apache over ssl stopped working
Hi,
A while back I had a working setup for webmail (squirrelmail) over SSL.
I basically forced http and https over port 9000 so everything
was going over SSL.
These are the components:
apache 1.3.31-1
apache-common 1.3.31-1
php4 4.3.4-4
squirrelmail 1.5.0-1
openssl 0.9.7d-3
libssl-dev 0.9.7d-2
libssl0.9.7 0.9.7d-2
Since then I added a config for a webmail.domain virtualhost to apache
and I made a new certificate to test setting up a CA.
After running great for a while, I started having problems in that
https connections didn't work anymore. After a restart, all was fine.
Now, even after a reboot, https doesn't work anymore. I have
added my configs below. Note that since those problems started, I've
installed the latest versions of the aforementioned software so this
could have something to do with it.
Anyway, here are some results:
http://domain.ddts.net:9000/~benedict/index.html, works
https://domain.ddts.net:9000/~benedict/index.html, doesn't work
http://domain.ddts.net:9000/cgi-bin/man/man2html, only works if I
comment out the mod_rewrite.c part.
https://domain.ddts.net:9000/mail doesn't get found (that's what the
error message tells me). This points to squirrelmail.
https://webmail.domain.ddts.net:9000 doesn't work either.
I made a simple php file in ~benedict and that works, so it seems that
my php config is correct.
Excerpt from access.log with <IfModule mod_rewrite.c> enabled
============================================================
192.168.1.10 - - [29/May/2004:00:25:30 +0200] "GET /cgi-bin/man/man2html HTTP/1.1" 302 242 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
192.168.1.10 - - [29/May/2004:00:25:30 +0200] "\x80g\x01\x03" 302 - "-" "-"
-> the last line is when I try via https
Excerpt from access.log with <IfModule mod_rewrite.c> disabled
=============================================================
192.168.1.10 - - [29/May/2004:00:42:26 +0200] "\x80g\x01\x03" 200 361 "-" "-"
-> the last line is when I try via https and more specifically
https://domain.ddts.net:9000/mail
Matching error message from error.log
[Sat May 29 00:41:25 2004] [error] [client 81.xxx.xxx.xxx] File does not exist: /var/www/mail
Check with openssl
==================
root@arthur:/var/log/apache[00:56:35]# openssl s_client -connect localhost:9000 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 080B06E8 [080B0D78] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 78 11   ..............x.
0070 - 01 4a be 89 a6 c1 31 04-2e a6 78 c1 79 cc 06 92   .J....1...x.y...
0080 - f1 e7 ab 5e 66 0c 4d 67-60 d6 54 d5 94 dd         ...^f.Mg`.T...
SSL_connect:SSLv2/v3 write client hello A
read from 080B06E8 [080B62D8] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
7155:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
root@arthur:/var/log/apache[00:57:09]#
This seems rather weird! It seems to have problems with my certificate?
My httpd.conf
=============
ServerType standalone
ServerRoot /etc/apache
LockFile /var/lock/apache.lock
PidFile /var/run/apache.pid
ScoreBoardFile /var/run/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 100
Include /etc/apache/modules.conf
<IfModule mod_status.c>
ExtendedStatus On
</IfModule>
Port 9000
User www-data
Group www-data
ServerAdmin webmaster@domain.ddts.net
ServerName localhost
DocumentRoot /var/www
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_userdir.c>
UserDir public_html
</IfModule>
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Order deny,allow
Deny from all
</Limit>
</Directory>
<IfModule mod_dir.c>
DirectoryIndex index.html index.php3 index.php index.htm index.shtml index.cgi
</IfModule>
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
UseCanonicalName On
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
MIMEMagicFile /usr/share/misc/file/magic.mime
</IfModule>
HostnameLookups Off
ErrorLog /var/log/apache/error.log
LogLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache/access.log combined
ServerSignature Off
Alias /icons/ /usr/share/apache/icons/
<Directory /usr/share/apache/icons>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory /usr/lib/cgi-bin/>
AllowOverride None
Options ExecCGI -MultiViews
Order allow,deny
Allow from all
</Directory>
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing NameWidth=*
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/deb.gif .deb
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README
HeaderName HEADER
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>
<IfModule mod_mime.c>
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .ee
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddCharset ISO-2022-JP .jis
AddLanguage pl .po
AddCharset ISO-8859-2 .iso-pl
AddLanguage pt .pt
AddLanguage pt-br .pt-br
AddLanguage lb .lu
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cs .cz
<IfModule mod_negotiation.c>
LanguagePriority en da nl et fr de el it ja pl pt pt-br lb ca es sv
</IfModule>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
AddType application/x-tar .tgz
AddType image/bmp .bmp
AddType text/x-hdml .hdml
</IfModule>
AddDefaultCharset on
<IfModule mod_setenvif.c>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>
<IfModule mod_perl.c>
Alias /perl/ /var/www/perl/
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
Options +ExecCGI
</Location>
</IfModule>
Alias /doc/ /usr/share/doc/
<Location /doc>
order deny,allow
deny from all
allow from 127.0.0.0/255.0.0.0
Options Indexes FollowSymLinks MultiViews
</Location>
Alias /www /var/www
<Directory /var/www>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Order deny,allow
Deny from all
</Limit>
</Directory>
<IfModule mod_proxy.c>
</IfModule>
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</IfModule>
NameVirtualHost domain.ddts.net:9000
<VirtualHost domain.ddts.net:9000>
SSLEngine On
SSLCertificateFile /etc/apache/apache.crt
SSLCertificateKeyFile /etc/apache/apache.key
DocumentRoot /var/www
DirectoryIndex index.php index.php3 index.html
ServerName domain.ddts.net
Alias /www /var/www
Alias /mail /usr/share/squirrelmail
ErrorLog /var/log/apache/domain.ddts.net-error.log
CustomLog /var/log/apache/host.domain.ddts.net.log debug
</VirtualHost>
<VirtualHost webmail.domain.ddts.net:9000>
SSLEngine On
SSLCertificateFile /etc/apache/apache.crt
SSLCertificateKeyFile /etc/apache/apache.key
DocumentRoot /usr/share/squirrelmail
DirectoryIndex index.php index.php3 index.html
ServerName webmail.domain.ddts.net
</VirtualHost>
Include /etc/apache/conf.d
My modules.conf from apache
===========================
# Autogenerated file - do not edit!
# This file is maintained by the apache package.
# To update it, run the command:
# /usr/sbin/apache-modconf apache
ClearModuleList
AddModule mod_so.c
AddModule mod_macro.c
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
LoadModule mime_magic_module /usr/lib/apache/1.3/mod_mime_magic.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime.so
LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so
LoadModule status_module /usr/lib/apache/1.3/mod_status.so
LoadModule info_module /usr/lib/apache/1.3/mod_info.so
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule alias_module /usr/lib/apache/1.3/mod_alias.so
LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so
LoadModule expires_module /usr/lib/apache/1.3/mod_expires.so
LoadModule unique_id_module /usr/lib/apache/1.3/mod_unique_id.so
LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
Any ideas or better ways to debug are appreciated. I've set "LogLevel debug"
in the httpd.conf but that doesn't seem to help that much.
Regards,
Benedict
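Turning the clue in the two access.log excerpts into a check, as an added example that is not part of the post: Apache's %r logs the raw request bytes with non-printables escaped, so an SSL client hello that reaches a plaintext HTTP listener shows up as "\x80g\x01\x03" (0x80 = SSLv2-compatible two-byte record header, 0x67 = 103-byte record, 0x01 = CLIENT-HELLO, 0x03 = major version 3). The script decodes that escaping and flags such entries, the same diagnosis the s_client run gives from the client side (an HTML document arrives where a server hello is expected); the sample log lines are constructed from the post's excerpts.

```python
import re

# Constructed sample built from the post's access.log excerpts: one real request
# and two "requests" that are really SSL client hellos sent to a plaintext port.
SAMPLE_LOG = r'''192.168.1.10 - - [29/May/2004:00:25:30 +0200] "GET /cgi-bin/man/man2html HTTP/1.1" 302 242 "-" "Mozilla/5.0"
192.168.1.10 - - [29/May/2004:00:25:30 +0200] "\x80g\x01\x03" 302 - "-" "-"
192.168.1.10 - - [29/May/2004:00:42:26 +0200] "\x80g\x01\x03" 200 361 "-" "-"
'''

# client, timestamp and the quoted %r request line of a common/combined log entry
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)"')


def unescape_apache(field: str) -> bytes:
    """Undo the \\xNN and backslash escaping Apache applies to non-printable
    bytes in %r, returning the raw bytes the client actually sent."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1] == "x":
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif field[i] == "\\" and i + 1 < len(field):
            out.append(ord(field[i + 1]))
            i += 2
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def classify_handshake(raw: bytes):
    """Describe `raw` if it starts like an SSL/TLS client hello, else None."""
    if len(raw) >= 4 and raw[0] & 0x80 and raw[2] == 0x01:
        # SSLv2-compatible hello: high bit set => 2-byte header whose low 15 bits
        # are the record length; byte 2 = message type (1 = CLIENT-HELLO); byte 3 = major version.
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return f"SSLv2-format CLIENT-HELLO, {length}-byte record, major version {raw[3]}"
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        # SSLv3/TLS record layer: content type 22 = handshake, version 3.x.
        return f"TLS record-layer handshake, version 3.{raw[2]}"
    return None


def find_misdirected_tls(log_text: str):
    """(client, timestamp, description) for entries whose request line is an SSL/TLS hello."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        desc = classify_handshake(unescape_apache(m.group(3))) if m else None
        if desc is not None:
            hits.append((m.group(1), m.group(2), desc))
    return hits
```

Any hit means the port answered that client in plaintext HTTP, so the SSLEngine settings never applied to that connection, regardless of certificate validity.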