Re: [users@httpd] Still have messed up TLS

2023-11-26 Thread John
After a week of chasing this around I have managed to change the problem several times but I'm still unable to get Apache started.  I **think** there is something unrelated to the error that I'm seeing that may have been included in the default config, but before I go down that rabbit hole I realize that I am making a number of assumptions because I don't know how to check, so if everyone would please bear with me, and my apologies in advance:

Here are the relevant parts of the full configuration:

/usr/sbin/httpd -M

***89 deleted module lines here**
ssl_module (shared)
systemd_module (shared)

the full config file for the ONLY https virtual server
--
# SSL Support for Coax Publications ONLY!

   ServerName www.coaxpublications.ca
#   ServerAlias t.coaxpublications.ca
   DocumentRoot /usr/httpd/coax
   Options -MultiViews
   H2Direct on
   ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/coax
   SSLEngine on
#   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
   SSLCipherSuite TLSv1.3
   SSLCertificateFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.pem
   SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.key
   SSLCACertificateFile /etc/httpd/conf/sslcert/intermediate.crt   
   SSLHonorCipherOrder on
   # max-age takes '=' not '-'; browsers ignore the header otherwise
   Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains"


# Redirect if logon is to coaxpublications without the 'www'

   ServerName coaxpublications.ca
   Redirect permanent / https://www.coaxpublications.ca

--

the systemctl status on attempting to start:
--
# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/httpd.service.d
             └─php-fpm.conf
     Active: failed (Result: exit-code) since Sun 2023-11-26 15:14:50 EST; 25min ago
   Duration: 1d 22h 32min 36.626s
       Docs: man:httpd.service(8)
    Process: 56733 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 56733 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 25ms

Nov 26 15:14:50 prod02 systemd[1]: Starting The Apache HTTP Server...
Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 26 15:14:50 prod02 systemd[1]: Failed to start The Apache HTTP Server.
--

our production TLS certificate.  The one on the problem server is a .pem version of the same thing because it will eventually replace this server.  What I don't know is how to confirm that the .pem cert is identical to this one.

--
[certificate viewer page for www.coaxpublications.ca; not reproduced]
--

the error log for mod_ssl

--
[Sun Nov 26 15:14:50.745976 2023] [ssl:warn] [pid 56733:tid 56733] AH01909: www.iliffe.ca:443:0 server certificate does NOT include an ID which matches the server name
--
Now here is where I get really confused: there is NO config file for virtual server iliffe.ca that makes it an HTTPS server.  It is simply our test server and runs as http on port 80.  The only possible reason that I can think of why this should have been included in the https chain as needing a certificate is the default Rocky ssl.conf file that gets automatically inserted (include *.conf) at startup and comes with the 'dnf install mod_ssl'.  Here it is in full; fortunately it is mostly comments:
--
#
# When we also provide SSL we have to listen to the 
# standard HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##



# General setup for the

Re: [users@httpd] Still have messed up TLS

2023-11-26 Thread Frank Gingras
On Sun, Nov 26, 2023 at 4:13 PM John  wrote:

> After a week of chasing this around I have managed to change the problem several times but I'm still unable to get Apache started.  I **think** there is something unrelated to the error that I'm seeing that may have been included in the default config, but before I go down that rabbit hole I realize that I am making a number of assumptions because I don't know how to check, so if everyone would please bear with me, and my apologies in advance:
>
> Here are the relevant parts of the full configuration:
>
> /usr/sbin/httpd -M
>
> ***89 deleted module lines here**
> ssl_module (shared)
> systemd_module (shared)
>
> the full config file for the ONLY https virtual server
> --
> # SSL Support for Coax Publications ONLY!
> 
>    ServerName www.coaxpublications.ca
> #   ServerAlias t.coaxpublications.ca
>    DocumentRoot /usr/httpd/coax
>    Options -MultiViews
>    H2Direct on
>    ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/coax
>    SSLEngine on
> #   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
>    SSLCipherSuite TLSv1.3
>    SSLCertificateFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.pem
>    SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.key
>    SSLCACertificateFile /etc/httpd/conf/sslcert/intermediate.crt
>    SSLHonorCipherOrder on
>    # max-age takes '=' not '-'; browsers ignore the header otherwise
>    Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains"
> 
>
> # Redirect if logon is to coaxpublications without the 'www'
> 
>    ServerName coaxpublications.ca
>    Redirect permanent / https://www.coaxpublications.ca
> 
> --
>
> the systemctl status on attempting to start:
> --
> # systemctl status httpd
> × httpd.service - The Apache HTTP Server
>      Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
>     Drop-In: /usr/lib/systemd/system/httpd.service.d
>              └─php-fpm.conf
>      Active: failed (Result: exit-code) since Sun 2023-11-26 15:14:50 EST; 25min ago
>    Duration: 1d 22h 32min 36.626s
>        Docs: man:httpd.service(8)
>     Process: 56733 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
>    Main PID: 56733 (code=exited, status=1/FAILURE)
>      Status: "Reading configuration..."
>         CPU: 25ms
>
> Nov 26 15:14:50 prod02 systemd[1]: Starting The Apache HTTP Server...
> Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> Nov 26 15:14:50 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> --
>
> our production TLS certificate.  The one on the problem server is a .pem version of the same thing because it will eventually replace this server.  What I don't know is how to confirm that the .pem cert is identical to this one.
>
> --
> [certificate viewer page for www.coaxpublications.ca; not reproduced]
> --
>
> the error log for mod_ssl
>
> --
> [Sun Nov 26 15:14:50.745976 2023] [ssl:warn] [pid 56733:tid 56733] AH01909: www.iliffe.ca:443:0 server certificate does NOT include an ID which matches the server name
> --
> Now here is where I get really confused: there is NO config file for virtual server iliffe.ca that makes it an HTTPS server.  It is simply our test server and runs as http on port 80.  The only possible reason that I can think of why this should have bee

Re: [users@httpd] Still have messed up TLS

2023-11-26 Thread Paul

On 2023-11-26 16:12, John wrote:

After a week of chasing this around I have managed to change the problem several times but I'm still unable to get Apache started.  I **think** there is something unrelated to the error that I'm seeing that may have been included in the default config, but before I go down that rabbit hole I realize that I am making a number of assumptions because I don't know how to check, so if everyone would please bear with me, and my apologies in advance:

Here are the relevant parts of the full configuration:

/usr/sbin/httpd -M


I think you said you were using "Rocky Linux", associated with RHEL, which may use /usr/sbin/httpd rather than /usr/share/apache2 (Debian).  If "Rocky" is a spin-off (I have no knowledge of it) perhaps they have a "users list" that could help you?


In any case, what is the output of 'apachectl -S' (or perhaps 'httpd -S')?  Is it only your TLS that is problematic, or are there other underlying glitches?  You write "httpd.service: Main process exited, code=exited, status=1/FAILURE" and this looks to me like it could precede any TLS certs.


Also, your "SSLCACertificateFile" probably has to be used carefully.  It "can be used alternatively and/or additionally to "SSLCACertificatePath" and should only be used if "SSLCADNRequestPath or SSLCADNRequestFile" are missing. See . Yours appear to be missing from what you write (please delete all rem'ed out lines, it's rather boring) - are you sure this is what you want?


Good luck -- Paul


***89 deleted module lines here**
ssl_module (shared)
systemd_module (shared)

the full config file for the ONLY https virtual server
--
# SSL Support for Coax Publications ONLY!

ServerName www.coaxpublications.ca
#   ServerAlias t.coaxpublications.ca
DocumentRoot /usr/httpd/coax
Options -MultiViews
H2Direct on
ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/coax
SSLEngine on
#   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
SSLCipherSuite TLSv1.3
SSLCertificateFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.pem
SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.key
SSLCACertificateFile /etc/httpd/conf/sslcert/intermediate.crt
SSLHonorCipherOrder on
# max-age takes '=' not '-'; browsers ignore the header otherwise
Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains"


# Redirect if logon is to coaxpublications without the 'www'

ServerName coaxpublications.ca
Redirect permanent / https://www.coaxpublications.ca

--

the systemctl status on attempting to start:
--
# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/httpd.service.d
             └─php-fpm.conf
     Active: failed (Result: exit-code) since Sun 2023-11-26 15:14:50 EST; 25min ago
   Duration: 1d 22h 32min 36.626s
       Docs: man:httpd.service(8)
    Process: 56733 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 56733 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 25ms

Nov 26 15:14:50 prod02 systemd[1]: Starting The Apache HTTP Server...
Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 26 15:14:50 prod02 systemd[1]: Failed to start The Apache HTTP Server.
--

our production TLS certificate.  The one on the problem server is a .pem version of the same thing because it will eventually replace this server.  What I don't know is how to confirm that the .pem cert is identical to this one.

--
[certificate viewer page for www.coaxpublications.ca; not reproduced]
--

the error log for mod_ssl

--
[Sun Nov 26 15:14:50.745976 2023] [ssl:warn] [pid 56733:tid 56733] AH01909: www.iliffe.ca:443:0 server certificate does NOT include an ID which matches the server name
--
Now here is where I get really confused: there is NO config file for virtual server iliffe.ca that makes it an HTTPS server.  It is simply our test server and runs as http on port 80.  The only possible reason that I can think of why this should have been included in the https chain as needing a certificate is the default Rocky ssl.conf file that gets automatically inserted (include *.conf) at startup and comes with the 'dnf install mod_ssl'.  Here it is in full; fortunately it is mostly comments:
--
#
# When we also p