logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: mod_ssl on Apache 2.2.2 won't start
Author
Firas



Joined: 29 May 2006
Posts: 1

PostPosted: Tue 30 May '06 0:13    Post subject: mod_ssl on Apache 2.2.2 won't start Reply with quote

Hi everybody,

Just downloaded httpd-2.2.2-win32-x86-ssl. But I can't get the mod_ssl to work: when the line containing 'SSLEngine on' directive is reached httpd just terminates. In Windows "Event Viewer" there's an entry for this error saying:
The Apache2 service terminated with service-specific error 1 (0x1).

If, however, mod_ssl is disabled, the server will function properly.

What could be the problem?

I'm running on WinXP SP2.

Thanks for your time.
Back to top
abxccd



Joined: 02 Jul 2006
Posts: 5

PostPosted: Sun 02 Jul '06 3:03    Post subject: Reply with quote

I seem to have this problem too.

Has anyone got any solutions for this?
Back to top
pnllan



Joined: 05 Dec 2005
Posts: 221

PostPosted: Sun 02 Jul '06 7:31    Post subject: Reply with quote

Do you have certificate and key files for SSL to use?

I created a 'self-signed' certifcate, and then edited the HTTPD-SSL.CONF appropriately. Then I created empty log files (error_ssl.log and access_ssl.log) as indicated below. My HTTPD-SSL.CONF looks something like this:

Code:

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#
# other than SSLMutex type being changed to default
#
# the configuration is stock
#
SSLMutex default

<VirtualHost _default_:443>

      DocumentRoot "c:/Apache2/htdocs"
      ServerName localhost:443
      ServerAdmin you@example.com
      ErrorLog logs/error_ssl.log
      TransferLog logs/access_ssl.log

      SSLEngine on

      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      SSLProtocol all -SSLv2
      SSLCertificateFile conf/my-server.crt
      SSLCertificateKeyFile conf/my-server.key

      <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
      </FilesMatch>

      <Directory "c:/Apache2/cgi-bin">
            SSLOptions +StdEnvVars
      </Directory>


      BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

      CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Honestly, it worked for me without having to use any special voodoo or tricks.
..
.
Back to top
abxccd



Joined: 02 Jul 2006
Posts: 5

PostPosted: Sun 02 Jul '06 12:01    Post subject: Reply with quote

hi pnllan,

Still can't get it working though. I have both my cert and key in my conf directory.

I have also switched over to your ssl.conf and edited it.

I can't find anything wrong with my httpd.conf

I do have these lines at the end of httpd.conf though:
Code:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


Can't seem to find anything else that's wrong.

Here's an excerpt from error.log
Code:
[Sun Jul 02 19:58:04 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 19:58:04 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 19:58:04 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 19:58:04 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 19:58:04 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Sun Jul 02 19:58:05 2006] [info] Init: Seeding PRNG with 136 bytes of entropy


And heres one from SSLerror.log

Code:
[Sun Jul 02 19:58:04 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 19:58:04 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 19:58:05 2006] [info] Loading certificate & private key of SSL-aware server


Seems to me that the server is going in a loop.

Is there anythign in httpd.conf I should have a look at?

cheers![/code]
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Sun 02 Jul '06 12:23    Post subject: Reply with quote

I have commented out:

#SSLMutex default

Maybe you can try it.


Steffen
Back to top
abxccd



Joined: 02 Jul 2006
Posts: 5

PostPosted: Sun 02 Jul '06 13:42    Post subject: Reply with quote

Tried commenting out SSLMutex, but apache still won't start.

New error messages though:

error.log
Code:
[Sun Jul 02 21:38:10 2006] [notice] Parent: Received restart signal -- Restarting the server.
[Sun Jul 02 21:38:10 2006] [notice] Child 1048: Exit event signaled. Child process is ending.
[Sun Jul 02 21:38:11 2006] [info] Child 1048: Accept thread exiting.
[Sun Jul 02 21:38:11 2006] [notice] Child 1048: Released the start mutex
[Sun Jul 02 21:38:11 2006] [info] Child 1048: 250 threads blocked on the completion port
[Sun Jul 02 21:38:11 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 21:38:12 2006] [notice] Child 1048: Waiting for 250 worker threads to exit.
[Sun Jul 02 21:38:12 2006] [notice] Child 1048: All worker threads have exited.
[Sun Jul 02 21:38:12 2006] [notice] Child 1048: Child process is exiting
[Sun Jul 02 21:38:12 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 21:38:12 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 21:38:12 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 21:38:12 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Sun Jul 02 21:38:12 2006] [notice] Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b PHP/5.2.0-dev configured -- resuming normal operations
[Sun Jul 02 21:38:12 2006] [notice] Server built: Apr 29 2006 18:32:31
[Sun Jul 02 21:38:12 2006] [notice] Parent: Created child process 216
[Sun Jul 02 21:38:13 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 21:38:13 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 21:38:13 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 21:38:13 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 21:38:13 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Sun Jul 02 21:38:13 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 21:38:14 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 21:38:14 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 21:38:14 2006] [info] Shared memory session cache initialised
[Sun Jul 02 21:38:14 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 21:38:14 2006] [crit] master_main: create child process failed. Exiting.
[Sun Jul 02 21:38:14 2006] [notice] Parent: Forcing termination of child process 36
[Sun Jul 02 21:38:14 2006] [info] removed PID file C:/Apache Software Foundation/Apache2.2/logs/httpd.pid (pid=1804)



sslerror.log
Code:
[Sun Jul 02 21:38:12 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 21:38:12 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 21:38:13 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 21:38:13 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 21:38:14 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 21:38:14 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 21:38:14 2006] [error] Unable to import RSA server private key
[Sun Jul 02 21:38:14 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Jul 02 21:38:14 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Sun Jul 02 21:38:14 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib


Any ideas?

Thanks!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Sun 02 Jul '06 13:47    Post subject: Reply with quote

I see errors:

[error] Unable to import RSA server private key
[error] SSL Library Error: 218529960

Follow the suggestion of pnllan:... I created a 'self-signed' certifcate ...

And see if that goes.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sun 02 Jul '06 14:17    Post subject: Reply with quote

Hm, found a batch file that will create those files placed in the apache folder. Needs openssl.exe,libeay32.dll, ssleay32.dll in apache\bin folder
Code:

@echo off
set OPENSSL_CONF=./bin/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr

move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause


inside httpd.conf
Code:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         dbm:logs/ssl.scache
SSLSessionCacheTimeout  300

SSLMutex  default

<VirtualHost _default_:443>
    #   General setup for the virtual host
    DocumentRoot "/xampp/htdocs"

    ServerName localhost:443
    ServerAdmin admin@localhost

    ErrorLog logs/error.log
    <IfModule log_config_module>
        CustomLog logs/access.log combined
    </IfModule>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

       SSLCertificateFile conf/ssl.crt/server.crt

       SSLCertificateKeyFile conf/ssl.key/server.key

                <Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    </Location>

        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php|php5|php4|php3)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/xampp/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    <IfModule setenvif_module>
        BrowserMatch ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
    </IfModule>

        <IfModule log_config_module>
        CustomLog logs/ssl_request.log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>


Hope there is no error in this sample config

openssl.cnf
Code:

HOME         = .
RANDFILE      = $ENV::HOME/.rnd
oid_section      = new_oids

[ new_oids ]


[ ca ]
default_ca   = CA_default      # The default ca section


[ CA_default ]

dir      = ./demoCA      # Where everything is kept
certs      = $dir/certs      # Where the issued certs are kept
crl_dir      = $dir/crl      # Where the issued crl are kept
database   = $dir/index.txt   # database index file.
               # several ctificates with same subject.
new_certs_dir   = $dir/newcerts      # default place for new certs.

certificate   = $dir/cacert.pem    # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber   # the current crl number
               # must be commented out to leave a V1 CRL
crl      = $dir/crl.pem       # The current CRL
private_key   = $dir/private/cakey.pem# The private key
RANDFILE   = $dir/private/.rand   # private random number file

x509_extensions   = usr_cert      # The extentions to add to the cert


name_opt    = ca_default      # Subject Name options
cert_opt    = ca_default      # Certificate field options


default_days   = 365         # how long to certify for
default_crl_days= 30         # how long before next CRL
default_md   = sha1         # which md to use.
preserve   = no         # keep passed DN ordering


policy      = policy_match

[ policy_match ]
countryName      = match
stateOrProvinceName   = match
organizationName   = match
organizationalUnitName   = optional
commonName      = supplied
emailAddress      = optional


[ policy_anything ]
countryName      = optional
stateOrProvinceName   = optional
localityName      = optional
organizationName   = optional
organizationalUnitName   = optional
commonName      = supplied
emailAddress      = optional


[ req ]
default_bits      = 1024
default_keyfile    = privkey.pem
distinguished_name   = req_distinguished_name
attributes      = req_attributes
x509_extensions   = v3_ca   # The extentions to add to the self signed cert


string_mask = nombstr



[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default      = AU
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName      = State or Province Name (full name)
stateOrProvinceName_default   = Some-State

localityName         = Locality Name (eg, city)

0.organizationName      = Organization Name (eg, company)
0.organizationName_default   = Internet Widgits Pty Ltd


organizationalUnitName      = Organizational Unit Name (eg, section)


commonName         = Common Name (eg, YOUR name)
commonName_max         = 64

emailAddress         = Email Address
emailAddress_max      = 64



[ req_attributes ]
challengePassword      = A challenge password
challengePassword_min      = 4
challengePassword_max      = 20

unstructuredName      = An optional company name

[ usr_cert ]


basicConstraints=CA:FALSE


nsComment         = "OpenSSL Generated Certificate"


subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer


[ v3_req ]



basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always


basicConstraints = CA:true


[ crl_ext ]


authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]

basicConstraints=CA:FALSE


nsComment         = "OpenSSL Generated Certificate"


subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always


proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

Back to top
abxccd



Joined: 02 Jul 2006
Posts: 5

PostPosted: Mon 03 Jul '06 2:56    Post subject: Reply with quote

Ok, here's what I did.
I regenerated my .crt and .key and placed them in /conf/ssl/

Here are my errors now:
error.log
Code:
[Mon Jul 03 10:53:28 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Jul 03 10:53:28 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Jul 03 10:53:28 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Jul 03 10:53:28 2006] [info] Init: Initializing (virtual) servers for SSL
[Mon Jul 03 10:53:28 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Mon Jul 03 10:53:29 2006] [info] Init: Seeding PRNG with 136 bytes of entropy


sslerror.log
Code:
[Mon Jul 03 10:53:28 2006] [info] Loading certificate & private key of SSL-aware server
[Mon Jul 03 10:53:28 2006] [info] Configuring server for SSL protocol
[Mon Jul 03 10:53:29 2006] [info] Loading certificate & private key of SSL-aware server


It seems like httpd-ssl.conf does not like relative paths. E.g. all paths to files must be "C:/x/x/x.file"

Server still won't start, and apache's test configuration passes all my confs.

I am also using James Blond's httpd-ssl.conf.

any ideas?

thanks!
Back to top
mphare



Joined: 12 May 2006
Posts: 43
Location: Texas

PostPosted: Wed 19 Jul '06 19:22    Post subject: Reply with quote

Excellant!

Thanks for this info! I now have a self-certified https running on my test server.
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Thu 20 Jul '06 22:43    Post subject: Reply with quote

why use a self signed certificate when you can create your own ca with openssl using the ca.pl script. I used this script to create my own CA and I am using client side certificates for authentication and I can be sure I'm not being under a man in the middle attack just generate your CA and install it in your pc very easy.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 21 Jul '06 8:53    Post subject: Reply with quote

ali_fareed wrote:
why use a self signed certificate when you can create your own ca with openssl using the ca.pl script.

First: if you have read the content from the batch script you might have seen, that I uses openssl to generate the certificate.
Secondly: Not all win32 users have installed perl. But the batch solution runs on every win32 based system.
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Fri 21 Jul '06 18:15    Post subject: Reply with quote

openssl is included with most apache builds and you must compile it to use mod_ssl and most people who have apache use perl for cgi and even the test cgi printenv in the cgi-bin is a perl script and the ca.pl script uses openssl actually it is included with the openssl source check the apps folder in the source
Back to top
pnllan



Joined: 05 Dec 2005
Posts: 221

PostPosted: Fri 21 Jul '06 18:36    Post subject: Reply with quote

Whatever works for who ever - Does it really matter?

The point is: having the requistes to run SSL to begin with.

Let's not let this turn into a pissing battle - geeeeeez Laughing
Back to top
pnllan



Joined: 05 Dec 2005
Posts: 221

PostPosted: Fri 21 Jul '06 19:05    Post subject: Reply with quote

Ali,

Please, Post a tutorial or provide a link on how to build your own CA. It might be of interest to some.
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Sun 23 Jul '06 22:00    Post subject: Reply with quote

to create a ca you must first configure openssl by editing the openssl.cnf file the extension is used for speed dial so you wont be able to open I straight away so opent it with a text editor and edit the ca and ca_default sections edit the directories you want your ca to be created in where your certs are placed and such. Change default_days to choose how many days your certificates will be valid the default is one year. Now you can use the ca.pl or if you have cygwin's sh.exe ca.sh you can find them in the apps directory in the openssl source you can build a ca without them but they will make your work easier I will be using the ca.pl file first edit the script and change the variables $CATOP, $CAKEY, $CAREQ, $CACERT, to whatever you configured the openssl.cnf file so if you chose directory to be ./democa change the $catop variable to ./democa now you can build your CA start ca.pl with:

CA.pl –newca

And this will generate your CA's private key and create your cert choose a good passphrase for your private key now you created your CA you must now install the CA in your pc just copy don't move your ca cert which you can find in your ca directory and change its extension from .pem to .crt now double click the ca cert and click on "install certificate" choose "place certificate in the following store" browse and choose "trusted root certification authority" now your ca is installed and trusted on your pc you must install it in every pc or if you are using pkcs12 files your ca will automatically be installed now it's time to issue your certs. You must first generate a certificate request you do this with the ca.pl script:

Ca.pl –newreq

Or for an unprotected key

Ca.pl –newreq-nodes

This will generate a private key and a certificate request you must enter a wildcard of your domain in the common name field so if your site is apachelounge.com you must enter *.apachelounge.com otherwise you will get a warning in your browser now your certificate request must be signed by your ca you can also do that with the ca.pl script:

CA.pl –sign

Or to create another intermediate CA

Ca.pl –signca

Enter your ca private key passphrase and issue the cert.

Now your done your private key should be called newkey.pem and your certificate should be called newcert.pem just copy them and rename them to whatever you like now your certs are signed by your ca if you would like to install a client side certificate it is easier to use pkcs12 files just use ca.pl script:

Ca.pl –pkcs12

This creates a pkcs12 file which contains your ca cert the cert in the newcert.pem file and the key in the nekey.pem file .

for more information you can go to these links
http://www.openssl.org/docs/apps/CA.pl.html
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html
Back to top
pnllan



Joined: 05 Dec 2005
Posts: 221

PostPosted: Mon 24 Jul '06 2:21    Post subject: Reply with quote

Ali,

Looks to be a good post, I'll give it a try.

Thanks!
..
.

Edit: It works and it's nice to be able to issue certificates in various ways.
Back to top
feichangtaoqi



Joined: 01 Aug 2006
Posts: 1

PostPosted: Tue 01 Aug '06 7:02    Post subject: I meet the same problem of "Unable to import RSA server Reply with quote

38 2006] [error] Unable to import RSA server private key
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218529894 error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

I set up the ssl.cnf as follows:

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#
# other than SSLMutex type being changed to default
#
# the configuration is stock
#
SSLMutex default

<VirtualHost _default_:443>

DocumentRoot "c:/Program Files/Apache Group/Apache2/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
SSLCertificateFile conf/ssl/my-server.crt
SSLCertificateKeyFile conf/ssl/my-server.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

<Directory "c:/Program Files/Apache Group/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>


BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

and the ssl.bat as:
bin\openssl req -config bin\openssl.cnf -new -out my-server.csr

bin\openssl rsa -in privkey.pem -out my-server.key

bin\openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 4000

and copyed the
my-server.crt
my-server.key
privkey.pem
my-server.csr

to the conf/ssl directory

well,it does not work !

admin edit (pnllan): Please note forum rules - and easy with your tone
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Tue 01 Aug '06 19:15    Post subject: Reply with quote

I dont what you did but you have two keys one certificate request and one certificate one of the keys is corrupt . try doing this to create a key and a self-signed cert first you need to create the key:

openssl genrsa -out privkey.pem 2048

then you need to create a self-signed cert:

openssl req -new -x509 -key privkey.pem -out cert.pem -days 1095

fill the form and now you have a sel-signed certificate in cert.pem and a private key in privkey.pem copy the and edit the configuration in apache pont SSLCertificateFile to your certificate and SSLCertificateKeyFile to your key now it should work.
Back to top


Reply to topic   Topic: mod_ssl on Apache 2.2.2 won't start View previous topic :: View next topic
Post new topic   Forum Index -> Apache