Cannot get SSL working on an Apache VHOST in Fedora 22


#1

I cannot for the life of me get this to work. I have the server configured to use the certs correctly, and http traffic to the domain works, but https always results in an error_107 being thrown by chrome. No logs anywhere show anything useful. I am running a node.js server for the webapp, and apache is configured as a proxy to the port on localhost, and works correctly for http traffic.


#2

Try running https://www.ssllabs.com/ssltest/ against your domain, usually helps find the underlying issue.


#3

Well, it says no supported secure protocols. Not sure what to do from there.


#4

Could you share your apache config (specifically any vhost with ssl, or any other config file you added ssl directives to), and if possible the site in question?


#5

<VirtualHost *:443>
    ServerAdmin david.j.fogle@gmail.com
    ServerName djbird.tk:443
    ServerAlias djbird.tk
    ProxyPreserveHost on
    ProxyRequests off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        ProxyPass http://localhost:2368/
        ProxyPassReverse http://localhost:2368/
    </Location>
    RequestHeader set X-Forwarded-Proto "https"
#   SSLEngine on

</VirtualHost>

#6

Other than that, the only changes I have made are to the default ssl.conf, which are the 3 lines for the certs and keys.


#7

The line that enables SSL (or TLS), SSLEngine on, is commented out. Remove the # symbol from the start of the line.

As it stands, Apache is simply serving unencrypted HTTP on port 443. See: http://djbird.tk:443/


#8

Yeah, I had that commented out for a reason, it breaks apache badly.


#9

You need that enabled for SSL to work. So you’ll need to find a different way to fix whatever breakage it causes. Perhaps we can help if you describe the breakage in more detail?


#10

Ah, now that I have it on, I can see the real errors.

[Wed Nov 25 22:26:18.195419 2015] [core:notice] [pid 10254] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Nov 25 22:26:18.199048 2015] [ssl:emerg] [pid 10254] AH02572: Failed to configure at least one certificate and key for djbird.tk:443
[Wed Nov 25 22:26:18.199100 2015] [ssl:emerg] [pid 10254] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Nov 25 22:26:18.199121 2015] [ssl:emerg] [pid 10254] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Nov 25 22:26:18.199192 2015] [ssl:emerg] [pid 10254] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Nov 25 22:26:18.199205 2015] [ssl:emerg] [pid 10254] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed


#11

You might need to put the three lines defining the cert/key/chain inside the VirtualHost definition. I don’t know if it’s necessary, but I’ve never seen them anywhere else, and the second line from your log seems to suggest that.


#12

I have done so, and it throws the same error. If I rename the ssl.conf file into something else, it starts correctly, but ssl functions never start.


#13

Another possibility: if SELinux is in enforcing mode, it could be blocking apache from reading the certificate files. Does it work if you temporarily disable it with setenforce 0?


#14

Got it! I had removed a - from the wrong place :slight_smile:
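
Added example, not part of the original thread: a Python check for the PEM boundary lines behind the "no start line" errors logged in post #10. It assumes the dash removed in post #14 was in a `-----BEGIN ...-----` line of a certificate or key file, which the thread does not confirm; `check_pem` and the sample strings are constructed for illustration.

```python
import base64
import re

# RFC 7468 boundary: five dashes, BEGIN or END, a label, five dashes.
STRICT = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# Anything that looks like an attempt at a boundary line.
LOOSE = re.compile(r"^\s*-+\s*(?:BEGIN|END)")

# Constructed sample: the body is dummy base64, not a real certificate.
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
# Same text with one dash removed from the first line (assumed failure mode).
SAMPLE_BAD = SAMPLE_OK.replace("-----BEGIN", "----BEGIN", 1)

def check_pem(text):
    """Return a list of (line_number, problem) found in PEM text."""
    problems, blocks = [], 0
    label, start, body = None, 0, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        m = STRICT.match(line)
        if m is None:
            if LOOSE.match(line):
                problems.append((n, "malformed boundary line: %r" % line))
            elif label is not None and ":" not in line:
                # Body line; "Name: value" headers of legacy keys are skipped.
                body.append(line)
            continue
        kind, name = m.groups()
        if kind == "BEGIN":
            if label is not None:
                problems.append((start, "BEGIN %s has no matching END" % label))
            label, start, body = name, n, []
            continue
        if label is None:
            problems.append((n, "END %s without a valid BEGIN" % name))
        elif name != label:
            problems.append((n, "END %s closes BEGIN %s" % (name, label)))
        else:
            try:
                base64.b64decode("".join(body), validate=True)
                blocks += 1
            except ValueError:
                problems.append((start, "body is not valid base64"))
        label = None
    if label is not None:
        problems.append((start, "BEGIN %s has no matching END" % label))
    if not blocks and not problems:
        problems.append((0, "no PEM block found"))
    return problems
```

Run `check_pem(open(path).read())` on each file named by the certificate, key and chain directives; an empty list means the framing is intact, not that the certificate and key match.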


#15

Great, glad you got it working :slight_smile:


#16

As am I :slight_smile: Thank you very much for your help! This project is freaking amazing.


#17

Hi birdie,

I am having the same issue. Could you tell me from which file and place you removed the “-”?

Regards,
ramK