# How to make Apache2 run in SSL mode? [SOLVED]

## NotExcessive

I've just gotten squirrelmail to work in plain mode and have now enabled secure login. When I connect to it from my browser the connection fails because the web server isn't running in secure mode. I've modified httpd.conf and added the line Listen 443 and restarted but it still isn't running. The apache install is 2.0.58-r2, fresh out of the box. 

I already have my .pem files generated and working with dovecot.

What do I have to do in order to get an https connection going?

Last edited by NotExcessive on Tue Aug 15, 2006 12:34 pm; edited 1 time in total

----------

## Janne Pikkarainen

Just undo your changes to httpd.conf and put -D SSL into the /etc/conf.d/apache2 file. Then restart Apache and marvel at your fresh, properly-functioning SSL-encrypted website. :D

(Please also make sure you've compiled Apache with ssl USE flag)

----------

## NotExcessive

OK, I've added the -D SSL parameter (duh) but it's being stubborn. When I go to the Squirrelmail URL, the browser greets me with

```
The connection was interrupted

The connection to 192.168.2.2 was interrupted while the page was loading.
```

And there are no log entries.

----------

## Janne Pikkarainen

And your Apache really, really is compiled with ssl USE flag? What is the output of emerge -pv apache?

----------

## Janne Pikkarainen

Oh, sometimes re-emerging Apache might be needed if you have upgraded openssl.

----------

## NotExcessive

```
These are the packages that would be merged, in order:

Calculating dependencies   ... done!
[ebuild   R   ] net-www/apache-2.0.58-r2  USE="apache2 ldap ssl -debug -doc -mpm-itk -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker -no-suexec -static-modules -threads" 0 kB

Total size of downloads: 0 kB
```

This was after I re-emerged Apache after making sure that I had "ssl" in /etc/make.conf.

----------

## Janne Pikkarainen

And you restarted Apache after that -D SSL addition? :) (sorry for asking the obvious)

Does netstat -tlnp state that Apache is listening on port 443? 

If it does, what if you create a simple static html page and try to load that over SSL connection?

----------

## NotExcessive

Yep, I sure did restart it. It seems to be listening:

```
> netstat -tlnp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      6458/dovecot
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      5834/mysqld
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      6458/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22572/apache2
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      5933/perl
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6040/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      22572/apache2
```

If I type https://192.168.2.2/ then I get the same error. That page should come up as the default Apache installation page. If I do http://192.168.2.2/ then it comes up as normal.

Last edited by NotExcessive on Mon Aug 14, 2006 1:04 pm; edited 1 time in total

----------

## Janne Pikkarainen

PHP also has an ssl USE flag. Has your PHP been compiled with it?

----------

## Janne Pikkarainen

Oh, you edited your last post. :) Are you 100% positive that there are no SSL-related error messages in /var/log/apache2/error_log?

----------

## NotExcessive

This is what I see for php (it's a mouthful):

```
> emerge -pv php

These are the packages that would be merged, in order:

Calculating dependencies   ... done!
[ebuild   R   ] dev-lang/php-5.1.4-r4  USE="apache2 berkdb cli crypt gdbm imap ipv6 ldap mysql ncurses nls pcre readline reflection sasl session spell spl ssl truetype unicode xml zlib -adabas -apache -bcmath -birdstep -bzip2 -calendar -cdb -cgi -cjk -concurrentmodphp -ctype -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filepro -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd -gd-external -gmp -hardenedphp -hash -hyperwave-api -iconv -informix -inifile -interbase -iodbc -java-external -kerberos -libedit -mcve -memlimit -mhash -ming -msql -mssql -mysqli -oci8 -oci8-instant-client -odbc -pcntl -pdo -pdo-external -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets -solid -sqlite -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -vm-goto -vm-switch -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip" 0 kB

Total size of downloads: 0 kB
```

I'll just go and check the log.

Hmmm, every time I hit the page in secure mode I see:

```
[Mon Aug 14 23:02:35 2006] [error] [client 192.168.2.3] Invalid method in request \x80g\x01\x03
```
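
The request bytes in that error line are readable on their own: `\x80` is the two-byte length header of an SSLv2-compatible ClientHello (high bit set), `g` is 0x67 (a length of 103), `\x01` is the CLIENT-HELLO message type and `\x03` is the major version of the highest protocol the browser offered. In other words, Apache received the start of a TLS handshake on a port where it was parsing plain HTTP. As an added example that is not from this thread, the Python below decodes Apache's `\xNN` log escaping, classifies the bytes as an SSLv2-compatible or TLS-record ClientHello (or neither), and runs over a constructed sample of error_log lines; the first two request strings are the ones quoted in this thread, the third is a constructed ClientHello in the TLS record format, and the date stamps on the constructed lines are made up.

```python
import re

# Apache logs the offending request with non-printable bytes as \xNN, printable
# ASCII literally, and a few C-style escapes (\\, \n, \r, \t, \b, \v, \") for those bytes.
LOG_RE = re.compile(r"Invalid method in request (?P<raw>\S.*?)\s*$")
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([\\nrtbv\"])")
C_ESCAPES = {"\\": 0x5C, "n": 0x0A, "r": 0x0D, "t": 0x09, "b": 0x08, "v": 0x0B, '"': 0x22}

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def unescape_log_bytes(raw: str) -> bytes:
    """Reverse Apache's log escaping of a request string back into the bytes received."""
    out = bytearray()
    i = 0
    while i < len(raw):
        m = ESC_RE.match(raw, i)
        if m:
            out.append(int(m.group(1), 16) if m.group(1) else C_ESCAPES[m.group(2)])
            i = m.end()
        else:
            out.append(ord(raw[i]))  # printable ASCII is logged as-is
            i += 1
    return bytes(out)


def classify_request_bytes(data: bytes) -> dict:
    """Say what the client actually sent: an SSLv2-style hello, a TLS-record hello, or neither."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
        # message type 1 (CLIENT-HELLO), then the highest version offered (major, minor).
        length = ((data[0] & 0x7F) << 8) | data[1]
        version = TLS_VERSIONS.get((data[3], data[4]), "unknown") if len(data) >= 5 else "truncated in log"
        return {"kind": "sslv2-compatible ClientHello", "record_length": length, "version": version}
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS record layer: content type 22 (handshake), version, 2-byte length,
        # then the handshake header whose first byte is type 1 (ClientHello).
        version = TLS_VERSIONS.get((data[1], data[2]), "unknown")
        length = (data[3] << 8) | data[4]
        return {"kind": "TLS ClientHello", "record_length": length, "version": version}
    return {"kind": "not a TLS handshake", "record_length": None, "version": None}


def analyse_error_log(lines) -> list:
    """Return one finding per 'Invalid method in request' line; other lines are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        info = classify_request_bytes(unescape_log_bytes(m.group("raw")))
        info["raw"] = m.group("raw")
        findings.append(info)
    return findings


# Constructed sample error_log (raw strings keep the backslashes as Apache wrote them).
SAMPLE_LOG = [
    r"[Mon Aug 14 23:02:35 2006] [error] [client 192.168.2.3] Invalid method in request \x80g\x01\x03",
    r"[Mon Aug 14 23:04:12 2006] [error] [client 192.168.2.3] Invalid method in request \x80\x80\x01\x03\x01",
    r"[Mon Aug 14 23:06:00 2006] [error] [client 192.168.2.3] Invalid method in request \x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01",
    r"[Mon Aug 14 23:07:30 2006] [error] [client 192.168.2.3] File does not exist: /var/www/localhost/htdocs/favicon.ico",
]

if __name__ == "__main__":
    for f in analyse_error_log(SAMPLE_LOG):
        print(f"{f['raw']!r:40} -> {f['kind']} ({f['version']}, length {f['record_length']})")
```

Any hit of the first two kinds on a port meant to serve HTTPS is a sign that the vhost answering there has no SSLEngine on, not a client fault; a hit on port 80 is just a client that guessed the wrong scheme.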

----------

## Janne Pikkarainen

One more shot in the dark. Do you need ldap support in Apache? In some versions of Apache ldap + ssl could cause some odd segmentation faults and stuff like that. If you don't need Apache ldap support, then just emerge Apache with -ldap and see what happens.

----------

## Janne Pikkarainen

The message you get is very odd. If my memory serves me right, it's actually your www browser's fault. Try another browser? Some odd CFLAGS in /etc/make.conf might also cause problems.

----------

## NotExcessive

Well, no. I originally installed LDAP because I was working on getting a Postfix/Dovecot/Squirrelmail server going, which I've done, but it was too hard to get LDAP going so I gave up, left it there, and did the db in MYSQL. I could remove it and recompile Apache, but then I'd have to also recompile Postfix, Dovecot, and Squirrelmail I suppose, so that might be a bit of hassle, making sure I don't nuke my hard-earned config files.

I'd like to keep LDAP if I can, though, because what I'd like to do later on is build an email address book in LDAP that Thunderbird can read.

----------

## NotExcessive

Whoa... that's weird. If I put https://192.168.2.2 into Internet Exploder, there's nada. Nuttin'.

It comes back with 

```
The page cannot be displayed

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
```

Whereas Firefox correctly, at least, changes the URL to https://192.168.2.2/mail/src/login.php?secure_login=yes if I start off with http://192.168.2.2/mail, so at least it does something and detects the shift to https. Exploder doesn't even do that much.

I'll try recompiling Apache without the ldap flag and see what happens. It should be finished in around 15 min.

----------

## NotExcessive

Well, recompiling Apache with -ldap didn't make any difference.

I noticed that it generated a certificate and key and put them in /etc/apache2/ssl. I copied my own there and renamed them to the same server.crt and server.key file names, but that didn't do anything.

These were the original .pem certificate and key files I generated and am currently using with Dovecot in secure mode.

Doesn't hurt to try. Should I put the original server.crt and server.key back in /etc/apache2/ssl?

----------

## Janne Pikkarainen

Yeah. Or even better: backup your current SSL keys and try to generate fresh ones.

----------

## NotExcessive

Still at square one :(

----------

## NotExcessive

Finally got it. From what I've been able to gather, setting -D SSL is not enough. After some digging I found this on the net; though it was posted four years ago, it had the same basic error report:

*Quote:*

> Your (virtual) host is expecting to talk clear HTTP to the client, and you need to tell it to talk HTTPS instead. Ie. on the server, you're seeing it try to interpret the SSL/TLS handshake data from the client as though it was a clear-text HTTP request, ie;
>
> > The message showing up in the error_log is:
> ...

That sounds good enough for me, so I created a virtual client listening on 443. I included my certificate and key files generated earlier and successfully being used with Dovecot. Just to be safe I added some lines I found for SSLEngine, SSLCipherSuite and <Files>...</Files> because hey, I'm still not sure how this ssl stuff works, I'm just following the cookbook.

```
<VirtualHost _default_:443>
    DocumentRoot "/var/www/localhost/htdocs/mail/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/certs/mydomain.pem
    SSLCertificateKeyFile /etc/ssl/private/mydomain.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
</VirtualHost>
```

Restart everything and presto! I can now log into Squirrelmail via https and conduct all my mail transactions over a secure connection.

I still have a couple of issues to sort out with mail - even though Squirrelmail can send via my mail server's SMTP service, Thunderbird via Dovecot can't, so I guess I still have to sort out the Postfix/MYSQL/authenticated user issue - but at least now my Apache server is secure. Squirrelmail's the only thing this Apache installation is going to be running to the outside world.
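
The fix above comes down to one thing: the vhost answering on port 443 must have SSLEngine on, otherwise Apache parses the browser's ClientHello as an HTTP request and answers in clear text. A quick way to confirm which of the two a port is doing, without a browser, is to send a minimal ClientHello and look at the first byte that comes back. As an added example that is not from this thread, the Python below builds a bare TLS 1.0 ClientHello, sends it with a plain socket, and classifies the reply: a TLS alert (0x15) or ServerHello (0x16) means the port speaks TLS, while a reply beginning with `HTTP/` means the handshake was parsed as HTTP. The two fake loopback servers are constructed stand-ins so the example runs offline; pointing `probe()` at a real host and port is the intended use. Note that the probe only checks that TLS is answered on the port, not which suites are negotiated; the SSLCipherSuite line in the posted config also admits eNULL, EXP, LOW and SSLv2 entries, which a current deployment would leave out.

```python
import os
import socket
import threading

# The single cipher suite offered: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f). Any server
# that speaks TLS answers either with a ServerHello or with an alert; both mean TLS is on.
CIPHER_SUITES = b"\x00\x2f"


def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello: record header + handshake header + body."""
    body = (
        b"\x03\x01"                                        # client_version: TLS 1.0
        + os.urandom(32)                                   # client random
        + b"\x00"                                          # session_id length 0
        + len(CIPHER_SUITES).to_bytes(2, "big") + CIPHER_SUITES
        + b"\x01\x00"                                      # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # type 22 = handshake


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello and classify the first bytes the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(512)
        except (socket.timeout, TimeoutError):
            return "no-reply"
    if not reply:
        return "closed"          # server hung up without answering
    if reply[0] in (0x15, 0x16):
        return "tls"             # alert or ServerHello: SSLEngine is on for this port
    if reply.startswith(b"HTTP/"):
        return "plaintext-http"  # the handshake was parsed as HTTP: SSLEngine is off
    return "unknown"


def start_fake_server(reply: bytes) -> int:
    """Constructed stand-in for a server: answers the first connection with `reply`.
    Returns the ephemeral loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)      # swallow the ClientHello
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # A vhost without SSLEngine on answers the handshake bytes with a plain-text HTTP error.
    off = start_fake_server(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    print("SSLEngine off ->", probe("127.0.0.1", off))
    # A vhost with SSLEngine on answers in the TLS record layer (here a fatal handshake_failure alert).
    on = start_fake_server(b"\x15\x03\x01\x00\x02\x02\x28")
    print("SSLEngine on  ->", probe("127.0.0.1", on))
```

Run it against the real server with `probe("192.168.2.2", 443)`: `plaintext-http` is exactly the state this thread describes before the vhost fix, and `tls` is what the corrected configuration should return.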

----------

## csioutis

If anyone else gets this problem, there is no need to create a separate vhost.

I had the same problem described here.

I was getting the error "Invalid method in request \x80\x80\x01\x03\x01 ".

I was getting this because I had misspelled the /etc/conf.d/apache2 directives.

I had "... -D SSL -D SSL_DEFAULT_HOST"; the correct spelling is "-D SSL -D SSL_DEFAULT_VHOST".

Notice the "_VHOST" has a V in it.

You may also have a similar typo.

----------

## newtonian

*csioutis wrote:*

> If anyone else gets this problem, there is no need to create a separate vhost.
>
> I had the same problem described here.
>
> I was getting the error "Invalid method in request \x80\x80\x01\x03\x01 ".
> ...

I didn't want to run a default host, so I fixed the problem by adding a single line to my vhost record:

```
SSLEngine on
```

That fixed the "Invalid method request" error I was getting.

```
<VirtualHost 123.123.123.123:443>
        DocumentRoot /var/www/mydomain.com/htdocs/ssl
        ServerName www.mydomain.com
        ServerAlias mydomain.com
        SSLEngine on
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.com/certs/mydomain.com.key
        SSLCertificateFile    /etc/apache2/ssl/mydomain.com/certs/www.mydomain.com.crt
        SSLCertificateChainFile    /etc/apache2/ssl/mydomain.com/certs/sf_issuing.crt
        DocumentRoot /var/www/mydomain.com/htdocs
        DirectoryIndex index.cgi index.html index.php index.htm index.jsp index.vm
        <directory "/var/www/mydomain.com/htdocs">
        Order allow,deny
        Allow from all
        </directory>
        <directory "/var/www/mydomain.com/htdocs/ssl">
        AuthType Basic
        AuthName franchise
        AuthUserFile /etc/apache2/ssl/mydomain.com/FGPasswd
        Require user franchise
        </directory>
</VirtualHost>
```

And my /etc/conf.d/apache2

```
APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5 -D SSL"
```

Cheers,

----------

