# [Solved] New Apache2 2.0.54: How to get SSL back to life?

## tkhobbes

Hi there

I have some troubles with Apache2 (the new 2.0.54 version) and SSL - well, it's not working anymore. Since I am not really into Apache, when I first configured it (some pre-2.0.54 version), I used the superb how-to on gentoo-wiki.com - however this still seems to refer to the old version, so can someone tell me what I need to do in order to get SSL back running?

thanks a lot

thomas

----------

## totopo

Just try adding, beside -D SSL in /etc/conf.d/apache2:

```
-D SSL_DEFAULT_VHOST
```

and check it works.

----------

## totopo

Go to: http://www.gentoo.org/doc/en/apache-troubleshooting.xml

for more info.

----------

## tkhobbes

Thanks for the tip, but it did not help - nor did the (otherwise good) URL you provided...

Here's part of my /etc/conf.d/apache2:

```
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4 -D DEFAULT_VHOST -D SSL_DEFAULT_VHOST"
```

I've got "Listen 80" in my /etc/apache2/httpd.conf and "Listen 443" in my /etc/apache2/modules.d/40_mod_ssl.conf

Here's my /etc/apache2/vhosts.d/00_default_vhost.conf

```
### Section 3: Virtual Hosts
NameVirtualHost 10.10.10.10
<IfDefine DEFAULT_VHOST>
<VirtualHost 10.10.10.10>
    DocumentRoot "/var/www/localhost/htdocs"
    ServerName linux.zuhause.own
    <Directory "/var/www/localhost/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule peruser.c>
        ServerEnvironment apache apache
        MinSpareProcessors 4
        MaxProcessors 20
    </IfModule>
</VirtualHost>
</IfDefine>
```

Here's my other vhost - an external one (/etc/apache2/vhosts.d/external.conf):

```
### Section 3: Virtual Hosts
NameVirtualHost some.external.ip.addr
<VirtualHost some.external.ip.addr>
    DocumentRoot "/var/www/localhost/htdocs"
    ServerName somehost.dyndns.org
    <Directory "/var/www/localhost/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule peruser.c>
        ServerEnvironment apache apache
        MinSpareProcessors 4
        MaxProcessors 20
    </IfModule>
</VirtualHost>
```

Now, how do I configure the /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf? Do I need to create a copy of that file for my external vhost?

Thanks for any help...

thomas

----------

## hampton275

I am also having this issue, did you get a resolution for this?

Thanks

----------

## ripperd

```
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
```

You need to have that in the VirtualHost or host directive that the site is served under. I found this out the hard way.

----------

## totopo

Here is my 41_mod_ssl.default-vhost.conf (it is the default installed with Apache), I hope it helps.

What do you see in the messages in /var/log/apache2 ?

```
<IfDefine SSL>
  # We now wrap the entire default vhost in a separate IfDefine to fix bug
  # 100624. If you are using this default vhost, add it to /etc/conf.d/apache2
  <IfDefine SSL_DEFAULT_VHOST>
<IfModule mod_ssl.c>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/var/www/localhost/htdocs"
ServerName localhost:443
ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
   TransferLog logs/ssl_access_log
</IfModule>
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile conf/ssl/server.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile conf/ssl/server.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile conf/ssl/ca.crt
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath conf/ssl/ssl.crt
#SSLCACertificateFile conf/ssl/ca-bundle.crt
#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf/ssl/ssl.crl
#SSLCARevocationFile conf/ssl/ca-bundle.crl
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10
#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/localhost/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
<IfModule mod_setenvif.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
</IfModule>
#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
<IfModule mod_log_config.c>
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
</IfModule>
</VirtualHost>
</IfModule>
  </IfDefine>
</IfDefine>
```

----------

## assaf

I'm having this problem as well.

The SSL log files don't even get created, which makes me think that the content of the 41_mod_ssl.default-vhost.conf is not being processed at all, probably due to the IfModule directive.

EDIT> Darned typo. I had -D SSL_DEFAULT_HOST instead of -D SSL_DEFAULT_VHOST in the conf.d file... argghh...

----------

## tkhobbes

I really don't get it.

This is in my log files when I use something like https://servername.com (on a windows client with newest Firefox 1.0.7):

```
thomas@linux /var/log/apache2 $ cat error_log
[Tue Oct 04 19:44:38 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Tue Oct 04 19:44:39 2005] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 04 19:44:39 2005] [notice] Digest: done
[Tue Oct 04 19:44:39 2005] [notice] Apache configured -- resuming normal operations
[Tue Oct 04 19:44:48 2005] [error] [client 10.10.10.101] Invalid method in request \x80g\x01\x03
```

```
thomas@linux /var/log/apache2 $ cat access_log
10.10.10.101 - - [04/Oct/2005:19:44:48 +0200] "\x80g\x01\x03" 501 283
```

No idea what this should be...

I checked the 41_mod_ssl.default-vhost.conf file - it's ok...

thomas

----------

## assaf

*tkhobbes wrote:*

> I really don't get it.
>
> ...
>
> thomas

All this just means that SSL is not active. The HTTPS request is being processed as a regular HTTP request. If SSL was working properly it would create its log files in the apache log dir (ssl_error_log, ssl_access_log). You could try uncommenting the <IfModule> and <IfDefine> directives (and their closing counterparts) in the 40 and 41 conf files to see if that's your problem. Also make sure that the mod_ssl.so exists (I think in /usr/lib/apache2/modules/); it should be if you had set the ssl USE flag when installing apache.
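The two log lines tkhobbes posted are exactly this signature: Apache reads the first bytes of a TLS/SSL handshake as an HTTP method name and logs them escaped (\x80g\x01\x03 is an SSLv2-compatible ClientHello header). As an added example, not part of the thread, here is a small Python scanner that walks Apache access_log and error_log lines, undoes the log escaping and flags handshakes that landed on a plaintext port; the first access_log line and the error_log line are the ones from the thread, the other two access_log lines are constructed.

```python
import re

# access_log lines: the first is from the thread, the other two are constructed
SAMPLE_ACCESS_LOG = [
    r'10.10.10.101 - - [04/Oct/2005:19:44:48 +0200] "\x80g\x01\x03" 501 283',
    r'10.10.10.102 - - [04/Oct/2005:19:45:02 +0200] "\x16\x03\x01\x02" 501 283',
    r'10.10.10.103 - - [04/Oct/2005:19:45:10 +0200] "GET / HTTP/1.1" 200 1456',
]
# error_log line from the thread
SAMPLE_ERROR_LOG = [
    r'[Tue Oct 04 19:44:48 2005] [error] [client 10.10.10.101] Invalid method in request \x80g\x01\x03',
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:\\.|[^"\\])*)" (\d{3}) \S+')
ERROR_RE = re.compile(r'\[client ([^\]]+)\] Invalid method in request (\S+)')

def unescape_apache(field: str) -> bytes:
    r"""Reverse Apache's log escaping: \xHH -> raw byte, \" -> ", \\ -> \."""
    out, i = bytearray(), 0
    while i < len(field):
        if field[i] == '\\' and i + 1 < len(field):
            if field[i + 1] == 'x' and i + 3 < len(field):
                out.append(int(field[i + 2:i + 4], 16))
                i += 4
                continue
            out.append(ord(field[i + 1]))
            i += 2
            continue
        out.append(ord(field[i]))
        i += 1
    return bytes(out)

def classify_request(raw: bytes) -> str:
    """Name what the leading bytes of the logged 'request' really are."""
    # SSLv2-compatible record: high bit of the 2-byte length header set,
    # then message type 0x01 (CLIENT-HELLO); this is the "\x80g\x01\x03" case.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        return 'sslv2-client-hello'
    # SSLv3/TLS record: content type 0x16 (handshake), major version 0x03
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return 'tls-client-hello'
    return 'http'

def scan_log(lines):
    """Return (client, verdict) for each line carrying a handshake on a plaintext port."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        client, req = (m.group(1), m.group(2)) if m else (None, None)
        if not m:
            m = ERROR_RE.search(line)
            if not m:
                continue
            client, req = m.group(1), m.group(2)
        verdict = classify_request(unescape_apache(req))
        if verdict != 'http':
            findings.append((client, verdict))
    return findings
```

A hit means the vhost answering that port has no working SSLEngine; an empty result while ssl_access_log also stays empty points at the handshake never reaching Apache at all.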

----------

## tkhobbes

I commented out the directives - still the same problem. Also, mod_ssl.so is there (SSL is in my USE flags).

thomas

----------

## totopo

Is it listening at least on port 443 (default SSL)?

What appears if you type:

```
netstat -npl
```

If you see the PID, type

```
lsof -p [PID found with netstat] | egrep 'ssl'
```

On my machine something like this appears:

```
apache2 8126 root  mem    REG    3,3  144352 2935558 /usr/lib/apache2/modules/mod_ssl.so
apache2 8126 root  mem    REG    3,3  165672  774599 /usr/lib/libssl.so.0.9.7
apache2 8126 root    8w   REG    3,3    1485 2855262 /var/log/apache2/ssl_error_log
apache2 8126 root   10w   REG    3,3   97380 2855700 /var/log/apache2/ssl_access_log
apache2 8126 root   11w   REG    3,3  108918 2855701 /var/log/apache2/ssl_request_log
apache2 8126 root   12w   REG    3,3       0 2856442 /var/cache/apache2/ssl_mutex.8125 (deleted)
```

What appears in yours?

----------

## totopo

Note: If you don't have the lsof command:

```
emerge sys-process/lsof
```

----------

## tkhobbes

Here's my lsof output (it's similar to yours):

```
linux ~ # lsof -p 4205 | egrep 'ssl'
apache2 4205 root  mem    REG      3,1  167428  1142841 /usr/lib/apache2/modules/mod_ssl.so
apache2 4205 root  mem    REG      3,1  194372   835456 /usr/lib/libssl.so.0.9.7
apache2 4205 root    8w   REG      3,1       0   522478 /var/log/apache2/ssl_error_log
apache2 4205 root   10w   REG      3,1       0   522980 /var/log/apache2/ssl_access_log
apache2 4205 root   11w   REG      3,1       0   523128 /var/log/apache2/ssl_request_log
apache2 4205 root   12w   REG      3,1       0   539392 /var/cache/apache2/ssl_mutex.4201 (deleted)
linux ~ #
```

The corresponding lines in my netstat output were:

```
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4205/apache2
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4205/apache2
```

thomas

----------

## totopo

So you have the ssl logs, what are the errors in those files?

----------

## tkhobbes

Hi there

They are all... empty! (size: 0 bytes...)

----------

## RageX^NZ

I have the exact same problem here!

----------

## totopo

I suggest you back up your config files, re-emerge apache, check that SSL works with the default settings and then merge your config files.

----------

## RageX^NZ

Doing that now and progress so far is good.

Had to re-emerge PHP and mod_php of course!

----------

## tkhobbes

OK, I re-emerged apache2. However, being a little too cautious, I deleted my /var/www/htdocs/* directories. The emerge of apache2 only created a www dir in /var - how do I get back a blank, new, fresh htdocs dir - with all the necessary subdirectories (like icons, cgi-bin, etc.)?

thomas

----------

## tkhobbes

OK, got it - this thread https://forums.gentoo.org/viewtopic-t-386344-highlight-htdocs.html helped out...

----------

## tkhobbes

OK, now something like https://my.servername works - from the internal network.

Thanks for the tips, guys - I now will try again to set up some vhost for my external access to this server - it will be IP-based and should support SSL also... wish me luck.

----------

## winston_nolan

I have seen this only when requesting https://localhost

When I request https://ip.add.dre.ss it works, and also https://hostname or https://fqdn

winston

----------

## koshnarek

Thanks!


----------

