# SSL trouble after Apache update. [SOLVED]

## epig

Had some trouble getting php working again; I now turn my head to the SSL part that somehow refuses to work.

Apache loads without errors having 

```
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"
```

set in /etc/conf.d/apache2

Any attempt to pull up a https://something request in a browser gives an error message, and error_log says:

```
[Mon Sep 19 22:32:47 2005] [error] [client 111.222.333.444] Invalid method in request \x80g\x01\x03\x01
[Mon Sep 19 22:32:47 2005] [error] [client 111.222.333.444] Invalid method in request \x80g\x01\x03
[Mon Sep 19 22:32:49 2005] [error] [client 111.222.333.444] Invalid method in request \x80g\x01\x03
```

Thinking that I will need to recompile mod_ssl, I try the following:

```
grond webmail # emerge -p mod_ssl

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  NS   ] net-www/apache-1.3.33-r12
[ebuild  N    ] net-www/mod_ssl-2.8.24-r1
```

Is there another SSL module to compile? SSL connections worked all fine and dandy before the upgrade.

Any tips on how to enable this properly through httpd.conf, or is there another way to do it? 

I can telnet to the host on 443, but nothing more.

I think I supplied enough info here, if not let me know  :Smile: 

Thanks in advance.

Last edited by epig on Wed Sep 21, 2005 7:10 pm; edited 1 time in total

----------

## plm

 *epig wrote:*   

> Had some trouble getting php working again; I now turn my head to the SSL part that somehow refuses to work.
> 
> Apache loads without errors having 
> 
> ...

 

Yes I see the same  :Sad: . And the config files have changed, cost me another hour to update my configuration.

I switched to gentoo-stable a while ago due to problems (after having run unstable for 2 years without any problem at all). Now even -stable is starting to have weird problems.

----------

## buzzin

Maybe your problems were caused by the major apache update discussed in the gentoo weekly newsletter on 12/09/05

 *Quote:*   

> Major package updates for Apache
> 
> --------------------------------
> 
> The Gentoo Apache Team is pleased to announce the stabilizing of package 
> ...

 

----------

## plm

Hi, I found the solution:

the 41_mod_ssl.default-vhost.conf, i.e. the SSL config, is put inside an <IfDefine SSL_DEFAULT_VHOST>.

So you must also add -D SSL_DEFAULT_VHOST to conf.d/apache2, or no vhost on port 443 is defined and it looks like the request on port 443 is interpreted by the server as normal http (non SSL/TLS), which sees the https request as garbage.
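
Why the log shows those bytes, as an added example that is not part of the original thread: the escaped "method" in epig's error_log lines decodes as the start of an SSLv2-format ClientHello, which is what a browser sends first when it expects SSL/TLS on the port. The function names and the third log line are constructed for illustration.

```python
import re

# First two lines are the error_log entries quoted in the thread; the third
# is constructed here as a contrast case (a genuinely malformed HTTP request).
SAMPLE_LOG = r"""
[Mon Sep 19 22:32:47 2005] [error] [client 111.222.333.444] Invalid method in request \x80g\x01\x03\x01
[Mon Sep 19 22:32:47 2005] [error] [client 111.222.333.444] Invalid method in request \x80g\x01\x03
[Mon Sep 19 22:40:00 2005] [error] [client 111.222.333.444] Invalid method in request FOO / HTTP/1.0
"""

def unescape(text):
    """Turn the \\xHH escapes Apache writes to error_log back into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  text.encode("latin-1"))

def classify(line):
    """Return (kind, record_length, version) for an 'Invalid method' line, else None."""
    m = re.search(r"Invalid method in request (.*)$", line)
    if not m:
        return None
    raw = unescape(m.group(1))
    # SSLv2-format record: high bit set in byte 0, 15-bit length, then
    # message type 0x01 (CLIENT-HELLO) and the offered major.minor version.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        major = raw[3] if len(raw) > 3 else "?"
        minor = raw[4] if len(raw) > 4 else "?"
        return ("sslv2-format-hello", length, f"{major}.{minor}")
    # TLS record layer: content type 0x16 (handshake), major version 3.
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return ("tls-handshake-record", None, None)
    return ("plain-garbage", None, None)

def tls_on_plain_http(log_text):
    """Classify every 'Invalid method' line in an error_log excerpt."""
    return [c for c in map(classify, log_text.splitlines()) if c]

if __name__ == "__main__":
    for result in tls_on_plain_http(SAMPLE_LOG):
        print(result)
```

Version 3.1 on the wire is TLS 1.0; "3.?" means the log line ended before the minor version byte.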

----------

## epig

 *plm wrote:*   

> Hi, I found the solution:
> 
> the 41_mod_ssl.default-vhost.conf, i.e. the SSL config, is put inside an <IfDefine SSL_DEFAULT_VHOST>.
> 
> So you must also add -D SSL_DEFAULT_VHOST to conf.d/apache2, or no vhost on port 443 is defined and it looks like the request on port 443 is interpreted by the server as normal http (non SSL/TLS), which sees the https request as garbage.

 

Wanna post the exact config lines here? I still have some trouble getting this up and running.

----------

## soth

Yes, please do. I get this when trying to start up apache now:

```
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
```

netstat doesn't show anything listening on port 443...

----------

## kar1181

 *epig wrote:*   

>  *plm wrote:*   Hi, I found the solution:
> 
> the 41_mod_ssl.default-vhost.conf, i.e. the SSL config, is put inside an <IfDefine SSL_DEFAULT_VHOST>.
> 
> So you must also add -D SSL_DEFAULT_VHOST to conf.d/apache2, or no vhost on port 443 is defined and it looks like the request on port 443 is interpreted by the server as normal http (non SSL/TLS), which sees the https request as garbage. 
> ...

 

Thank you so much, I lost about 2 hours trying to get ssl working yesterday. I was about ready to throw my laptop at the wall!

----------

## soth

I'm up and running now. Just some trouble with multiple vhosts over ssl. 

Gonna get back with conf's when I solved that too..

This wasn't bad, didn't help me with all of it, but anyways...

http://www.gentoo.org/doc/en/apache-troubleshooting.xml

----------

## epig

I am still having some trouble with this one:

I put this in my config:

```
<IfDefine SSL_DEFAULT_VHOST>
    <IfModule !mod_ssl>
        LoadModule mod_ssl modules/mod_ssl.so
    </IfModule>
</IfDefine>
```

and restarting apache gives:

```
 * Apache2 has detected a syntax error in your configuration files:
Syntax error on line 1091 of /etc/apache2/httpd.conf:
Can't locate API module structure `mod_ssl' in file /usr/lib/apache2/modules/mod_ssl.so: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: mod_ssl
```

It is probably my typing or general cluelessness that is the problem here, but can someone please post a correct way of doing it?

----------

## sogood007

Just adding -DSSL_DEFAULT_VHOST doesn't solve my problem.  Later on, I find out either I put an explicit port number after the Servername in my VirtualHost.  It works. 

e.g. 

```
<VirtualHost :443>
Servername XYZ:443
</VirtualHost>
```

In the older version, I don't need to put :443 after XYZ.  

The other way is to put those SSLEngine on and Cert stuff into <VirtualHost :443>

----------

## soth

Yup. Got it solved too, and it that other way you referred to. 

Took out the cert stuff and ssl settings from 

/etc/apache2/modules.d/*.conf

and put it in vhosts.conf

I put the listen directive in there too, felt like a logical way to organise it, all the listen directives in the same file, along with all the vhosts. 

To have more than one vhost on 443, I use the redirect permanent on each one from a port 80. 

Also, it's true that apache doesn't like the *:80 notation at all anymore, xxx.xxx.xxx.xxx:80 is the way to go. 

I think that's all.   :Cool: 

----------

## epig

After a lot, and I mean A LOT of trying and failing I have come to the conclusion that my Apache server does not load mod_ssl at startup, hence any configuration of it will fail.

Any attempt to use SSL-commands in httpd.conf will result in an error like:

```
* Apache2 has detected a syntax error in your configuration files:
Syntax error on line 1124 of /etc/apache2/httpd.conf:
Invalid command 'SSLRequireSSL', perhaps mis-spelled or defined by a module not included in the server configuration
```

From this I draw the conclusion that Apache does not load the module and cannot process the commands because of this.

my httpd.conf has the following line for loading extra modules:

```
Include /etc/apache2/vhosts.d/*.conf
```

and this directory contains:

```
00_default_vhost.conf  default-ssl.conf 
```

The default-ssl.conf stuff looks like this: (edited out the comments) 

```
<IfModule mod_ssl.c>
  <VirtualHost _default_:80>
    SSLEngine off
  </VirtualHost>

  ##
  ## SSL Virtual Host Context
  ##
  <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot /var/www/localhost/htdocs
    ServerName foo.bar
    ServerAdmin webmaster@foo.bar
    ErrorLog logs/ssl-error_log
    TransferLog logs/ssl-access_log

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    RewriteEngine On
    RewriteOptions inherit
  </VirtualHost>
</IfModule>
```

I am unable to see what is wrong here. Can anyone help?

----------

## soth

What does 

```
/etc/conf.d/apache2
```

look like?

----------

## epig

```
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP4"

KEEPENV="PATH"
```

----------

## soth

```
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D SSL -D PHP4"
```

Try like that?
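
The define logic behind the APACHE2_OPTS lines in this thread, as an added example that is not part of the original posts: it reports which `<IfDefine>` blocks httpd would skip for a given set of `-D` flags. The sample configuration is constructed to mirror the layout the thread describes (module loading guarded by SSL, the port-443 vhost by SSL_DEFAULT_VHOST), and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample, not a file from the thread.
SAMPLE_CONF = """\
<IfDefine SSL>
  <IfModule !mod_ssl.c>
    LoadModule ssl_module modules/mod_ssl.so
  </IfModule>
</IfDefine>
<IfDefine SSL_DEFAULT_VHOST>
  <VirtualHost _default_:443>
    SSLEngine on
  </VirtualHost>
</IfDefine>
"""

def defines_from_opts(opts):
    """Collect names passed as '-D NAME' or '-DNAME' in an APACHE2_OPTS string."""
    names, tokens = set(), shlex.split(opts)
    for i, tok in enumerate(tokens):
        if tok == "-D" and i + 1 < len(tokens):
            names.add(tokens[i + 1])
        elif tok.startswith("-D") and len(tok) > 2:
            names.add(tok[2:])
    return names

def skipped_ifdefine_blocks(opts, conf_text):
    """Return (line_no, test) for each outermost <IfDefine> block that is skipped."""
    defined = defines_from_opts(opts)
    skipped, stack = [], []  # stack holds one "block is active" flag per open IfDefine
    for no, line in enumerate(conf_text.splitlines(), 1):
        opening = re.match(r"\s*<IfDefine\s+(!?)([^>\s]+)\s*>", line, re.I)
        if opening:
            negate, name = opening.group(1) == "!", opening.group(2)
            active = (name in defined) != negate
            # Anything nested inside a skipped block is dead too; report once.
            if not active and all(stack):
                skipped.append((no, ("!" if negate else "") + name))
            stack.append(active)
        elif re.match(r"\s*</IfDefine\s*>", line, re.I) and stack:
            stack.pop()
    return skipped

if __name__ == "__main__":
    for opts in ("-D DEFAULT_VHOST -D SSL -D PHP4",
                 "-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D PHP4",
                 "-D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D SSL -D PHP4"):
        print(opts, "->", skipped_ifdefine_blocks(opts, SAMPLE_CONF))
```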

----------

## epig

Happiness!! It seems to work, now only one thing:

```
[Wed Sep 21 19:39:53 2005] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Sep 21 19:39:53 2005] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)
```

Where do I set CN etc? Should be fairly simple to fix, but I can't seem to find the proper file to set it.

Made new self-signed certs, but nothing about hostname in any of them...

----------

## soth

kewl! =)

```
/usr/sbin/gentestcrt.sh
```

edit that file accordingly and run it and it will generate a better cert...

----------

## epig

Joy, Joy, it works. Sorta. 

I will figure the rest out from here  :Smile: 

----------

## grapesmc

I just spent two hours + trying to get my Apache back in working order after the dreaded 2.0.54 upgrade. What a joke. I am really bent that this has all happened. At least I am not alone.

Question - I got it working and it's using the "test" certs instead of my own. Anyone:

a) know how to point it to the right certs

b) know how to make it work with the proper directory index again. For some reason ssl doesn't know about index.anything except html...

----------

## epig

 *grapesmc wrote:*   

> a) know how to point it to the right certs

 

Edit /usr/sbin/gentestcrt.sh to your taste, delete the test certs, go to the /etc/apache2/ssl/ directory and run the script.

 *grapesmc wrote:*   

> b) know how to make it work with the proper directory index again. For some reason ssl doesn't know about index.anything except html...

 

Edit /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf  to suit your needs, and you should be up and running. 

I put my ordinary vhosts in httpd.conf. Don't know if that is kosher, but at least it works.

----------

## grapesmc

Even after I add DirectoryIndex to 41_mod_ssl_default, it still doesn't work. Any ideas?

----------

## epig

 *grapesmc wrote:*   

> Even after I add DirectoryIndex to 41_mod_ssl_default, it still doesn't work. Any ideas?

 

Not sure what you mean, do you want users to be able to list a directory?

In that case here is what I do:

```
<Directory /home/www/htdocs/listable>
        Options +Indexes
        IndexOptions FancyIndexing IconsAreLinks
        Order allow,deny
        Allow from all
        AllowOverride All
</Directory>
```

----------

## grapesmc

Umm. Not exactly... any https sites on my server won't go to their index (index.html) unless I put the actual path in the browser.

So for example, https://localhost/mail - returns a browser error

but

https://localhost/mail/index.php works fine.

same with

index.html , etc.

thanks in advance

----------

## epig

I put 

```
DirectoryIndex  index.php index.html index.html.var default.html index.htm default.htm
```

in /etc/apache2/httpd.conf and https works fine on my web servers.

----------

## grapesmc

Thanks, Ray.

Do you know what it turned out to be?

it was that I had this in /etc/conf.d/apache2

APACHE2_OPTS="-D SSL -D SSL_DEFAULT_VHOST -D DOC -D PHP4"

instead of this:

APACHE2_OPTS="-D SSL_DEFAULT_VHOST -D SSL -D DOC -D PHP4"

So the order was the cause of that problem. Go figure.

----------

## epig

Hey, any time  :Smile: 

Glad you got the thing up and running again.

----------

## p4m

Thank you all  :Smile: 

I've solved my problem here with some copy and paste from the old config files to

/etc/apache2/httpd.conf and to /etc/apache2/vhosts.d/00_default_vhost.conf

Putting mod_jk.conf in the new modules dir 

/etc/apache/modules.d/ (I used it to redirect some requests to tomcat, it works).

Next, starting apache2 with 

APACHE2_OPTS="-D SSL -D SSL_DEFAULT_VHOST -D PHP4 -D JK"

 in /etc/conf.d/apache2

going  in /etc/apache2/ssl

deleting the old server.crt and server.key

and regenerated my certs with:

/usr/sbin/gentestcrt.sh

/etc/init.d/apache2 restart and finally I'm up again  :Smile: 

Only one issue:

The update overwrites your index.html in DocumentRoot with the "apache is working" page 

What a bug!? or only for me?

----------

