Apache SSL error - Unable to configure server certificate for stapling - apache

I'm trying to configure SSL on apache2 with a GeoTrust SSL certificate. I have the private key file, the certificate and the bundle certificate.
This is the virtualhost config:
http://pastebin.com/38ygh8W1
The apache gives me error:
AH02235: Unable to configure server certificate for stapling
The https gives time out for the 443 port.
I read a lot of info on this topic but I'm not sure what to do anymore.
Any suggestions?

This seems to be a bug where the fix still hasn't made its way to the latest environments. I have the same problem. Here's my environment:
Server version: Apache/2.4.41
OS: Ubuntu 18.04
As a workaround, you can edit ports.conf so that the last listen directive is for a non-SSL port, i.e. Listen 80. Here's the whole file:
<IfModule ssl_module>
Listen 443 https
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
Listen 80
And the problem is gone.

Related

How to set Caddy as a reverse proxy for apache

Caddy 2 is a powerful, open source web server with automatic HTTPS written in Go. I have a web app where users can point their custom domains. So caddy can easily generate ssl with tls on demand. https://caddyserver.com/docs/automatic-https
So I want to set caddy as a reverse-proxy for apache, so I edited my ports.conf file and set it to
Listen 8080
<IfModule ssl_module>
Listen 8443
</IfModule>
<IfModule mod_gnutls.c>
Listen 8443
</IfModule>
And my caddy file is set to:
mydomain:80 {
reverse_proxy localhost:8080
}
mydomain:443 {
reverse_proxy localhost:8443
}
However, HTTP works fine with it, but HTTPS doesn't work at all. I even tried checking whether port 8443 is free, and changed it to 44301. But it doesn't work.
My questions:
1) How to properly configure caddy as reverse proxy for apache?
2) Should I also change the ports in the VirtualHost file? (Tried changing to 8080, but Apache won't start)
3) Is there anything I am missing setting it up as a reverse proxy with apache?
Appreciate your help!!

ports.conf changed by certbot

I have two http servers running:
nginx (80/443)
apache2 (8080/8081)
My ports.conf (apache2) looks like this:
Listen 8080
<IfModule ssl_module>
Listen 8081
</IfModule>
<IfModule mod_gnutls.c>
Listen 8081
</IfModule>
Usually both (nginx & apache) run in parallel which is no problem.
Periodically certbot from Let's Encrypt runs (dunno why, it's not listed in crontab) and appends the following lines to the above-mentioned file:
#vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Apache2 then tries to restart, but fails, because port 443 is already in use by nginx.
I tried to delete or comment out the new lines, but they get overwritten each time certbot runs. Changing the port from 443 to 8081 also led to the same result.
I have written a wrapper script that stops nginx, resets apache ports to defaults, updates the certificates and changes them back.
Is it possible to prevent certbot from running automatically?
Instead I would like to add my wrapper script to the crontab.
I had this problem as well. I realized that I had installed the certificate configured to use apache, which was then being proxied by nginx. To solve, I simply created a new certificate for that domain using nginx as the server instead.
It no longer tries to configure the port number during its attempt to renew.

SSL issue with Apache httpd reverse proxy scheme

Apologies this question is a mix of Chef and Apache-httpd, but ultimately I believe it's an Apache-httpd configuration issue.
I have a Chef client/node happily hitting a Chef Server w/ SSL.
Chef client/node - /etc/chef/client.rb
chef_server_url 'https://chefserverhostname/organizations/myOrg'
ssl_verify_mode :verify_peer
I'm trying to put a proxy in front of the Chef Server so I can re-point down the road if needed. Apache-httpd is installed fine (on the same box as Chef Server), all firewall and iptables are consistent with my below configuration.
Chef Server - /etc/httpd/conf/httpd.conf
Listen 8443
<VirtualHost *:8443>
ServerAdmin me#email
ServerName chefserverhostname
ServerAlias CDS-PROXY
ProxyPass / https://chefserverhostname:443/
ProxyPassReverse / https://chefserverhostname:443/
RewriteEngine On
</VirtualHost>
I reconfigure the Chef client/node's client.rb to point to https://chefserverhostname:8443/organizations/myOrg, and hope to have the request pass through the proxy. ChefServer/nginx is listening on 443 and I'm assuming that it's taking care of the SSL decrypt, and 8443 is just the 'pass-through'. But when I fire up my Chef client/node I'm getting an SSL error message:
ERROR: SSL Validation failure connecting to host: chefserverhostname - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
You are using HTTPS but your vhost does not have any configuration to enable mod_ssl or another TLS option. As such, you should be using http://hostname:8443, but this is very much not recommended.
Chef Server is an appliance at heart and this kind of extra proxy layer is possible but not how things are intended to operate. You should just use the default setup which already includes a fronting nginx proxy for Erchef and friends.
You can check this recipe, https://github.com/chef-cookbooks/httpd, and configure Apache SSL and the additional modules properly.
To me it is also not OK to drop the SSL connection on the Chef server, based on your current setup.
Since you have nginx on your machine you can extend the configuration there to support a reverse proxy. Later on, if you remove chefserver/nginx from this machine and you want to leave only the proxy, install a new nginx and apply the same proxy configuration.
I would rather drop Apache from your setup.

Self signed certificate on Ubuntu 12.04 and Apache 2.4.9

I am trying to install a self-signed certificate on an Apache server. First, I did
sudo a2enmod ssl
and got the following output:
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
Then, I restarted apache2 and got the following error:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs
In ports.conf, I have the following:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
If I comment out the line Listen 443 inside <IfModule ssl_module>, I get no errors. However, it seems that then I won't be able to listen for requests on 443.
What can I do to be able to keep Listen 443 and get no errors?

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error

I have configured SSL on my tomcat. I referred to the steps from the following site to configure SSL:
http://wiki.openbravo.com/wiki/How_To_Configure_SSL_For_Windows
I am using Win32 OpenSSL v0.9.8x Light installer and tomcat 7.0.22. But when I access https://server.ensarm.com:8843/ it gives the following error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I don't understand what could be the problem. :(
Check your Apache error log, see if it has a message similar to:
You configured HTTP(80) on the standard HTTPS(443) port!
This may indicate you have configured Apache to listen on port 443 while the SSLEngine is not on.
In httpd.conf only set ONE listen directive:
Listen *:80
Later in httpd.conf you should have something that looks like:
<IfModule ssl_module>
Include conf/httpd-ssl.conf
</IfModule>
In httpd-ssl.conf (or equivalent config file) make sure you have enabled the SSLEngine prior to the Listen directive:
SSLEngine on
Listen *:443
Restart Apache and you should be good to go.
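As an added example (not code from any of the posts above), a small Python linter for ports.conf that flags the two Listen problems these threads run into: the same address:port declared twice under guards that are active together (the <IfModule mod_ssl.c> block certbot appends next to the stock <IfModule ssl_module> one) and a TLS port as the final Listen (the ordering the AH02235 workaround changes). The sample config is constructed from the files quoted in the threads; the finding codes and messages are my own.

```python
import re

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)(?:\s+(\w+))?\s*$", re.I)
IFMOD_RE = re.compile(r"^\s*<IfModule\s+(!?)([^\s>]+)\s*>", re.I)

def module_name(token):
    # 'mod_ssl.c' and 'ssl_module' both name mod_ssl; canonicalise both to 'ssl'
    return re.sub(r"^mod_|\.c$|_module$", "", token.lower())

def parse_listens(text):
    """Return [(guards, address, port, protocol)] for each Listen, in file order."""
    stack, found = [], []
    for line in text.splitlines():
        if m := IFMOD_RE.match(line):
            stack.append(m.group(1) + module_name(m.group(2)))
        elif line.strip().lower().startswith("</ifmodule") and stack:
            stack.pop()
        elif m := LISTEN_RE.match(line):
            addr, _, port = m.group(1).rpartition(":")  # handles 443, *:80 and [::]:443
            # Apache assumes https on 443 and http elsewhere when no protocol is given
            proto = (m.group(2) or ("https" if port == "443" else "http")).lower()
            found.append((tuple(stack), addr or "*", int(port), proto))
    return found

def lint(text):
    """Return (code, message) findings for the two Listen problems in the threads."""
    listens, findings, seen = parse_listens(text), [], {}
    for guards, addr, port, _ in listens:
        for other in seen.get((addr, port), []):
            # Same socket bound twice when both guards hold at once: no guard, or the same module under both spellings
            if not guards or not other or guards == other:
                findings.append(("DUPLICATE_LISTEN", f"{addr}:{port} declared under {'/'.join(other) or 'no guard'} and again under {'/'.join(guards) or 'no guard'}"))
        seen.setdefault((addr, port), []).append(guards)
    for guards, _, port, proto in listens[-1:]:  # only the final Listen matters here
        if proto == "https" or any(g.lstrip("!") in ("ssl", "gnutls") for g in guards):
            findings.append(("TLS_PORT_LAST", f"last Listen is TLS port {port}; the AH02235 workaround puts a plain-HTTP Listen (e.g. Listen 80) last"))
    return findings

# Constructed sample: the stock Ubuntu ports.conf from the self-signed-cert thread plus the <IfModule mod_ssl.c> block certbot appended in the ports.conf thread
CERTBOT_APPENDED = """\
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
"""
```

It only reads the file: a port already held by another daemon such as nginx (the certbot thread) or by a second Apache instance (the bind failure on 443) shows up in the host's listening sockets, not in ports.conf.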