Note: Please don't be shy if you have expertise in the effect of
permissions on cacert.pem, server.crt, privkey.pem and server.key on
whether or not apache2.0 in RHEL4 will start.
Just to confirm the error message that the configuration of SSL is
truly at fault, I removed the mod_ssl package and apache did indeed
start, though neither the (mysql-php) portal on port 8080 nor the
ebxmlrr3.0 freebxmlrr-3.0-beta1 registry (Apache Derby-JSP, JSF)
using Tomcat 5.0.28 on port 6480 would accept connections.
Thanks,
Rex
Thanks again, Richard,
I missed this message due to a series of 12-hour days during last
week's OASIS Symposium.
I apologize. I'm still working my way out of the backup. I
appreciate your follow-through very much,
Answers inline.
At 11:46 AM -0700 5/9/06, Richard de Vries wrote:
Are you using a separate configuration file for your
SSL instance?
Let's start with a couple of basic things.
1) Do you have the SSL configuration between <IfModule
XXXX> tags? If so, what is your XXXX set to in this
case?
There is no SSL configuration between <IfModule XXXX> tags. I have
Apache2.0 in RHEL 4, so I have an ssl.conf file in directory
/etc/httpd/conf.d.
2) SSLCertificateFile and SSLCertificateKeyFile point
to valid files right? Can you do a ls -al on that file
location?
Yes.
3) Sometimes, some programs refuse to enable SSL if
the certificates are publicly readable. How are your
permissions on these files?
[EMAIL PROTECTED] ssl.crt]# ls -al
total 40
drwx------ 2 root root 4096 May 13 08:06 .
drwxr-xr-x 7 root root 4096 May 13 08:23 ..
-rw-r--r-- 1 root root 1773 May 8 17:22 cacert.pem
-rw-r--r-- 1 root root 1522 Feb 28 2005 Makefile.crt
-rw------- 1 root root 1497 May 8 21:27 server.crt
[EMAIL PROTECTED] ssl.crt]# cd ..
[root@@XXX conf]# cd ssl.key
[EMAIL PROTECTED] ssl.key]# ls -al
total 48
drwx------ 2 root root 4096 Feb 28 2005 .
drwxr-xr-x 7 root root 4096 May 13 08:23 ..
-rw-r--r-- 1 root root 1751 May 8 17:18 privkey.pem
-rw------- 1 root root 963 May 8 21:23 server.key
[EMAIL PROTECTED] ssl.key]#
Let's start with these steps, then work ourselves thru
your configuration. I don't think re-installing apache
would necessarily fix anything.
There are the permissions. You're right, re-installing wouldn't
change this. ????
Thanks again,
Rex
Richard
--- Rex Brooks <[EMAIL PROTECTED]> wrote:
Thanks Richard,
I appreciate that you took the time to answer. So far you are the
only one. This installation is on RedHat Enterprise Linux4 and
Apache2.0 and I have tried the Key-Certificate generation
instructions detailed in the System Administration Guide Ch.
26.6-26.8,
I tried the freebsd instructions at the url you advised, and what
happened was that the certificate signing request could not open the
key. I have also downloaded and tried with openssl-0.9.8b. I was able
to generate the server.key and server.crt but httpd still does not
start.
The Admin Guide instructions also result in what ought to be a valid
server key in the ssl.key directory and a server.crt in the ssl.crt
directory as specified in the ssl.conf file in the /etc/httpd/conf
directory, but httpd still does not start
Here is the terminal output when attempting to start httpd:
[EMAIL PROTECTED] ~]# service httpd start
Starting httpd: [Mon May 08 06:20:21 2006] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 557 will probably never match because it overlaps an earlier AliasMatch.
Warning: DocumentRoot [/home/xxx/jakarta-tomcat-5.0.28] does not exist
[FAILED]
[EMAIL PROTECTED] ~]#
Here is the httpd error_log for that sequence:
[Mon May 08 06:20:21 2006] [notice] core dump file size limit raised to 4294967295 bytes
[Mon May 08 06:20:22 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 06:20:22 2006] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
It's beginning to look like I will have to reinstall apache.
Regards,
Rex
>what error are you getting?
>
>Try following the instructions at this URL. They've
>always worked for me:
>
>http://www.corserv.com/freebsd/apache-ssl-howto.html
>
>--- Rex Brooks <[EMAIL PROTECTED]> wrote:
>
>> Please see my previous post for details.
>>
>> I said that mod_ssl was not installed, but a double
>> check showed that it is.
>>
>> My question is only about filenames for
>> SSLCertificateFile and/or
>> SSLCertificateKeyFile.
>>
>> ApacheSSL Documentation says at
>> http://www.apache-ssl.org/docs.html#SSLCertificateFile:
>>
>> This is your PEM-encoded server certificate
>> (strictly, it is what
>> SSLeay calls PEM, which isn't really).
>>
>> Example:
>>
>> SSLCertificateFile /usr/local/apache/certs/my.server.pem
>>
>> What the process described in RedHat Sys. Admin.
>> Guide Ch. 26.6-26.8
>> produces in the file ssl.conf located in
>> /etc/httpd/conf.d/ used to
>> configure SSL support is:
>>
>> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>>
>> and
>>
>> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>
>> There is a file named server.crt in the specified
>> location, and an
>> server.key file in its corresponding location. Could
>> this lack of a
>> PEM-encoded server certificate, however it is
>> produced, the root
>> cause of httpd start failure?
>>
>> I have downloaded and installed openssl-0.9.8b and I
>> have also now
>> generated a privkey.pem and a cacert.pem and I have
>> put them in the
>> same directories as the ssl.conf file specified, and
>> edited that file
>> to reflect that, rebooted and httpd still fails to
>> start.
>>
>>
>> Regards,
>> Rex Brooks
>>
>>
>> --
>> Rex Brooks
>> President, CEO
>> Starbourne Communications Design
>> GeoAddress: 1361-A Addison
>> Berkeley, CA 94702
>> Tel: 510-849-2309
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the
>> Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for
>> more info.
>> To unsubscribe, e-mail:
>> [EMAIL PROTECTED]
>> " from the digest:
>> [EMAIL PROTECTED]
>> For additional commands, e-mail:
>> [EMAIL PROTECTED]
>>
>>
>
>
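The checks raised in this thread (do the SSLCertificateFile and SSLCertificateKeyFile paths in ssl.conf point at real PEM files, and who can read the key file), gathered into one script. This is an added example, not part of any message in the thread; the function names and verdict strings are made up for illustration, and it assumes one path per directive with no spaces in it.

```shell
#!/bin/sh
# Added example, not from the thread: audit the files that an ssl.conf
# names in SSLCertificateFile and SSLCertificateKeyFile.

# Print the first path given to a directive; commented-out lines never match.
directive_path() {  # $1 = directive name, $2 = config file
    awk -v d="$1" 'tolower($1) == tolower(d) {
        p = $2; gsub(/"/, "", p); print p; exit }' "$2"
}

# Echo a one-word verdict for one file. $1 = path, $2 = cert | key
check_pem() {
    [ -n "$1" ] || { echo unset; return; }
    [ -f "$1" ] || { echo missing; return; }
    [ -r "$1" ] || { echo unreadable; return; }
    case "$2" in
        cert) pat='^-----BEGIN CERTIFICATE-----' ;;
        *)    pat='^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' ;;
    esac
    grep -Eq -e "$pat" "$1" || { echo not-pem; return; }
    if [ "$2" = key ]; then
        # Columns 5-10 of `ls -l` are the group and other permission bits.
        [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
            { echo key-group-other-access; return; }
    fi
    echo ok
}

# Report both directives; return non-zero if either verdict is not "ok".
audit_ssl_conf() {  # $1 = config file
    rc=0
    for pair in SSLCertificateFile:cert SSLCertificateKeyFile:key; do
        name=${pair%%:*} kind=${pair##*:}
        path=$(directive_path "$name" "$1")
        verdict=$(check_pem "$path" "$kind")
        echo "$name ${path:-<none>} $verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Run against a real file only when a path is passed on the command line.
if [ "$#" -gt 0 ]; then audit_ssl_conf "$1"; fi
```

Pass the path to ssl.conf as the only argument, and run it as the user that starts httpd, since the ssl.crt and ssl.key directories in the listing above are mode 700.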