Need help with SSL on Apache

Issues related to applications and software problems
cheddargeorge
Posts: 24
Joined: 2019/05/18 01:23:19

Need help with SSL on Apache

Post by cheddargeorge » 2020/03/21 18:00:07

Hi,

So, I have Apache/2.4.6 running on a CentOS 7 virtual machine on Azure, and it's been happily doing it's thing for several months, with multiple websites on the same IP. More recently I added a new site, with its own IP, which is also working fine. None of the sites currently use SSL.

Now I'm trying to add SSL for the newer site (and only that one site). I've purchased the certificate through GoDaddy and downloaded the cert and the key, and created two files on the server, as guided by some instructions I found (path names provided below).

However, I'm a bit stuck on how to proceed from here. Obviously the server already listens on port 80 for all current web traffic, and I somehow need to listen on port 443 for traffic for the one site I need SSL for.

I did already install mod_ssl:

Code: Select all

$ sudo yum install mod_ssl
So I tried just adding "Listen 443" to httpd.conf, below "Listen 80", but the server then failed to start at all:

Code: Select all

$ sudo journalctl -xe

-- Unit httpd.service has begun starting up.
Mar 21 17:14:59 dgbvm httpd[77384]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:382
Mar 21 17:14:59 dgbvm httpd[77384]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 21 17:14:59 dgbvm systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 17:14:59 dgbvm kill[77385]: kill: cannot find process ""
Mar 21 17:14:59 dgbvm systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 21 17:14:59 dgbvm systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
Also tried just modifying the virtual host section, as below, to listen on 443 (which I didn't expect to work and I was not disappointed):

Code: Select all

<VirtualHost 10.0.0.5:443>
ServerName blah...
ServerAlias www.blah...

DocumentRoot "/var/www/sites/blah/"
...
SSLCertificateFile      /etc/httpd/conf/ssl.crt/blah.crt
SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/blah.key
</VirtualHost>
I don't imagine I'm a million miles away from getting it working, but I'm obviously missing something completely obvious. Despite being somewhat familiar with Apache over many years, I've never actually installed an SSL certificate, so this whole ball game is new to me.

Any help would be much appreciated! Thanks.

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need help with SSL on Apache

Post by TrevorH » 2020/03/21 19:19:37

Mar 21 17:14:59 dgbvm httpd[77384]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Address already in use. The installation of mod_ssl creates and ssl.conf in /etc/httpd/conf.d that already listens on port 443 so if you created another one and told it to listen there too then it will cause this.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

cheddargeorge
Posts: 24
Joined: 2019/05/18 01:23:19

Re: Need help with SSL on Apache

Post by cheddargeorge » 2020/03/21 19:27:58

Okay, that makes sense, but should I not then just be able to do:

Code: Select all

<VirtualHost 10.0.0.5:443>
...
...
The only two files I created (knowingly) were the cert and key files at the paths given. Other than what may have been created by installing mod_ssl I haven't created any other files.

When I just try to listen to 443, per above, by adding the port to the IP, (instead of using the "Listen 443" directive) the site just defaults to the default site for the configuration (i.e. another site entirely), as if there is nothing listening on port 443.

I don't think there's anything Azure specific about any of this, with the exception of the local IP, which is the way to add secondary IPs to Azure VMs. (which, in any case, works for port 80, as expected).

User avatar
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Need help with SSL on Apache

Post by KernelOops » 2020/03/21 22:23:02

If I remember correctly, the default configuration for mod_ssl, is to listen at ports 80/443 for ALL virtualhosts by default. That happens because the httpd.conf adds one listen for port 80 and ssl.conf adds a second listen for port 443, when apache parses the configs, the result looks like:

Listen 80
Listen 443 https

So ALL virtualhosts may get https. If you want to restrict connections by virtualhost, then you need to use strict SNI, so when the client adds a Host header, your apache will redirect the client to the correct virtualhost, to enable strict SNI you need to add the following line to your ssl.conf:

Code: Select all

SSLStrictSNIVHostCheck                  on
The part where you define your https virtualhost is correct "<VirtualHost 10.0.0.5:443>" and does not need to change. But you should add ":80" to the other non-ssl virtualhosts to restrict them to port 80 only. But remember, the virtualhost directive DOES NOT define what ports apache listens on, that has already been defined by the Listen directive.

More details about how apache matches virtualhosts, here:
http://httpd.apache.org/docs/2.4/mod/co ... irtualhost


PS:
SSL/TLS certificates are free, there is no real need to buy a certificate like before. There are several places that offer free certificates like Let's Encrypt, you may use one of these awesome clients to get free and valid certificates for all your services:
acme.sh
dehydrated
--
R.I.P. CentOS :cry:
--

cheddargeorge
Posts: 24
Joined: 2019/05/18 01:23:19

Re: Need help with SSL on Apache

Post by cheddargeorge » 2020/03/22 00:08:19

Thanks for the additional info, and the freebie SSL bits. I will do that next time. GoDaddy are kinda pricey for SSL certs. Thx!
"But remember, the virtualhost directive DOES NOT define what ports apache listens on, that has already been defined by the Listen directive.
Yeah, I guess I kinda get that/knew that really; I didn't really express myself well. Sorry!

Okay, so I added back the :443 to the IP in the relevant virtual host tag, and also added the directive as you provided, above the virtual host section:

Code: Select all

SSLStrictSNIVHostCheck                  on
All the other virtual hosts are defined as

Code: Select all

<VirtualHost *:80>
ServerName whatever.com
...
</VirtualHost>
... and work okay, no matter what I do with regards to the ssl bits.

FYI: you can assume I'm restarting Apache every time I make a change to httpd.conf

However, I still end up with the same problem, which is that the domain in question doesn't get served at all; as soon as I add the :443 it just defaults to the next virtual host (which is obviously on port 80). Take the :443 off again, and yeah, it works okay (but obviously not using ssl).

I must be doing something kinda dumb, but not sure what. I'm sure there must be just some little thing that I'm not doing/overlooking.

User avatar
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Need help with SSL on Apache

Post by KernelOops » 2020/03/22 08:16:07

The first thing I would check, is that the FQDN is defined in every virtualhost with a proper ServerName directive. If not, that will cause problems by loading the "default" site.

The second thing I would check, is your definition of the virtualhosts, from the link I posted above, the docs write:
When a request is received, the server first maps it to the best matching <VirtualHost> based on the local IP address and port combination only. Non-wildcards have a higher precedence. If no match based on IP and port occurs at all, the "main" server configuration is used.

If multiple virtual hosts contain the best matching IP address and port, the server selects from these virtual hosts the best match based on the requested hostname. If no matching name-based virtual host is found, then the first listed virtual host that matched the IP address will be used. As a consequence, the first listed virtual host for a given IP address and port combination is the default virtual host for that IP and port combination.
The third thing I would check, is to look in the logs for possible errors or warnings, maybe something there will give you a hint.
--
R.I.P. CentOS :cry:
--

cheddargeorge
Posts: 24
Joined: 2019/05/18 01:23:19

Re: Need help with SSL on Apache

Post by cheddargeorge » 2020/03/23 15:36:34

Thanks for the comment.

All the virtual hosts are defined with proper ServerName directives, and have worked fine for months. They all appear to conform to standard conventions as provided in https://httpd.apache.org/docs/2.4/vhosts/examples.html, so I don't think there's any issue there. The only new thing I'm trying to introduce is ssl for the single domain (I'll call it blah.com for purposes of this post) which is on its own unique IP.

The virtual host for blah.com is the first in the configuration, above all of the other virtual hosts, and is, of course, the only one on that IP, so any issue with serving from that host would default through to the main server, directly below it.

I'm not really sure what logs to check for something like this. I mean the Apache access/error logs don't give any clues, and I'm not sure which other logs I would need to be looking at.

Is there any possibility that a problem with the crt/key files, or their paths, or permissions, or whatever, could cause such a problem? I followed instructions carefully, but like I said earlier, I've never done anything with SSL before, so maybe I've gotten something messed up:

Code: Select all

$ ls -l /etc/httpd/conf/
drwxr-xr-x. 2 root root    22 Mar 20 16:24 ssl.crt
drwxr-xr-x. 2 root root    22 Mar 20 16:31 ssl.key

$ ls -l /etc/httpd/conf/ssl.crt
-rw-r--r--. 1 root root 891 Mar 20 16:24 blah.crt

ls -l /etc/httpd/conf/ssl.key
-rw-r--r--. 1 root root 1705 Mar 20 16:31 blah.key
One super-relevant thing I did find earlier, which presumably would have meant nothing SSL would have worked anyway, was that I needed to add port 443 for incoming traffic to my network interface in the Azure portal. I had assumed it was already on there, but apparently not. Anyway, added that with no problem, and not sure if I needed to restart network services or not, but I did anyway, but nothing has made any difference.

So, whenever I add :443 to the virtual host for blah.com (as shown previously), it still just defaults to the main server. Taking it off again and the site works just fine, sans-SSL.

Any assistance appreciated.

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need help with SSL on Apache

Post by TrevorH » 2020/03/23 15:42:02

Your keys need to be under a directory that selinux knows is for SSL keys to be used by apache. By default, at least on CentOS 7 and I suspect it'll be the same on 8, the path used is /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key. Filenames are not important but the directories in use are.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

cheddargeorge
Posts: 24
Joined: 2019/05/18 01:23:19

Re: Need help with SSL on Apache

Post by cheddargeorge » 2020/03/23 15:56:38

Ah, interesting. Okay, I'll give that a whirl and jump back on here later. Can't test right now. Thanks!

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need help with SSL on Apache

Post by TrevorH » 2020/03/23 16:08:03

Your key probably shouldn't be world readable either...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply