Thanks again, Richard,
I missed this message due to a series of 12-hour days during last
week's OASIS Symposium.
I apologize. I'm still working my way out of the backup. I appreciate
your follow-through very much.
Answers inline.
At 11:46 AM -0700 5/9/06, Richard de Vries wrote:
> Are you using a separate configuration file for your
> SSL instance?
> Let's start with a couple of basic things.
> 1) Do you have the SSL configuration between <IfModule
> XXXX> tags? If so, what is your XXXX set to in this
> case?
There is no SSL configuration between <IfModule XXXX> tags. I have
Apache2.0 in RHEL 4, so I have an ssl.conf file in directory
/etc/httpd/conf.d.
> 2) SSLCertificateFile and SSLCertificateKeyFile point
> to valid files right? Can you do a ls -al on that file
> location?
Yes.
> 3) Sometimes, some programs refuse to enable SSL if
> the certificates are publicly readable. How are your
> permissions on these files?
[EMAIL PROTECTED] ssl.crt]# ls -al
total 40
drwx------ 2 root root 4096 May 13 08:06 .
drwxr-xr-x 7 root root 4096 May 13 08:23 ..
-rw-r--r-- 1 root root 1773 May 8 17:22 cacert.pem
-rw-r--r-- 1 root root 1522 Feb 28 2005 Makefile.crt
-rw------- 1 root root 1497 May 8 21:27 server.crt
[EMAIL PROTECTED] ssl.crt]# cd ..
[root@@XXX conf]# cd ssl.key
[EMAIL PROTECTED] ssl.key]# ls -al
total 48
drwx------ 2 root root 4096 Feb 28 2005 .
drwxr-xr-x 7 root root 4096 May 13 08:23 ..
-rw-r--r-- 1 root root 1751 May 8 17:18 privkey.pem
-rw------- 1 root root 963 May 8 21:23 server.key
[EMAIL PROTECTED] ssl.key]#
> Let's start with these steps, then work ourselves thru
> your configuration. I don't think re-installing apache
> would necessarily fix anything.
There are the permissions. You're right, re-installing wouldn't
change this. ????
Thanks again,
Rex
> Richard
--- Rex Brooks <[EMAIL PROTECTED]> wrote:
Thanks Richard,
I appreciate that you took the time to answer. So far you are the
only one. This installation is on RedHat Enterprise Linux4 and
Apache2.0 and I have tried the Key-Certificate generation
instructions detailed in the System Administration Guide Ch.
26.6-26.8.
I tried the freebsd instructions at the url you advised, and what
happened was that the certificate signing request could not open the
key. I have also downloaded and tried with openssl-0.9.8b. I was able
to generate the server.key and server.crt but httpd still does not
start.
The Admin Guide instructions also result in what ought to be a valid
server key in the ssl.key directory and a server.crt in the ssl.crt
directory as specified in the ssl.conf file in the /etc/httpd/conf
directory, but httpd still does not start.
Here is the terminal output when attempting to start httpd:
[EMAIL PROTECTED] ~]# service httpd start
Starting httpd: [Mon May 08 06:20:21 2006] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 557 will probably never match because it overlaps an earlier AliasMatch.
Warning: DocumentRoot [/home/xxx/jakarta-tomcat-5.0.28] does not exist
[FAILED]
[EMAIL PROTECTED] ~]#
Here is the httpd error_log for that sequence:
[Mon May 08 06:20:21 2006] [notice] core dump file size limit raised to 4294967295 bytes
[Mon May 08 06:20:22 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 06:20:22 2006] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
It's beginning to look like I will have to reinstall apache.
Regards,
Rex
>what error are you getting?
>
>Try following the instructions at this URL. They've
>always worked for me:
>
>http://www.corserv.com/freebsd/apache-ssl-howto.html
>
>--- Rex Brooks <[EMAIL PROTECTED]> wrote:
>
>> Please see my previous post for details.
>>
>> I said that mod_ssl was not installed, but a double
>> check showed that it is.
>>
>> My question is only about filenames for
>> SSLCertificateFile and/or
>> SSLCertificateKeyFile.
>>
>> ApacheSSL Documentation says at
>> http://www.apache-ssl.org/docs.html#SSLCertificateFile:
>>
>> This is your PEM-encoded server certificate
>> (strictly, it is what
>> SSLeay calls PEM, which isn't really).
>>
>> Example:
>>
>> SSLCertificateFile /usr/local/apache/certs/my.server.pem
>>
>> What the process described in RedHat Sys. Admin.
>> Guide Ch. 26.6-26.8
>> produces in the file ssl.conf located in
>> /etc/httpd/conf.d/ used to
>> configure SSL support is:
>>
>> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>>
>> and
>>
>> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>
>> There is a file named server.crt in the specified
>> location, and a
>> server.key file in its corresponding location. Could
>> this lack of a
>> PEM-encoded server certificate, however it is
>> produced, be the root
>> cause of httpd start failure?
>>
>> I have downloaded and installed openssl-0.9.8b and I
>> have also now
>> generated a privkey.pem and a cacert.pem and I have
>> put them in the
>> same directories as the ssl.conf file specified, and
>> edited that file
>> to reflect that, rebooted and httpd still fails to
>> start.
>>
>>
>> Regards,
>> Rex Brooks
>>
>>
>> --
>> Rex Brooks
>> President, CEO
>> Starbourne Communications Design
>> GeoAddress: 1361-A Addison
>> Berkeley, CA 94702
>> Tel: 510-849-2309
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the
>> Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for
>> more info.
>> To unsubscribe, e-mail:
>> [EMAIL PROTECTED]
>> " from the digest:
>> [EMAIL PROTECTED]
>> For additional commands, e-mail:
>> [EMAIL PROTECTED]
--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
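The checks the questions in this thread walk through (do SSLCertificateFile and SSLCertificateKeyFile point at readable files, are those files PEM, is the key closed to group and other, do certificate and key belong together), as an added example that is not part of the thread. Function names are made up for illustration; the key-match step assumes an unencrypted key and an OpenSSL recent enough to have `openssl pkey` (1.0.0 or later, newer than the 0.9.8b mentioned above).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Print the argument of the first uncommented DIRECTIVE in CONF.
directive_path() {  # directive_path DIRECTIVE CONF
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# True if FILE opens a PEM block of KIND ("CERTIFICATE" or "PRIVATE KEY").
# A CSR header ("CERTIFICATE REQUEST") does not count as a certificate.
is_pem() {  # is_pem KIND FILE
    grep -Eq "^-----BEGIN ([A-Z0-9]+ )*$1-----" "$2"
}

# True if group and other have no access, read from the same `ls` mode
# string shown in the listings (-rw------- passes, -rw-r--r-- fails).
is_private() {  # is_private FILE
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate and the (unencrypted) key hold the same public key.
pair_matches() {  # pair_matches CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Print one line per finding; exit status is 0 only when nothing was found.
check_ssl_conf() {  # check_ssl_conf CONF
    crt=$(directive_path SSLCertificateFile "$1")
    key=$(directive_path SSLCertificateKeyFile "$1")
    bad=0
    [ -r "$crt" ] || { echo "cert unreadable or not set: $crt"; bad=1; }
    [ -r "$key" ] || { echo "key unreadable or not set: $key"; bad=1; }
    [ "$bad" -eq 0 ] || return 1
    is_pem CERTIFICATE "$crt"   || { echo "not a PEM certificate: $crt"; bad=1; }
    is_pem "PRIVATE KEY" "$key" || { echo "not a PEM private key: $key"; bad=1; }
    is_private "$key"           || { echo "key readable by group/other: $key"; bad=1; }
    if [ "$bad" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        pair_matches "$crt" "$key" || { echo "cert and key do not match"; bad=1; }
    fi
    return "$bad"
}
```

Source the file and run `check_ssl_conf /etc/httpd/conf.d/ssl.conf` as a user that can read the key directory; paths containing spaces are not handled.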