Apache doesn't start with "SSL Engine on"

I’m trying to enable SSL on a virtual host…
TLS section: Apache HTTP Server - ArchWiki

I generate cert:

cd /etc/httpd/conf
sudo openssl genpkey -algorithm RSA -out server.key
sudo openssl req -new -sha256 -key server.key -out server.crt

Uncomment in ‘/etc/httpd/conf/httpd.conf’:

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf      <- this causes the Apache error

Apache (httpd) no longer starts…

As soon as I use:
SSLEngine on
Apache doesn’t start…

My virtual host:

<VirtualHost *:80>
    ServerAdmin mail@gmail.com
    DocumentRoot "/home/user/www/saniday"
    ServerName saniday.test
    ServerAlias saniday.test
    ErrorLog "/var/log/httpd/saniday.test-error_log"
    CustomLog "/var/log/httpd/saniday.test-access_log" common

    <Directory "/home/user/www/saniday">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>

    DirectoryIndex index.php index.html
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin mail@gmail.com
    DocumentRoot "/home/user/www/saniday"
    ServerName saniday.test:443
    ServerAlias saniday.test:443
    ErrorLog "/var/log/httpd/saniday.test-error_log"
    CustomLog "/var/log/httpd/saniday.test-access_log" common

    SSLEngine on                  #  <- this causes the Apache error
    SSLCertificateFile "/etc/httpd/conf/server.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/server.key"

    <Directory "/home/user/www/saniday">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>

    DirectoryIndex index.php index.html
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>

My controls…

$ apachectl configtest
> Syntax OK

UPDATE
Generating the cert with:

sudo openssl req -new -newkey rsa:2048 -nodes -keyout /etc/httpd/conf/ssl/server.key -out /etc/httpd/conf/ssl/server.csr

It seems that as soon as I write “SSLEngine on” in the configuration file, Apache doesn’t start.
Do I need to install any packages?

Error:

× httpd.service - Apache Web Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Sat 2023-10-28 16:41:26 CEST; 2s ago
   Duration: 30ms
    Process: 21651 ExecStart=/usr/bin/httpd -k start -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 21651 (code=exited, status=1/FAILURE)
        CPU: 21ms

ott 28 16:41:26 Domenico-PC systemd[1]: Started Apache Web Server.
ott 28 16:41:26 Domenico-PC systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
ott 28 16:41:26 Domenico-PC systemd[1]: httpd.service: Failed with result 'exit-code'.

This won’t do - you need a specific hostname and a certificate matching the host name otherwise the service will fail.

<VirtualHost saniday.test:443>

Same error…

You should use a search engine - all your questions have been asked before …

https://sx.nix.dk/search?q=apache using self signed ssl

cd /etc/httpd/conf
sudo openssl genpkey -algorithm RSA -out server.key
sudo openssl req -new -sha256 -key server.key -out server.crt <---- if uncommented, Apache doesn’t start

Error even if I create that virtual host 443…

I simply followed the instructions on the Arch Wiki…

I read and tried many tutorials on the web before asking, but it still doesn’t work.

The Arch wiki is a puzzle - you need to get all the pieces right - obviously you are not.

I don’t use Apache as webserver but Nginx - and I had to do a lot of reading and experimenting to get it right.

I guess the same is valid for Apache and I have no intention of doing the same for Apache - too little :cheese: involved.

You should most certainly look at the properties provided for certificate - most prominently the lack of hostname for the system.

Let’s hope someone can help me, but not how to get out of this…

Post the error why Apache fails; you only posted what you did but not the error from Apache.

Unfortunately, Apache uses its own logs. The journal output is in this case not really useful.

After doing:

sudo systemctl restart httpd

/var/log/httpd/error_log

AH00016: Configuration Failed

EDIT
Apache runs if I comment out in ‘/etc/httpd/conf/httpd.conf’:

...
#Include conf/extra/httpd-ssl.conf
...

And comment out in ‘/etc/httpd/conf/vhosts/saniday.test’:

...
#    SSLEngine on
...

[Sat Oct 28 20:22:11.597319 2023] [ssl:warn] [pid 42914:tid 140577131022208] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Oct 28 20:22:11.598010 2023] [mpm_event:notice] [pid 42914:tid 140577131022208] AH00489: Apache/2.4.57 (Unix) OpenSSL/3.1.3 configured -- resuming normal operations
[Sat Oct 28 20:22:11.598017 2023] [core:notice] [pid 42914:tid 140577131022208] AH00094: Command line: '/usr/bin/httpd -D FOREGROUND'
[Sat Oct 28 20:22:31.898738 2023] [mpm_event:notice] [pid 42914:tid 140577131022208] AH00492: caught SIGWINCH, shutting down gracefully

Apache starts, with AH01873 in the log.

How do I configure this (SSLSessionCache)?

Actually, in ‘/etc/httpd/conf/extra/httpd-ssl.conf’:

SSLSessionCache        "shmcb:/run/httpd/ssl_scache(512000)"

EDIT

In ‘/var/log/httpd/saniday.test-error_log’:
[Sun Oct 29 07:38:53.081407 2023] [ssl:info] [pid 48225:tid 140393948448640] AH01914: Configuring server saniday.test:443 for SSL protocol
[Sun Oct 29 07:38:53.081703 2023] [ssl:debug] [pid 48225:tid 140393948448640] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Sun Oct 29 07:38:53.081728 2023] [ssl:emerg] [pid 48225:tid 140393948448640] AH02562: Failed to configure certificate saniday.test:443:0 (with chain), check /etc/httpd/conf/server>
[Sun Oct 29 07:38:53.081734 2023] [ssl:emerg] [pid 48225:tid 140393948448640] SSL Library Error: error:0480006C:PEM routines::no start line (Expecting: TRUSTED CERTIFICATE) -- Bad >
[Sun Oct 29 07:38:53.081737 2023] [ssl:emerg] [pid 48225:tid 140393948448640] SSL Library Error: error:0A080009:SSL routines::PEM lib

If I run:

cd /etc/httpd/conf
sudo openssl req -x509 -newkey rsa:4096 -days 365 -keyout server.key -out server.crt
[enter the passkey]
openssl req -noout -text -in server.crt

Result:

4087D8D9077F0000:error:0480006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:763:Expecting: CERTIFICATE REQUEST
Unable to load X509 request

In ‘/var/log/httpd/saniday.test-error_log’:

[Sun Oct 29 07:57:11.010113 2023] [ssl:info] [pid 49634:tid 140039683155840] AH01914: Configuring server saniday.test:443 for SSL protocol
[Sun Oct 29 07:57:11.010389 2023] [ssl:debug] [pid 49634:tid 140039683155840] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Sun Oct 29 07:57:11.011459 2023] [ssl:info] [pid 49634:tid 140039683155840] AH02576: Attempting to load encrypted (?) private key saniday.test:443:0
[Sun Oct 29 07:57:11.011513 2023] [ssl:info] [pid 49634:tid 140039683155840] AH01968: Init: Requesting pass phrase via builtin terminal dialog
[Sun Oct 29 07:57:11.011570 2023] [ssl:info] [pid 49634:tid 140039683155840] AH01968: Init: Requesting pass phrase via builtin terminal dialog
[Sun Oct 29 07:57:11.011715 2023] [ssl:error] [pid 49634:tid 140039683155840] AH02578: Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Sun Oct 29 07:57:11.011719 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:04800068:PEM routines::bad password read -- You entered an incorrect pass phrase!?
[Sun Oct 29 07:57:11.011722 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode.  Input type: DER, Input structure: typ>
[Sun Oct 29 07:57:11.011725 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:068000A8:asn1 encoding routines::wrong tag
[Sun Oct 29 07:57:11.011727 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error
[Sun Oct 29 07:57:11.011730 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Field=version, Type=RSAPrivateKey)
[Sun Oct 29 07:57:11.011732 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:068000A8:asn1 encoding routines::wrong tag
[Sun Oct 29 07:57:11.011734 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error
[Sun Oct 29 07:57:11.011736 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Field=version, Type=PKCS8_PRIV_KEY_INFO)
[Sun Oct 29 07:57:11.011738 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode.  Input type: DER, Input structure: typ>
[Sun Oct 29 07:57:11.011740 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:068000A8:asn1 encoding routines::wrong tag
[Sun Oct 29 07:57:11.011742 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error
[Sun Oct 29 07:57:11.011744 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:068000A8:asn1 encoding routines::wrong tag
[Sun Oct 29 07:57:11.011746 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Type=RSAPrivateKey)
[Sun Oct 29 07:57:11.011748 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:068000A8:asn1 encoding routines::wrong tag
[Sun Oct 29 07:57:11.011751 2023] [ssl:error] [pid 49634:tid 140039683155840] SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sun Oct 29 07:57:11.011757 2023] [ssl:emerg] [pid 49634:tid 140039683155840] AH02564: Failed to configure encrypted (?) private key saniday.test:443:0, check /etc/httpd/conf/server.key

Don’t use a password with your private key. If you want a password, don’t rely on the interactive input, it will fail.

If I enter a blank password:

sudo openssl req -x509 -newkey rsa:4096 -days 365 -keyout server.key -out server.crt
Enter PEM pass phrase:
404751B1DC7F0000:error:14000065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:888:You must type in 4 to 1024 characters
404751B1DC7F0000:error:1400006B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:548:while reading strings
404751B1DC7F0000:error:0480006D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:62:
404751B1DC7F0000:error:07880109:common libcrypto routines:do_ui_passphrase:interrupted or cancelled:crypto/passphrase.c:184:
404751B1DC7F0000:error:1C80009F:Provider routines:p8info_to_encp8:unable to get passphrase:providers/implementations/encode_decode/encode_key2any.c:116:

I think the problem is the SSL certificate I generate which is wrong, can you confirm?

I’m trying with:

cd /etc/httpd/conf/ssl
sudo certtool --generate-privkey --outfile server.key
sudo certtool --generate-self-signed --load-privkey server.key --outfile server.crt

Apache starts with this certificate, but Chrome warns that the certificate is invalid…

Of course this certificate is not trusted, since it is not from a Certificate Authority that your browser/OS trusts.

This is always the case with self-signed certificates. There are ways to trust such a certificate, depending on your browser and OS.

Advice for chrome?

Once you have accepted the certificate and continued to your site, Chrome should remember that choice and be fine.

I’m testing a PWA (Progressive Web App), and I need a valid certificate to install it.

Settings → Privacy and Security → Security → Manage Device Certificates

LetsEncrypt might be a better choice for you if you only need a certificate for a limited time. All the information needed can be found on their site.

Try to import your certificate in the certificate manager of Chrome and then mark it as trusted. After a restart it should be accepted without any complaints.
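The two faults diagnosed in the thread (a certificate signing request sitting where mod_ssl expects a certificate, which produces "no start line (Expecting: TRUSTED CERTIFICATE)", and a pass-phrase-protected key that httpd cannot read under systemd) and the trust question from the last replies can all be checked before restarting httpd. The script below is an added example, not code from the thread, the Arch wiki or the Apache project; it assumes openssl 1.1.1 or 3.x is installed and uses the thread's hostname saniday.test and the file names server.key/server.crt as sample values in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): build a key/cert pair that mod_ssl loads
# without prompting, and pre-check the files for the failures seen in the thread.
# Assumes openssl 1.1.1 or 3.x; saniday.test and server.key/server.crt are the
# thread's names, used here only as sample values.
set -eu

# Report what a PEM file contains by reading its first "-----BEGIN ...-----" line.
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# The thread's first attempt: "openssl req -new" writes a certificate signing
# request, so server.crt ends up holding a CSR. Reproduced only so that
# check_pair can show the diagnosis.
make_csr_by_mistake() {
    host="$1"; dir="$2"
    openssl genpkey -algorithm RSA -out "$dir/server.key" 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.crt" 2>/dev/null
}

# The working recipe:
#   -x509   emit a self-signed certificate instead of a CSR
#   -nodes  leave the private key unencrypted, so httpd never asks for a pass phrase
#   -addext add a subjectAltName; browsers match the SAN, not the CN
make_selfsigned() {
    host="$1"; dir="$2"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# Pre-flight for SSLCertificateFile / SSLCertificateKeyFile: returns 0 when httpd
# can load the pair non-interactively, 1 with a reason otherwise.
check_pair() {
    crt="$1/server.crt"; key="$1/server.key"
    case "$(pem_kind "$crt")" in
        CERTIFICATE) ;;
        *) echo "server.crt is not a CERTIFICATE (got '$(pem_kind "$crt")'); did you forget -x509?"; return 1 ;;
    esac
    case "$(pem_kind "$key")" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        "ENCRYPTED PRIVATE KEY") echo "server.key is pass-phrase protected; httpd under systemd cannot prompt for it"; return 1 ;;
        *) echo "server.key is not a private key (got '$(pem_kind "$key")')"; return 1 ;;
    esac
    # Legacy "RSA PRIVATE KEY" files mark encryption with a Proc-Type header instead.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "server.key is pass-phrase protected (Proc-Type header)"; return 1
    fi
    # The key must be the one the certificate was issued for.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "server.crt and server.key do not match"; return 1
    fi
    return 0
}

# The browser side of the thread: a self-signed certificate verifies only once it
# is itself in the trust store, and only for the name carried in its SAN.
verify_trust() {
    host="$1"; crt="$2/server.crt"
    openssl verify -CAfile "$crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1
}

# Demo run in a scratch directory (constructed sample, nothing is installed).
WORKDIR="${WORKDIR:-$(mktemp -d)}"
make_selfsigned saniday.test "$WORKDIR"
check_pair "$WORKDIR" && echo "ready: $WORKDIR/server.crt and server.key"
verify_trust saniday.test "$WORKDIR" && echo "verifies for saniday.test once trusted"
openssl x509 -in "$WORKDIR/server.crt" -noout -subject -dates
```

Once check_pair passes, point SSLCertificateFile and SSLCertificateKeyFile at the two files (the thread's /etc/httpd/conf/server.crt and server.key). If the key has to stay encrypted, mod_ssl's SSLPassPhraseDialog directive (for example the exec: form pointing at a script) supplies the pass phrase without a terminal, which is what the "don't rely on the interactive input" reply refers to. The SAN is what matters for the PWA case: Chrome ignores the CN and only accepts names listed in subjectAltName, so a certificate that verifies with openssl but lacks a SAN will still be refused by the browser.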