[Solved] SSL install Issue. Empty httpd.conf the problem?

On Ubuntu 10.04

* Got SSL for domain name.

* Install failed.

* On phone for over an hour with SSL supplier, using "view my screen" so we could see the same thing.

* According to him, our system was never configured to run SSL to begin with.

  * httpd.conf is empty

* no ssl.conf exists

* ports.conf referenced in help page only has this:
    > NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

Listen 443

Listen 443

The certs all in place, and tried referencing them as per the above help page, as well as using the httpd.conf that the SSL provider recommended. All efforts lead simply to a crashed site.

Lil' help?

-------EDIT-------

ADDED FROM POST BELOW SO IT'S NOT MISSED

Tried adding this to ports.conf already

ServerName http://www.*.com

SSLEngine On

SSLCertificateFile /etc/ssl/private/public.crt

SSLCertificateKeyFile /etc/ssl/private/our.key

SSLCACertificateFile /etc/ssl/private/intermediate.crt

Site died a quick death.

-------/EDIT-------

21 Replies

via IRC:

> 13:00:55 New news from forum: SSL install Issue. Empty httpd.conf the problem? in Linux Networking <http://forum.linode.com/viewtopic.php?t=9008&p=51769#p51769>
>
> 13:02:45 ^ that guy needs to add NameVirtualHost *:443 to ports.conf, add a block to his sites-blah/foo.conf, and then define the CertFile stuff in there.

@Obsidian:

> via IRC:
>
> > 13:00:55 New news from forum: SSL install Issue. Empty httpd.conf the problem? in Linux Networking <http://forum.linode.com/viewtopic.php?t=9008&p=51769#p51769>
> >
> > 13:02:45 ^ that guy needs to add NameVirtualHost *:443 to ports.conf, add a block to his sites-blah/foo.conf, and then define the CertFile stuff in there.

Tried adding this to ports.conf already

ServerName http://www.*.com

SSLEngine On

SSLCertificateFile /etc/ssl/private/public.crt

SSLCertificateKeyFile /etc/ssl/private/our.key

SSLCACertificateFile /etc/ssl/private/intermediate.crt

Site died a quick death.

Any particular errors in the logs?

Also, you probably want "ServerName www.example.com" there. And you probably don't want that in ports.conf, either.

@hoopycat:

> Any particular errors in the logs?

The error logs don't seem to provide any help, other than PHP hits a fatal error (basically try/catch header("HTTP/1.0 404 Not Found");) just when going to the site on regular http. (This occurs after I add the VirtualHost argument. Otherwise, the site's up and running just fine.)

@hoopycat:

> Also, you probably want "ServerName http://www.example.com" there. And you probably don't want that in ports.conf, either.

Already did the ServerName part if you see what I wrote above. Also tried listing it on the ports.conf and httpd.conf just in case.

Site still dies.

Don't redact your logs, your conf, or anything like that. You're making it an absolute pain to troubleshoot effectively.

@Obsidian:

> Don't redact your logs, your conf, or anything like that. You're making it an absolute pain to troubleshoot effectively.

Sorry, I'll try to give better info. Here's the error from the site.error.log:

[Mon Jun 18 01:44:53 2012] [error] [client ...] PHP Fatal error: Uncaught exception 'ZendControllerRouter_Exception' with message 'No route, document, custom route or redirect is matching the request: /favicon.ico' in /var/www/pimcore/lib/Pimcore.php:241\nStack trace:\n#0 /var/www/site.com/index.php(19): Pimcore::run()\n#1 {main}\n thrown in /var/www/pimcore/lib/Pimcore.php on line 241

Here's my ports.conf:

NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

Listen 443

Listen 443

And my httpd.conf is completely empty. Nothing in it.

httpd.conf, under ubuntu, is used for custom stuff. apache.conf (or is it apache2.conf?) contains the normal apache directives.

@Obsidian:

> httpd.conf, under ubuntu, is used for custom stuff. apache.conf (or is it apache2.conf?) contains the normal apache directives.

All I know is that the SSL company's install directions said to add the info to the http.conf, and Linode's docs say to use ports.conf. Tried both. Doesn't work. Are you saying I need to try to add it to apache2.conf instead?

@josh-chs:

> @Obsidian:
>
> > httpd.conf, under ubuntu, is used for custom stuff. apache.conf (or is it apache2.conf?) contains the normal apache directives.
>
> All I know is that the SSL company's install directions said to add the info to the http.conf, and Linode's docs say to use ports.conf. Tried both. Doesn't work. Are you saying I need to try to add it to apache2.conf instead?

Check to see if anything conflicts within apache.conf.

That error message though is interesting - it leads me to think that something is odd within your site's configuration, which may or may not be related. Try adding a favicon file for your site, at least, even if it's an empty icon file.

@Obsidian:

> Check to see if anything conflicts within apache.conf.

Doubt there's any real conflicts, as the site's been up for over a year. Only dies when trying to connect this SSL issue.

@Obsidian:

> That error message though is interesting - it leads me to think that something is odd within your site's configuration, which may or may not be related. Try adding a favicon file for your site, at least, even if it's an empty icon file.

Tried adding favicon. Same thing. Death.

The bizarre thing is that the error logs say the same thing.

I'll be back in an hour.

Unfortunately my Ouija board is at the dry cleaners, and there's an injunction preventing me from playing 20 questions (long story), so good luck with getting people to guess at solving YOUR problem.

Here's a hint: Provide REAL DETAILS instead of all this stealth crap.

@vonskippy:

> Here's a hint: Provide REAL DETAILS instead of all this stealth crap.

My apologies, however I don't see what good knowing the IP or domain name would do in solving the issue. (Perhaps I'm just being too paranoid about getting hacked. Yes I keep things updated/upgraded, and have strong passwords, but…) If I'm not giving the correct information needed to help narrow down the problem let me know. I've been asked for the errors, conf files etc. and I gave those. Well, not the apache2.conf. However, that was never mentioned in any of the SSL install docs I've seen.

Yes, I'm inexperienced in Apache2 and inherited this funky site. So… What logs/conf/etc files have I not given yet that you folks will find useful in helping me?

Here's my entire ports.conf


If you just change the port or add more ports here, you will likely also

have to change the VirtualHost statement in

/etc/apache2/sites-enabled/000-default

This is also true if you have upgraded from before 2.2.9-3 (i.e. from

Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and

README.Debian.gz

NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

Listen 443

Listen 443


And my entire httpd.conf



Like I said. Empty.

From /var/log/apache2/error.log


[Mon Jun 18 04:02:25 2012] [notice] caught SIGTERM, shutting down

PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0

PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0

[Mon Jun 18 04:03:56 2012] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.15 with Suhosin-Patch configured -- resuming normal operations


Which I believe is just the normal blah blah when I reboot.

What else can I show you that may help?

OK, so I don't think it's me. Been on tech support again w/ SSL provider and here's what occurred.

SSL Tech Support: Welcome to support, how can I help?

Me: Hello, I need SSL installation support from someone with good Apache2 knowledge.

Me: I've been dealing w/ support via chat and phone a few times, but there's obviously some issue buried deep that's preventing proper installation.

SSL Tech Support: what seems to be the issue you're having?

Me: Added the *.crt files & *.key to the proper /etc/ssl/ folders, but when I add the

Me: removing the

SSL Tech Support: can you paste the virtualhost here please

Me: tried using both SSLCACertificateFile & SSLCertificateChainFile arguments. No good.

Me: ServerName site.com

SSLEngine On

SSLCertificateFile /etc/ssl/certs/public.crt

SSLCertificateKeyFile /etc/ssl/private/this.key

SSLCACertificateFile /etc/ssl/certs/intermediate.crt

SSL Tech Support: can you paste the contents of public.crt 5 lines at a time in this window

Me: 1 sec.

[edited]

Me: done

SSL Tech Support: thanks

SSL Tech Support: checking the contents now

Me: ty

SSL Tech Support: can you check the apache log for any errors ?

Me: /var/log/apache2/error.log just shows this, which I believe is from when I reboot the system.

Me: [Mon Jun 18 06:27:47 2012] [notice] caught SIGTERM, shutting down

PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0

PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0

[Mon Jun 18 06:31:35 2012] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.15 with Suhosin-Patch configured -- resuming no

Me: resuming normal operations

SSL Tech Support: this is not related to SSL though..

Me: nope

SSL Tech Support: can you enable the virtualhost then restart apache

SSL Tech Support: then check the error

Me: 1 sec.

Me: [Mon Jun 18 06:49:10 2012] [notice] caught SIGTERM, shutting down

Me: when I removed the virtualhost and reboot, I get the other 3 lines I already pasted.

Me: and the site is running fine in http mode.

SSL Tech Support: I think this is more of an apache system issue than an SSL issue

SSL Tech Support: your config is fine and this is not normal behavior for apache to shutdown unexpectedly without meaningful errors in the log

SSL Tech Support: even if the keys are invalid, apache should normally report it.. you're not even getting that far.

SSL Tech Support: I would try re-installing the apache package

Me: Bit of a huge response. The site has been running for over a year and I don't like the idea of destroying it.

SSL Tech Support: well it's been working fine in http mode, doesn't look like https is working though.

SSL Tech Support: we can't really troubleshoot this issue, only make recommendations.

Me: Besides, not sure if reinstalling apache is an option. It's kind of a package deal with our hoster.

SSL Tech Support: but normally speaking even if the key files are corrupt, apache should say something.. it almost sounds like there are missing modules which is crashing apache..

SSL Tech Support: I understand.. you will definitely need to report this to the host.

SSL Tech Support: at least it's in good hands for them to check for you.

Me: That was what another tech mentioned. He said it was like the htpS mod doesn't even exist. If not, how can I install that part?

Me: Sorry, Apache n00b that inherited a crazy system. Not the best situation, I understand, but have to do what I can here.

SSL Tech Support: yeah, understand that but leave that to your host to sort out.. we can't even advise on that, bit out of our scope too.

Me: K if you can't help, not sure what I can do. I knew it is an Apache issue. Just having trouble finding help.

SSL Tech Support: your host should be responsible

SSL Tech Support: not sure how you can reach them though

Me: However I understand you can't help. Thanks for your time.

SSL Tech Support: sorry I couldn't help any further

SSL Tech Support: good luck

SSL Tech Support: good day

Me: ty u2

Well, the good news is that you ARE your host, so you know how to reach them.

What does your site's configuration normally look like? You should have a file, /etc/apache2/sites-available/*.com, which contains its configuration. Also, what does 'apache2ctl -S' say?

@hoopycat:

> Well, the good news is that you ARE your host, so you know how to reach them.

Yeah, didn't bother trying to explain that to them. "We run the site, but we don't". :?

@Obsidian, I owe you an apology. That favicon error came from the wrong error.log. I completely messed up there. I'm sorry. (Insert typical useless "tired/frustrated" excuse here)

OK, back to the issue.

@hoopycat:

> What does your site's configuration normally look like? You should have a file, /etc/apache2/sites-available/*.com, which contains its configuration. Also, what does 'apache2ctl -S' say?

/etc/apache2/sites-available/.com*

ServerAdmin webmaster@site.com

ServerName web.site.com

ServerAlias site.com

DocumentRoot /var/www/site.com

Options FollowSymLinks

AllowOverride None

Options -indexes FollowSymLinks MultiViews

AllowOverride All

Order allow,deny

allow from all

ErrorLog /var/log/apache2/site.com.error.log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/log/apache2/site.com.access.log combined

And…

root:~# /usr/sbin/apache2ctl -S

VirtualHost configuration:

wildcard NameVirtualHosts and default servers:

*:80 is a NameVirtualHost

default server this.site.com (/etc/apache2/sites-enabled/000-default:1)

port 80 namevhost this.site.com (/etc/apache2/sites-enabled/000-default:1)

port 80 namevhost web.site2.com (/etc/apache2/sites-enabled/site2.com:1)

port 80 namevhost web.site.com (/etc/apache2/sites-enabled/site.com:1)

Syntax OK

No, that site2.com isn't a mistake. We're running two domains with almost identical sites from the same IP.

And yeah, port 80 seems the only port setup here according to this.

OK, which site is going to get the SSL magic: this.site.com (in /etc/apache2/sites-available/default) or web.site.com (in /etc/apache2/sites-available/site.com)?

If, to your ports.conf, you ONLY add the following, does everything that works now still work OK after restarting Apache? If so, what does apache2ctl -S say?

    <IfModule mod_ssl.c>
        # You can also just include this within the existing IfModule for mod_ssl
        NameVirtualHost *:443
    </IfModule>

If nothing changes, then you probably need to 'a2enmod ssl'.

OK, sorry for the long delay in replying. Last few weeks have been crazy busy.

@hoopycat:

> OK, which site is going to get the SSL magic: this.site.com (in /etc/apache2/sites-available/default) or web.site.com (in /etc/apache2/sites-available/site.com)?

web.site.com

@hoopycat:

> If, to your ports.conf, you ONLY add the following, does everything that works now still work OK after restarting Apache? If so, what does apache2ctl -S say?
>
>     <IfModule mod_ssl.c>
>         # You can also just include this within the existing IfModule for mod_ssl
>         NameVirtualHost *:443
>     </IfModule>

Since I already have a "IfModule mod_ssl.c" declaration in the ports.conf, I just added the NameVirtualHost. So it reads as:

    <IfModule mod_ssl.c>
        NameVirtualHost *:443
        Listen 443
    </IfModule>

After restarting, my site died again. :(

OK, it has been awhile so I might just be not-remembering stuff, but: define "died". Apache fails to start?

With the NameVirtualHost and Listen in there, but with things in the broken state, what does apache2ctl -S say? Also, what does netstat -ntlp say?

Again, had to take some time off, but now have to get back to this problem.

OK, after some personal research, I've pretty much fixed the original issue. Long story short:

a2enmod ssl
a2ensite ssl

However, now when I setup the argument on ports.conf and restart Apache, it asks for the CRT password. Problem is, my password records don't have any password on file for this.

So, how do I use my CRTs when I forgot the passwords? I suppose I'll have to remake the certificates, huh?

Update. Got the OpenSSL working and the virtualhost working. Now just trying to track down a timeout issue. Perhaps it's a firewall issue or something. I dunno.

I'm marking this as solved, since the issue was SSL seemingly not even running on my box. Now that is dealt with, I'm going to open a new thread to deal with this timeout issue.
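
The three things this thread turned on (mod_ssl not enabled, SSL directives placed in ports.conf rather than inside a VirtualHost block, and a passphrase-protected key that makes Apache prompt at start) can be checked before restarting Apache. The script below is an added example, not code from any poster; the function names and the sample tree built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for an Apache 2.2 SSL vhost on Ubuntu.

# 0 if "a2enmod ssl" has been run, i.e. ssl.load is present in mods-enabled.
ssl_module_enabled() { [ -e "$1/ssl.load" ]; }

# Lists SSL* directives that sit outside any <VirtualHost> block; 0 if none.
ssl_outside_vhost() {
    awk '{ l = tolower($0) }
         l ~ /^[ \t]*#/                  { next }
         l ~ /^[ \t]*<virtualhost[ \t>]/ { inside = 1; next }
         l ~ /^[ \t]*<\/virtualhost>/    { inside = 0; next }
         !inside && l ~ /^[ \t]*ssl[a-z]+[ \t]/ { print FNR ": " $0; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# 0 if the PEM key is passphrase-protected, so Apache prompts on every start.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Runs the three checks and prints one finding per line.
# $1 = apache config dir, $2 = file holding the SSL directives, $3 = key file
preflight() {
    ssl_module_enabled "$1/mods-enabled" || echo "mod_ssl not enabled: a2enmod ssl"
    ssl_outside_vhost "$2" >/dev/null || echo "SSL directives outside <VirtualHost>: $2"
    if key_is_encrypted "$3"; then echo "key has a passphrase: $3"; fi
    return 0
}

# Constructed sample tree reproducing the thread's first attempt.
demo() {
    d=$(mktemp -d) && mkdir "$d/mods-enabled"
    printf '%s\n' 'NameVirtualHost *:80' 'Listen 80' 'SSLEngine On' \
        'SSLCertificateFile /etc/ssl/private/public.crt' > "$d/ports.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        > "$d/our.key"      # header lines only, no key material
    preflight "$d" "$d/ports.conf" "$d/our.key"
    rm -rf "$d"
}

demo
```

On a real system the call would be `preflight /etc/apache2 /etc/apache2/sites-available/site.com /etc/ssl/private/our.key`, using the paths from this thread.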
