Servers & Networking: Discuss any Fedora server problems and Networking issues such as dhcp, IP numbers, wlan, modems, etc.

31st October 2005, 04:37 PM
Registered User
Join Date: Oct 2005
Posts: 4

SSL Certificate Problem
Hi All,
I am having a great deal of trouble activating SSL on an Apache 2.0 installation with FC4. I have created and self-signed a certificate and private key as this is only for a small academic group, but I cannot get the httpd daemon to start up. The ssl.conf file is pointing to the correct path /etc/pki/... and so forth for both the key and the cert files and the httpd.conf file is loading the ssl.conf file as well. The error I get is:
"Server should be SSL-aware but has no certificate configured"
in the httpd error log. I can't figure out what I may have missed. Any suggestions?

1st November 2005, 07:32 AM
Registered User
Join Date: Feb 2005
Age: 34
Posts: 1,281

How about providing us with your Apache configuration file so that we can have a look at it?
__________________
I read your e-mail

1st November 2005, 03:21 PM
Registered User
Join Date: Oct 2005
Posts: 4

Hi All,
Sorry. Forgot to post the conf files. Some changes were made for security. If you see <me> that is replaced by my user name on the system and <server> is replaced by the server name. Some more background:
We need Apache running as a specific user to instigate a python script which runs a command-line argument as a given user. Each user on the system is assigned a port to log into and authenticate, mine is port 8001. There may be better ways to do this, but this is what I got working with my Apache books.
Thanks again for any help.

1st November 2005, 04:08 PM
Registered User
Join Date: Jun 2004
Posts: 35

Did you verify that your private key is not password protected?
fs
Btw: I recommend using certificates from CAcert if you don't buy one from a commercial entity as they have several advantages over self-signed certs.

1st November 2005, 04:32 PM
Registered User
Join Date: Oct 2005
Posts: 4

I think so. I did not provide a password when I created the certificate. I used the CA scripts in Apache to create the certificate and key. The permissions all check as well.

2nd November 2005, 07:45 AM
Registered User
Join Date: Feb 2005
Age: 34
Posts: 1,281

It might be that you created the certificate, but the original 'dummy' one is still on your system. I ran into some conflicts using the "redhat" cert method for sendmail. Basically there was a generic ssl cert already there that was conflicting with the one I made.
__________________
I read your e-mail

2nd November 2005, 12:56 PM
Registered User
Join Date: Sep 2005
Location: Hellas
Posts: 126

Has the user that starts the apache daemon (not the one specified in httpd.conf) read-access on the certificate and key? If root starts apache, then ignore my question.

2nd November 2005, 03:31 PM
Registered User
Join Date: Oct 2005
Posts: 4

I moved the "dummy key" and the localhost key and cert to a different directory. Still have the same error. And the user running apache has read permissions on both the key and cert file.
Last edited by FenrisWolf; 2nd November 2005 at 08:20 PM.
Reason: Updated task.

3rd November 2005, 04:54 PM
Registered User
Join Date: Oct 2005
Location: GA, USA
Posts: 311

I think I remember that when I made mine I renamed the dummy keys to whatever.therenamewas.original before making the new ones. Or to be more plain added .original on the end.

27th April 2006, 08:53 PM
Registered User
Join Date: Nov 2005
Posts: 63

Look at the line that states...
# LoadModule ssl_module modules/mod_ssl.so
I believe you need to uncomment it; your server is not SSL enabled. If that does not work you may want to rebuild Apache in such a way that loads the ssl module during the build.
example:
./configure --prefix=/etc/httpd/ --enable-ssl=shared   # build mod_ssl as a loadable module
make
make install
/etc/httpd/bin/apachectl start   # apachectl is installed under <prefix>/bin

27th April 2006, 11:58 PM
Registered User
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,305

Maybe this will help. Here's a working SSL virt host config. You still need to uncomment the ssl module.
Code:
<VirtualHost _default_:443>
DocumentRoot "/usr/apache/htdocs"
ServerName web1.brunson.com:443
ServerAdmin support@brunson.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/apache/conf/ssl.crt/labs.brunsont.com.crt
SSLCertificateKeyFile /usr/apache/conf/ssl.key/labs.brunson.com.key
</VirtualHost>
And this is in the main config file:
Code:
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfDefine>
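
The checks suggested across the replies above (an uncommented `LoadModule ssl_module`, certificate and key configured and readable, key not passphrase protected) can be run in one pass, together with a flag for the weak entries in the posted `SSLCipherSuite`. This is an added example, not part of any post and not an Apache or Fedora tool; `check_ssl_conf`, `demo` and the sample files are made up for illustration, and it assumes the config uses absolute paths.

```shell
#!/bin/sh
# Added example: static pre-flight check for the causes raised in this thread.
# check_ssl_conf, demo and the sample file names are assumptions, not Fedora tools.
check_ssl_conf() {
    # Active directives only: strip indentation, drop comments and blank lines.
    active=$(cat "$@" | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d')
    directive() {   # first argument of the first active directive named $1
        printf '%s\n' "$active" |
            awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }'
    }
    printf '%s\n' "$active" | grep -Eiq '^LoadModule[[:space:]]+ssl_module' ||
        echo "FAIL: no active LoadModule ssl_module line"
    [ "$(directive SSLEngine)" = on ] || echo "FAIL: SSLEngine is not on"
    for name in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(directive "$name")
        if [ -z "$path" ]; then
            echo "FAIL: $name is not configured"
        elif [ ! -r "$path" ]; then
            echo "FAIL: $name $path is missing or not readable by this user"
        elif [ "$name" = SSLCertificateKeyFile ] && grep -q ENCRYPTED "$path"; then
            echo "WARN: $path is passphrase protected"
        fi
    done
    # Cipher-list entries that are switched on (no leading ! or -) and are weak.
    weak=$(directive SSLCipherSuite | tr ':' '\n' | sed 's/^+//' |
           grep -Ex 'eNULL|SSLv2|EXP|LOW' | tr '\n' ' ')
    [ -z "$weak" ] || echo "WARN: SSLCipherSuite enables weak entries: ${weak% }"
    return 0
}

demo() {   # constructed sample input, written to a temporary directory
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' > "$tmp/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$tmp/server.key"
    printf '%s\n' '# LoadModule ssl_module modules/mod_ssl.so' > "$tmp/httpd.conf"
    cat > "$tmp/ssl.conf" <<EOF
<VirtualHost _default_:443>
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile $tmp/server.crt
  SSLCertificateKeyFile $tmp/server.key
</VirtualHost>
EOF
    check_ssl_conf "$tmp/httpd.conf" "$tmp/ssl.conf"
    rm -rf "$tmp"
}
demo
```

Run it as the account that starts httpd so the readability test is meaningful; relative paths in a config would need ServerRoot prepended before the file checks.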