# apache + mod_ssl - no response from https://localhost

## cca93014

Hi,

I've built apache + mod_php + mod_ssl. PHP is working fine. libssl.so is built, and living in /etc/apache/extramodules - file size is 161284 bytes. 

I added the following into the apache.conf file:

```
LoadModule php4_module          extramodules/libphp4.so
LoadModule ssl_module           extramodules/libssl.so
...
AddModule mod_php4.c
AddModule mod_ssl.c
```

I have edited the /etc/conf.d/apache file to uncomment the line:

APACHE_OPTS="-D SSL -D PHP4"

The server keys have been created and are living in /etc/apache/conf/ssl. 

I can start apache, and standard port 80 works fine. ps -ef shows 6 instances of:

/usr/sbin/apache -D SSL -D PHP4

BUT when I try browsing to https://localhost/

I get nothing - nada. There's nothing entered in the apache log files. 

```
lynx https://localhost
```

returns:

```
Looking up localhost
Making HTTPS connection to localhost
Alert!: Unable to connect to remote host.

lynx: Can't access startfile https://localhost/
```

Anyone got any ideas?

----------

## nitro322

First of all the obvious:  can you connect to http://localhost?  If so, then how did you start apache?  I haven't tested it yet with Gentoo, but when compiling Apache w/ mod_ssl from source, you need to start it with 'apachectl startssl' in order for it to work.  Maybe a similar problem?

----------

## cca93014

Hmmm. It does work on standard unencrypted port 80 yeah. Interestingly, when I run:

/usr/sbin/apachectl --help

it doesn't have startssl as one of the options. 

I installed the apps in the following order:

1: apache

2: mod_php

3: mod_ssl

Does this matter? I'm 99% sure that "ssl" was in the USE variable at the time...Is there a way of checking what the current USE variable is set to?

----------

## Sykus

i also have this problem.  i emerged apache mod_ssl mod_php mysql at the same time.  everything works perfectly except ssl.  i've also done everything cca93014 has done regarding post compilation

----------

## rac

Do you have the following lines at the end of /etc/apache/conf/apache.conf? 

```
Include  conf/addon-modules/mod_ssl.conf

Include  conf/vhosts/ssl.default-vhost.conf
```

----------

## Sykus

no i did not, will try out now.

edit:  rac is now my god  :Very Happy:   thanks!

----------

## mathew

I've raised bug 6075, to have this fixed in the Desktop Documentation Guide.

----------

## Sykus

looks like your bug was prematurely closed, and gives instructions that did not work on my system for mod_php or mod_ssl.  bugzilla is taking forever to send my password so i can reply though.

edit: correction, bugzilla is just plain not sending my password.  oh well, i was gonna reopen the bug and post this:

it did not add the lines when i did the ebuild config as instructed.  it also did not add the lines for mod_php when i did the ebuild config for it.

i had to add the lines manually, after rac's advice.

----------

## zentek

Now here is a good one !!

I was reading through the posts and found that I have about the same problem.

PHP is working for me though (just had to put the proper line in apache.conf).

But mod_ssl won't work. The SSL server starts up properly (netstat -ln shows a listening socket on 443) but the Fr**king page won't be displayed. When I check the logs for problems I have this:

```
[error]mod_ssl: Unable to create a new SSL connection from the SSL context (OpenSSL library error follows)
[error] OpenSSL: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
```

It's probably a stoopid newbie error, I mostly missed something. So O Linux guru I beg your pardon  :Smile: 

Please point me out the solution if you know it.

----------

## cerb

look here: https://bugs.gentoo.org/show_bug.cgi?id=6075

----------

## squanto

I did what I was supposed to to get apache and mod_ssl installed.

If I run apache without the -D SSL part, it runs fine, but when using the -D SSL part apache doesn't even show up with the command ps -ef.

Sometimes I get this output:

```
/etc/init.d/apache start
 * Starting apache...
[Mon Oct 14 16:24:28 2002] [warn] module ssl_module is already loaded, skipping
[Mon Oct 14 16:24:28 2002] [warn] module mod_ssl.c is already added, skipping
[Mon Oct 14 16:24:28 2002] [warn] _default_ VirtualHost overlap on port 443, the first has precedence    [ ok ]
```

I have been following the desktop config guide, and I have tried to unmerge and then remerge apache, mod_ssl, mod_php and php, but php is not causing these problems, cause right now it is not installed.

When trying to connect to https://localhost or http://localhost when using -D SSL I get a host not found error, but without SSL support I can connect to http://localhost no problem.

Any help?

Thanks,

Andrew

----------

## rac

Always fun to post in threads where people have previously confused you with various deities.  squanto, it sounds like somehow your mod_ssl has entered two sets of configuration info for itself, and eliminating that would probably be a good first step.  Can you try looking in /etc/apache/conf for ssl-related things that look like they're duplicated?

----------

## squanto

OK, since I have looked everywhere I can think of, I am just going to nuke anything to do with mod_ssl.

A question though, would openssl interfere with mod_ssl, or are they a part of each other?

-Andrew

ps, where is Japanifornia?  :Laughing: 

----------

## rac

 *squanto wrote:*   

> A question though, would openssl interfere with mod_ssl, or are they a part of each other?

 

mod_ssl depends on openssl.  The answer to the other question I'll send you privately so as not to bore everybody else.

----------

## squanto

OK, I unmerged and then remerged apache and mod_ssl, and then uncommented the APACHE_OPTS line so that mod_ssl and mod_php would be started.

When I start apache, I don't get any errors now, but I can't connect to my webserver and ps -ef doesn't show anything related to apache running.

I am following the desktop setup guide, on a PPC Gentoo 1.4 stage 3 install.

Any help?

this is what I get when I do cat /var/log/apache/ssl_engine_log

```
[14/Oct/2002 18:13:00 31076] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6g
[14/Oct/2002 18:13:00 31076] [info]  Init: 1st startup round (still not detached)
[14/Oct/2002 18:13:00 31076] [info]  Init: Initializing OpenSSL library
[14/Oct/2002 18:13:00 31076] [info]  Init: Loading certificate & private key of SSL-aware myserver.edu:443  ##i replaced this with fake value
[14/Oct/2002 18:13:01 31076] [info]  Init: Seeding PRNG with 136 bytes of entropy
[14/Oct/2002 18:13:01 31076] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[14/Oct/2002 18:13:03 31076] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
```

----------

## rac

Anything in /var/log/apache/error.log?

----------

## squanto

 *rac wrote:*   

> Anything in /var/log/apache/error.log?

 

from /var/log/apache/error_log: 

```
[Mon Oct 14 16:58:27 2002] [notice] Apache/1.3.27 (Unix)  (Gentoo/Linux) configured -- resuming normal operations
[Mon Oct 14 16:58:27 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Oct 14 16:58:27 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Oct 14 16:59:44 2002] [notice] caught SIGTERM, shutting down
```

all the other lines say the same thing as this. last part being me killing apache i believe.

----------

## rac

mod_ssl is not getting loaded.  The banner line in error.log should read something like 

```
Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g configured -- resuming normal operations
```

...if mod_ssl is loading correctly.  Did you run the "ebuild config" command like the mod_ssl ebuild told you to when it finished emerging?

----------

## squanto

 *rac wrote:*   

> mod_ssl is not getting loaded.  The banner line in error.log should read something like 
> 
> ```
> Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g configured -- resuming normal operations
> ```
> ...

 

yes.

and I did it for the mod_php one as well.

It seems when it attempts to start mod_ssl with apache that apache isn't really started, but says that it is, but if I don't try to use mod_ssl, apache starts fine and works.

edit: I have gotten mod_php to work fine now, but mod_ssl doesn't work still.

----------

## synnix

hey i was just reading on how to fix this and noticed a config file in /etc/apache/conf/vhost/ssl.default-vhost.conf was included in the apache.conf.  

Inside /etc/apache/conf/vhost/ssl.default-vhost.conf there is a line that is commented out that defines what hostname mod_ssl should respond to.  Set this to all the hostnames that you want mod_ssl to be on and uncomment it and it should work fine. 

This works because mod_ssl just sets up a virtual host that uses the mod_ssl module.

Hope this helps some people out.

----------

## squanto

Well, something got fixed in an ebuild somehow, cause I just emerged new apache mod_php php mod_ssl and it works now.

Not sure why, but thanks for the help  :Mr. Green: 

Now to learn how to use php ssl and mysql all together  :Wink: 

----------

## ixion

 *rac wrote:*   

> Do you have the following lines at the end of /etc/apache/conf/apache.conf? 
> 
> ```
> Include  conf/addon-modules/mod_ssl.conf
> 
> ...

 

I'm having the same problem as the original poster of this thread. I am dealing with apache 1.3 in a chrooted environment with php and ssl. I can easily get results on the regular HTTP, but through HTTPS I get no response. I did as you (rac) suggested (with the lines in the config file), and apachectl startssl comes back with no errors, but it isn't starting up at all. The /apache/logs/error_log reports:

```
[Thu May  1 12:52:07 2003] [notice] Apache/1.3.27 (Unix) PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7b configured -- resuming normal operations
[Thu May  1 12:52:07 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Thu May  1 12:57:51 2003] [notice] caught SIGTERM, shutting down
[Thu May  1 12:58:42 2003] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu May  1 13:00:31 2003] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu May  1 13:00:41 2003] [crit] (98)Address already in use: make_sock: could not bind to port 443
```

I looked in the ssl config file, but didn't see anything that related to paths, meaning it shouldn't be a result of the chroot, correct? Are there some recommendations for running this configuration in a chroot?

EDIT:

Did a reboot, now I get this in apache/logs/error_log:

```
[Thu May  1 13:14:43 2003] [crit] (98)Address already in use: make_sock: could not bind to port 443
```

I can connect normally (through HTTP), but not through HTTPS. Something is bound to 443, apparently. How can I find out what's hogging that port? Or am I totally off here?  :Rolling Eyes:   :Crying or Very sad: 

EDIT2:

I unmerged apache and apache2 (they were conflicting with my chroot setup), and with those Include lines commented out of my config file, I get this in the error_log:

```
[Thu May  1 13:33:55 2003] [notice] Apache/1.3.27 (Unix) PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7b configured -- resuming normal operations
[Thu May  1 13:33:55 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
```

----------

## ixion

chroot /www /apache/bin/httpd -l reports this:

```
Compiled-in modules:
  http_core.c
  mod_vhost_alias.c
  mod_env.c
  mod_define.c
  mod_log_config.c
  mod_mime_magic.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_info.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_speling.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_auth_anon.c
  mod_auth_dbm.c
  mod_digest.c
  mod_proxy.c
  mod_cern_meta.c
  mod_expires.c
  mod_headers.c
  mod_usertrack.c
  mod_unique_id.c
  mod_so.c
  mod_setenvif.c
  mod_ssl.c
  mod_php4.c
  mod_ssl.c
suexec: disabled; invalid wrapper /apache/bin/suexec
```

First of all, what's the suexec error mean? And secondly, notice that mod_ssl is loaded twice? Could this be a problem?

----------

## Hideki

You may not like it if you don't want to put applications not through emerge, but if you download the source of apache, download source of php and read installation manual with apache2 on php.net to get them both working first, then emerge openssl and read instruction on creating certificates(somewhere below the middle of the page) at Apache-SSL using openssl, it works just fine.

Also it seems easier to configure apache in this way, and you can get to run Apache2  :Smile: 

----------

## ixion

does that all work in a chroot by following their directions? I have not been doing any of this through emerge. I've been doing everything from source. I don't mind compiling from source one bit, and I also don't mind using the older apache.

----------

## ixion

Ok, I'm getting closer. I've read a lot of './configure --help' on all the sources involved. Thank you very much, Hideki. Your links have actually helped me understand a great deal! :Very Happy: 

Well as of now, Internet Explorer will connect via https, but Phoenix doesn't like it. Phoenix reports: Error establishing an encrypted connection to 192.168.x.x. Error Code: -8054

How should I generate the server.crt and server.key files? What I have done so far is grab them from previous apache merges. Is this incorrect? Should I generate new ones? If so, how do I do that?

----------

## ixion

I am currently getting this in my logs/error_log:

```
[Fri May  2 16:44:24 2003] [error] [client 127.0.0.1] Invalid method in request \x80p\x01\x03\x01
[Fri May  2 16:44:24 2003] [error] [client 127.0.0.1] Invalid method in request \x80p\x01\x03
```

I am using apache 1.3.27 with mod_ssl 2.8.14. The problem exists with or without php-4.3.1. No mysql. I think I may be missing a crucial library or something. I've done an ldd /apache/bin/httpd and everything appears to be statically linked correctly. I get no errors to the console, but only that one in the log. Does ANYONE have any ideas on what's going on? Why is setting up Apache in a chroot such a task? It's mentioned so casually everywhere. I don't mind working for something, hence my success so far, but I have no clue where to go with this.

----------
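
Added example, not part of any post in this thread (Python; the sample log lines are constructed in the format posted above, and the function names are this example's own). It triages an Apache 1.3 error_log for the three symptoms seen so far: rac's banner check for a `mod_ssl/` token, the `could not bind to port 443` failures, and `Invalid method in request` lines whose escaped bytes are an SSL/TLS ClientHello, which means the client spoke SSL to a listener that was answering as plain HTTP.

```python
import re

# Constructed sample in the error_log format posted in this thread.
SAMPLE_LOG = r"""
[Mon Oct 14 16:58:27 2002] [notice] Apache/1.3.27 (Unix)  (Gentoo/Linux) configured -- resuming normal operations
[Thu May  1 12:58:42 2003] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Fri May  2 16:44:24 2003] [error] [client 127.0.0.1] Invalid method in request \x80p\x01\x03\x01
[Fri May  2 16:45:00 2003] [error] [client 127.0.0.1] Invalid method in request FOO / HTTP/1.0
"""

BANNER = re.compile(r"\[notice\] (Apache/\S+ .*?) configured -- resuming normal operations")
BIND = re.compile(r"make_sock: could not bind to port (\d+)")
BADREQ = re.compile(r"Invalid method in request (.*)$")

def unescape(logged):
    """Turn the \\xHH escapes Apache writes to the log back into raw bytes."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), logged)
    return text.encode("latin-1", errors="replace")

def looks_like_tls_hello(data):
    """True if the bytes start like an SSL/TLS ClientHello rather than an HTTP method."""
    # SSLv2-compatible hello: length byte with high bit set, msg type 1, major version 3
    if len(data) >= 4 and data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        return True
    # SSLv3/TLS record: content type 0x16 (handshake), major version 3
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03

def triage(log_text):
    """Return a list of findings for the three failure modes discussed in the thread."""
    findings = []
    banners = BANNER.findall(log_text)
    if banners and "mod_ssl/" not in banners[-1]:
        findings.append("latest startup banner has no mod_ssl/ token: mod_ssl not loaded")
    for port in sorted(set(BIND.findall(log_text))):
        findings.append(f"bind to port {port} failed: already held by a process or an earlier Listen")
    for line in log_text.splitlines():
        m = BADREQ.search(line)
        if m and looks_like_tls_hello(unescape(m.group(1))):
            findings.append("SSL/TLS ClientHello parsed as HTTP: this listener is not doing SSL")
            break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
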

## Hideki

I do not run 1.3.27, so can't help well, but as for creating certificates, look in the www.apache-ssl.org and scroll down a bit and you'll find a way to do it using openssl command.

Also openssl command can make a connection to https port like what telnet can do to http port, maybe you can use that and see if it makes a good connection.

(Eg: openssl s_client -connect localhost:443)

----------

## ixion

whoot!! Hideki, thank you!! I can be very stubborn at times, and I (at first) thought what you were suggesting didn't have anything to do with what I'm doing, but after taking a long weekend, and coming back to work today with a fresh head, I just still couldn't get it working... so I gave up and decided to make new certificates like you suggested, and after finding out that 'Listen 443' was listed twice (between httpd.conf and mod_ssl.conf), doing these two things (along with inserting the lines rac suggested) fixed it! I am now running a Squirrelmail Webmail server in a chroot with SSL support!! yes!! Life is good!!

----------
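
Added example, not part of any post in this thread (Python; the config contents are constructed, only the file paths come from the thread). It automates rac's advice to look for duplicated SSL settings and would catch the doubled `Listen 443` ixion found: starting from the main config, it follows `Include` lines relative to the ServerRoot and reports every `Listen`, `LoadModule` or `AddModule` that appears more than once. It assumes plain-file includes and ignores `<IfDefine>`/`<IfModule>` conditions.

```python
import os
import tempfile
from collections import defaultdict

WATCHED = {"listen", "loadmodule", "addmodule"}

def directives(server_root, conf, stack=()):
    """Yield (path, lineno, name, arg), following plain-file Include lines.
    <IfDefine>/<IfModule> conditions are ignored, so review each hit by hand."""
    path = os.path.normpath(os.path.join(server_root, conf))
    if path in stack or not os.path.isfile(path):   # include loop or missing file
        return
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            parts = raw.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            name = parts[0].lower()
            if name == "include":
                yield from directives(server_root, parts[1], stack + (path,))
            elif name in WATCHED:
                yield path, lineno, name, parts[1]

def find_duplicates(server_root, conf):
    """Return {'directive arg': ['file:line', ...]} for directives seen twice or more."""
    hits = defaultdict(list)
    for path, lineno, name, arg in directives(server_root, conf):
        hits[f"{name} {arg}"].append(f"{os.path.relpath(path, server_root)}:{lineno}")
    return {key: where for key, where in hits.items() if len(where) > 1}

# Constructed sample tree; file names follow the paths quoted in the thread.
SAMPLE = {
    "conf/apache.conf": (
        "LoadModule ssl_module extramodules/libssl.so\n"
        "AddModule mod_ssl.c\n"
        "Listen 443\n"
        "Include conf/addon-modules/mod_ssl.conf\n"),
    "conf/addon-modules/mod_ssl.conf": (
        "# constructed contents\n"
        "Listen 443\n"
        "LoadModule ssl_module extramodules/libssl.so\n"),
}

def demo():
    """Write SAMPLE to a temporary ServerRoot and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        return find_duplicates(root, "conf/apache.conf")
```

On a real system the call would be `find_duplicates("/etc/apache", "conf/apache.conf")`, using the ServerRoot and config path from the first post.
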

## daelight

Ok... I went through a lot trouble that could've been avoided.

```
/usr/sbin/apachectl
```

is missing the following code to start ssl

```
    startssl|sslstart|start-SSL)
        if [ $RUNNING -eq 1 ]; then
            echo "$0 $ARG: httpd (pid $PID) already running"
            continue
        fi
        if $HTTPD -DSSL; then
            echo "$0 $ARG: httpd started"
        else
            echo "$0 $ARG: httpd could not be started"
            ERROR=3
        fi
        ;;
```

And then, edit 

```
/etc/apache/conf/vhosts/ssl.default-vhost.conf 
```

to change the root directory to whatever you specified.

After that, you should be able to run apachectl startssl with no problems

----------

