running CGI with HTTPS

Hi All,

First post here, but have been a Linode member a while now and have been trundling along/learning with my Linode whenever I get the time.

I have a problem which I'm hoping someone can help me fix. I've installed a private proxy program on my Linode. I will be using this to access CPanel on another server as my company's firewall does not allow access to CPanel ports. I have the proxy only allowing access to a few of my own sites so no worries with spammers/hackers using it for any other unwanted access.

Anyhow, I can access the proxy on insecure HTTP just fine. However when I try it with HTTPS, then IE reports "Page cannot be displayed" / "Cannot find server or DNS Error".

I am using Debian and have Webmin working fine with HTTPS (how I don't know I just followed the install instructions!). The cgi script in question is located in /usr/lib/cgi-bin which I think is normal for Debian.

Consequently if I simply visit my default Debian apache home page with HTTP the home page displays fine, but using HTTPS gives the same 'Cannot find server' error.

Has anyone any suggestions as to what I might be missing or doing wrong?

Really appreciating any help you can provide as I now find myself at a dead end with this one (I'm all Googled out!).

19 Replies

By default, Webmin installs its own http server (miniserv.pl). If this is the case on your machine, the fact that Webmin is working does not necessarily indicate that Apache ssl is working.

Post the relevant parts of your apache log files so we can have a look.

Here's the last few lines in /var/log/apache/error.log :

[Thu Jun 10 06:25:03 2004] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
[Thu Jun 10 06:25:04 2004] [notice] Apache/1.3.26 (Unix) Debian GNU/Linux configured -- resuming normal operations
[Thu Jun 10 06:25:04 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Thu Jun 10 06:25:04 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)

No other errors reported for today. Could that be causing it? If so how do I sort it out? If not anything else?

BTW, thanks for the reply :)

Those log entries are not relevant to the problem at hand. mod_mime_magic relates to identifying file types by having the web server examine the first few bytes of a file as it serves it.

Obvious question - mod_ssl is installed with the relevant certificate files where it expects to find them?

Try setting apache's loglevel to debug (add/change 'LogLevel debug' [without quotes] in httpd.conf), restarting apache and accessing your site via https. Then post your logs again, starting from the entries where apache is restarting.

It looks like your ssl isn't starting up. Looking at the logs as apache starts should tell us why.

Edited at 13:25 UT after I had another think..

@pclissold:

Obvious question - mod_ssl is installed with the relevant certificate files where it expects to find them?

Hmm, I think I need a quick lesson in SSL! Do I need to purchase a cert to use HTTPS? All I have done so far was tick MOD_SSL in Webmin and restart Apache, but apart from that haven't done anything else.

Just in case this info helps, the proxy script I've installed is http://www.jmarshall.com/tools/cgiproxy/

In the SSL FAQ it says you just need to install OpenSSL and Perl module Net::SSLeay. It gives ways to check if these are already installed and it looks like my VPS has both installed.

No, you don't have to purchase a certificate - you can make one yourself or one can be made during mod_ssl install - your browser will just bitch about certificate signing because you didn't give Verisign any money.

> In the SSL FAQ it says you just need to install OpenSSL and Perl module Net::SSLeay. It gives ways to check if these are already installed and it looks like my VPS has both installed.

This enables CGIProxy to access secure servers from your Linode. You still need to be able to access CGIProxy on your Linode from your desktop - to do that securely mod_ssl has to be working correctly with apache on your Linode. In your first post, you said that you couldn't access the default web page on your linode using https - so I don't think this is a CGIProxy problem.

If you can tick mod_ssl in Webmin then it is installed but is it working? The inability to access anything https on your Linode makes me think that the ssl enabled http is failing to start.

pclissold, thanks for explaining all of the above. It's what I had thought, but not in as much detail as you have explained. As far as I can remember there is a section in Webmin (somewhere..came across it yesterday) to setup SSL in Webmin. I didn't venture any further as I didn't know what to do.

Anyhow, I'll go with the Apache debug mode/restart and see what it reports back - I'll post back again in a mo.

Cheers again pclissold, you've been very helpful indeed :).

OK, error.log has the following to report when I restarted in debug:

[Thu Jun 10 10:50:33 2004] [notice] caught SIGTERM, shutting down
[Thu Jun 10 10:50:44 2004] [info] mod_unique_id: using ip addr 65.19.178.177
[Thu Jun 10 10:50:44 2004] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
[Thu Jun 10 10:50:45 2004] [info] mod_unique_id: using ip addr 65.19.178.177
[Thu Jun 10 10:50:45 2004] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
[Thu Jun 10 10:50:45 2004] [info] created shared memory segment #131072
[Thu Jun 10 10:50:46 2004] [notice] Apache/1.3.26 (Unix) Debian GNU/Linux configured -- resuming normal operations
[Thu Jun 10 10:50:46 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Thu Jun 10 10:50:46 2004] [info] Server built: Oct 26 2002 09:15:15
[Thu Jun 10 10:50:46 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)

Nothing stands out there to me….are there any other logs I should be looking at?

Also, what other Apache modules might I need to have switched on? Here are the ones I currently have switched on:

core, mod_autoindex, mod_cgi, mod_status, mod_access, mod_dir, mod_mime, mod_setenvif, mod_auth, mod_log_config, mod_mime_magic, mod_userdir, mod_alias, mod_negotiation

Just a thought how do I double check that I do in fact have SSL installed in the first place?

I hope that Webmin wouldn't offer mod-ssl as an option if it wasn't installed.

You should have an entry 'AddModule mod_ssl' [no quotes] in your apache configuration file. I'm not sure how you actually tell if it's running - beyond messages in the logs. When my apache starts up with debug logging, I get ten or fifteen ssl related log messages.

Your list of modules will certainly be OK for looking at the default home page - I'm not sure about what you need for CGIProxy.

I think that I first need to get HTTPS working with Apache, so therefore I'm thinking that nothing more has to be done for CGIProxy, just to get SSL/HTTPS working I suppose.

When you say put Apache in debug mode, this is the first time I've ever done it, and not sure if it was the right way. I just searched for 'debug' in apache config file and found it in the comments, and so changed the flag to debug. Can't remember the exact flag I changed, will check it again tomorrow morning (European time, so I guess that is good timing when you are being so helpful pclissold :) )

If anyone else comes along in the meantime and has any suggestions then fire ahead anyhow and I can try them all tomorrow - thanks! (and remember, be as detailed as you can cause I'm not too familiar with some of this stuff, although I'm fine with UNIX in general)

You should post contents of error_log, instead of access_log

-John

> Also, what other Apache modules might I need to have switched on? Here are the ones I currently have switched on:
>
> core, mod_autoindex, mod_cgi, mod_status, mod_access, mod_dir, mod_mime, mod_setenvif, mod_auth, mod_log_config, mod_mime_magic, mod_userdir, mod_alias, mod_negotiation
>
> Just a thought how do I double check that I do in fact have SSL installed in the first place?

Please note guys that mod_ssl does not appear in the list. I think we found our problem :D

@Acid-Duck:

Please note guys that mod_ssl does not appear in the list. I think we found our problem :D

Well, yes it's a problem, but not the final solution…well spotted though, thanks! :)

I did tick the mod_ssl box, but when I saved it and go back in, it's unticked again! I figured out this was due to the fact the apache OpenSSL modules were not loaded on my Debian install.

So I've tried several things and am now a little further on…

Installed OpenSSL - OK

Setup virtualhost on port 443 - OK

In the Virtualhost, in 'SSL Options' I switch on SSL = NOT OK!

When the last step is done and I 'apply changes', I then receive the following error:

Failed to apply changes :

Syntax error on line 1020 of /etc/apache/httpd.conf:

Invalid command 'SSLEnable', perhaps mis-spelled or defined by a module not included in the server configuration

At the end of the conf file is:

DocumentRoot "/var/www"

ServerName li5-177.members.linode.com

SSLEnable

If I comment out the 'SSLEnable' line Apache reports no errors.

Now I guess that this occurs due to the fact that I haven't generated a cert or something, due to the following errors reported in ERROR.LOG

[Fri Jun 11 06:25:05 2004] [error] mod_ssl: Init: (li5-177.members.linode.com:443) No SSL Certificate set [hint: SSLCertificateFile]

[Fri Jun 11 07:00:24 2004] [error] mod_ssl: Init: Server li5-177.members.linode.com:443 should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

So I think that I am almost there now. My final hurdle is the missing Cert. Do I set this up in 'SSL Options' under Virtualhost for port 443? If so what values do I give? All key files are set to 'Default', and I thought this would have re-used the Webmin Cert????

Any suggestions?

> DocumentRoot "/var/www"
> ServerName li5-177.members.linode.com
> SSLEnable

This doesn't look right - I would expect to see 'SSLEngine on' rather than 'SSLEnable'. I have seen this reported elsewhere - old versions of Webmin putting outdated SSL directives in httpd.conf files.

Once the certificate problem is solved, try hand editing /etc/apache/httpd.conf. If this fixes the problem then you need to get a more up to date version of Webmin.

You definitely still have to create a certificate - I don't know how Webmin supports this.

Look here for how to generate a server certificate without Webmin: http://www.modssl.org/docs/2.8/sslfaq.html#ToC28 and here http://www.modssl.org/docs/2.8/sslfaq.html#ToC29 for how to sign the resulting certificate yourself rather than paying Verisign to do it. Caveat - self-signed server certificates cause browsers to complain that the certificate can't be trusted because it's not signed by a trusted root authority - not a problem if it's only you that's using it, but not much good if you're setting up an on-line store.

@pclissold:

This doesn't look right - I would expect to see 'SSLEngine on' rather than 'SSLEnable'. I have seen this reported elsewhere - old versions of Webmin putting outdated SSL directives in httpd.conf files.

Once the certificate problem is solved, try hand editing /etc/apache/httpd.conf. If this fixes the problem then you need to get a more up to date version of Webmin.

Strange, Webmin plus all modules are at latest version, I update them regularly.

I'll work on the Cert later tonight/weekend if I get a chance. I cannot log in using SSH from my workplace due to firewall restrictions (heh, the reason for the proxy install in the first place!). I can issue online commands using Webmin, but it's not an interactive interface and so I cannot enter answers to any of the OpenSSL questions that are prompted during the certification generation. (or does anyone know an online Cert generator that will generate the file for me and then I could upload it?)

I'll let you know how I get on anyhow - thanks again for your suggestions and help. :)

OK, I still haven't got this working yet.

So far I've generated a self signed cert as per the links above. I've installed it and apache works and reports no associated problems. After a system reboot, my apache error log reports the following:

[Thu Jun 17 09:08:12 2004] [info] mod_unique_id: using ip addr 65.19.178.177
[Thu Jun 17 09:08:12 2004] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
[Thu Jun 17 09:08:13 2004] [warn] pid file /var/run/apache.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Jun 17 09:08:13 2004] [info] mod_unique_id: using ip addr 65.19.178.177
[Thu Jun 17 09:08:13 2004] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
[Thu Jun 17 09:08:13 2004] [info] created shared memory segment #0
[Thu Jun 17 09:08:14 2004] [notice] Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6g configured -- resuming normal operations
[Thu Jun 17 09:08:14 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Thu Jun 17 09:08:14 2004] [info] Server built: Oct 26 2002 09:15:15
[Thu Jun 17 09:08:14 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)

http://li5-177.members.linode.com/ works fine, but

https://li5-177.members.linode.com/ reports "Cannot find server or DNS Error" in IE (perhaps another browser may report different).

Perhaps the problem exists in my httpd.conf and the way I have the SSL configured there? I setup a virtual server running on port 443 like so:

DocumentRoot /var/www

ServerName li5-177.members.linode.com

SSLEnable

SSLCertificateFile /etc/apache/serv.crt

SSLCertificateKeyFile /etc/apache/serv.key

SSLEngine on

SSLOptions +StdEnvVars

ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"

SSLOptions +StdEnvVars

AllowOverride None

Options FollowSymLinks

SSLRequireSSL

Order allow,deny

# isp.net intranet only. Could easily be extended to certain workstations
# (users) or class C's easily

Allow from 192.168.0

LogLevel debug

Any further suggestions please? :)

Check your suexec.log. The information in this log may be more useful than the apache log. I'm not sure where it is located with Debian. You can run the command "suexec -V" and see where it is located at. Here are the results from my execution:

-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

Note that I had to rebuild the SRPM for httpd so that suexec would work with my webmin installation.

perhaps you need to:

apt-get install libapache-mod-ssl

Firefox reports:

> The connection to li5-177.members.linode.com has terminated unexpectedly. Some data may have been transferred.

Is the virtual server's DocumentRoot inside the main server's DocumentRoot? If not, you may need to specifically enable access to /var/www in the virtual server config. Usual default setting is for apache to deny everything to everybody and then allow things in the DocumentRoot. Outside the main DocumentRoot you need (for example)

<Directory /path/somedirectory>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>

Just as a follow up to this, I got it working in the end :)

All that was missing was an entry for port 443 in the 'listen' section of the Apache config file (even though I had specified that in Webmin). For something so small, it really wasted so much of my time! Ah well, I've learned a lot in the process.

Thanks guys for all your assistance :)
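
The three problems this thread worked through (the outdated SSLEnable directive, an SSL virtual host with no SSLCertificateFile, and finally no Listen entry for port 443) can be checked for mechanically before restarting Apache. The following Python is an added example, not code from any poster in the thread; the sample configuration, its address and host name are constructed, and `port_of` and `lint_ssl_config` are hypothetical names.

```python
import re

# Constructed httpd.conf fragment (not the poster's file): an SSL virtual host
# on port 443 while the only Listen directive is for port 80.
SAMPLE_CONF = """\
Listen 80
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEnable
    SSLEngine on
    SSLCertificateKeyFile /etc/apache/serv.key
</VirtualHost>
"""

def port_of(addr):
    """Port from 'port', 'host:port' or '[v6]:port'; None if no port is given."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def lint_ssl_config(conf_text):
    """Return findings for the three SSL problems that came up in the thread."""
    listen, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"ports": {port_of(a) for a in opened.group(1).split()}}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            parts = line.split(None, 1)
            name, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
            if name == "listen" and value:
                listen.add(port_of(value.split()[0]))
            elif current is not None:
                current[name] = value.strip().lower()
    findings = []
    for vh in vhosts:  # evaluated last, so Listen may appear after the vhost
        for port in sorted(p for p in vh["ports"] if p and p not in listen):
            findings.append(f"no Listen directive for VirtualHost port {port}")
        if "sslenable" in vh:
            findings.append("outdated SSLEnable directive; use 'SSLEngine on'")
        if vh.get("sslengine") == "on" and "sslcertificatefile" not in vh:
            findings.append("SSLEngine on but no SSLCertificateFile")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ssl_config(SAMPLE_CONF)))
```
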
