Need help with SSL on Apache
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Need help with SSL on Apache
The certificate files should be under /etc/pki/tls/certs and their keys should be under /etc/pki/tls/private. The keys should be u+rw (owner only), no other access needed. Those paths are compatible with SELinux, for both Fedora and CentOS.
Last edited by KernelOops on 2020/03/23 22:08:46, edited 1 time in total.
--
R.I.P. CentOS
Re: Need help with SSL on Apache
Small typo: the private key should not be readable by anyone but its owner, the user root. That is u+rw, not o+rw.
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Need help with SSL on Apache
Absolutely right, sorry about the mistake (a rather important mistake, to be honest)...
--
R.I.P. CentOS
-
- Posts: 24
- Joined: 2019/05/18 01:23:19
Re: Need help with SSL on Apache
Thanks to all for the replies; appreciated. However ... sorry ... still having difficulties, and can't get it working.
So, I've put the crt and key files into the dirs as suggested, amended httpd.conf, checked permissions, and restarted httpd, but it still just defaults to the default domain as soon as I try to do anything with the 443 stuff.
Code:
SSLStrictSNIVHostCheck on
<VirtualHost 10.0.0.5:443>
ServerName xxx.com
ServerAlias www.xxx.com
DocumentRoot "/var/www/sites/lac/"
SSLCertificateFile /etc/pki/tls/certs/lac.crt
SSLCertificateKeyFile /etc/pki/tls/private/lac.key
...
...
</VirtualHost>
Code:
$ ls -l /etc/pki/tls/certs/lac.crt
-rw-------. 1 root root 891 Mar 25 15:17 /etc/pki/tls/certs/lac.crt
$ ls -l /etc/pki/tls/private/lac.key
-rw-------. 1 root root 1705 Mar 25 15:19 /etc/pki/tls/private/lac.key
$ sudo cat /etc/pki/tls/certs/lac.crt
-----BEGIN CERTIFICATE REQUEST-----
blah ....
.....
.....
.....
blah ....
-----END CERTIFICATE REQUEST-----
$ sudo cat /etc/pki/tls/private/lac.key
-----BEGIN PRIVATE KEY-----
longer...blah ...
...
...
...
...
-----END PRIVATE KEY-----
I must be missing/doing something kinda stupid.
As noted in my previous post, I needed to add port 443 to the network interface for incoming traffic, and presumably it should be working. Is there some way I can check to see that the VM is actually listening on 443?
Any further help/suggestions/comments/etc. gratefully received!
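The cat output in the post above shows lac.crt beginning with BEGIN CERTIFICATE REQUEST, which is a CSR rather than an issued certificate, and the vhost has no SSLEngine on (which a later reply in the thread says is required). The following Python check is an added example, not code from the thread or from Apache: it parses those three directives out of a vhost block, verifies the PEM labels of the referenced files and the key's 0600 mode, and demo() reproduces the post's situation with constructed files in a temp directory (the "blah" bodies are placeholders, so only PEM headers are inspected, not the encoded contents).

```python
import os
import re
import stat
import tempfile

# Directives from the vhost in the post that this check understands.
DIRECTIVE_RE = re.compile(
    r"^\s*(SSLEngine|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.M)
PEM_LABEL_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")

def pem_labels(path):
    """Return the PEM block labels found in a file, e.g. ['CERTIFICATE']."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return PEM_LABEL_RE.findall(fh.read())

def check_ssl_vhost(conf_text):
    """Return a list of problems found in one SSL <VirtualHost> block."""
    d = dict(DIRECTIVE_RE.findall(conf_text))
    problems = []
    if d.get("SSLEngine", "").lower() != "on":
        problems.append("SSLEngine on is missing from the vhost")
    crt, key = d.get("SSLCertificateFile"), d.get("SSLCertificateKeyFile")
    if not (crt and key and os.path.isfile(crt) and os.path.isfile(key)):
        return problems + ["certificate or key file not set or not found"]
    labels = pem_labels(crt)
    if "CERTIFICATE" not in labels:  # a CSR is 'CERTIFICATE REQUEST', not a cert
        problems.append(f"{crt}: no CERTIFICATE block, found {labels}")
    if not any(lab.endswith("PRIVATE KEY") for lab in pem_labels(key)):
        problems.append(f"{key}: no PRIVATE KEY block")
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & 0o077:  # thread's rule: the key is u+rw only (0600)
        problems.append(f"{key}: mode {mode:04o} readable beyond owner, want 0600")
    return problems

def demo(csr_as_cert=True, ssl_engine=False, key_mode=0o600):
    """Constructed files mirroring the post (CSR saved as lac.crt, no SSLEngine)."""
    tmp = tempfile.mkdtemp()
    crt, key = os.path.join(tmp, "lac.crt"), os.path.join(tmp, "lac.key")
    label = "CERTIFICATE REQUEST" if csr_as_cert else "CERTIFICATE"
    with open(crt, "w") as fh:
        fh.write(f"-----BEGIN {label}-----\nblah\n-----END {label}-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nblah\n-----END PRIVATE KEY-----\n")
    os.chmod(key, key_mode)
    conf = (f"<VirtualHost 10.0.0.5:443>\nServerName xxx.com\n"
            f"{'SSLEngine on' if ssl_engine else ''}\n"
            f"SSLCertificateFile {crt}\nSSLCertificateKeyFile {key}\n</VirtualHost>\n")
    return check_ssl_vhost(conf)
```

Running demo() with the defaults reports both the missing SSLEngine directive and the CSR-in-place-of-certificate; passing csr_as_cert=False and ssl_engine=True returns no problems, and key_mode=0o644 reproduces the permission mistake discussed earlier in the thread.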
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Need help with SSL on Apache
Well, without looking at your full config, it's hard to say; we can only guess at the problem.
Have you checked the logs? Maybe there is something there: /var/log/httpd
Also, do you have SELinux in enforcing mode? (You should!) Then check /var/log/audit for any AVC errors. You may temporarily set enforcing to permissive mode and see if that fixes your problem; then you'll know there is an SELinux problem. Use the 'ausearch' command to list AVC errors or read the audit logs directly.
I sent you a PM with my apache config so you can get some ideas.
--
R.I.P. CentOS
Re: Need help with SSL on Apache
What do you get if you run ping xxx.com on the server itself? Does it resolve that to 10.0.0.5? It needs to.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 24
- Joined: 2019/05/18 01:23:19
Re: Need help with SSL on Apache
Okay, thanks for the comments.
So, yes, I always have SELinux on, but I did temporarily put it into permissive mode; it made no difference, so presumably it's not an SELinux problem.
Yeah, I can ping it on the host, etc. (Don't forget, I have no problem with this domain just using port 80; it's only 443 I have issues with.)
Code:
$ host xxx.com
xxx.com has address 51.???.???.100
Note that the Azure config uses the internal address, since it's not the primary IP, but it resolves to the external public IP.
So, checking the config which KernelOops sent, I saw that I did not have the "SSLEngine on" directive in my config, so I added it. However, httpd wouldn't even start when I did that, so I took it out again.
Also, while it wasn't what I would prefer as a solution, I figured I could try wild-carding the 443 VirtualHost, per below:
Code:
<VirtualHost *:443>
instead of
Code:
<VirtualHost 10.0.0.5:443>
... but httpd also failed to start after doing that too. That seems like it may be a relevant piece of info for someone who knows what they're doing.
Log entries ... Not sure these display very much useful info, but I'll put them here anyway.
Code:
$ sudo journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Mar 25 22:37:37 dgbvm.internal.cloudapp.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 25 22:37:37 dgbvm.internal.cloudapp.net kill[40014]: kill: cannot find process ""
Mar 25 22:37:37 dgbvm.internal.cloudapp.net systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 25 22:37:37 dgbvm.internal.cloudapp.net systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
$ sudo systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-03-25 22:38:00 UTC; 3min 35s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 40014 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
So, from what I can see thus far, I really can't do a single thing with SSL on the machine with this Apache config. I really don't know what I'm missing, but please feel free to throw even the most basic info at me, since I've never done a thing with SSL before.
Re: Need help with SSL on Apache
Quote:
$ host xxx.com
xxx.com has address 51.???.???.100
No, that's wrong, it needs to resolve to the IP address that you use in your VirtualHost line. Try adding it to /etc/hosts as 10.0.0.5.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 24
- Joined: 2019/05/18 01:23:19
Re: Need help with SSL on Apache
Okay, added to /etc/hosts. However, although ping resolves to the local IP (10.0.0.5), host still resolves to the public IP.
Code:
$ ping xxx.com
PING xxx.com (10.0.0.5) 56(84) bytes of data.
64 bytes from xxx.com (10.0.0.5): icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=2 ttl=64 time=0.077 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=3 ttl=64 time=0.043 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=4 ttl=64 time=0.039 ms
64 bytes from xxx.com (10.0.0.5): icmp_seq=5 ttl=64 time=0.040 ms
...
Okay, additional new info. So, in search of the holy grail (i.e. resolving this issue), I found some other bits and pieces and decided to test this out:
Code:
$ sudo netstat -tulpn | grep :443
tcp6 0 0 :::443 :::* LISTEN 44623/httpd
$ sudo netstat -tulpn | grep :80
tcp6 0 0 :::80 :::* LISTEN 44623/httpd
Code:
$ sudo lsof -i -P -n | grep LISTEN
rpcbind 525 rpc 8u IPv4 16846 0t0 TCP *:111 (LISTEN)
rpcbind 525 rpc 11u IPv6 16849 0t0 TCP *:111 (LISTEN)
sshd 862 root 3u IPv4 20164 0t0 TCP *:22 (LISTEN)
sshd 862 root 4u IPv6 20249 0t0 TCP *:22 (LISTEN)
mysqld 889 mysql 17u IPv6 21462 0t0 TCP *:3306 (LISTEN)
master 986 root 13u IPv4 21159 0t0 TCP 127.0.0.1:25 (LISTEN)
master 986 root 14u IPv6 21160 0t0 TCP [::1]:25 (LISTEN)
httpd 44623 root 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 44623 root 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 44637 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 44637 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 44713 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 44713 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 44957 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 44957 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 44982 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 44982 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 45708 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 45708 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 45760 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 45760 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 45763 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 45763 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 45778 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 45778 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 45784 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 45784 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
httpd 45785 apache 4u IPv6 60213351 0t0 TCP *:80 (LISTEN)
httpd 45785 apache 8u IPv6 60213359 0t0 TCP *:443 (LISTEN)
Not sure if that info is useful to anyone ... but I'm guessing it looks like it should do, in which case I suppose the problem is my Apache config, rather than a machine/networky issue?
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Need help with SSL on Apache
The directive "SSLEngine on" is REQUIRED, so if your apache config can't run with that, then that implies a serious problem.
Interestingly, it should be there by default when you install the mod_ssl package. That confirms the above... Check all your /etc/httpd/conf and /etc/httpd/conf.d files all over again and see what causes apache to die; there should be a detailed error in /var/log/httpd
--
R.I.P. CentOS