Things that are weird:
1: I compiled this LAMP environment with
./configure --enable-layout=RedHat --enable-so --enable-mods-shared=all --with-ldap --enable-ldap --enable-authnz-ldap --with-ssl=/usr/local/ssl --enable-ssl && make && make install
2: This is configured for name-based virtual hosts with SSL (not for a
single virtualhost).
3: I can start the apache service with the default website, but can't
start it when I configure the virtualhost.
4: After testing many times, I found I can start the apache
service with the default website first, then modify the httpd.conf file to
uncomment the virtualhost config lines and run the command "apachectl -k
restart"; finally the virtualhost will be up.
5: I can't find any error messages in the apache error log; it just
shows:
[notice] Digest: generating secret for digest authentication ...
[crit] (4)Interrupted system call: Digest: error generating secret: Interrupted system call Configuration Failed
[warn] RSA server certificate CommonName (CN) `*.example.com' does NOT match server name!?
[warn] RSA server certificate CommonName (CN) `*.example.com' does NOT match server name!?
[warn] RSA server certificate CommonName (CN) `*.example.com' does NOT match server name!?
[warn] Init: SSL server IP/port conflict: china.example.com:443 (/etc/httpd/conf.d/china.conf:49) vs. hk.example.com:443 (/etc/httpd/conf.d/hk.conf:45)
[warn] Init: SSL server IP/port conflict: korea.tkeexample.com:443 (/etc/httpd/conf.d/korea.conf:45) vs. hk.example.com:443 (/etc/httpd/conf.d/hk.conf:45)
[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
6: I know there is a config mistake, but how can I find it, because I
know there is no place to find errors from the virtualhost
configuration?
I'm trying to bring up an OwnCloud container on my docker server via docker compose. I'm using the stock OwnCloud image from Docker Hub. Here is my yaml file:
version: '3.1'
services:
  owncloud:
    image: owncloud
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - '/etc/docker/owncloud/data:/var/www/html'
      - '/etc/docker/owncloud/ssl.sh:/etc/apache2/ssl.sh'
    networks:
      default:
        ipv4_address: 192.168.226.28
  mysql:
    image: mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ********
volumes:
  owncloud_data:
    driver: local
networks:
  default:
    external:
      name: pub_net
It works great. The container comes up and I can access it via http. Now of course I want to access it via https, so you can see the bash script I've sent into my container. Here are the contents of that script:
#!/bin/bash
a2enmod ssl
a2ensite default-ssl
openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -subj "/C=US/ST=Ohio/L=Cleveland/O=Data/CN=fake.domain.com" -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
service apache2 restart
Now, if I manually bash into the container and run that script it works great. I can access OwnCloud via https. Here's where it gets annoying. I want to automate the process of running that script so that when the container updates it's part of the rebuild process. So far I've tried adding a "command" string in the yaml file like this:
version: '3.1'
services:
  owncloud:
    image: owncloud
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - '/etc/docker/owncloud/data:/var/www/html'
      - '/etc/docker/owncloud/ssl.sh:/etc/apache2/ssl.sh'
    networks:
      default:
        ipv4_address: 192.168.226.28
    command: /etc/apache2/ssl.sh
  mysql:
    image: mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ********
volumes:
  owncloud_data:
    driver: local
networks:
  default:
    external:
      name: pub_net
When I run docker-compose up it does appear to run the script, except it runs it over and over again, and the apache service keeps restarting. Here is a snippet of the logs:
Restarting Apache httpd web server: apache2.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
dule ssl already enabled
Site default-ssl already enabled
Generating a RSA private key
................+++++
...............+++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.226.28. Set the 'ServerName' directive globally to suppress this message
[Wed Oct 07 21:09:05.504798 2020] [ssl:warn] [pid 33] AH01906: 192.168.226.28:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 07 21:09:05.504883 2020] [ssl:warn] [pid 33] AH01909: 192.168.226.28:443:0 server certificate does NOT include an ID which matches the server name
Restarting Apache httpd web server: apache2.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
dule ssl already enabled
Site default-ssl already enabled
Generating a RSA private key
....................................+++++
...............................+++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.226.28. Set the 'ServerName' directive globally to suppress this message
[Wed Oct 07 21:09:15.145928 2020] [ssl:warn] [pid 33] AH01906: 192.168.226.28:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 07 21:09:15.146014 2020] [ssl:warn] [pid 33] AH01909: 192.168.226.28:443:0 server certificate does NOT include an ID which matches the server name
Restarting Apache httpd web server: apache2.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
dule ssl already enabled
Site default-ssl already enabled
Generating a RSA private key
...........................+++++
..........................................+++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.226.28. Set the 'ServerName' directive globally to suppress this message
[Wed Oct 07 21:09:29.712422 2020] [ssl:warn] [pid 33] AH01906: 192.168.226.28:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 07 21:09:29.712500 2020] [ssl:warn] [pid 33] AH01909: 192.168.226.28:443:0 server certificate does NOT include an ID which matches the server name
I'm not sure where to go from here. Any ideas?
A Docker container's command should run for as long as you expect the container to run.
When your script starts, there is nothing else running in the container. There is no apache2 or anything, just your script. And it ends with service apache2 restart and quits right after. It doesn't care about any background processes that you just started. It only cares that your foreground process, your bash script, has finished already.
As you can see in your image (using the latest version at the time of writing this): https://hub.docker.com/layers/owncloud/library/owncloud/latest/images/sha256-57e690e039c947e4de6bdae767b57b402d3ed9b9ed9f12ba5d31d3cf92def4b8?context=explore it is using CMD ["apache2-foreground"] to run. And that's how you should end your bash script, so it also runs apache2 in the foreground:
#!/bin/bash
a2enmod ssl
a2ensite default-ssl
openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -subj "/C=US/ST=Ohio/L=Cleveland/O=Data/CN=fake.domain.com" -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
apache2-foreground
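Building on that answer, here is an added example entrypoint (my own code, not the owncloud image's or the answerer's) that performs the same setup only when needed and then exec's apache2-foreground. It assumes the image provides a2enmod, a2ensite, an openssl that accepts -addext, and apache2-foreground, and that the compose file passes a "serve" argument, i.e. command: ["/etc/apache2/ssl.sh", "serve"].

```shell
#!/bin/sh
# Added example entrypoint (not the owncloud image's own script). Assumes the
# commands and paths the thread shows: a2enmod/a2ensite, openssl with -addext,
# apache2-foreground, and the snakeoil key/cert paths.
set -eu

KEY="${SSL_KEY:-/etc/ssl/private/ssl-cert-snakeoil.key}"
CERT="${SSL_CERT:-/etc/ssl/certs/ssl-cert-snakeoil.pem}"
CN="${SSL_CN:-fake.domain.com}"   # hostname from the thread's -subj

# Exit 0 when a key/cert pair still has to be generated. The script in the
# question regenerated one on every restart, which is wasted work and gives
# clients a different certificate fingerprint each time the container starts.
cert_needed() {
  [ -s "$1" ] && [ -s "$2" ] && return 1
  return 0
}

# Exit 0 when the key and certificate belong together; a mismatch is what the
# AH02238 "key values mismatch" error later in this thread reports.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

generate_selfsigned() {
  # Same self-signed cert as the question, plus a SAN so clients that ignore
  # the CN (every current browser) can still match the name.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/C=US/ST=Ohio/L=Cleveland/O=Data/CN=$CN" \
    -addext "subjectAltName=DNS:$CN" \
    -keyout "$KEY" -out "$CERT"
}

main() {
  a2enmod ssl
  a2ensite default-ssl
  if cert_needed "$KEY" "$CERT" || ! key_matches_cert "$KEY" "$CERT"; then
    generate_selfsigned
  fi
  # exec replaces this shell with apache2 as PID 1, so the container keeps
  # running and "docker stop" delivers SIGTERM to Apache itself.
  exec apache2-foreground
}

# Only act as the entrypoint when asked to, so the functions above can be
# sourced and tested without touching Apache.
if [ "${1:-}" = "serve" ]; then main; fi
```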
I have replaced the certificate and private key to renew my SSL certificate on my Linux server. This is for APACHE, by the way. I am positive I am using the right private key, and in the ssl.config file I have pointed the paths to the correct places,
i.e. SSLCertificateFile and SSLCertificateKeyFile.
But I still get this error below:
" AH01909: RSA certificate configured for hostname:443 does NOT include an ID which matches the server name
[Wed May 20 21:17:33.432341 2020] [ssl:emerg] [pid 2607] AH02238: Unable to configure RSA server private key
[Wed May 20 21:17:33.432366 2020] [ssl:emerg] [pid 2607] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
What could I be missing?
@Oluwatobi Elugbadebo: It sounds like you have used the wrong hostname to generate the certificates. Not knowing your environment, I cannot comment further. However, I would recommend using Let's Encrypt / Certbot for free SSL and very minimal setup to add SSL to any apache2-hosted domain. It will handle everything related to the cert and the modification of apache files.
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
I'm trying to set up HTTP2 with apache2 and certbot-auto. The fact is, I have another working server with HTTP2 + Apache2 + a letsencrypt cert, and HTTP2 is working perfectly on that server. I have this on both servers:
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
I tried to regenerate both dhparams keys with:
openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Restarted apache, same problem: server 1 is working, server 2 is not.
On ssllabs.com I get, with chrome, FF, ...:
Server negotiated HTTP/2 with blacklisted suite
If I test with :
openssl s_client -host 127.0.0.1 -port 443
On the working server I have :
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
On the not working server :
Server Temp Key: DH, 4096 bits
Cipher : DHE-RSA-AES128-GCM-SHA256
I know that it should be an ECDH key to work, but I don't know why it's not working, as all servers have exactly the same configuration!
I always use certbot-auto --apache -d mydomain.com to generate a cert; HTTP2 works on the first server, not on the second (error "inadequate security", and fallback to http1.1).
Can you help me? I want a working configuration with apache2 and SSL/HTTP2; I don't need very old browser compatibility. Or, if you know a very good working tutorial to do that.
Apache 2.4.25 and openssl 1.0.2k on both servers.
I just (re)emerged apache 2.4.25 with exactly the same compilation flags and it works now! Maybe some cipher libs were compiled before the newer openssl. I'm on gentoo.
I am currently developing an API to communicate with an external service, and they require that we use two-way auth with the certificate they sent.
I have received two files, .pem and .cer; both files start with -----BEGIN CERTIFICATE-----.
I've tried several different ways to configure this on Apache 2.4, using SSLCACertificateFile, but all I get are errors saying it could not start the server:
[Mon Dec 05 10:29:06.434853 2016] [ssl:emerg] [pid 6112] AH02572: Failed to configure at least one certificate and key for my-server.com:443
[Mon Dec 05 10:29:06.434872 2016] [ssl:emerg] [pid 6112] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
Would it be possible to configure this auth with just these files, or should I request the .key in order to configure everything?
Best
You can configure two-way client auth SSL certificates by getting a third-party certificate. Apache works with OpenSSL commands, so you have to create a CSR and private key and install the CA bundle and certificate.
Install Root certificate in Apache: https://www.alphassl.com/support/install-root/apache.html
For SSL installation in Apache: https://www.alphassl.com/support/install-ssl/apache.html
I suggest you read this article, which will help you understand it more deeply: http://www.stefanocapitanio.com/configuring-two-way-authentication-ssl-with-apache/
I received my certificate by email and then created the necessary files and copied it over. I went to restart my server and received the following errors.
[Wed Feb 08 13:02:06 2012] [error] Init: Unable to read server certificate from file /home/sslcertificates/mydomain.crt
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Does anyone have any ideas?
Another possible source of failure which causes this error message is:
instead of the certificate file, I linked to the certificate request file.
It's recognizable when you read the first line of the file:
Either
-----BEGIN CERTIFICATE REQUEST-----
Or
-----BEGIN CERTIFICATE-----
:-)
Situation: Apache 2.4 using a StartSSL cert, generating an ASN encoding error.
Issue:
AH02564: Failed to configure encrypted (?) private key <domain>.com:80:0, check /etc/pki/tls/certs/ssl.key
Some SSL issuers encrypt the SSL key files by default, so make sure to decrypt it on the server and point to it from the Virtual Host.
Simply echo the key file to make sure it is not encrypted.
Decrypt the key file for mod_ssl:
openssl rsa -in ssl.key -out ssl.key
For the SSL config in the Apache conf (httpd.conf), add the following configuration and restart Apache.
# SSL
<VirtualHost *:443>
    ServerName gajen.com
    SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key
    SSLCertificateFile /etc/pki/tls/certs/ssl.crt
    SSLCertificateChainFile /etc/pki/tls/certs/root.ca.pem
</VirtualHost>
For troubleshooting:
Debug Apache first: tail -n 50 /var/log/httpd/error_log
Debug mod_ssl: tail -n 50 /var/log/httpd/ssl_error_log
In my case I had the certificates mixed: SSLCertificateFile had the private_key and SSLCertificateKeyFile had the cert.
Leaving this here since it's the first Google search result for the error: this can also be caused when you install a new passphrase-protected certificate and just reload the apache configuration (rather than restarting apache completely). The reload itself will not throw any errors, but it also will not ask for your passphrase and is unable to decrypt the certificate.
It can be resolved by restarting apache completely, which will ask for the passphrase and allow you to decrypt.
Problem solved by recreating the *.key file and copy-pasting the content again.
Or you need to disable the old password auto-input first.
Comment out the rule, like:
#SSLPassPhraseDialog exec:/etc/ssl/passphrase-script
Recently, during an SSL installation in Apache 2.4, we faced the same error: 'asn1 encoding routines'.
We had placed all the files correctly and pointed to them correctly in the .conf file. After a day of troubleshooting, we realized the issue was not with the configuration after we got the certificate.
We created the Certificate Signing Request (CSR) using our vendor's built-in system. This allowed us to paste the key we created. The SSL certificate which the vendor returned was supposed to map to this CSR, which was mapped to our private key. Apparently it did not match. The SSL certificate they provided does not map to the CSR.
Possible reason:
The key-to-CSR transformation is wrong at the vendor side due to unix line endings (\n instead of \r\n) / encoding (ANSI/UTF8) / expected new lines.
We created the CSR ourselves using OpenSSL, bypassing the vendor's CSR generation. It worked. So, in our case, creating the key and corresponding CSR using OpenSSL and using that to generate the public SSL certificate worked.
OpenSSL Command
openssl req -new -sha256 -key ~/site.com.ssl/site.com.key -out ~/site.com.ssl/site.com.csr
I had this problem because I was sent the content of an IIS-style .p7b file pasted into an email. It has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, just like .pem, and the content uses a similar-looking base64 encoding. I converted it to a *.pem file like so:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
After that, Apache 2.2 was happy.
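Several of the answers in this thread (the AH02238 "key values mismatch", a CSR or PKCS#7 bundle in place of a certificate, an encrypted key behind SSLCertificateKeyFile, and swapped SSLCertificateFile/SSLCertificateKeyFile) come down to the wrong kind of PEM file behind a directive. The following check is added here and is not from any of the posts: it classifies each file by its PEM header and confirms that key and certificate carry the same public key before you restart Apache. It assumes openssl and POSIX shell tools; the script name checkpair.sh is hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not taken from any answer above: classify the PEM files
# named in SSLCertificateFile / SSLCertificateKeyFile and check that they are a
# matching pair before restarting Apache. Assumes openssl and POSIX tools only.
set -eu

# Print what a PEM file is, judged by its first "-----BEGIN ...-----" line.
# A CSR, an encrypted key or a PKCS#7 bundle in the wrong directive is what
# produces the "wrong tag", AH02564 and AH02238 errors in this thread.
# CRs are stripped first so a file with Windows line endings is still read.
pem_kind() {
  case "$(grep -m1 '^-----BEGIN ' "$1" 2>/dev/null | tr -d '\r')" in
    '-----BEGIN CERTIFICATE REQUEST-----')   echo csr ;;
    '-----BEGIN CERTIFICATE-----')           echo cert ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted-key ;;
    '-----BEGIN PKCS7-----')                 echo pkcs7 ;;
    '-----BEGIN '*'PRIVATE KEY-----')
      # legacy "RSA PRIVATE KEY" files mark encryption in a header line instead
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-key
      else echo key; fi ;;
    *) echo unknown ;;
  esac
}

# SHA-256 of the public key carried by a key file or a certificate, so the two
# can be compared (same idea as comparing RSA moduli, but not RSA-specific).
pub_fp() {
  case "$(pem_kind "$1")" in
    key)  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
    *)    return 1 ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s' "$pem" | openssl sha256
}

# Exit 0 only when key and certificate belong together.
pair_ok() {
  k=$(pub_fp "$1") && c=$(pub_fp "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

check() {
  for f in "$1" "$2"; do printf '%s: %s\n' "$f" "$(pem_kind "$f")"; done
  if pair_ok "$1" "$2"; then
    echo "key and certificate match"
  else
    echo "MISMATCH or wrong file type: fix before restarting Apache" >&2
    return 1
  fi
}

# usage: ./checkpair.sh /path/to/server.key /path/to/server.crt
if [ $# -eq 2 ]; then check "$1" "$2"; fi
```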
(Linux Solution) This was posted a long time ago, but I have another way to troubleshoot this problem: change the error logging to a more verbose mode by editing /etc/apache2.conf and finding this block:
#
# LogLevel: Control the severity of messages logged to the
# error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
and change LogLevel to something lower; I chose trace1. Then restart apache:
sudo service apache2 restart
I received the same error message but when I went to the error log in /var/log/apache2/error.log there were many more error messages to help troubleshoot the problem. I was able to determine I was pointing the key file descriptor to the wrong file.
Be sure to change the apache2.conf back to warn and restart the apache2 service after troubleshooting, to avoid your error.log file becoming too large.