[Solved] SSL install Issue. Empty httpd.conf the problem?
Got SSL for domain name.
Install failed.
On phone for over an hour with SSL supplier, using "view my screen" so we could see the same thing.
According to him, our system was never configured to run SSL to begin with.
* httpd.conf is empty
* no ssl.conf exists
* ports.conf referenced in help page
Only has this:
NameVirtualHost *:80
Listen 80
# If you add NameVirtualHost *:443 here, you will also have to change the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not supported by MSIE on Windows XP.
Listen 443
Listen 443
The certs are all in place, and tried referencing them as per the above help page, as well as using the httpd.conf that the SSL provider recommended. All efforts lead simply to a crashed site.
Lil' help?
-------EDIT-------
ADDED FROM POST BELOW SO IT'S NOT MISSED
Tried adding this to ports.conf already
SSLEngine On
SSLCertificateFile /etc/ssl/private/public.crt
SSLCertificateKeyFile /etc/ssl/private/our.key
SSLCACertificateFile /etc/ssl/private/intermediate.crt
Site died a quick death.
-------/EDIT-------
21 Replies
via IRC:
> 13:00:55 New news from forum: SSL install Issue. Empty httpd.conf the problem? in Linux Networking http://forum.linode.com/viewtopic.php?t=9008&p=51769#p51769
> 13:02:45 ^ that guy needs to add NameVirtualHost *:443 to ports.conf, add a block to his sites-blah/foo.conf, and then define the CertFile stuff in there.
@Obsidian:
via IRC:
> 13:00:55 New news from forum: SSL install Issue. Empty httpd.conf the problem? in Linux Networking http://forum.linode.com/viewtopic.php?t=9008&p=51769#p51769
> 13:02:45 ^ that guy needs to add NameVirtualHost *:443 to ports.conf, add a block to his sites-blah/foo.conf, and then define the CertFile stuff in there.
Tried adding this to ports.conf already
SSLEngine On
SSLCertificateFile /etc/ssl/private/public.crt
SSLCertificateKeyFile /etc/ssl/private/our.key
SSLCACertificateFile /etc/ssl/private/intermediate.crt
Site died a quick death.
@hoopycat:
Any particular errors in the logs?
The error logs don't seem to provide any help, other than PHP hits a fatal error (basically try/catch header("HTTP/1.0 404 Not Found");) just when going to the site on regular http. (This occurs after I add the VirtualHost argument. Otherwise, the site's up and running just fine.)
@hoopycat:
Also, you probably want "ServerName http://www.example.com" there. And you probably don't want that in ports.conf, either.
Already did the ServerName part if you see what I wrote above. Also tried listing it on the ports.conf and httpd.conf just in case.
Site still dies.
@Obsidian:
Don't redact your logs, your conf, or anything like that. You're making it an absolute pain to troubleshoot effectively.
Sorry, I'll try to give better info. Here's the error from the site.error.log:
[Mon Jun 18 01:44:53 2012] [error] [client ...] PHP Fatal error: Uncaught exception 'ZendControllerRouter_Exception' with message 'No route, document, custom route or redirect is matching the request: /favicon.ico' in /var/www/pimcore/lib/Pimcore.php:241\nStack trace:\n#0 /var/www/site.com/index.php(19): Pimcore::run()\n#1 {main}\n thrown in /var/www/pimcore/lib/Pimcore.php on line 241
Here's my ports.conf:
NameVirtualHost *:80
Listen 80
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
And my httpd.conf is completely empty. Nothing in it.
@Obsidian:
httpd.conf, under ubuntu, is used for custom stuff. apache.conf (or is it apache2.conf?) contains the normal apache directives.
All I know is that the SSL company's install directions said to add the info to the http.conf, and Linodes docs says to use ports.conf. Tried both. Doesn't work. Are you saying I need to try to add it to apache2.conf instead?
@josh-chs:
@Obsidian: httpd.conf, under ubuntu, is used for custom stuff. apache.conf (or is it apache2.conf?) contains the normal apache directives.
All I know is that the SSL company's install directions said to add the info to the http.conf, and Linodes docs says to use ports.conf. Tried both. Doesn't work. Are you saying I need to try to add it to apache2.conf instead?
Check to see if anything conflicts within apache.conf.
That error message though is interesting - it leads me to think that something is odd within your site's configuration, which may or may not be related. Try adding a favicon file for your site, at least, even if it's an empty icon file.
@Obsidian:
Check to see if anything conflicts within apache.conf.
Doubt there's any real conflicts, as the site's been up for over a year. Only dies when trying to connect this SSL issue.
@Obsidian:
That error message though is interesting - it leads me to think that something is odd within your site's configuration, which may or may not be related. Try adding a favicon file for your site, at least, even if it's an empty icon file.
Tried adding favicon. Same thing. Death.
The bizarre thing is that the error logs say the same thing.
I'll be back in an hour.
Here's a hint: Provide REAL DETAILS instead of all this stealth crap.
@vonskippy:
Here's a hint: Provide REAL DETAILS instead of all this stealth crap.
My apologies, however I don't see what good knowing the IP or domain name would do in solving the issue. (Perhaps I'm just being too paranoid about getting hacked. Yes I keep things updated/upgraded, and have strong passwords, but…) If I'm not giving the correct information needed to help narrow down the problem let me know. I've been asked for the errors, conf files etc. and I gave those. Well, not the apache2.conf. However, that was never mentioned in any of the SSL install docs I've seen.
Yes, I'm inexperienced in Apache2 and inherited this funky site. So… What logs/conf/etc files have I not given yet that you folks will find useful in helping me?
Here's my entire ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
And my entire httpd.conf
Like I said. Empty.
From /var/log/apache2/error.log
[Mon Jun 18 04:02:25 2012] [notice] caught SIGTERM, shutting down
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
[Mon Jun 18 04:03:56 2012] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.15 with Suhosin-Patch configured -- resuming normal operations
Which I believe is just the normal blah blah when I reboot.
What else can I show you that may help?
SSL Tech Support: Welcome to support, how can I help?
Me: Hello, I need SSL installation support from someone with good Apache2 knowledge.
Me: I've been dealing w/ support via chat and phone a few times, but there's obviously some issue buried deep that's preventing proper installation.
SSL Tech Support: what seems to be the issue you're having?
Me: Added the *.crt files & *.key to the proper /etc/ssl/ folders, but when I add the
Me: tried using both SSLCACertificateFile & SSLCertificateChainFile arguments. No good.
Me:
SSLEngine On
SSLCertificateFile /etc/ssl/certs/public.crt
SSLCertificateKeyFile /etc/ssl/private/this.key
SSLCACertificateFile /etc/ssl/certs/intermediate.crt
SSL Tech Support: can you paste the contents of public.crt 5 lines at a time in this window
Me: 1 sec.
[edited]
Me: done
SSL Tech Support: thanks
SSL Tech Support: checking the contents now
Me: ty
SSL Tech Support: can you check the apache log for any errors ?
Me: /var/log/apache2/error.log just shows this, which I believe is from when I reboot the system.
Me: [Mon Jun 18 06:27:47 2012] [notice] caught SIGTERM, shutting down
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
[Mon Jun 18 06:31:35 2012] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.15 with Suhosin-Patch configured -- resuming no
Me: resuming normal operations
SSL Tech Support: this is not related to SSL though..
Me: nope
SSL Tech Support: can you enable the virtualhost then restart apache
SSL Tech Support: then check the error
Me: 1 sec.
Me: [Mon Jun 18 06:49:10 2012] [notice] caught SIGTERM, shutting down
Me: when I removed the virtualhost and reboot, I get the other 3 lines I already pasted.
Me: and the site is running fine in http mode.
SSL Tech Support: I think this is more of an apache system issue than an SSL issue
SSL Tech Support: your config is fine and this is not normal behavior for apache to shut down unexpectedly without meaningful errors in the log
SSL Tech Support: even if the keys are invalid, apache should normally report it.. you're not even getting that far.
SSL Tech Support: I would try re-installing the apache package
Me: Bit of a huge response. The site has been running for over a year and I don't like the idea of destroying it.
SSL Tech Support: well it's been working fine in http mode, doesn't look like https is working though.
SSL Tech Support: we can't really troubleshoot this issue, only make recommendations.
Me: Besides, not sure if reinstalling apache is an option. It's kind of a package deal with our hoster.
SSL Tech Support: but normally speaking even if the key files are corrupt, apache should say something.. it almost sounds like there are missing modules which is crashing apache..
SSL Tech Support: i understand.. you will definitely need to report this to the host.
SSL Tech Support: at least it's in good hands for them to check for you.
Me: That was what another tech mentioned. He said it was like the htpS mod doesn't even exist. If not, how can I install that part?
Me: Sorry, Apache n00b that inherited a crazy system. Not the best situation, i understand, but have to do what I can here.
SSL Tech Support: yeah, understand that but leave that to your host to sort out.. we can't even advise on that, bit out of our scope too.
Me: K if you can't help, not sure what I can do. I knew it is an Apache issue. Just having trouble finding help.
SSL Tech Support: your host should be responsible
SSL Tech Support: not sure how you can reach them though
Me: However I understand you can't help. Thanks for your time.
SSL Tech Support: sorry I couldn't help any further
SSL Tech Support: good luck
SSL Tech Support: good day
Me: ty u2
What does your site's configuration normally look like? You should have a file, /etc/apache2/sites-available/*.com, which contains its configuration. Also, what does 'apache2ctl -S' say?
@hoopycat:
Well, the good news is that you ARE your host, so you know how to reach them.
Yeah, didn't bother trying to explain that to them. "We run the site, but we don't".:?
@Obsidian, I owe you an apology. That favicon error came from the wrong error.log. I completely messed up there. I'm sorry. (Insert typical useless "tired/frustrated" excuse here)
OK, back to the issue.
@hoopycat:
What does your site's configuration normally look like? You should have a file, /etc/apache2/sites-available/*.com, which contains its configuration. Also, what does 'apache2ctl -S' say?
/etc/apache2/sites-available/*.com
ServerName web.site.com
ServerAlias site.com
DocumentRoot /var/www/site.com
AllowOverride None
AllowOverride All
Order allow,deny
allow from all
ErrorLog /var/log/apache2/site.com.error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/site.com.access.log combined
And…
root:~# /usr/sbin/apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:80 is a NameVirtualHost
default server this.site.com (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost this.site.com (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost web.site2.com (/etc/apache2/sites-enabled/site2.com:1)
port 80 namevhost web.site.com (/etc/apache2/sites-enabled/site.com:1)
Syntax OK
No, that site2.com isn't a mistake. We're running two domains with almost identical sites from the same IP.
And yeah, port 80 seems the only port setup here according to this.
If, to your ports.conf, you ONLY add the following, does everything that works now still work OK after restarting Apache? If so, what does apache2ctl -S say?
<IfModule mod_ssl.c>
# You can also just include this within the existing IfModule for mod_ssl
NameVirtualHost *:443
</IfModule>
If nothing changes, then you probably need to 'a2enmod ssl'.
@hoopycat:
OK, which site is going to get the SSL magic: this.site.com (in /etc/apache2/sites-available/default) or web.site.com (in /etc/apache2/sites-available/site.com)?
web.site.com
@hoopycat:
If, to your ports.conf, you ONLY add the following, does everything that works now still work OK after restarting Apache? If so, what does apache2ctl -S say?
<IfModule mod_ssl.c>
# You can also just include this within the existing IfModule for mod_ssl
NameVirtualHost *:443
</IfModule>
Since I already have a "IfModule mod_ssl.c" declaration in the ports.conf, I just added the NameVirtualHost. So it reads as:
<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443
</IfModule>
After restarting, my site died again.
With the NameVirtualHost and Listen in there, but with things in the broken state, what does apache2ctl -S say? Also, what does netstat -ntlp say?
OK, after some personal research, I've pretty much fixed the original issue. Long story short:
a2enmod ssl
a2ensite ssl
However, now when I setup the
So, how do I use my CRTs when I forgot the passwords? I suppose I'll have to remake the certificates, huh?
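
The layout the replies in this thread converge on (mod_ssl enabled with a2enmod, the certificate directives inside a :443 virtual host in an enabled site file rather than in ports.conf or httpd.conf) can be checked mechanically. The script below is an added example, not code from any poster: check_ssl_setup and make_tree are hypothetical helpers, and both config trees are constructed, reusing the redacted names and paths from the posts above.

```shell
# Added example (not from the thread). check_ssl_setup and make_tree are
# hypothetical helpers; both sample trees are constructed for the demo.
check_ssl_setup() {  # $1 = Apache config root, e.g. /etc/apache2
    root=$1; rc=0
    # 1. Without mod_ssl, Apache rejects SSL* directives as invalid commands
    #    and skips <IfModule mod_ssl.c> blocks (the stock "Listen 443").
    [ -e "$root/mods-enabled/ssl.load" ] || { echo "FAIL mod_ssl not enabled (a2enmod ssl)"; rc=1; }
    # 2. SSL directives belong in a site's :443 vhost, not ports.conf/httpd.conf.
    for f in ports.conf httpd.conf; do
        if grep -Eiqs '^[[:space:]]*SSL(Engine|Certificate)' "$root/$f"; then
            echo "FAIL SSL directives in $f"; rc=1
        fi
    done
    # 3. An enabled site must define the :443 virtual host and turn SSL on.
    vhost=$(grep -Eils '^[[:space:]]*<VirtualHost[[:space:]][^>]*:443' \
        "$root"/sites-enabled/* | head -n 1)
    if [ -z "$vhost" ]; then
        echo "FAIL no enabled <VirtualHost *:443> (a2ensite)"; rc=1
    elif ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$vhost"; then
        echo "FAIL ${vhost##*/} lacks SSLEngine on"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

make_tree() {  # $1 = dir, $2 = broken|fixed
    mkdir -p "$1/mods-enabled" "$1/sites-enabled"
    : > "$1/httpd.conf"
    printf '%s\n' 'NameVirtualHost *:80' 'Listen 80' '<IfModule mod_ssl.c>' 'Listen 443' '</IfModule>' > "$1/ports.conf"
    if [ "$2" = broken ]; then  # state from the thread: directives pasted into ports.conf
        printf '%s\n' 'SSLEngine On' 'SSLCertificateFile /etc/ssl/certs/public.crt' >> "$1/ports.conf"
    else
        : > "$1/mods-enabled/ssl.load"
        printf '%s\n' 'NameVirtualHost *:443' >> "$1/ports.conf"
        cat > "$1/sites-enabled/ssl" <<'EOF'
<VirtualHost *:443>
    ServerName web.site.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/public.crt
    SSLCertificateKeyFile /etc/ssl/private/this.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>
EOF
    fi
}
tmp=$(mktemp -d); make_tree "$tmp/broken" broken; make_tree "$tmp/fixed" fixed
check_ssl_setup "$tmp/broken" || true; check_ssl_setup "$tmp/fixed"
rm -rf "$tmp"
```

On a real Debian or Ubuntu host the function would be pointed at /etc/apache2; apache2ctl -S, as requested earlier in the thread, remains the authoritative view of which virtual hosts Apache actually loaded.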