Getting SSL to work on Apache
We can't seem to get the SSL cert we've purchased to work on CentOS 8.3.2011 and Apache (httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64). The admin of the server set up the virtual sites in the "sites-available" and "sites-enabled" subdirectories and it technically all works. When you go to the server's web sites, on both tcp 80 and 443, you get the web site. However, when you are looking at the SSL site you get an SSL certificate error. The certificate the server is using is its self assigned certificate, NOT the cert that we've purchased. Note that the server DOES in fact ask for the SSL cert password when httpd is started. Yet it's not using it when a browser is asking for the SSL site.
Re: Getting SSL to work on Apache
you need to
# sudo dnf install mod_ssl
then set this at your vhost
SSLEngine on
SSLCertificateFile /pathtofile
SSLCertificateKeyFile /pathtofile
SSLCertificateChainFile /pathtofile
PS: "sites-available" and "sites-enabled" are Debian confs, CentOS default confs are set at /etc/httpd/conf.d and files SHOULD end with .conf
if you want to change the default behavior you need to set it at /etc/httpd/conf/httpd.conf
Re: Getting SSL to work on Apache
Also, if it's looking at a self-signed cert then that's probably coming from /etc/httpd/conf.d/ssl.conf and you should change that. Or perhaps better, set up each vhost to use its own.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Getting SSL to work on Apache
Thanks guys.
mod_ssl-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed. SSL Does work. The site isn't pulling the proper cert.
There is the line:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
in ssl.conf. I am going to comment that out to see what it does.
The vhost in the sites-available dir also has its own ssl directives:
<VirtualHost *:443>
    ServerName site.public.com
    ServerAlias site
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/www/sslcert.crt"
    SSLCertificateKeyFile "/etc/ssl/certs/www/sslcert.key"
    SSLCertificateChainFile "/etc/ssl/certs/www/Authority.crt"
    DocumentRoot "/var/www/html/site/"
    ErrorLog "/var/www/html/site/error.log"
    <Directory "/var/www/html/site/">
        DirectoryIndex index.html index.php
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Re: Getting SSL to work on Apache
Ok httpd isn't re-starting because of postfix???
postfix/smtpd[3871427]: connect from localhost[127.0.0.1]
postfix/smtpd[3871427]: SSL_accept error from localhost[127.0.0.1]: -1
postfix/smtpd[3871427]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.cSSL alert number>
postfix/smtpd[3871427]: lost connection after STARTTLS from localhost[127.0.0.1]
postfix/smtpd[3871427]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
I looked in /etc/postfix/main.cf and can't find any references to the http server, ssl, nor localhost.
Re: Getting SSL to work on Apache
No, that's a different problem entirely. Apache httpd has no dependency on postfix or vice versa.
Re: Getting SSL to work on Apache
i never had to comment anything at ssl.conf...
i guess your conf is not being read
look at your log file, if it exists
Re: Getting SSL to work on Apache
wolfrR1der wrote: ↑2021/04/29 15:22:56
> The vhost in the sites-available dir also has its own ssl directives:
It was already pointed out that there is no "sites-available dir". Even if there is, httpd won't look at it.
The ssl.conf contains <VirtualHost _default_:443>. After staring at https://httpd.apache.org/docs/2.4/vhosts/examples.html I can't tell what that does imply. I guess your specific virtualhosts supersede that default?
Re: Getting SSL to work on Apache
jlehtone wrote: ↑2021/04/29 20:44:23
> It was already pointed out that there is no "sites-available dir". Even if there is, httpd won't look at it.
> The ssl.conf contains <VirtualHost _default_:443>. After staring at https://httpd.apache.org/docs/2.4/vhosts/examples.html I can't tell what that does imply. I guess your specific virtualhosts supersede that default?
that's the point, if you have to comment ssl.conf the vhost conf is not working or it has not been read
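The replies above come down to one question: is the vhost file reachable from httpd.conf through Include/IncludeOptional, or is only ssl.conf being read? The following is an added example, not code from the thread: a simplified Python reader that lists the VirtualHost blocks httpd would load and the config files it never reads. The function names and the constructed sample tree are assumptions, and it does not handle Define variables or a ServerRoot directive.

```python
import glob, os, re, tempfile
from pathlib import Path

VHOST = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I | re.M)
DIRECTIVE = re.compile(
    r'^\s*(Include(?:Optional)?|ServerName|SSLCertificateFile)\s+"?([^"\s]+)', re.I)

def loaded_vhosts(root, conf="conf/httpd.conf", read=None):
    """Follow Include/IncludeOptional from conf; return (vhosts, files read)."""
    read = [] if read is None else read
    read.append(conf)
    vhosts, cur = [], None
    for line in Path(root, conf).read_text().splitlines():
        if m := VHOST.match(line):
            cur = {"file": conf, "addr": m[1].strip(), "name": None, "cert": None}
            vhosts.append(cur)
        elif line.strip().lower() == "</virtualhost>":
            cur = None
        elif m := DIRECTIVE.match(line):
            key, val = m[1].lower(), m[2]
            if key.startswith("include"):  # relative patterns resolve against ServerRoot
                for inc in sorted(glob.glob(os.path.join(root, val))):
                    vhosts += loaded_vhosts(root, os.path.relpath(inc, root), read)[0]
            elif cur is not None:
                cur["name" if key == "servername" else "cert"] = val
    return vhosts, read

def unread_vhost_files(root, read):
    """Files under root that define a <VirtualHost> but were never included."""
    rels = (str(p.relative_to(root)) for p in Path(root).rglob("*") if p.is_file())
    return sorted(r for r in rels if r not in read
                  and VHOST.search(Path(root, r).read_text(errors="ignore")))

def build_sample_tree():
    root = tempfile.mkdtemp()  # constructed ServerRoot mirroring the thread's layout
    files = {
        "conf/httpd.conf": "IncludeOptional conf.d/*.conf\n",
        "conf.d/ssl.conf": "<VirtualHost _default_:443>\nSSLEngine on\n"
            "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n</VirtualHost>\n",
        "sites-available/site.conf": "<VirtualHost *:443>\nServerName site.public.com\n"
            'SSLCertificateFile "/etc/ssl/certs/www/sslcert.crt"\n</VirtualHost>\n',
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root

if __name__ == "__main__":
    vhosts, read = loaded_vhosts(root := build_sample_tree())
    print("loaded:", vhosts, "\nnever read:", unread_vhost_files(root, read))
```

On a live server, `httpd -S` prints the virtual hosts httpd actually parsed and the file each one came from, which is the authoritative version of this check.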