Page 2 of 3

Re: Need help with SSL on Apache

Posted: 2020/03/23 19:53:18
by KernelOops
The certificate files should be under /etc/pki/tls/certs and their keys should be under /etc/pki/tls/private. The keys should be u+rw (owner only), no other access needed. Those paths are compatible with SELinux, for both Fedora and CentOS.

Re: Need help with SSL on Apache

Posted: 2020/03/23 21:47:10
by pjsr2
Small typo: the private key should not be readable by anyone but its owner, the user root. That is u+rw, not o+rw.

Re: Need help with SSL on Apache

Posted: 2020/03/23 22:09:37
by KernelOops
Absolutely right, sorry about the mistake (a rather important mistake to be honest)...
pjsr2 wrote:
2020/03/23 21:47:10
Small typo: the private key should not be readable by anyone but its owner, the user root. That is u+rw, not o+rw.

Re: Need help with SSL on Apache

Posted: 2020/03/25 15:39:12
by cheddargeorge
Thanks to all for the replies; appreciated. However ... sorry ... Still having difficulties, and can't get it working.

So, I've put the crt and key files into the dirs as suggested, amended httpd.conf, checked permissions, and restarted httpd, but it still just defaults to the default domain as soon as I try to do anything with the 443 stuff.

Code:

SSLStrictSNIVHostCheck on

<VirtualHost 10.0.0.5:443>
ServerName xxx.com
ServerAlias www.xxx.com

DocumentRoot "/var/www/sites/lac/"

SSLCertificateFile      /etc/pki/tls/certs/lac.crt
SSLCertificateKeyFile   /etc/pki/tls/private/lac.key
...
...
</VirtualHost>

Code:

$ ls -l /etc/pki/tls/certs/lac.crt
-rw-------. 1 root root 891 Mar 25 15:17 /etc/pki/tls/certs/lac.crt

$ ls -l /etc/pki/tls/private/lac.key
-rw-------. 1 root root 1705 Mar 25 15:19 /etc/pki/tls/private/lac.key

$ sudo cat /etc/pki/tls/certs/lac.crt
-----BEGIN CERTIFICATE REQUEST-----
blah ....
.....
.....
.....
blah ....
-----END CERTIFICATE REQUEST-----

$ sudo cat /etc/pki/tls/private/lac.key
-----BEGIN PRIVATE KEY-----
longer...blah ...
...
...
...
...
-----END PRIVATE KEY-----
I must be missing/doing something kinda stupid.

As noted in my previous post, I needed to add port 443 to the network interface for incoming traffic, and presumably it should be working. Is there some way I can check to see that the VM is actually listening on 443?

Any further help/suggestions/comments/etc gratefully received!
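The listing above shows the file handed to SSLCertificateFile begins with a CERTIFICATE REQUEST header, which is the CSR sent to the CA, not the signed certificate Apache needs. The script below is an added check, not code from the thread or from the poster's setup: it flags that mismatch, verifies the key's permissions as discussed earlier in the thread, and, when openssl is installed, confirms the key matches the certificate. The paths in the usage comment are assumptions taken from the posted config.

```shell
#!/bin/sh
# Added sanity check for the files a <VirtualHost ...:443> points at.
# Usage (paths assumed from the posted config):
#   sh check_tls.sh /etc/pki/tls/certs/lac.crt /etc/pki/tls/private/lac.key

# check_cert FILE: succeed only if FILE holds a signed certificate.
# A CERTIFICATE REQUEST block is the CSR you send to the CA;
# SSLCertificateFile must point at the certificate the CA returned.
check_cert() {
    f=$1
    [ -r "$f" ] || { echo "cert: cannot read $f"; return 1; }
    if grep -q '^-----BEGIN CERTIFICATE REQUEST-----' "$f"; then
        echo "cert: $f is a certificate request (CSR), not a certificate"
        return 1
    fi
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "cert: no certificate block in $f"; return 1; }
}

# check_key FILE: succeed only if FILE is a PEM private key readable by
# its owner alone (mode 0600 or 0400), i.e. u+rw with no group/other bits.
check_key() {
    f=$1
    [ -r "$f" ] || { echo "key: cannot read $f"; return 1; }
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "key: no private key block in $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case $mode in
        600|400) ;;
        *) echo "key: $f is mode $mode; expected 600 (u+rw only)"; return 1 ;;
    esac
}

# check_pair CRT KEY: when openssl is present, confirm the key belongs to
# the certificate by comparing the public key each one yields.
check_pair() {
    command -v openssl >/dev/null 2>&1 ||
        { echo "pair: openssl not found, check skipped"; return 0; }
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$a" = "$b" ] || { echo "pair: $2 does not match $1"; return 1; }
}

# check_all CRT KEY: run every check; non-zero status on the first failure.
check_all() {
    check_cert "$1" && check_key "$2" && check_pair "$1" "$2"
}

[ $# -eq 2 ] && check_all "$1" "$2"
```

A certificate request in the cert path would not explain httpd failing to start by itself, but it is the first thing the restart would reject once SSLEngine is on and the files are actually loaded.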

Re: Need help with SSL on Apache

Posted: 2020/03/25 21:40:33
by KernelOops
Well, without looking at your full config, it's hard to say, we can only guess at the problem.

have you checked the logs? maybe there is something there: /var/log/httpd

also, do you have SELinux in enforcing mode? (you should!) then check the /var/log/audit for any AVC errors, you may temporarily set enforcing to permissive mode and see if that fixes your problem, then you'll know there is an SELinux problem. Use the 'ausearch' command to list AVC errors or read the audit logs directly.

I sent you a PM with my apache config so you can get some ideas.

Re: Need help with SSL on Apache

Posted: 2020/03/25 22:05:10
by TrevorH
What do you get if you run ping xxx.com on the server itself? Does it resolve that to 10.0.0.5? It needs to.

Re: Need help with SSL on Apache

Posted: 2020/03/25 22:59:50
by cheddargeorge
Okay, thanks for the comments.

So, yes, I always have SELinux on, but I did temporarily put it into permissive mode, but it made no difference, so presumably it's not an SELinux problem.

Yeah, I can ping it on the host, etc. (don't forget, I have no problem with this domain just using port 80, it's only 443 I have issues with)

Code:

$ host xxx.com
xxx.com has address 51.???.???.100
Note that the Azure config uses the internal address, since it's not the primary IP, but it resolves to the external public IP.

So, checking the config which KernelOops sent, I saw that I did not have the "SSLEngine on" directive in my config, so I added it. However, httpd wouldn't even start when I did that, so I took it out again.

Also, while it wasn't what I would prefer as a solution, I figured I could try wild-carding the 443 VirtualHost, per below:

Code:

<VirtualHost *:443>
instead of

Code:

<VirtualHost 10.0.0.5:443>
... but httpd also failed to start after doing that too. That seems like it may be a relevant piece of info' for someone who knows what they're doing.

Log entries ... Not sure these display very much useful info', but I'll put them here anyway.

Code:

$ sudo journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Mar 25 22:37:37 dgbvm.internal.cloudapp.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 25 22:37:37 dgbvm.internal.cloudapp.net kill[40014]: kill: cannot find process ""
Mar 25 22:37:37 dgbvm.internal.cloudapp.net systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 25 22:37:37 dgbvm.internal.cloudapp.net systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed


$ sudo systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-03-25 22:38:00 UTC; 3min 35s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 40014 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
So, from what I can see thus far, I really can't do a single thing with SSL on the machine with this Apache config. I really don't know what I'm missing, but please feel free to throw even the most basic info at me, since I've never done a thing with SSL before.

Re: Need help with SSL on Apache

Posted: 2020/03/25 23:16:58
by TrevorH
$ host xxx.com
xxx.com has address 51.???.???.100
No, that's wrong, it needs to resolve to the ip address that you use in your VirtualHost line. Try adding it to /etc/hosts as 10.0.0.5.

Re: Need help with SSL on Apache

Posted: 2020/03/25 23:56:42
by cheddargeorge
Okay, added to /etc/hosts. However, although ping resolves to the local IP (10.0.0.5), host still resolves to the public IP.

Code:

$ ping xxx.com
PING xxx.com (10.0.0.5) 56(84) bytes of data.
64 bytes from xxx.com (10.0.0.5): icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=2 ttl=64 time=0.077 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=3 ttl=64 time=0.043 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=4 ttl=64 time=0.039 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=5 ttl=64 time=0.040 ms
...
Okay, additional new info. So, in search of the holy grail (i.e. resolving this issue), I found some other bits and pieces and decided to test this out:

Code:

$ sudo netstat -tulpn | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN      44623/httpd

$ sudo netstat -tulpn | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN      44623/httpd

Code:

$ sudo lsof -i -P -n | grep LISTEN
rpcbind    525      rpc    8u  IPv4    16846      0t0  TCP *:111 (LISTEN)
rpcbind    525      rpc   11u  IPv6    16849      0t0  TCP *:111 (LISTEN)
sshd       862     root    3u  IPv4    20164      0t0  TCP *:22 (LISTEN)
sshd       862     root    4u  IPv6    20249      0t0  TCP *:22 (LISTEN)
mysqld     889    mysql   17u  IPv6    21462      0t0  TCP *:3306 (LISTEN)
master     986     root   13u  IPv4    21159      0t0  TCP 127.0.0.1:25 (LISTEN)
master     986     root   14u  IPv6    21160      0t0  TCP [::1]:25 (LISTEN)
httpd    44623     root    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44623     root    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44637   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44637   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44713   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44713   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44957   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44957   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44982   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44982   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45708   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45708   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45760   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45760   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45763   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45763   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45778   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45778   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45784   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45784   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45785   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45785   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
Not sure if that info is useful to anyone ... but I'm guessing it looks like it should do, in which case I suppose the problem is my Apache config, rather than a machine/networky issue?

Re: Need help with SSL on Apache

Posted: 2020/03/26 00:17:48
by KernelOops
The directive "SSLEngine on" is REQUIRED, so if your apache config can't run with that, then that implies a serious problem.

Interestingly, it should be there by default when you install the mod_ssl package. That confirms the above... check all your /etc/httpd/conf and /etc/httpd/conf.d files all over again and see what causes apache to die, there should be a detailed error in /var/log/httpd