I am new to https ( HTTP using SSL). I have managed to generate a self signed certificate file and have added the following lines to the apache conf file:
SSLEngine on
SSLCertificateFile /path/to/cert/file/myfile.crt
SSLCertificateKeyFile /path/to/key/file/myfile.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
The issue I am having is that when I try to restart my server I get the following error and am confused why it is not able to read it:
Starting web server apache2
Syntax error on line 1 of /path/to/cert/file/myfile.crt:
Invalid command 'MIIDtTCCAx6gAwIBAgIJAOnu0fcwBt1BMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD', perhaps misspelled or defined by a module not included in the server configuration
...fail!
Any ideas?
Maybe it tries to interpret the certificate file as a script. Is the crt file executable?
man this is outdated.. well i guess you should start from the beginning with a good howto. just google apache2 ssl howto.
propably apache has no ssl module loaded.
on debian you could try apache2ctl -M to list all loaded modules.
Related
I've been having problems attempting to implement a reverse SSL proxy on Apache for an HTTP application on Ubuntu 14.04. As a baseline, the application works fine when I access it via port 8000 in the browser normally. For all intents and purposes, let's say the IP of my app is 192.141.56.11 (I do not have a domain name yet). The application runs with HTTP Basic Auth, I don't know if it's relevant. Basically I'm fishing for some glaring error here and would be grateful if you could help me out. Here is a log of my process:
I created my SSL cert and key and put them in the following locations:
/etc/apache/ssl/apache.crt (I performed chmod 644 here)
/etc/apache/ssl/apache.key (I performed chmod 400 here)
I then installed:
apt-get install apache2
a2enmod proxy
a2enmod ssl
a2enmod proxy_http
I then disabled the default config with:
a2dissite 000-default
I created the file "/etc/apache2/sites-available/redirect.conf"
I then created the file "/etc/apache2/sites-available/redirect.conf" and copied the text below:
<VirtualHost *:80>
Redirect "/" "https://192.141.56.11"
</VirtualHost>
After, I created the file "/etc/apache2/sites-available/reverse_proxy.conf" and copied below:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache/ssl/apache.crt
SSLCertificateKeyFile /etc/apache/ssl/apache.key
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
and did:
service apache2 restart
I now attempt to access the UI of the application on another machine in the Chrome browser. When trying:
https://192.141.56.11
I get a general SSL connection error.
However, trying
http://192.141.56.11:8000
gives me the application, as if none of my config changed anything. However,
192.141.56.11:80
gives me an "Index Of" page with an html folder that says "Apache/2.4.7 (Ubuntu) Server at 192.141.56.11 Port 80"
192.141.56.11:443
gives me the same result except with "Apache/2.4.7 (Ubuntu) Server at 192.141.56.11 Port 443"
I've tried all manners of configurations but can't get what I want -- any ideas here?
EDIT: I tried https[:]//192.141.56.11 and got a more specific SSL error:
received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
EDIT2: After running apache, I get this warning;
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
I suppose this is fine as I am using an IP and not a domain name.
EDIT3: It turns out I needed to do:
a2ensite reverse_proxy.conf.
Now https[:]//192.141.56.11 works but defaults to an apache page. working on this.
EDIT4: I had to do
a2dissite default-ssl.conf
Now It actually redirects to the app on https[:]//192.141.56.11!! But I can still access the app via port 8000, which is bad {still working on}
EDIT5: IN the end, I couldn't figure out how to block access to the original app via port 8000 on Apache. Instead, I just implemented iptables on the server so that it can only be accessed via HTTPS. This is probably not the correct method. but all I could think of.
I am trying to set up SSL for my website. In my Apache website hosts file I am using:
SSLEngine On
SSLCertificateFile /etc/ssl/localcerts/www.website.com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/www.website.com.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/ssl/localcerts/ca-client.pem
I am getting this error message when restarting Apache:
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 25 of /etc/apache2/sites-enabled/website.com.conf:
SSLCACertificateFile takes one argument, SSL CA Certificate file ('/path/to/file' - PEM encoded)
Action 'configtest' failed.
The Apache error log may have more information.
If I comment out the SSLCACertifcateFile lines, the website works perfectly. As expected the SSL is "Not Trusted" without the CACertificate.
How can I debug this to figure out why I can't include the SSLCACertificateFile? What does the error mean?
You say your 'hosts' file had the SSLCACertificateFile line, maybe that is the problem? Move it to your virtual website config file (/etc/apache2/sites-available/yourwebsite.com.conf) or to your default config file if that's what you're using (same directory but default.conf or 000-default.conf)
I'm not exactly sure what your problem is, but for me I had a comment after the SSLCACertificateFile line in my site conf.
I am using debian 8.5
nano /etc/apache2/sites-available/yourwebsite.com.conf
I had a comment after it, like so
SSLCACertificateFile /etc/ssl/certs/ca.pem #comment
I removed it and it worked again
SSLCACertificateFile /etc/ssl/certs/ca.pem
Also be sure you have a TAB after SSLCACertificateFile, instead of a space.
Another thought would be, are you using service apache2 reload or service apache2 restart...? I'd suggest giving restart a try and see (if it's reload that isn't working).
This error may also happen on Windows Apache installations if folder to .pem or .crt file contains whitespaces.
Instead of:
SSLCertificateFile C:\Users\John Doe\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\example.org-crt.pem
Use quotes:
SSLCertificateFile "C:\Users\John Doe\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\example.org-crt.pem"
I am trying to set ssl on local host i have follwed the http://madurad.wordpress.com/2014/04/25/redirect-http-to-https-with-wamp-server/ and many others but unable to get success. i stuck in the syntax of httpd-ssl.conf. my apache server get down when i set the
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
SSLOptions +StdEnvVars
</Directory>
i have tried many others like
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
</Directory>
what is issue not able to get....
How to Configure WAMPServer to use HTTPS SSL
This is not a trivial process. This tutorial will, hopefully, get SSL working for you.
However getting it configured correctly once it is working is TOTALLY DOWN TO YOU.
Additional reading for all who travel this road
Ok,
I have based this tutorial on the creation of a site called www.wamphelpers.dev So whereever you see that name change it to the site name you are trying to secure.
I started by creating a unsecured site, in \wamp\www\wamphelpers
added a Virtual Host for that site, in \wamp\bin\apache\apache{version}\conf\extra\httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "c:/wamp/www"
ServerName localhost
ServerAlias localhost
<Directory "c:/wamp/www">
AllowOverride All
Require local
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev
ServerAlias www.wamphelpers.dev
<Directory "c:/wamp/www/wamphelpers">
AllowOverride All
Require local
</Directory>
</VirtualHost>
Added its domainname to the C:\windows\system32\drivers\etc\hosts
Some virus checkers block access to the HOSTS file so you may need to disable your virus checker, or configure it not to block the hosts file temporarily.
127.0.0.1 wamphelpers.dev www.wamphelpers.dev
::1 wamphelpers.dev www.wamphelpers.dev
Now restart the dnscache as follows from a command windows launched using 'Run as Administrator'
ipconfig /flushdns
Then created a simple script in \wamp\www\wamphelpers\index.php
<?php
echo 'Hello, this is the WAMPHELPERS.DEV site homepage';
?>
Now to activate the new Virtual Hosts you have defined, edit \wamp\bin\apache\apache{version}\conf\httpd.conf and find this line
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
and remove the # comment character like so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
Save the file.
Now restart Apache and make sure that your simple unsecured Virtually Hosted site is working before continuing.
The openssl toolkit.
The openssl.exe, ssleay32.dll and libeay32.dll come with, and are located in, the C:\wamp\bin\apache\apachex.y.z\bin folder
This should be all you need to create your self signed certificate !!
HOWEVER: These did not work for me on any of the versions of Apache that I had installed.
I always got this error message.
Where the ordinal number changed depending on the apache version folder I was in.
If you get this error dont worry this is what you need to do.
install the latest version of the OPENSSL TOOLKIT
This can be obtained from here
NOTE: Dont use the V1.1 version yet, the PHP team have not yet compiled PHP with these new linkages, so stick to the V1.0.? versions until they do.
Pick the Latest version of 'Win32 OpenSSLv xxx Light' or 'Win64 OpenSSLv xxx Light' to match your installed version of WAMPServer, as this is all you need.
This will download an .exe file which you can run to install this toolkit.
It will ask the following question, I suggest you answer it like this so you dont end up installing something into C:\windows\system32.
Afterall this is a toolkit and it changes reasonably often. Best to keep these things seperate and not make them system global.
Once that is installed ( to whichever folder you specified in the install )you should be ready to start the process of generating keys and certificates!
Generate keys and Certificates.
STEP 1: Generate an RSA Private Key
First we need to create ourselves a certificate.
The normal (paid for) process is to create your certificate and then pass it to a signing authority.
This is why it costs money, as they have to do, due dilligence, to check that you are who you say you are and that site that you will use the certificate on is real and legitimate.
The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request) to be used for our Certificate.
The first step is to create your RSA Private Key.
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
Open up a Command window (Dos box) using [b]Run as Administrator[/b]
Change Directory to where you installed the OpenSSL Toolkit above.
In my case this is
CD c:\apps\OpenSSL-Win32\bin
Make a folder for the output to be put in ( to keep the bin folder tidy ) I used website
md website
Now enter this command:
openssl genrsa -out website\server.key 2048
This should have created a file in the website folder called server.key, without a pass phrase key, check it exists.
Step 2: Generate a CSR (Certificate Signing Request)
During the generation of the CSR, you will be prompted for several pieces of information.
These are the X.509 attributes of the certificate.
One of the prompts will be for "Common Name (e.g. server FQDN or YOUR name) []:".
It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
So if the website to be protected will be https://www.wamphelpers.dev, then enter www.wampheplers.dev at this prompt. I used wamphelper.dev as my ServerName is ServerName wamphelpers.dev
Do not enter anything to the question: A challenge password []:] Just press Enter.
If you do enter a passphrase here when you come to start Apache with SSL configured Apache will not start and will give this error message :-
[error] Init: SSLPassPhraseDialog builtin is not supported on Win32
Basically if you do enter a passphrase Apache is supposed to challenge you for that passphrase each time it starts.
This is obviously not going to make your life any easier but primarily on windows it does not actually work and will
cause Apache to crash when it attempts to ask for the passphrase, with the above error.
The command to generate the CSR is as follows:
openssl req -new -key website\server.key -out website\server.csr
Example question and answers:
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]: Hampshire
Locality Name (eg, city) []: Portsmouth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Wamp Helpers Ltd
Organizational Unit Name (eg, section) []: Information Technology
Common Name (e.g. server FQDN or YOUR name) []: wamphelpers.dev
Email Address []: me#wamphelpers.dev
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ( leave blank just hit the enter key )
An optional company name []: ( leave blank just hit the enter key )
Step 3: Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate because
you either don't plan on having your certificate signed by a CA, or you wish to test
your new SSL implementation while the CA is signing your certificate.
PRE - WARNING
This certificate will generate an error in the client browser to the effect that
the signing certificate authority is unknown and not trusted.
This is unavoidable as we are signing the certificate ourselves, but of course the web of trust does not know who we are.
See example later in this document showing how to tell your browser that you actually trust this certificate
openssl x509 -req -days 365 -in website\server.csr -signkey website\server.key -out website\server.crt
Example output:
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Hampshire/L=Portsmouth/O=WampHelpers Ltd/OU=Information Technology/CN=www.wamphelpers.dev/emailAddress=riggsfolly#wamphelpers.dev
Getting Private key
Step 4: Installing the Private Key and Certificate
Create these 2 directories under the version of Apache you are using.
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
And copy the file we have just generated into them like so:
copy website\server.crt c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
copy website\server.key c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
Step 5: Configure Apache to activate SSL
Edit httpd.conf, Check that this line is uncommented
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Remove the comment '#' from this line also
Include conf/extra/httpd-ssl.conf
Then move that line after this block .... like so
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Step 6: Configure PHP to activate SSL
Edit your php.ini ( use the wampmanager menus so you edit the correct one )
Remove the comment ';' from this line
extension=php_openssl.dll
Step 7: Configure your secure sites Virtual Host
Yup for all you Virtual Host nay sayers, now you cannot avoid the process.
Edit \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf
This file is released by Apache and contains some default file location.
We can leave most of this file as it is, but we need to configure the virtual host in here to match our actual sites location and a few other things so:
find these lines
DocumentRoot "c:/Apache2/htdocs"
ServerName www.example.com:443
ServerAdmin admin#example.com
ErrorLog "c:/Apache2/logs/error.log"
TransferLog "c:/Apache2/logs/access.log"
and change them to
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev:443
ErrorLog "c:/wamp/logs/ssl_error.log"
TransferLog "c:/wamp/logs/ssl_access.log"
Find
SSLCertificateFile "c:/Apache2/conf/server.crt"
and change to
SSLCertificateFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.crt/server.crt"
Find
SSLCertificateKeyFile "c:/Apache2/conf/server.key"
and change to
SSLCertificateKeyFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.key/server.key"
Find
<Directory "c:/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
and change to
Apache 2.2 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 localhost ::1
</Directory>
Apache 2.4 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
Find
SSLSessionCache "shmcb:c:/Apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
and change it to
SSLSessionCache "shmcb:c:/wamp/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Find
CustomLog "c:/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
and change to
CustomLog "c:/wamp/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Basically look through the conf file and any command that is not commented out, but has a reference to a file or folder
should be changed to reference the WAMPServer folder structure and not 'C:/Apache2....'
Now make sure all these files we have changed are saved, and restart Apache using the wampmanager menus.
First test that the unprotected site is still working.
Then try using your new protected site by adding the 'https://' to the front of the domain name
i.e. https://www.wamphelpers.dev without the single quotes of course.
If Apache does not restart you have probably spelt something wrong. Test the configs like so :-
Open a command window
cd \wamp\bin\apache\apachex.y.z\bin
httpd -t
This will parse all the config files and should give you a file name and a line number where an error has been found.
Fix it and try again.
First access to your site will generate a message page something like this.
This is using FireFox, others will be slightly different, but the concept it the same.
This is because your certificate is not signed by a trusted authority, DONT PANIC, this is supposed to happen.
Click on, 'I Understand the risk' and that will show you a button saying 'Add Exception'
Press the Add Exception button, after checking that the certificates site details are in fact yours,
and you will not see this message again unless you clear the exception list.
BIG NOTE
As of Apache v2.2.12 and OpenSSL v0.9.8j it is now possible to secure more than one site per Apache instance.
This tutorial does not cover that process.
See here for more details:
Here
and Here
and Here
And like I said at the top, now you need to do some reseach on all the options available in the SSL config and make thing work as you want rather than using the default.
It is necessary activate the module LoadModule socache_shmcb_module modules/mod_socache_shmcb.so in the file httpd.conf in wampserver 2.5. If not apache throws the next message:
AH00526: Syntax error on line 75 of C:/wamp/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
If you have the error something like this:
Cannot load modules/mod_ssl.so into server: The specified module could
not be found.
You may want to try to searching libeay32.dll in your wamp folder, you probably find it in {wamp folder}/bin/php/php{version 7}/
Copy libeay32.dll and ssleay32.dll and paste them into {wamp folder}/bin/apache/apache{version 2.x}/bin/ AND {wamp folder}/bin/php/php{verion 5.x}. MAKE SURE you backup anything you are placing.
run httpd -t and test the syntax
NOTE: I believe it is due to the mistake in apache openssl part for wamp 3.0.6. Fortunately in php7 folder those dlls are compatible for the apache and php5.
#RiggsFolly:
some small errors/typos/additions in your tutorial. Below is used in combination with WAMPServer 2.5 64bits (Apache 2.4.9 and PHP 5.5.12) on Windows 7 SP1 64bits:
-httpd-vhosts.conf is located in extra/httpd-vhosts.conf
-when you try to edit your hosts file be sure to disable any virusscanner. Some of them block access to hosts file.
-be sure to open your texteditor as administrator when editing your hosts file or else you get an error trying to save.
-don't forget to remove # at the beginning of the host line if any
-if you use WAMPServer 64bit be sure to download the 64bit version of OpenSSL
-the step openssl genrsa -out website\server.key 2048
creates a server.key file and not a privkey.pem!
-file \wamp\bin\apache\apachex.y.z\conf\httpd-ssl.conf is located at \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf (maybe this depends on the WAMPServer version)
-I had to use different ports for http (80->8080) and https(443->444) as these ports where used by I think Skype. When you use different ports be sure to use these everywhere you see 80 or 443 in this tutorial
-I also had to enable socache_shmcb_module. The "httpd -t" also mentioned this.
#RiggsFolly: Self-signed certificate with key could be easily generated for example here... http://www.selfsignedcertificate.com/, so I could start the tutorial from step 4 (I also had standard :80 virtual server running).
Anyways some mentioned things were already enabled in default WAMP installation (I guess it changes from version to version), but the rest helped me a lot. And actually one thing was missing... I also had to uncomment the following line in "httpd.conf"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
If you have the error :
Cannot load modules/mod_ssl.so into server: The operating system
cannot run %1
Then you have to :
Install Win32 OpenSSL here http://slproweb.com/products/Win32OpenSSL.html
Copy / paste libeay32.dll, ssleay32.dll into your wamp php bin folder (C:\wamp64\bin\php\php5.6.19)
Restart apache
Note: Tested on Wamp server 3
Before all:
1).Shutdown WAMP and proceed to C:\wamp\scripts\config.inc.php move from array libeay32.dll,ssleay32.dll, lines 133,139
2).Install OpenSSL from official site,pay attention on version of the your OS x64 or not.
Command prompt:
3).cd C:\wamp\bin\apache\apache2.4.23\bin
4). openssl req -new > localhost.csr
5). openssl rsa -in privkey.pem -out localhost.key
6). openssl x509 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 365 -sha256 -extfile v3.ext
Update: from Chrome 58 we will need to provide Subject Alternative Name.
This name we can obtain from extension file v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = 127.0.0.1
DNS.2 = localhost
Very important in Common Name to insert 'localhost'
7).Grab localhost.key and localhost.crt and put them to C:\wamp\bin\apache\apache2.4.23\conf\key (sure,before create appropriate directory)
Configuration:
8).enable in C:\wamp\bin\apache\apache2.4.23\bin\php.ini and
C:\wamp\bin\php\php5.6.25\php.ini extension=php_openssl.dll
9).proceed to C:\wamp\bin\apache\apache2.4.23\conf\httpd.conf and uncomment:
LoadModule ssl_module modules/mod_ssl.so,
Include conf/extra/httpd-ssl.conf,
Include conf/extra/httpd-vhosts.conf,
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
10). proceed to C:\wamp\bin\apache\apache2.4.23\conf\extra\httpd-ssl.conf
and make changes :
SSLSessionCache "shmcb:c:/wamp/bin/apache/apache2.4.23/logs/ssl_scache(512000)" ,
SSLSessionCacheTimeout 300,
VirtualHost _default_:443,
DocumentRoot "c:/wamp/www/",
ServerName localhost:443,
ErrorLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_error.log"
, (create file if not exists)
TransferLog "c:/wamp/bin/apache/apache2.4.23/logs/access.log",
SSLCertificateFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.crt",
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.key",
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
,
CustomLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_request.log"
Certificate handling:
11).press Win+R and insert 'certmgr.msc',import servercert.crt into 'Trusted Root Certificated Authorities'
12). Check your server in command prompt 'httpd -t' should be 'Syntax OK'
13). Launch Wamp and proceed to link https://localhost
I am hope this will help
Note: please read this article about Mozilla behavior :
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu.
I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication not only between browser and apache2 but also between apache2 and tomcat7, thus I set SSL on both apache2 and tomcat7.
If I try to access the web app by directly contacting tomcat7, everything is fine.
The problem is that when I try to access the tomcat's web app through apache2 (reverse proxy), on the browser appears the error:
Proxy Error
The proxy server could not handle the request GET /web_app.
Reason: Error during SSL Handshake with remote server
The comment by MK pointed me in the right direction.
In the case of Apache 2.4 and up, there are different defaults and a new directive.
I am running Apache 2.4.6, and I had to add the following directives to get it working:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
I have 2 servers setup on docker, reverse proxy & web server.
This error started happening for all my websites all of a sudden after 1 year.
When setting up earlier, I generated a self signed certificate on the web server.
So, I had to generate the SSL certificate again and it started working...
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key -out ssl.crt
On a remote OEL (Oracle Enterprise Linux) 7.8 server, i have a backend web application running with HTTPS/8009. As its a third party app, I did not have choice to disable SSL or change port.
As i needed to access the web app from my local machine's browser, i thought of setting up a reverse proxy (HTTP to HTTPS mapping) using Apache httpd. Now i can access the web app from my local browser through below URL:
http://10.157.146.97:1234/
FYI, CURL commands working inside the Linux Machine were below ones:
curl http://10.157.146.97:1234/
curl -k https://localhost:8009/
Here is my reverse proxy setup :
/etc/httpd/conf/httpd.conf
Listen 1234
<VirtualHost *:1234>
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPass / https://localhost:8009/
ProxyPassReverse / https://localhost:8009/
</VirtualHost>
One aspect i struggled a lot, earlier i was trying with url pattern (/sample) in ProxyPass/ProxyPassReverse but that was causing HTTP 404 (not found) for css/js files as web-app's welcome page contains indirect css/js paths (sample code below). So replacing url pattern (/sample) with (/) solved that problem too.
previous Not working config:
ProxyPass /sample https://localhost:8009/
ProxyPassReverse /sample https://localhost:8009/
<script defer src="abc.js"></script><link href="xyz.css" rel="stylesheet"></head>
Faced the same problem as OP:
Tomcat returned response when accessing directly via SOAP UI
Didn't load html files
When used Apache properties mentioned by the previous answer, web-page appeared but AngularJS couldn't get HTTP response
Tomcat SSL certificate was expired while a browser showed it as secure - Apache certificate was far from expiration. Updating Tomcat KeyStore file solved the problem.
Here is my variation on this theme, inspired by this Git gist. The server is a Docker container with an internal self-signed SSL certificate, reachable at https://localhost:8443. Proxied to server.example.org:443. Relevant config details:
<VirtualHost AAA.BBB.CCC.DDD:443>
ServerName server.example.org
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# These settings are definitely needed
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# These may not be needed, depending on proxied application
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto https
ProxyPass "/" "https://localhost:8443/"
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "wss://localhost:8443/$1" [P,L]
ProxyPassReverse "/" "https://localhost:8443/"
</VirtualHost>
The section between SSLEngine On and RequestHeader... I put together via Googling and trial and error. Maybe some of these settings are not needed, YMMV.
Note: the RewriteRule with "wss" was needed because the server uses secure websockets.
Platform: Ubuntu 20.04.3 LTS, Apache 2.4.41.
My problem was having one Apache server behind another and having mismatched certificates on each server.
It took me a while to realise that
SSLCertificateFile
and
SSLCertificateKeyFile
were pointing to files with the same names on each server, but that the first first server had an updated certificate and private key compared with the second one, so the content of the files was different.
Note that the error might also occur when your system have TLSv1 disabled. Like e.g Ubuntu 20.x have TLSv1.0 disabled by default. For example if you have something like this:
Apache 2.4.41 on Ubutntu20 (proxy) --[https]--> old Apache serving TLS v1.0
SSLProxyVerify etc will not help you.
What you need to do is to enable TLS 1.0 in openssl.conf. At least until you can update the old server 🙊...
Enabling old TLS on Ubuntu
So in Ubuntu 20.04.3 TLS to effectively enable TLSv1 change /etc/ssl/openssl.cnf. At the top of the file (before any sections) add:
# Added to enable TLS1.0
openssl_conf = default_conf
And on the very end of the file
##
# Added to enable TLS1.0
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT#SECLEVEL=1
##
Comments are obviously not required 😉, but will help when you want to disable TLS1 again.
Once you restart / reboot everything should work fine.
Note that this is a global (system-wide) change. So it is not ideal, but it just works. See also: more notes about Ubuntu and default TLS versions.
If the host of your apache proxy
is different from the host
of the proxy target (or its sni name),
set -
ProxyPreserveHost Off
I have an EC2 instance on AWS, with Apache server.
I purchased an SSL certificate from Comodo and installed the following files in /etc/pki/tls/private/:
server.ca-bundle server.crt server.key
I also added the following lines to /etc/httpd/conf/httpd.conf:
<VirtualHost www.mydomain.com:443>
ServerName www.mydomain.com
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/pki/tls/private/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/private/server.ca-bundle
</VirtualHost>
and restarted the http server.
But when trying to access my site through https://www.mydomain.com there is a certificate error warning (but if I continue through the warning, the site shows well).
I checked with ssltool.com and got:
The site tested www.mydomain.com is NOT the same as the Subject CN ip-10-203-65-225!
Needless to say, the key file was created with my domain name (CN=www.mydomain.com) and not with the name containing the ip.
When I enter "hostname" in the unix shell, I indeed get 'ip-10-203-65-225', which is something that Amazon gave it automatically. But even if I change it (in /etc/sysconfig/network) it is still seen as ip-10-203-65-225.
On the other hand, the same problem is viewed without installing the keys: Even if I remove those lines from httpd.conf, and remove the key files, the browsers warn about a certificate error, as if there is a self-signed certificate and with the same error on ssltool.com. So it seems that it's not that my key files are invalid but rather that the server doesn't use them at all...
I'm totally confused. Please can anybody help?
For some reasons, none of the pages I visited to seek for the answer mentioned that the above lines should be in
/etc/httpd/conf.d/ssl.conf
and not in
/etc/httpd/conf/httpd.conf
(and not inside a <virtualHost> section)
Your certificate was issued to a Common Name (CN) matching the hostname of your EC2 instance. You need to create a new CSR using the correct hostname and go through the entire process again. When you generate the new CSR, be sure to change the CN rather than accept the default.