httpd-ssl.conf file to include the certs, as follows:
<VirtualHost _default_:443>
DocumentRoot "D:/htdocs"
ServerName mycompany.name.com:443
ServerAdmin mycompany#email.com
ErrorLog "${SRVROOT}/logs/error-ssl.log"
TransferLog "${SRVROOT}/logs/access-ssl.log"
# SSL Engine Switch:
SSLEngine on
# Server Certificate:
SSLCertificateFile "${SRVROOT}/conf/certs/mycompany_name_com.cer"
# Server Private Key:
SSLCertificateKeyFile "${SRVROOT}/conf/certs/private.key"
# Server Certificate Chain:
SSLCertificateChainFile "${SRVROOT}/conf/certs/MYCOMPANY_Intermediate.cer"
</VirtualHost>
Back in the httpd.conf file, when I include the following:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Apache fails to restart.
Within the error log, the only thing noticeable that I am finding is maybe this:
[Sat Jan 23 10:56:32.453519 2021] [mpm_winnt:notice] [pid 8552:tid 772] AH00455: Apache/2.4.46 (Win64) mod_authnz_sspi/0.1.1 OpenSSL/1.1.1h PHP/7.4.12 configured -- resuming normal operations
[Sat Jan 23 10:56:32.453519 2021] [mpm_winnt:notice] [pid 8552:tid 772] AH00456: Apache Lounge VS16 Server built: Oct 2 2020 11:45:39
[Sat Jan 23 10:56:32.453519 2021] [core:notice] [pid 8552:tid 772] AH00094: Command line: 'C:\\Apache24\\bin\\httpd.exe -d C:/Apache24'
[Sat Jan 23 10:56:32.463520 2021] [mpm_winnt:notice] [pid 8552:tid 772] AH00418: Parent: Created child process 17204
[Sat Jan 23 10:56:33.684738 2021] [ssl:warn] [pid 17204:tid 808] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Jan 23 10:56:33.729741 2021] [mpm_winnt:notice] [pid 17204:tid 808] AH00354: Child: Starting 64 worker threads.
As you will see, there are no errors, just warnings. I do not know why Apache is failing to restart, and I really need to get this to work.
Edit
In the Event View, under Windows Log under System, I see the following error:
The Apache2.4 service terminated with the following service-specific error:
Incorrect function.
I also see an event ID number 7024. I am not sure what that means.

I found my problem...
A typo.
Yup, it was a typo.
In the httpd-ssl.conf file, this part:
# Server Certificate:
SSLCertificateFile "${SRVROOT}/conf/certs/mycompany_name_com.cer"
mycompany_name_com.cer was mispelled.
thecompany_name_com.cer is the correct spelling.

503 service unavailable. Apache crashes once in 7-10 days

I use Apache server on Ubuntu 14.04. In order redirect all requests from mypage.com to mypage.com:8080/myapp I use mod_proxy. My 000-default.conf looks as follows:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPass / http://mypage.com:8080/myapp/ retry=0 timeout=10
ProxyPassReverse / http://mypage.com:8080/myapp/
ServerName mypage.com
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
And that is my ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
Listen 81
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
And everything works fine until in a several days I always get 503 Service Unavailable error page. and this is written in error.log before error occurs
[Sun Oct 25 21:22:27.779422 2015] [core:error] [pid 14595] [client 38.104.233.252:45239] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Mon Oct 26 02:30:20.925532 2015] [core:error] [pid 15416] [client 190.252.95.102:53508] AH00126: Invalid URI in request GET: index.php HTTP/1.0
[Mon Oct 26 08:22:27.771751 2015] [proxy:error] [pid 15402] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 08:22:27.774040 2015] [proxy:error] [pid 15402] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 08:22:27.774111 2015] [proxy_http:error] [pid 15402] [client 5.28.160.27:48692] AH01114: HTTP: failed to make connection to backend: mypage.com
[Mon Oct 26 10:55:51.655213 2015] [proxy:error] [pid 15406] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 10:55:51.655422 2015] [proxy:error] [pid 15406] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 10:55:51.655470 2015] [proxy_http:error] [pid 15406] [client 169.57.5.20:60000] AH01114: HTTP: failed to make connection to backend: mypage.com
[Mon Oct 26 13:32:00.442031 2015] [proxy:error] [pid 15408] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 13:32:00.442356 2015] [proxy:error] [pid 15408] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 13:32:00.442413 2015] [proxy_http:error] [pid 15408] [client 217.168.189.15:50222] AH01114: HTTP: failed to make connection to backend: mypage.com, referer: http://mypage.com/admn
[Mon Oct 26 13:32:12.245050 2015] [proxy:error] [pid 15402] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 13:32:12.245179 2015] [proxy:error] [pid 15402] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 13:32:12.245190 2015] [proxy_http:error] [pid 15402] [client 217.168.189.15:50225] AH01114: HTTP: failed to make connection to backend: mypage.com, referer: http://mypage.com/admn
[Mon Oct 26 13:34:44.343614 2015] [mpm_prefork:notice] [pid 991] AH00169: caught SIGTERM, shutting down
[Mon Oct 26 13:36:07.703185 2015] [mpm_prefork:notice] [pid 991] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Mon Oct 26 13:36:07.708761 2015] [core:notice] [pid 991] AH00094: Command line: '/usr/sbin/apache2'
[Tue Oct 27 01:20:23.236327 2015] [mpm_prefork:notice] [pid 991] AH00169: caught SIGTERM, shutting down
[Tue Oct 27 01:20:24.265160 2015] [mpm_prefork:notice] [pid 3247] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Tue Oct 27 01:20:24.265243 2015] [core:notice] [pid 3247] AH00094: Command line: '/usr/sbin/apache2'
[Tue Oct 27 01:41:17.177723 2015] [mpm_prefork:notice] [pid 3247] AH00169: caught SIGTERM, shutting down
[Tue Oct 27 01:41:18.219244 2015] [mpm_prefork:notice] [pid 11636] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Tue Oct 27 01:41:18.219351 2015] [core:notice] [pid 11636] AH00094: Command line: '/usr/sbin/apache2'
After I restart my machine it works fine again. Then in 7-10 days it crashes again. Tried a lots of things in internet but always get this error at most in several weeks. Struggling with already for some months.
SELinux is disabled.

The problem is not with Apache because its still serving a 503 page
The problem is with the application running on port number 8080, you are reverse proxying / to http://mypage.com:8080/myapp/ and when Apache is trying to proxy the request its not getting back the response from the 8080 app and so its trowing the message 'Service Unavailable' . Its inferred from the underlying part of the log.
[Mon Oct 26 13:32:00.442031 2015] [proxy:error] [pid 15408] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 13:32:00.442356 2015] [proxy:error] [pid 15408] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 13:32:00.442413 2015] [proxy_http:error] [pid 15408] [client 217.168.189.15:50222] AH01114: HTTP: failed to make connection to backend: mypage.com, referer: http://mypage.com/admn
[Mon Oct 26 13:32:12.245050 2015] [proxy:error] [pid 15402] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
So check and post(if necessary) the logs of the server running on port number 8080

Apache (httpd) - You don't have permission to access

I'm trying to run the below command from my linux server
curl -T helloworld.txt -u user:pwd http://<ip>/record/helloworld.txt
Not able to upload a helloworld.txt file to my http url
Error:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /record/helloworld.txt
on this server.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at <ip> Port 80</address>
</body>
</html>
httpd.conf:
Alias /record /usr/bin/Test/web/record
<Directory /usr/bin/Test/web/record>
DAV On
Options Indexes MultiViews FollowSymLinks
EnableSendfile off
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Location "/record">
DAV On
AuthType Basic
AuthName "user"
AuthUserFile /usr/bin/Test/web/.htpasswd
Require valid-user
RewriteEngine off
</Location>
httpd error logs:
[Thu Aug 27 16:54:39 2015] [notice] caught SIGTERM, shutting down
[Thu Aug 27 16:54:39 2015] [notice] SELinux policy enabled; httpd running as context root:system_r:httpd_t:s0
[Thu Aug 27 16:54:39 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Aug 27 16:54:39 2015] [notice] Digest: generating secret for digest authentication ...
[Thu Aug 27 16:54:39 2015] [notice] Digest: done
[Thu Aug 27 16:54:39 2015] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Aug 27 16:56:41 2015] [error] [client <ip>] Unable to PUT new contents for /record/helloworld.txt. [403, #0]
[Thu Aug 27 16:56:41 2015] [error] [client <ip>] (13)Permission denied: An error occurred while opening a resource. [500, #0]

Apache as Proxy for Tomcat with Subdomain

Even though I found some similar reports on SO no suggestion solved my issue. So I decided to raise a question myself.
I am running Confluence (and Jira) as WARs on a Tomcat instance on Ubuntu. The application is accessible via http://localhost:8080/confluence. I would like to configure apache as a proxy to allow public access via http://confluence.<servername>.de. Following the instructions on https://confluence.atlassian.com/display/DOC/Using+Apache+with+mod_proxy#UsingApachewithmod_proxy-complex I did the following steps:
appended the attributes proxyName="confluence.<servername>.de" and proxyPort="80" to the Connector element in /var/lib/tomcat7/conf/server.xml.
Defined a virtual host in /etc/apache2/sites-enabled/confluence.conf
The confluence.conf has the following content:
<VirtualHost *:80>
ServerName confluence.<servername>.de
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/confluence
ProxyPassReverse / http://localhost:8080/confluence
ProxyHTMLURLMap / /confluence/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
With this configuration I cannot invoke http://localhost:8080/confluence due to this (wget) output:
--2014-12-23 08:38:13-- http://localhost:8080/confluence
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:8080... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://confluence.<servername>.de/confluence/ [following]
--2014-12-23 08:38:13-- http://confluence.<servername>.de/confluence/
Resolving confluence.<servername>.de (confluence.<servername>.de)... 92.51.163.197
Connecting to confluence.<servername>.de (confluence.<servername>.de)|92.51.163.197|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-23 08:38:13 ERROR 404: Not Found.
If I remove the attributes proxyName and proxyPort this access is possible. However, the invocation via http://confluence.<servername>.de still yields errors. The output of Apache log suggests that the URL rewrite is corrupt:
[Tue Dec 23 08:50:47.952647 2014] [authz_core:debug] [pid 24715:tid 140609413170944] mod_authz_core.c(828): [client 37.201.226.149:11808] AH01628: authorization result: granted (no directives)
[Tue Dec 23 08:50:47.952809 2014] [proxy:debug] [pid 24715:tid 140609413170944] mod_proxy.c(1104): [client 37.201.226.149:11808] AH01143: Running scheme http handler (attempt 0)
[Tue Dec 23 08:50:47.952838 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2020): AH00942: HTTP: has acquired connection for (localhost)
[Tue Dec 23 08:50:47.952851 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2072): [client 37.201.226.149:11808] AH00944: connecting http://localhost:8080/confluence to localhost:8080
[Tue Dec 23 08:50:47.953069 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2206): [client 37.201.226.149:11808] AH00947: connected /confluence to localhost:8080
[Tue Dec 23 08:50:47.953176 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2483): (111)Connection refused: AH00957: HTTP: attempt to connect to [::1]:8080 (localhost) failed
[Tue Dec 23 08:50:47.953277 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2610): AH00962: HTTP: connection complete to [::1]:8080 (localhost)
[Tue Dec 23 08:50:47.956860 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2035): AH00943: http: has released connection for (localhost)
[Tue Dec 23 08:50:47.988123 2014] [authz_core:debug] [pid 24715:tid 140609402681088] mod_authz_core.c(828): [client 37.201.226.149:11808] AH01628: authorization result: granted (no directives)
[Tue Dec 23 08:50:47.988231 2014] [proxy:debug] [pid 24715:tid 140609402681088] mod_proxy.c(1104): [client 37.201.226.149:11808] AH01143: Running scheme http handler (attempt 0)
[Tue Dec 23 08:50:47.988250 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2020): AH00942: HTTP: has acquired connection for (localhost)
[Tue Dec 23 08:50:47.988264 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2072): [client 37.201.226.149:11808] AH00944: connecting http://localhost:8080/confluenceconfluence/ to localhost:8080
[Tue Dec 23 08:50:47.988277 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2206): [client 37.201.226.149:11808] AH00947: connected /confluenceconfluence/ to localhost:8080
[Tue Dec 23 08:50:47.990134 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2035): AH00943: http: has released connection for (localhost)
Am I missing anything? By the way, if I adjust the virtual host configuration in a way that the URL http://<servername>.de/confluence is used as a proxy everything works fine.
Any suggestion would be greatly appreciated.

My personal preference is to deploy applications in subfolders and set up proxy like:
ProxyPass "/confluence/" "http://localhost:8080/confluence/"
ProxyPassReverse "/confluence/" "http://localhost:8080/confluence/"
No need for ProxyHTMLURLMap, that's probably why you see "AH00944: connecting http://localhost:8080/confluenceconfluence/ to localhost:8080"
Setting up like you intended might be a little tricky, since you need the fully qualified domain name of your machine to be confluence.servername.de and you need an A record in your local DNS for this as well. I second Slash's question: can you ping confluence.servername.de?
When this is taken care of, you may also want to look into using these directives, as needed:
ProxyRequests Off
ProxyVia Off
RemoteIPHeader X-Forwarded-For
RequestHeader unset Accept-Encoding
ProxyHTMLEnable On
ProxyHTMLExtended On
<Proxy *>
Require all granted
</Proxy>