Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error - ssl

I have configured SSL on my tomcat. I referred to the steps from the following site to configure SSL:
http://wiki.openbravo.com/wiki/How_To_Configure_SSL_For_Windows
I am using Win32 OpenSSL v0.9.8x Light installer and tomcat 7.0.22. But when I access https://server.ensarm.com:8843/ it gives the following error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I don't understand what could be the problem. :(

Check your Apache error log, see if it has a message similar to:
You configured HTTP(80) on the standard HTTPS(443) port!
This may indicate you have configured Apache to listen on port 443 while the SSLEngine is not on.
In httpd.conf only set ONE listen directive:
Listen *:80
Later in httpd.conf you should have something that looks like:
<IfModule ssl_module>
Include conf/httpd-ssl.conf
</IfModule>
In httpd-ssl.conf (or equivalent config file) make sure you have enabled the SSLEngine prior to the Listen directive:
SSLEngine on
Listen *:443
Restart Apache and you should be good to go.


Apache Can't get Virtual host apache to forward to another host on same machine. Almost there

Hello and thank you for reading.
I have a windows 2016 server running apache.
I am attempting to have a virtual host set up on one port (8080) and
have it automatically forward any and everything it sees to the main Apache host
(The not virtual instance? I'm unclear of the correct term to call it)
which lives on port 80
My configuration is below.
I show that the server is listening on both port 80 and 8080.
When I go to port 80. I get the default "It works" page
When I go to port 8080
I get the following error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at admin@example.com to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
I consult the log and I see the following message
[Thu Sep 24 07:29:16.128967 2020] [proxy:warn] [pid 4860:tid 1076] [client 192.168.50.160:64768] AH01144: No protocol handler was valid for the URL / (scheme 'https'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
I am attempting to do this without any SSL or encryption.
A copy of my configuration and loaded modules is listed below.
I have included only the parts of the base conf file that have been modified
What am I missing, or what should I try next to fix it?
Thank you community.
You're encountering this issue because SSL is not configured and you're trying to connect over HTTPS. As Eliezer stated, you need to create your key; to do so I use Let's Encrypt (certbot), but the choice is up to you (and I'm on Ubuntu).
Your ports.conf file should have some lines that look like this:
Listen 8080
<IfModule ssl_module>
Listen 443
</IfModule>
You also need to add a <VirtualHost *:443> ... </VirtualHost> block, with your configuration inside the tags, in your conf after adding 443 to the listened ports.
And then in your conf file you need to enable SSL:
ServerName domain.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
I would also advise to force redirection on https, once your SSL is configured with a rewrite rule:
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
This answer is based on an Apache config on Ubuntu, but I think you can work from it to your Windows Server Apache config.
It sounds like you're connecting to 192.168.50.160:8080 using https, not http. If you want to use HTTPS, you'll need to set up your :8080 VirtualHost to support it properly.
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04

Apache ProxyPass HTTPS and remote server with SNI

I'm wanting to front an AWS API Gateway URL with a reverse proxy in Apache. The reason is that a process requires a static IP to provision a service behind a strict firewall, and the current infrastructure already has mod_proxy in place. The solution I'm looking to implement is simply to route https->https(apiGateway) via mod_proxy.
But... AWS uses SNI and I cannot get mod_proxy to handshake.
I have the following settings enabled
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
SSLProxyEngine On
ProxyPass /api/1_0/ https://xxx.execute-api.eu-west-1.amazonaws.com/1_0/
ProxyPassReverse /api/1_0/ https://xxx.execute-api.eu-west-1.amazonaws.com/1_0/
The following logs are available in debug mode
proxy_util.c(2020): AH00942: HTTPS: has acquired connection for (xxx.execute-api.eu-west-1.amazonaws.com)
proxy_util.c(2610): AH00962: HTTPS: connection complete to 52.x.x.x:443 (xxx.execute-api.eu-west-1.amazonaws.com)
AH01964: Connection to child 0 established (server domain.com:443)
AH02003: SSL Proxy connect failed
SSL Library Error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
AH01998: Connection closed to child 0 with abortive shutdown (server domain.com:443)
AH01997: SSL handshake failed: sending 502
If I connect using openssl, I can demonstrate a similar error
openssl s_client -tls1_2 -connect xxx.execute-api.eu-west-1.amazonaws.com:443
CONNECTED(00000003)
140735866254216:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1494:SSL alert number 40
140735866254216:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
Adding -servername for SNI results in a valid connection:
SSL handshake has read 3601 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
...
I therefore believe that mod_proxy and mod_ssl are not sending the servername to the remote https server and could be a bug.
I am running Ubuntu 14.04 with
Server version: Apache/2.4.7 (Ubuntu)
Server built: Sep 18 2017 16:37:54
OpenSSL 1.0.1f 6 Jan 2014
I have attempted to limit the SSLProxyProtocol to TLS1_2 and the cipher list too however the sslv3 alert handshake failure log still exists regardless.
Has anyone come across this and know how to ensure that the SNI values are being sent, or is this a restriction in the Apache modules?
This is due to ProxyPreserveHost On being set early in the configuration.
Setting ProxyPreserveHost Off under a proxy tag completes as expected:
<Proxy "https://xxx.execute-api.eu-west-1.amazonaws.com/1_0">
ProxyAddHeaders off
ProxyPreserveHost off
</Proxy>
Info on the directive:
When enabled, this option will pass the Host: line from the incoming
request to the proxied host, instead of the hostname specified in the
ProxyPass line.
This option should normally be turned Off. It is mostly useful in
special configurations like proxied mass name-based virtual hosting,
where the original Host header needs to be evaluated by the backend
server.
The answer above helped us. For the sake of "googling" it I would like to add the following scenario as well:
We use a cloud WAF in front of one of our services. Another service needs to forward specific queries to this host and pass through the WAF.
The working configuration looks like this:
<Proxy "balancer://qwertz">
ProxyPreserveHost off
BalancerMember "https://somehost.somewhere.de:443"
</Proxy>
ProxyPass "/special/webservices/" "balancer://qwertz/special/webservices/"
ProxyPassReverse "/special/webservices/" "balancer://qwertz/special/webservices/"
Apache is configured as a reverse proxy and runs inside a Docker container.
Note that the balancer has only one host, thus no balancing is done.
Before this answer we were getting SSL errors like:
Error during SSL Handshake with remote server returned by...
pass request body failed to...
or
server certificate does NOT include an ID which matches the server name
Like AWS the Cloud WAF also requires SNI.
Hope this post makes this answer more visible (or findable) to someone else.
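Both answers above come down to the same wire-level detail: the name mod_proxy puts in the SNI extension of the ClientHello it sends to the backend (with ProxyPreserveHost On that is the client's Host header, with it Off the hostname from ProxyPass or BalancerMember), and the backend rejects the handshake when that name is not one it serves. The script below is an added example, not code from either answer or from Apache: it uses Python's own ssl module to start a handshake toward a throwaway local listener, captures the raw ClientHello, and pulls the server_name out of it. The same extract_sni() can be pointed at ClientHello bytes exported from a capture taken between your proxy and the backend to confirm what SNI was really sent. The hostname api.example.test and the local listener are constructed for the demonstration.

```python
import socket
import ssl
import struct
import threading


def capture_client_hello(server_hostname):
    """Drive Python's ssl module to open a handshake toward a throwaway local listener and return the
    raw ClientHello record it sends. The listener never answers, so the handshake fails on purpose."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    captured = {}

    def collect():
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(5)
            header = conn.recv(5, socket.MSG_WAITALL)              # record header: type(1) version(2) length(2)
            (length,) = struct.unpack("!H", header[3:5])
            captured["hello"] = header + conn.recv(length, socket.MSG_WAITALL)

    worker = threading.Thread(target=collect)
    worker.start()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # nothing is being validated here; we only watch the wire
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", listener.getsockname()[1]))
    try:
        ctx.wrap_socket(raw, server_hostname=server_hostname)      # sends ClientHello, then fails on the peer's close
    except OSError:
        pass                                                       # ssl.SSLError is an OSError subclass
    finally:
        raw.close()
    worker.join()
    listener.close()
    return captured["hello"]


def extract_sni(record):
    """Parse a TLS record carrying a ClientHello and return its server_name, or None if no SNI extension is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hello = record[9:]                    # skip record header (5) + handshake type (1) + 3-byte handshake length
    pos = 2 + 32                          # client_version, random
    pos += 1 + hello[pos]                 # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                 # compression_methods
    if pos >= len(hello):
        return None                       # hello without an extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == 0:                 # server_name: list_len(2) name_type(1) name_len(2) name
            name_type = hello[pos + 2]
            (name_len,) = struct.unpack("!H", hello[pos + 3:pos + 5])
            if name_type == 0:            # host_name
                return hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    for name in ("api.example.test", None):      # hostname constructed for the demo
        print("server_hostname=%r -> SNI on the wire: %r" % (name, extract_sni(capture_client_hello(name))))
```

Run stand-alone it prints the SNI once with the name set and None without it. Against a real proxy, capture the connection to the backend and feed the first record to extract_sni(): with ProxyPreserveHost On you should expect the front-end's own name there, which is exactly the value the API Gateway or WAF answers with alert 40.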

SSL issue with Apache httpd reverse proxy scheme

Apologies this question is a mix of Chef and Apache-httpd, but ultimately I believe it's an Apache-httpd configuration issue.
I have a Chef client/node happily hitting a Chef Server w/ SSL.
Chef client/node - /etc/chef/client.rb
chef_server_url 'https://chefserverhostname/organizations/myOrg'
ssl_verify_mode :verify_peer
I'm trying to put a proxy in front of the Chef Server so I can re-point down the road if needed. Apache-httpd is installed fine (on the same box as Chef Server), all firewall and iptables are consistent with my below configuration.
Chef Server - /etc/httpd/conf/httpd.conf
Listen 8443
<VirtualHost *:8443>
ServerAdmin me@email
ServerName chefserverhostname
ServerAlias CDS-PROXY
ProxyPass / https://chefserverhostname:443/
ProxyPassReverse / https://chefserverhostname:443/
RewriteEngine On
</VirtualHost>
I reconfigure the Chef client/node's client.rb to point to https://chefserverhostname:8443/organizations/myOrg, and hope to have the request pass through the proxy. ChefServer/nginx is listening on 443 and I'm assuming that it's taking care of the SSL decrypt, and 8443 is just the 'pass-through'. But when I fire up my Chef client/node I'm getting an SSL error message:
ERROR: SSL Validation failure connecting to host: chefserverhostname - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
You are using HTTPS but your vhost does not have any configuration to enable mod_ssl or another TLS option. As such, you should be using http://hostname:8443, but this is very much not recommended.
Chef Server is an appliance at heart and this kind of extra proxy layer is possible but not how things are intended to operate. You should just use the default setup which already includes a fronting nginx proxy for Erchef and friends.
You can check this recipe, https://github.com/chef-cookbooks/httpd, and configure Apache SSL and the additional modules properly.
To me it is also not OK to drop the SSL connection on the Chef server, based on your current setup.
Since you have nginx on your machine, you can extend the configuration there to support a reverse proxy. Later on, if you remove chefserver/nginx from this machine and want to leave only the proxy, install a new nginx and apply the same proxy configuration.
I would rather drop Apache from your setup.

Apache SSL error - Unable to configure server certificate for stapling

I'm trying to configure SSL on apache2 with a GeoTrust SSL certificate. I have the private key file, the certificate and the bundle certificate.
This is the virtualhost config:
http://pastebin.com/38ygh8W1
The apache gives me error:
AH02235: Unable to configure server certificate for stapling
The https gives time out for the 443 port.
I read a lot of info for this topic but im not sure what to do anymore.
Any suggestions?
This seems to be a bug where the fix still hasn't made its way to the latest environments. I have the same problem. Here's my environment:
Server version: Apache/2.4.41
OS: Ubuntu 18.04
As a workaround, you can edit ports.conf so that the last listen directive is for a non-SSL port, i.e. Listen 80. Here's the whole file:
<IfModule ssl_module>
Listen 443 https
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
Listen 80
And the problem is gone.

Apache fresh installation ssl

I've installed Apache on CentOS and have not enabled SSL, and yet I get the following error.
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please. Hint:
https://192.168.1.50/ Apache/2.2.15 (CentOS) Server at 192.168.1.50
Port 443
The page I was testing it is a simple html page.
I did not make many changes to the freshly installed Apache. The only things I edited are the IPTABLES config file, to allow LAN access on port 80, and the httpd.conf file, to change the document root.
I've installed Apache before(on Fedora), but didn't have this problem.
Thank you.
I managed to find the problem. I found an ssl.conf file that contains all of the SSL configuration lines. SSL was enabled by default, it's weird. It is located in /etc/httpd/conf.d/ and a simple
<VirtualHost _default_:443>
SSLEngine off
</VirtualHost>
did the trick.
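Three of the errors on this page are one mismatch seen from different sides: the Tomcat question's Error 107 (net::ERR_SSL_PROTOCOL_ERROR), the Chef client's "read server hello A: unknown protocol" on port 8443, and the CentOS "You're speaking plain HTTP to an SSL-enabled server port" page all mean that one end spoke TLS on a port where the other end spoke plain HTTP. The TLS client's error text hides what actually came back, so the script below, an added example and not code from any of the posts, sends either a hand-built ClientHello or a plain GET to a port and classifies the first bytes of the reply (TLS handshake, TLS alert with its description, or an HTTP status line). It includes a constructed local stand-in for a vhost that has no SSLEngine so it runs offline; the host name example.test and the local server are assumptions for the demonstration, and the cipher suites and extensions in the ClientHello are a minimal set chosen here, not anything the posts specify.

```python
import os
import socket
import struct
import threading

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error", 112: "unrecognized_name"}


def build_client_hello(server_name=None):
    """Hand-built minimal TLS 1.2 ClientHello: two common cipher suites plus the extensions a TLS 1.2
    server needs to pick one, and a server_name (SNI) extension when server_name is given."""
    exts = b""
    if server_name:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0), length, name
        sni_list = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    exts += struct.pack("!HHH", 10, 6, 4) + b"\x00\x17\x00\x1d"           # supported_groups: secp256r1, x25519
    exts += struct.pack("!HHH", 13, 8, 6) + b"\x04\x01\x04\x03\x08\x04"   # signature_algorithms: rsa/ecdsa sha256, rsa-pss
    body = (b"\x03\x03" + os.urandom(32)                                  # client_version TLS 1.2, 32-byte random
            + b"\x00"                                                     # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"                  # ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256
            + b"\x01\x00"                                                 # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, legacy version TLS 1.0


def classify_reply(data):
    """Name the protocol behind the first bytes a server sent back: the answer to 'what is really on that port'."""
    if not data:
        return "no reply (connection closed or timed out)"
    if data[0] == 0x16 and data[1] == 0x03:
        return "TLS handshake record: the port speaks TLS"
    if data[0] == 0x15 and data[1] == 0x03 and len(data) >= 7:
        desc = data[6]                                                    # alert level is data[5], description data[6]
        return "TLS alert %d (%s)" % (desc, ALERT_NAMES.get(desc, "other"))
    if data.startswith(b"HTTP/"):
        status = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        if b"plain HTTP to an SSL-enabled" in data:                       # Apache's hint page when a TLS port gets a plain GET
            return "TLS port (Apache answered a plaintext request with its 'speaking plain HTTP' page): " + status
        return "plain HTTP reply: " + status
    return "unrecognised reply: " + data[:8].hex()


def probe(host, port, speak_tls, server_name=None, timeout=5.0):
    """Connect, send either a ClientHello (what an HTTPS client does) or a plain GET (what http:// does),
    and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if speak_tls:
            sock.sendall(build_client_hello(server_name))
        else:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        try:
            data = sock.recv(4096)
        except OSError:                                                   # timeout or reset: treat as no reply
            data = b""
    return classify_reply(data)


HTTP_400 = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
            b"<h1>Bad Request</h1>Your browser sent a request that this server could not understand.\r\n")


def start_plain_http_server():
    """Constructed stand-in for a vhost without SSLEngine: whatever arrives, answer with a 400 and hang up.
    Returns the listening socket (close it to stop) and its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:                                               # listener closed: stop serving
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)                                       # swallow the ClientHello or the GET
                    conn.sendall(HTTP_400)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    listener, port = start_plain_http_server()
    print("TLS ClientHello to a plain port ->", probe("127.0.0.1", port, speak_tls=True, server_name="example.test"))
    print("plain GET to a plain port       ->", probe("127.0.0.1", port, speak_tls=False))
    listener.close()
```

Against the local stand-in both probes report a plain HTTP 400, which is the reply that the Chef client and Chrome turned into "unknown protocol" and Error 107 respectively. Against a real TLS port the ClientHello probe reports a handshake record, or an alert whose description (40 handshake_failure, 112 unrecognized_name) is the same number openssl s_client prints, and the plain GET probe reports Apache's "speaking plain HTTP" page, the CentOS case above.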