Apache SSL Oddity on transfer to Linode

Hi Folks

I'm hoping that someone out there will have seen this same problem (and fixed it!):

In the process of moving things from my colo box to my Linode, all going smoothly apart from my https site.

My setup: Gentoo 2006.1, but Apache, MySQL and PHP all hand-built and identical configuration to other machines I have set up.

I have copied my entire Apache config directory from my colo box (including SSL certificates) to my Linode.

If I try to access the SSL host FROM the Linode, using Lynx, it works without complaint. (I set the host up in /etc/hosts as the "real" one is still running on the colo box.)

However, when I try to access it from somewhere else, Firefox gives me an error -12263, which documentation suggests that my SSL is stuffed. (en-GB: broken). Lynx just says "unable to make secure connection to remote host".

I have tested this with no firewall running at all, with no different result.

Before I rush off and build a separate version of OpenSSL and re-build Apache against it, I was wondering if anyone had any bright ideas on this?

Cheers

M

12 Replies

Perhaps check out with:

$ openssl s_client -connect <host>:443

from a remote site?

You're looking to see if it returns a reasonably valid SSL certificate without some unusual or nasty errors.

Also, what does the Apache accesslog and errorlog say about your Firefox connection attempt?

I guess this counts as a nasty error:

smith@brutus ~ $ openssl s_client -connect andreas:443
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

@smiffy:

I guess this counts as a nasty error:

smith@brutus ~ $ openssl s_client -connect andreas:443
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:


Sounds like it's listening to port 443 but not with SSL. Potentially you might have just a plain webserver running on it, so try telnet'ing to it and doing the "GET" by hand. That'd imply a misconfig. If the connection opens and aborts then check the server logs; it might be complaining about permissions or missing files or something.
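An added example, not code from the thread, of the check the reply above describes: instead of telnetting and typing a GET by hand, send a ClientHello and look at the first bytes that come back, which is what decides between "port 443 speaks TLS" and "port 443 is a plain-HTTP listener" (the case s_client reports as "unknown protocol"). The sample replies are constructed, and the host passed to probe() is an assumption.

```python
import os
import socket
import struct

# Constructed sample replies (not captured from the poster's hosts).
SAMPLE_HTTP_ON_443 = (b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n\r\n"
                      b"<html><body>Bad Request</body></html>")
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])  # fatal handshake_failure

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, app data

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello.

    'tls'        : a TLS record (ServerHello or an alert), so the port speaks TLS
    'plain-http' : an HTTP response, i.e. a non-SSL listener on the SSL port
    'no-data'    : the peer closed without sending anything
    'unknown'    : something else entirely (another protocol, garbage)
    """
    if not data:
        return "no-data"
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls"          # record header: type, version 0x03xx, length
    if data[:5].upper() == b"HTTP/":
        return "plain-http"   # Apache answers binary junk with "400 Bad Request"
    return "unknown"

def build_client_hello() -> bytes:
    """Hand-built TLS 1.2 ClientHello, three common suites, no extensions.
    A TLS server answers it with a ServerHello or at least an alert record."""
    suites = struct.pack("!3H", 0xC02F, 0x009C, 0x002F)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"     # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(64)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

if __name__ == "__main__":
    import sys
    print("http-on-443 sample:", classify_reply(SAMPLE_HTTP_ON_443))
    print("tls-alert sample:  ", classify_reply(SAMPLE_TLS_ALERT))
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}:443 ->", probe(sys.argv[1]))
```

A 'plain-http' result points at the listener/vhost configuration, not at OpenSSL or the certificates, which is where this thread eventually ended up.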

If I telnet and do a GET, I am given the error page that I set up for when you call the machine by its IP, rather than a legitimate virtual host.

No errors at all - just a brief mention in access_log.

So, you are right - it appears to be doing a non-SSL listen on the SSL port.

Setting up Apache is something I always do myself, using a script that feeds configure. So, build is the same as on two other machines that are running properly. The entire Apache config directory, including the SSL certificates, was taken from the existing, working machine.

The problem is occurring on both my Linodes (configuration the same on both, as one is a backup). I have started doing experimentation on my backup unit, so as not to disturb normal operations. I have re-built OpenSSH and then Apache on that one, with no difference.

This is most puzzling.

Just tried adding "Listen 67.18.176.140:443" to my httpd.conf; when I tried to restart using apachectl sslstart, I got this:

(98)Address already in use: make_sock: could not bind to address 67.18.176.140:443
no listening sockets available, shutting down
Unable to open logs

Ignore this! The listen was already being pulled in by an include ;-)

Many thanks to those who offered advice on this.

The issue is now CLOSED, not because I've fixed the problem, but because I decided to upgrade from httpd 2.0.19 to 2.2.4.

I have been putting this off for some time, due to possible difficulties with modauthmysql, on which many of my applications are dependent.

SSL worked straight off, when I did this; it did mean that I have spent most of the day fixing all the other issues - like getting modauthmysql working (there's a patch available) - rebuilding PHP (twice), etc, etc.

Now all working fine on my backup Linode; will install on my production Linode early one morning, before my clients are awake ;-)

On the note of modauthmysql, how did you get it working? Cause buggered if I have been able to with the new setup they have.

OK, two things you need to get the current version (3.0.0) working:

1) http://www.bleb.org/software/modauthmysql-3.0.0-apache-2.2.3.patch

Works with 2.2.4.

2) You need to fiddle with your directives in your Apache config; fit between your 'AuthType Basic' and the first of the MySQL directives:

AuthType                Basic
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQLAuthoritative On

Hope this works for you too…

I spoke too soon on the SSL problem :-(

Although working on my backup unit, the production unit, now running httpd 2.2.4 with an identical config, is spitting the same stupid error :-(

EDIT: Whoohoo! Think I've found it. It occurred to me to do apachectl -S - the SSL vhost was trying to look up the IP address of the host in question (i.e. another host) and bind to that IP address:443.

I have now added the vhost name to /etc/hosts against the REAL IP address of the Linode and openssl is now spitting back a certificate at me.

And not an entry in any log anywhere. Good, eh?

For some reason I was getting a similar message when my SSL vhost conf files were in vhosts.d, but not when they were in modules.d.

Although I got around it, I still can't pinpoint the cause. It is a bit of an oddity as your experience shows.

(Note: I don't use the ebuild Apache, but build it myself so it's not a distribution-specific issue.)

I got that same result (unknown protocol) recently (in fact I found this forum thread by pasting the error message into Google), and eventually found that apache was being started without the defines which are checked in the config files (i.e. in IFDEF statements). I had to add "-D SSL" and such into the APACHEOPTS variable in the apache2 file in /etc/init.d/conf.d. (This may be somewhat different for you, I'm running under Gentoo.) So apache was actually being started without the SSLEngine on directive, etc., because an IFDEF in 40mod_ssl.conf was excluding that section, in my case.

Shavais

One awesome thing about Apache is that it's incredibly configurable. One really sucky thing about it is that it's so freaking configurable.
