Re: Need help with SSL on Apache

Posted: 2020/03/26 00:35:19
by TrevorH
The host command only looks at DNS, which is why I subsequently edited my original post and changed it to ping.

Re: Need help with SSL on Apache

Posted: 2020/03/26 02:55:58
by cheddargeorge
Okay, the most relevant log entry I could find was:

Code:

$ sudo cat httpd/ssl_error_log
[Wed Mar 25 23:52:31.445983 2020] [ssl:warn] [pid 44623] AH01909: RSA certificate configured for dgbvm.internal.cloudapp.net:443 does NOT include an ID which matches the server name

So, hunted around some more for anything which might help, and came across this:
https://www.godaddy.com/help/manually-i ... entos-5238
(I purchased the certificate from GoDaddy, so I figured this might be useful).

Still, I'm kinda confused with those directions. So, starting from scratch, I re-downloaded the certificate bits from GoDaddy, for Apache, which is a zip file comprising three files: bb6d0c0348ed0020.crt, bb6d0c0348ed0020.pem, and gd_bundle-g2-g1.crt.

Uploaded the files, and, as per the instructions, put the two crt files into /etc/pki/tls/certs/. Amended the permissions accordingly. Modified the VirtualHost, per below:

Code:

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/bb6d0c0348ed0020.crt
SSLCertificateKeyFile /etc/pki/tls/private/lac.key       <------  ????
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt

However, the instructions don't mention anything about SSLCertificateKeyFile, or the .pem file. The "lac.key" which I have there is from when I was trying to get it working previously, having followed other directions.

So, bottom line: I'm guessing most of my issues with this are related to the certificate; however, the GoDaddy instructions seem a bit incomplete to me, and I'm not sure what I'm meant to do with the .pem file, or what is supposed to go in the SSLCertificateKeyFile entry of the VirtualHost.

Anyway, figured it wouldn't work as-is, but tried it anyway. If anyone is able to provide additional clarification it would be appreciated. Thank you very much.

Re: Need help with SSL on Apache

Posted: 2020/07/17 13:26:45
by cheddargeorge
Weeks/months later, I'm still struggling trying to get SSL working with Apache. However, I'm desperate to get it done now as the site is meant to go live in a couple of weeks.
So, this morning I tried again, and realized that I hadn't been using a "Listen 443" directive in httpd.conf, which seems a pretty basic requirement. However, as soon as I put in the directive and try to restart Apache, then it fails, per below:

Code:

-- Unit httpd.service has begun starting up.
Jul 17 13:06:04 dgbvm.internal.cloudapp.net httpd[50481]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Jul 17 13:06:04 dgbvm.internal.cloudapp.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jul 17 13:06:04 dgbvm.internal.cloudapp.net systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed

There may well be other things wrong with the config, but I'm assuming that getting this bit working is the baseline for getting everything else with SSL working, and without it SSL won't work anyway.
If anyone can help me get all this figured out I will be eternally grateful. Many thanks!

Re: Need help with SSL on Apache

Posted: 2020/07/17 14:07:45
by TrevorH
There is already a Listen 443 line in the mod_ssl supplied ssl.conf.

Re: Need help with SSL on Apache

Posted: 2020/07/17 14:17:43
by cheddargeorge
Yeah, okay, I see it. Thanks.

I know I've bugged you already a million times previously on this problem, but any other helpful tips/clues/insights? I'm really desperate to get this working, and I just don't know how to make progress.

Re: Need help with SSL on Apache

Posted: 2020/07/17 14:58:13
by TrevorH
Is httpd listening on port 443 on an interface other than localhost? Run ss -antupl | grep 443 as root and check that.

Does the server you are running on know that it is the right place for the domain you're trying to use? So if you're trying to connect to say https://www.abc.local/ does a ping of www.abc.local on the server itself resolve to the correct internal IP address of the server?

You will definitely need the correct key file that was used to generate the CSR file that you sent to your SSL provider. Permissions and SELinux contexts on all those files will need to be correct to allow the server to read them at startup. I suspect it will whinge and not work if the permissions are too lax and allow too many people to read them. Likewise it will fail if they are too tight and it cannot read them at all.

Clear your logs, check all that lot, try again then check the logs again.

Re: Need help with SSL on Apache

Posted: 2020/07/17 15:13:19
by cheddargeorge
Yes, it seems long ago now but I had already checked to see if it was listening on 443. Some previous 443 testing and ping results on page 2.

However, I've retested now and it seems okay:

Code:

$ ss -antupl | grep 443
tcp    LISTEN     0      128    [::]:443                [::]:*

Code:

$ ping www.xyz.com
PING xyz.com (10.0.0.5) 56(84) bytes of data.
64 bytes from xyz.com (10.0.0.5): icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from xyz.com (10.0.0.5): icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from xyz.com (10.0.0.5): icmp_seq=3 ttl=64 time=0.039 ms
64 bytes from xyz.com (10.0.0.5): icmp_seq=4 ttl=64 time=0.021 ms

10.0.0.5 is the correct internal address.

I had previously tested with putting SELinux in permissive mode, but it made no difference.

"You will definitely need the correct key file that was used to generate the CSR file that you sent to your SSL provider." Not quite sure what you mean here. The crt and key files are what were provided from GoDaddy when I purchased the SSL certificate. Is there something else I'm meant to do with them? Currently they're residing in:

Code:

SSLCertificateFile /etc/pki/tls/certs/bb6d0c0398ed0020.crt
SSLCertificateKeyFile /etc/pki/tls/private/xyz.key

Thanks for your patience!

Re: Need help with SSL on Apache

Posted: 2020/07/17 17:55:31
by TrevorH
When you bought the cert they will have asked you to generate and upload a CSR (Certificate Signing Request) and that process will have needed a key file to generate the CSR. You need to get httpd to use that same key file and it may not be password protected (without doing special stuff(TM)).
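The two failure modes discussed in this thread, a certificate that does not name the host Apache serves (the AH01909 warning earlier) and a private key that is not the one the CSR was generated from, can both be checked from the shell before restarting httpd. The script below is an added example for this thread, not something posted by either participant; it assumes only the openssl command-line tool (1.1.1 or newer, for -addext) and builds its own throw-away key and self-signed certificate in a temporary directory, so every file name in it is constructed and stands in for the real paths under /etc/pki/tls.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for an Apache
# certificate, its private key and the intended ServerName.
# Assumes the openssl CLI (1.1.1+). All file names below are constructed for
# the demo; point the three functions at your own files when using them.

# 1. Does the private key belong to the certificate?
#    Extract the public key from each file as PEM and compare. A mismatch means
#    the certificate was issued for a CSR made from some other key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. Does the certificate cover the name in ServerName? This is the check
#    mod_ssl performs at startup before logging AH01909.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q ' does match certificate'
}

# 3. Is the key readable by its owner only (0600 or 0400)? httpd reads it as
#    root at startup, so nobody else needs access. GNU stat first, BSD fallback.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Build constructed demo material in a temp dir and print its path.
make_demo_material() {
    dir=$(mktemp -d)
    # Key and self-signed cert for the demo name, with the SANs a CA-issued
    # cert would carry.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=www.example.test' \
        -addext 'subjectAltName=DNS:www.example.test,DNS:example.test' \
        -keyout "$dir/example.key" -out "$dir/example.crt" >/dev/null 2>&1
    # An unrelated key, standing in for a stale key left from an earlier attempt.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    # The right key again, but with permissions far too lax.
    cp "$dir/example.key" "$dir/loose.key"
    chmod 600 "$dir/example.key"
    chmod 644 "$dir/loose.key"
    printf '%s\n' "$dir"
}

# report "expected" "label" command args...
report() {
    expected=$1; label=$2; shift 2
    if "$@"; then got=yes; else got=no; fi
    printf '%-4s (expected %-3s) %s\n' "$got" "$expected" "$label"
}

DEMO_DIR=$(make_demo_material)
report yes "cert matches its own key"      cert_matches_key "$DEMO_DIR/example.crt" "$DEMO_DIR/example.key"
report no  "cert matches unrelated key"    cert_matches_key "$DEMO_DIR/example.crt" "$DEMO_DIR/other.key"
report yes "cert covers www.example.test"  cert_covers_name "$DEMO_DIR/example.crt" www.example.test
report yes "cert covers example.test"      cert_covers_name "$DEMO_DIR/example.crt" example.test
report no  "cert covers wrong.example.test" cert_covers_name "$DEMO_DIR/example.crt" wrong.example.test
report yes "key permissions 0600"          key_perms_ok "$DEMO_DIR/example.key"
report no  "key permissions 0644"          key_perms_ok "$DEMO_DIR/loose.key"
```

Run against the real files, the first check is the one that separates "wrong key" from every other symptom: if it fails, no amount of fiddling with the vhost will help, and the fix is exactly what TrevorH describes, either locate the key the CSR was generated from or generate a fresh key and CSR and have the certificate reissued. On an SELinux host, after copying files into /etc/pki/tls, restorecon -v on them restores the expected contexts.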

Re: Need help with SSL on Apache

Posted: 2020/07/17 18:07:44
by cheddargeorge
Hmm, this is news to me. I didn't realize there were any other steps involved other than downloading the certificate and key.
Definitely didn't get asked to upload anything, but I'm now looking at https://www.ssls.com/knowledgebase/how- ... dy-cpanel/ which seems like it may be useful. I'll try and pursue that over the next day or so and see how I make out. Thank you!

Re: Need help with SSL on Apache

Posted: 2020/07/17 23:00:28
by cheddargeorge
Okay, finally managed to get it all working. Found some info about the CSR and some other bits on GoDaddy, and created the CSR file and private key:

This generates two files, one for the CSR, and the other is the private key file:

Code:

$ sudo openssl req -new -newkey rsa:2048 -nodes -keyout xyz.com.key -out xyz.com.csr

Then, back to GoDaddy, provided the CSR, and reissued the certificate. Downloaded/uploaded the new certificate files to the server.

I also have Apache configured with the 443 virtual host section for the relevant domain, and at least it's now serving both the xyz.com domain along with all the other virtual hosts working properly still. Previously I'd been unable to get Apache to serve all the vhosts correctly while attempting to serve xyz.com securely.

The final thing I needed to do was to default http traffic to https for that one vhost. Anyway, just needed to add a line to the port 80 vhost:

Code:

Redirect permanent / https://xyz.com/

... and http traffic for that vhost now defaults to the https vhost section.

Thank you so much for your help and assistance, especially TrevorH and KernelOops. I really appreciate you helping me finally get this working.
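Pulling the pieces from this thread together, here is what the finished pair of vhosts for the one domain looks like. This is an added illustration, not configuration posted in the thread: the DocumentRoot and the certificate and key file names are placeholders (the key name follows the openssl command above; the CA bundle name is the one GoDaddy shipped), and Listen 443 is deliberately absent because, as noted above, the mod_ssl ssl.conf already provides it.

```apache
# Added example, not configuration from the thread. Placeholders are marked.
# ServerName must be a name the certificate actually covers; otherwise mod_ssl
# logs AH01909 at startup and browsers will reject the connection.

<VirtualHost *:80>
    ServerName xyz.com
    ServerAlias www.xyz.com
    # Send every plain-HTTP request for this vhost to its HTTPS counterpart.
    Redirect permanent / https://xyz.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName xyz.com
    ServerAlias www.xyz.com
    # Placeholder document root.
    DocumentRoot /var/www/xyz.com

    SSLEngine on
    # The leaf certificate the CA issued for the CSR (placeholder file name).
    SSLCertificateFile      /etc/pki/tls/certs/xyz.com.crt
    # The private key that generated that CSR, root-owned and mode 0600.
    SSLCertificateKeyFile   /etc/pki/tls/private/xyz.com.key
    # The CA's intermediate bundle. Since httpd 2.4.8 the intermediates may
    # instead be appended to the SSLCertificateFile; this directive still works.
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt
</VirtualHost>
```

Apache reads comments only on their own lines, so keep them off the directive lines as shown. After editing, apachectl configtest catches syntax problems, and a restart followed by a look at ssl_error_log confirms that the AH01909 warning is gone.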