Getting SSL to work on Apache

wolfrR1der
Posts: 18
Joined: 2020/04/13 17:42:58

Getting SSL to work on Apache

Post by wolfrR1der » 2021/04/27 18:03:01

We can't seem to get the SSL cert we've purchased to work on CentOS 8.3.2011 and Apache (httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64). The admin of the server set up the virtual sites in the "sites-available" and "sites-enabled" subdirectories and it technically all works. When you go to the server's web sites, on both tcp 80 and 443, you get the web site. However, when you are looking at the SSL site you get an SSL certificate error. The certificate the server is using is its self assigned certificate, NOT the cert that we've purchased. Note that the server DOES in fact ask for the SSL cert password when httpd is started. Yet it's not using it when a browser is asking for the SSL site.

BShT
Posts: 583
Joined: 2019/10/09 12:31:40

Re: Getting SSL to work on Apache

Post by BShT » 2021/04/28 13:55:35

you need to
# sudo dnf install mod_ssl

then set this at your vhost

SSLEngine on
SSLCertificateFile /pathtofile
SSLCertificateKeyFile /pathtofile
SSLCertificateChainFile /pathtofile

PS: "sites-available" and "sites-enabled" are Debian confs. CentOS default confs are set at /etc/httpd/conf.d and files SHOULD end with .conf
If you want to change the default behavior you need to set it at /etc/httpd/conf/httpd.conf

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Getting SSL to work on Apache

Post by TrevorH » 2021/04/28 14:04:16

Also, if it's looking at a self-signed cert then that's probably coming from /etc/httpd/conf.d/ssl.conf and you should change that. Or perhaps better, set up each vhost to use its own.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

wolfrR1der
Posts: 18
Joined: 2020/04/13 17:42:58

Re: Getting SSL to work on Apache

Post by wolfrR1der » 2021/04/29 15:22:56

Thanks guys.
mod_ssl-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed. SSL does work. The site isn't pulling the proper cert.

There is the line:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
in ssl.conf. I am going to comment that out to see what it does.

The vhost in the sites-available dir also has its own ssl directives:
<VirtualHost *:443>
ServerName site.public.com
ServerAlias site
SSLEngine on
SSLCertificateFile "/etc/ssl/certs/www/sslcert.crt"
SSLCertificateKeyFile "/etc/ssl/certs/www/sslcert.key"
SSLCertificateChainFile "/etc/ssl/certs/www/Authority.crt"
DocumentRoot "/var/www/html/site/"
ErrorLog "/var/www/html/site/error.log"

<Directory "/var/www/html/site/">
DirectoryIndex index.html index.php
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

wolfrR1der
Posts: 18
Joined: 2020/04/13 17:42:58

Re: Getting SSL to work on Apache

Post by wolfrR1der » 2021/04/29 15:35:04

Ok httpd isn't re-starting because of postfix???

postfix/smtpd[3871427]: connect from localhost[127.0.0.1]
postfix/smtpd[3871427]: SSL_accept error from localhost[127.0.0.1]: -1
postfix/smtpd[3871427]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1544:SSL alert number>
postfix/smtpd[3871427]: lost connection after STARTTLS from localhost[127.0.0.1]
postfix/smtpd[3871427]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

I looked in /etc/postfix/main.cf and can't find any references to the http server, ssl, nor localhost.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Getting SSL to work on Apache

Post by TrevorH » 2021/04/29 17:37:10

No, that's a different problem entirely. Apache httpd has no dependency on postfix or vice versa.

BShT
Posts: 583
Joined: 2019/10/09 12:31:40

Re: Getting SSL to work on Apache

Post by BShT » 2021/04/29 19:43:31

I never had to comment anything at ssl.conf...

I guess your conf is not being read.

Look at your log file, if it exists.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Getting SSL to work on Apache

Post by jlehtone » 2021/04/29 20:44:23

> wolfrR1der wrote: 2021/04/29 15:22:56
> The vhost in the sites-available dir also has its own ssl directives:

It was already pointed out that there is no "sites-available dir". Even if there is, httpd won't look at it.

> BShT wrote: 2021/04/29 19:43:31
> I never had to comment anything at ssl.conf...

The ssl.conf contains <VirtualHost _default_:443>. After staring at https://httpd.apache.org/docs/2.4/vhosts/examples.html I can't tell what that does imply. I guess your specific virtualhosts supersede that default?

BShT
Posts: 583
Joined: 2019/10/09 12:31:40

Re: Getting SSL to work on Apache

Post by BShT » 2021/04/30 12:18:59

> jlehtone wrote: 2021/04/29 20:44:23
> > wolfrR1der wrote: 2021/04/29 15:22:56
> > The vhost in the sites-available dir also has its own ssl directives:
>
> It was already pointed out that there is no "sites-available dir". Even if there is, httpd won't look at it.
>
> > BShT wrote: 2021/04/29 19:43:31
> > I never had to comment anything at ssl.conf...
>
> The ssl.conf contains <VirtualHost _default_:443>. After staring at https://httpd.apache.org/docs/2.4/vhosts/examples.html I can't tell what that does imply. I guess your specific virtualhosts supersede that default?

That's the point: if you have to comment ssl.conf, the vhost conf is not working or it has not been read.
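
The check discussed in the replies above (is the vhost file ever read by httpd?), as an added example that is not part of any post in this thread. It assumes a stock-style httpd.conf containing `IncludeOptional conf.d/*.conf`; the directory tree is constructed to mirror the layout described in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which vhost files httpd.conf
# actually pulls in. Simplified: nested includes are not followed and
# wildcards are honoured only in the file-name part of a pattern.

# is_included ROOT FILE -> status 0 if an Include line in httpd.conf matches FILE
is_included() {
    _root=$1; _file=$2
    while read -r _dir _pat _rest; do
        _dir=$(printf '%s' "$_dir" | tr 'A-Z' 'a-z')   # directives are case-insensitive
        case $_dir in include|includeoptional) ;; *) continue ;; esac
        _pat=${_pat#\"}; _pat=${_pat%\"}                # drop optional quotes
        case $_pat in /*) ;; *) _pat="$_root/$_pat" ;; esac   # relative to ServerRoot
        [ "${_file%/*}" = "${_pat%/*}" ] || continue    # must be the same directory
        case ${_file##*/} in ${_pat##*/}) return 0 ;; esac    # glob on the file name
    done < "$_root/conf/httpd.conf"
    return 1
}

# report_vhosts ROOT -> one line per file that defines a <VirtualHost>
report_vhosts() {
    _base=$1
    grep -rl '<VirtualHost' "$_base" | sort | while read -r _f; do
        _cert=$(awk '$1 == "SSLCertificateFile" { gsub(/"/, "", $2); print $2; exit }' "$_f")
        if is_included "$_base" "$_f"; then _state=LOADED; else _state=IGNORED; fi
        printf '%s %s cert=%s\n' "$_state" "${_f#$_base/}" "$_cert"
    done
}

# make_sample_tree -> path of a constructed ServerRoot mirroring the thread's layout
make_sample_tree() {
    _t=$(mktemp -d)
    mkdir -p "$_t/conf" "$_t/conf.d" "$_t/sites-enabled"
    printf '%s\n' 'Include conf.modules.d/*.conf' 'IncludeOptional conf.d/*.conf' \
        > "$_t/conf/httpd.conf"
    printf '%s\n' '<VirtualHost _default_:443>' \
        'SSLCertificateFile /etc/pki/tls/certs/localhost.crt' '</VirtualHost>' \
        > "$_t/conf.d/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' 'ServerName site.public.com' \
        'SSLCertificateFile "/etc/ssl/certs/www/sslcert.crt"' '</VirtualHost>' \
        > "$_t/sites-enabled/site.conf"
    printf '%s\n' "$_t"
}

root=$(make_sample_tree)
report_vhosts "$root"
rm -rf "$root"
```

On a live server, `httpd -S` prints the virtual hosts httpd actually parsed, with the file and line each one came from.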
