Apache SSL Oddity on transfer to Linode
I'm hoping that someone out there will have seen this same problem (and fixed it!):
In the process of moving things from my colo box to my Linode, all going smoothly apart from my https site.
My setup: Gentoo 2006.1, but Apache, MySQL and PHP all hand-built and identical in configuration to other machines I have set up.
I have copied my entire Apache config directory from my colo box (including SSL certificates) to my Linode.
If I try to access the SSL host FROM the Linode, using Lynx, it works without complaint. (I set the host up in /etc/hosts as the "real" one is still running on the colo box.)
However, when I try to access it from somewhere else, Firefox gives me an error -12263, which the documentation suggests means that my SSL is stuffed (en-GB: broken). Lynx just says "unable to make secure connection to remote host".
I have tested this with no firewall running at all, with no different result.
Before I rush off and build a separate version of OpenSSL and re-build Apache against it, I was wondering if anyone had any bright ideas on this?
Cheers
M
12 Replies
$ openssl s_client -connect <host>:443
from a remote site?
You're looking to see if it returns a reasonably valid SSL certificate without some unusual or nasty errors.
Also, what does the Apache accesslog and errorlog say about your Firefox connection attempt?
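The check suggested above, as an added example that is not from any poster in this thread: send one real TLS ClientHello to the port and look at the first bytes that come back. A TLS stack answers with a TLS record (a ServerHello, or an alert if it dislikes the offer); a plain HTTP listener on 443 answers with text, which is what openssl s_client reports as "unknown protocol". The cipher suites offered and the classification labels are my own choices.

```python
import os
import socket
import struct

# Cipher suites offered in the probe (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
# TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA).
PROBE_SUITES = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"


def build_client_hello():
    """Build a minimal TLS 1.2 ClientHello record (no extensions, no SNI).
    Any TLS speaker answers it with a TLS record: a ServerHello (0x16) or,
    if it dislikes the offer, an alert (0x15). A plain HTTP listener answers
    with text instead, which is what 'unknown protocol' from s_client means."""
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + os.urandom(32)                 # client random
        + b"\x00"                        # empty session id
        + struct.pack("!H", len(PROBE_SUITES)) + PROBE_SUITES
        + b"\x01\x00"                    # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first bytes a server sent back to the ClientHello."""
    if not data:
        return "no-reply"
    if data[0] == 0x16 and data[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"            # ServerHello: real TLS on this port
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls"            # TLS alert: a TLS stack is answering, just not happy
    if data.startswith(b"HTTP/"):
        return "plain-http"     # an HTTP server answered a TLS handshake with text
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            return classify_reply(sock.recv(16))
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "no-reply"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "port 443 answers:", probe(target))
```

Run it from a machine other than the server itself, as the reply says: a "plain-http" result is the misconfiguration case this thread is about, while "tls" means the port is at least being served by an SSL stack and any remaining trouble is in the certificate or the vhost, not the listener.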
smith@brutus ~ $ openssl s_client -connect andreas:443
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
@smiffy:
I guess this counts as a nasty error:
smith@brutus ~ $ openssl s_client -connect andreas:443
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Sounds like it's listening to port 443 but not with SSL. Potentially you might have just a plain webserver running on it, so try telnet'ing to it and doing the "GET" by hand. That'd imply a misconfig. If the connection opens and aborts then check the server logs; it might be complaining about permissions or missing files or something.
No errors at all - just a brief mention in access_log.
So, you are right - it appears to be doing a non-SSL listen on the SSL port.
Setting up Apache is something I always do myself, using a script that feeds configure. So, build is the same as on two other machines that are running properly. The entire Apache config directory, including the SSL certificates, was taken from the existing, working machine.
The problem is occurring on both my Linodes (configuration the same on both, as one is a backup). I have started doing experimentation on my backup unit, so as not to disturb normal operations. I have re-built OpenSSH and then Apache on that one, with no difference.
This is most puzzling.
(98)Address already in use: make_sock: could not bind to address 67.18.176.140:443
no listening sockets available, shutting down
Unable to open logs
Ignore this! The listen was already being pulled in by an include
The issue is now CLOSED, not because I've fixed the problem, but because I decided to upgrade from httpd 2.0.19 to 2.2.4.
I have been putting this off for some time, due to possible difficulties with modauthmysql, on which many of my applications are dependent.
SSL worked straight off, when I did this; it did mean that I have spent most of the day fixing all the other issues - like getting modauthmysql working (there's a patch available) - rebuilding PHP (twice), etc, etc.
Now all working fine on my backup Linode; will install on my production Linode early one morning, before my clients are awake.
1) Works with 2.2.4.
2) You need to fiddle with your directives in your Apache config; fit between your 'AuthType Basic' and the first of the MySQL directives:
AuthType Basic
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQLAuthoritative On
Hope this works for you too…
Although working on my backup unit, the production unit, now running httpd 2.2.4 with an identical config, is spitting the same stupid error.
EDIT: Whoohoo! Think I've found it. It occurred to me to do apachectl -S - the SSL vhost was trying to look up the IP address of the host in question (i.e. another host) and bind to that IP address:443.
I have now added the vhost name to /etc/hosts against the REAL IP address of the Linode and openssl is now spitting back a certificate at me.
And not an entry in any log anywhere. Good, eh?
(Note: I don't use the ebuild Apache, but build it myself so it's not a distribution-specific issue.)
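The failure mode found above, a <VirtualHost name:443> whose name resolves to the old box's address, can be caught before restarting Apache. The following is an added example, not code from anyone in this thread: it pulls every Listen and <VirtualHost> address out of a config, resolves host names through a supplied lookup table (standing in for /etc/hosts or DNS, since the real resolver is what went wrong here), and reports any bind address this machine does not own. The config fragment, the host names and every IP address in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed configuration fragment in the shape the thread describes: the
# SSL vhost is declared by host name instead of by IP address.
SAMPLE_CONFIG = """
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName www.example.net
</VirtualHost>
<VirtualHost secure.example.net:443>
    ServerName secure.example.net
    SSLEngine on
</VirtualHost>
"""

# Constructed stand-in for /etc/hosts (or DNS) as seen from the new box:
# before the fix the vhost name still points at the old colo box.
HOSTS_BEFORE_FIX = {"secure.example.net": "198.51.100.10"}   # old colo address
HOSTS_AFTER_FIX = {"secure.example.net": "203.0.113.20"}     # the new box's own address

# Constructed set of addresses configured on the new box's interfaces.
LOCAL_ADDRESSES = {"203.0.113.20", "127.0.0.1"}

VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE | re.MULTILINE)
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def split_addr_port(spec):
    """Split 'host:port', '[v6]:port', '*:443' or a bare port into (addr, port)."""
    if spec.startswith("["):                     # bracketed IPv6 literal
        addr, _, port = spec[1:].partition("]:")
        return addr, port or None
    if ":" in spec:
        addr, _, port = spec.rpartition(":")
        return addr, port
    return (None, spec) if spec.isdigit() else (spec, None)


def bind_addresses(config):
    """Yield (directive, addr, port) for every Listen and <VirtualHost> address."""
    for m in LISTEN_RE.finditer(config):
        addr, port = split_addr_port(m.group(1))
        yield "Listen", addr, port
    for m in VHOST_RE.finditer(config):
        for spec in m.group(1).split():          # a vhost may list several addresses
            addr, port = split_addr_port(spec)
            yield "VirtualHost", addr, port


def find_foreign_binds(config, hosts, local_addresses):
    """Return the directives whose address resolves to an IP this box does not own.
    'hosts' stands in for name resolution; wildcards and local IP literals pass,
    anything that is unresolvable or non-local is reported."""
    problems = []
    for directive, addr, port in bind_addresses(config):
        if addr in (None, "*", "_default_"):
            continue
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            ip = hosts.get(addr)                 # a host name: resolve it
        if ip is None:
            problems.append((directive, addr, port, "unresolvable"))
        elif ip not in local_addresses:
            problems.append((directive, addr, port, f"resolves to non-local {ip}"))
    return problems


if __name__ == "__main__":
    for label, hosts in (("before fix", HOSTS_BEFORE_FIX), ("after fix", HOSTS_AFTER_FIX)):
        print(label, find_foreign_binds(SAMPLE_CONFIG, hosts, LOCAL_ADDRESSES))
```

Before the /etc/hosts fix the check reports the 443 vhost as resolving to the colo address; after it, nothing. The broader lesson is the same one apachectl -S teaches: declare vhosts by IP literal or *, and make any host name in a bind directive resolve locally before the config leaves the old machine.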
Shavais
One awesome thing about Apache is that it's incredibly configurable. One really sucky thing about it is that it's so freaking configurable.