Apache 2.2.11 - SSLEngine on - ERROR: Oops, no RSA or DSA server certificate found for sgt.hemominas.mg.gov.br

Hello, I tried to apply a digital certificate to Apache 2.2.11 with PHP 4.4.9 on Windows Server 2012 R2, and I got this error when starting Apache ("E:\bin\Apache\bin\httpd.exe" -k runservice):

> [Fri 10 Feb 19:48:14 2023] [error] Oops, no RSA or DSA server certificate found for 'sgt.hemominas.mg.gov.br:0'?!

The domain is sgt.hemominas.mg.gov.br; it is a public DNS entry.

My httpd.conf and httpd-ssl.conf follow. This time I didn't configure httpd-vhosts.conf, but before that I tried configuring it and got the same error.

Note: SSLEngine on

**httpd.conf**

ServerRoot "E:/bin/Apache"

Listen 80

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User daemon
Group daemon
</IfModule>
</IfModule>

ServerAdmin gtc.sistemas@hemominas.mg.gov.br

ServerName localhost:80

DocumentRoot "E:/bin/Apache/htdocs"

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Options Indexes FollowSymLinks ExecCGI
</Directory>

<Directory "E:/bin/Apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php main.php default.php
</IfModule>

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

ErrorLog "E:\bin\Apache\logs\error.log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "E:\bin\Apache\logs\access.log" common
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "E:/bin/Apache/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "E:/bin/Apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

<Directory "E:/bin/Apache/htdocs">
    Options Indexes FollowSymLinks ExecCGI
</Directory>

DefaultType text/plain

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    ScriptAlias /php/ "E:/bin/php-4.4.9"
    AddType application/x-httpd-php .php
    Action application/x-httpd-php "E:/bin/php-4.4.9/php.exe"
</IfModule>

Include conf/extra/httpd-ssl.conf

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

PHPIniDir "E:/bin/php-4.4.9"
LoadModule php4_module "E:/bin/php-4.4.9/sapi/php4apache2_2.dll"

**httpd-ssl.conf** 

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

#SSLSessionCache         "dbm:E:/bin/Apache/logs/ssl_scache"
SSLSessionCache        "shmcb:E:/bin/Apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

SSLMutex default

<VirtualHost _default_:443>
    SSLEngine on
    ServerName    sgt.hemominas.mg.gov.br
    ServerAlias   www.sgt.hemominas.mg.gov.br
    ServerAdmin   sis.sgt@hemominas.mg.gov.br
    DocumentRoot  "E:/bin/Apache/htdocs/sgt.hemominas.mg.gov.br"

    <Directory "E:/bin/Apache/htdocs/sgt.hemominas.mg.gov.br">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "E:/bin/Apache/conf/cert/cert.crt"
    SSLCertificateKeyFile "E:/bin/Apache/conf/cert/privkey.pem"
    SSLCertificateChainFile "E:/bin/Apache/conf/cert/chain.crt"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "E:/bin/Apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ErrorLog    "E:/bin/Apache/logs/error.log"
    CustomLog   "E:/bin/Apache/logs/access.log" combined
    TransferLog "E:/bin/Apache/logs/access.log"
</VirtualHost>

It looks like Apache 2.2 doesn't support ECDSA certificates.

You currently have an ECDSA certificate. If you used Certbot to obtain this certificate, you can use --key-type rsa to get it to issue an RSA certificate.

It's not a great idea to use such an outdated version of Apache/PHP/Windows on the internet but that should get you going.

7 Likes
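The key-type check behind that reply, written out as an added example (it is not code from the post, from Apache or from Certbot): a stdlib-only DER walker that reads a certificate in PEM or DER form and reports whether its SubjectPublicKeyInfo algorithm is RSA, DSA or ECDSA (id-ecPublicKey), so a certificate Apache 2.2's mod_ssl cannot load is caught before the service restart. The OIDs are the standard ones; `build_dummy_certificate` produces constructed, unsigned certificate skeletons for the self-test only, not real certificates.

```python
"""Report which public-key algorithm an X.509 certificate uses.

Added example for this thread (not code from the post, Apache or Certbot).
Apache 2.2 mod_ssl accepts only RSA and DSA server certificates, so a
SubjectPublicKeyInfo carrying id-ecPublicKey is what produces the startup
error "no RSA or DSA server certificate found".
"""
import base64
import re
import sys

# Algorithm OIDs that can appear in SubjectPublicKeyInfo.algorithm.
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",    # rsaEncryption
    "1.2.840.10040.4.1": "DSA",       # id-dsa
    "1.2.840.10045.2.1": "ECDSA",     # id-ecPublicKey
}
APACHE22_SUPPORTED = {"RSA", "DSA"}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(data):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        out.append((tag, value))
    return out


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(cert):
    """Accept PEM (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(cert, bytes) and not cert.startswith(b"-----"):
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_key_type(cert):
    """Return 'RSA', 'DSA', 'ECDSA' or 'unknown (<oid>)' for a certificate."""
    _, body, _ = _read_tlv(pem_to_der(cert), 0)      # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(body, 0)                    # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, alg_id, _ = _read_tlv(fields[5][1], 0)         # AlgorithmIdentifier
    _, oid_raw, _ = _read_tlv(alg_id, 0)              # its algorithm OID
    oid = _decode_oid(oid_raw)
    return KEY_ALGORITHMS.get(oid, "unknown (%s)" % oid)


def apache22_can_load(cert):
    """True if Apache 2.2 mod_ssl accepts this certificate's key type."""
    return certificate_key_type(cert) in APACHE22_SUPPORTED


# --- constructed self-test data: unsigned skeletons, not real certificates ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


RSA_OID = bytes.fromhex("06092a864886f70d010101")    # 1.2.840.113549.1.1.1
EC_OID = bytes.fromhex("06072a8648ce3d0201")         # 1.2.840.10045.2.1
P256_OID = bytes.fromhex("06082a8648ce3d030107")     # prime256v1 curve parameter


def build_dummy_certificate(key_oid, params):
    alg_id = _der(0x30, key_oid + params)
    bits = _der(0x03, b"\x00" * 65)                   # placeholder key / signature
    name = _der(0x30, b"")                            # empty Name
    validity = _der(0x30, _der(0x17, b"230101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg_id + name + validity + name + _der(0x30, alg_id + bits))
    return _der(0x30, tbs + alg_id + bits)


def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:                             # python keytype.py cert.crt
        with open(sys.argv[1], "rb") as fh:
            print(certificate_key_type(fh.read()))
    else:
        for label, cert in (("rsa", build_dummy_certificate(RSA_OID, b"\x05\x00")),
                            ("ec", build_dummy_certificate(EC_OID, P256_OID))):
            print(label, certificate_key_type(cert), "apache 2.2 ok:", apache22_can_load(cert))
```

Run it against the file named in SSLCertificateFile; an "ECDSA" result means the certificate has to be reissued with an RSA key (for Certbot, --key-type rsa, as the reply says) before Apache 2.2 will start.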

Thank you very much! I'm glad for the help and the helpful Let's Encrypt community. I agree with you about the older versions of Apache; they will be migrated soon. Thanks for your recommendation.

After migrating the certificate to RSA, the server started, but when loading the HTTPS page on port 443, the browser shows the message "This site can't be reached". In the access log of the Apache 2.2.11 server there are these entries:

127.0.0.1 - - [11/Feb/2023:01:11:59 -0300] "\x16\x03\x01\x02" 200 -
127.0.0.1 - - [11/Feb/2023:01:12:00 -0300] "\x16\x03\x01\x02" 200 -
127.0.0.1 - - [11/Feb/2023:01:12:00 -0300] "\x16\x03\x01\x02" 200 -
127.0.0.1 - - [11/Feb/2023:01:12:00 -0300] "\x16\x03\x01\x02" 200 -
...

The HTTP pages on port 80 work fine. The virtual host configuration follows.

Thanks a lot again.

<VirtualHost *:80>
    ServerName sgt.hemominas.mg.gov.br
    ServerAlias www.sgt.hemominas.mg.gov.br
    ServerAdmin sis.sgt@hemominas.mg.gov.br
    LogLevel warn

    <Directory "E:/bin/Apache/htdocs/sgt">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

##
## SSL Virtual Host Context
##

<VirtualHost *:443>
    ServerName sgt.hemominas.mg.gov.br
    ServerAlias www.sgt.hemominas.mg.gov.br
    ServerAdmin sis.sgt@hemominas.mg.gov.br
    LogLevel warn

    <Directory "E:/bin/Apache/htdocs/sgt">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile "E:/bin/Apache/conf/cert/cert.crt"
    SSLCertificateKeyFile "E:/bin/Apache/conf/cert/privkey.pem"
    SSLCertificateChainFile "E:/bin/Apache/conf/cert/chain.crt"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "E:/bin/Apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ErrorLog    "E:/bin/Apache/logs/error.log"
    CustomLog   "E:/bin/Apache/logs/access.log" combined
    TransferLog "E:/bin/Apache/logs/access.log"
</VirtualHost>
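What those access-log entries mean, shown in an added example that is not code from the post or from Apache: a request logged as "\x16\x03\x01..." is not HTTP at all but the start of a TLS record (content type 0x16 = Handshake, record-layer version 0x0301) that Apache read as a plaintext request line and answered with HTTP 200. That is the signature of a browser sending a TLS ClientHello to a port the server is serving without TLS, which matches the "site can't be reached" symptom. The scanner below parses Common Log Format lines, reverses Apache's \xNN escaping and decodes the record header; the log lines are constructed after the ones in the thread.

```python
"""Flag TLS handshake bytes that an Apache listener logged as HTTP requests.

Added example for this thread (not code from the post or from Apache).
A logged request starting with bytes 0x16 0x03 0x01 is a TLS record header
that arrived on a port Apache was serving as plaintext HTTP.
"""
import re

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}|-) (?P<bytes>\S+)'
)
ESCAPED_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")   # Apache logs binary as \xNN

TLS_CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert",
                     0x16: "Handshake", 0x17: "ApplicationData"}

# Constructed sample log, modelled on the thread's entries plus a normal
# request and a TLS alert for contrast.
SAMPLE_LOG = r"""
127.0.0.1 - - [11/Feb/2023:01:11:59 -0300] "\x16\x03\x01\x02" 200 -
127.0.0.1 - - [11/Feb/2023:01:12:00 -0300] "\x16\x03\x01\x02" 200 -
127.0.0.1 - - [11/Feb/2023:01:12:00 -0300] "GET / HTTP/1.1" 200 45
127.0.0.1 - - [11/Feb/2023:01:12:01 -0300] "\x15\x03\x03\x00" 200 -
""".strip().splitlines()


def unescape_request(raw):
    """Turn the logged request string back into the bytes Apache received."""
    return ESCAPED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), raw).encode("latin-1")


def tls_record_info(data):
    """Decode a TLS record header; return (content_type, version) or None.

    The record-layer version in a ClientHello is the legacy compatibility
    value (usually 0x0301), not the highest version the client supports.
    Records of TLS 1.2 and 1.3 both carry 0x0303.
    """
    if len(data) < 3 or data[1] != 0x03 or data[2] > 0x04:
        return None
    content_type = TLS_CONTENT_TYPES.get(data[0])
    if content_type is None:
        return None
    version = "SSL 3.0" if data[2] == 0 else "TLS 1.%d" % (data[2] - 1)
    return content_type, version


def scan_access_log(lines):
    """Return one finding per log line whose 'request' is really a TLS record."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        info = tls_record_info(unescape_request(m.group("request")))
        if info:
            findings.append({"host": m.group("host"), "time": m.group("time"),
                             "content_type": info[0], "record_version": info[1],
                             "status": m.group("status")})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("%(time)s %(host)s sent a %(record_version)s %(content_type)s record "
              "to a plaintext HTTP listener (answered with HTTP %(status)s)" % f)
```

Seeing Handshake records in the access log of a port that should be TLS means the SSLEngine-enabled virtual host is not the one answering on that port; checking which vhost actually binds 443 (httpd -S lists them) is the next step.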

Did you upgrade your Apache version from 2.2 already? Because I see this now:

curl -i sgt.hemominas.mg.gov.br

HTTP/1.1 200 OK
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.21
X-Powered-By: PHP/7.3.21

And, as for your cert, it looks OK except you are sending the "leaf" twice. The SSLCertificate lines are different between Apache 2.2 and 2.4.46

See the cert your server is using with a site like this SSL Checker (link here)

4 Likes

Probably not a valid servername:

Unless all your web sites will be using this same DocumentRoot, this statement should be used within each server block:
[and should be unique for each servername]

Why would you be doing all these extremely insecure ciphers?:

Based on the use of the same DocumentRoot, the expected responses should be very similar - but they are not:

curl http://sgt.hemominas.mg.gov.br/
<script>location.href="http://sgt.hemominas.mg.gov.br:8080/sgt/index.php";</script><script>location.href="http://consultadoador.hemominas.mg.gov.br:8080/doador/views/principal.php";</script>

curl https://sgt.hemominas.mg.gov.br/
<html><body><h1>It works!</h1></body></html>
4 Likes

Oh, so sorry, try now please. I got to receive the response about the domain and the handshake returns, or HTTPS traffic is received on the HTTP port.

I think there is a problem in the Apache configuration... maybe? I don't know the source of the trouble because the configurations are OK; see the post for httpd.conf, httpd-ssl.conf and vhost.conf.

curl -i sgt.hemominas.mg.gov.br

HTTP/1.1 200 OK
Date: Sat, 11 Feb 2023 12:26:33 GMT
Server: Apache/2.2.11 (Win32) mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/4.4.4
X-Powered-By: PHP/4.4.9
Content-Length: 0
Content-Type: text/html

Handshake failed, we haven't received any certificates from the requested server.

OpenSSL Handshake

CONNECTED(00000003)
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 334 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

1 Like

OpenSSL 0.9.8i, apart from having serious vulnerabilities, does not support TLS 1.1 or TLS 1.2 (not sure if it supports TLS 1.0) and as such will not work with any recent browser or other modern TLS implementation.

7 Likes

Supplemental information: recently there have been others with issues on subdomains of gov.br.
See https://community.letsencrypt.org/t/does-gov-br-and-subdomains-have-dns-issues/192347?u=bruce5051; at the bottom is a list of links to some of the other topics.

1 Like

After some hours of trying, the solution applied in this case was to plan a migration of the Apache and PHP versions. Temporarily, a layer of protection will be applied by a WAF (OSI layer 7) until the server is migrated. Thanks a lot.

2 Likes
