20160413
Joined: 13 Apr 2016 Posts: 28
Posted: Wed 13 Apr '16 19:02 Post subject: Configuring Apache 2.4 for SSL on Debian 8
I would like to configure my Apache 2.4 to use two different server certs for two different VirtualHosts on one server with one IP. Unexpectedly this is not easy to configure and I also found no working tutorial on the web.
This is a disaster since all websites are served by the first VirtualHost on https for http and https after I activate this. I would think that this is a relatively easy thing to configure but reality proves different.
My setup:
ports.conf
Code:
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
default-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin me@example.org
DocumentRoot /var/www/htdocs
[...]
</VirtualHost>
</IfModule>
example.org.conf
Code:
<VirtualHost *:80>
ServerAdmin me@example.org
ServerName www.example.org
RedirectPermanent / https://www.example.org/
[...]
</VirtualHost>
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
<VirtualHost *:443>
ServerAdmin me@example.org
ServerName www.example.org
ServerAlias example.org
[...]
SSLEngine on
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLCertificateFile /etc/ssl/certs/2016.www.example.org.crt
SSLCertificateKeyFile /etc/ssl/private/2016.www.example.org.key
SSLCertificateChainFile /etc/ssl/certs/root_bundle.crt
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
[...]
</VirtualHost>
</IfModule>
alt.example.org.conf
Code:
<VirtualHost *:80>
ServerAdmin me@example.org
ServerName alt.example.org
DocumentRoot /var/www/htdocs/path/to/root/
[...]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin me@example.org
ServerName alt.example.org
RedirectPermanent / http://alt.example.org/
[...]
</VirtualHost>
- In case I change <VirtualHost *:443> to <VirtualHost _default_:443> in the "default-ssl.conf" I get the "SSL_ERROR_RX_RECORD_TOO_LONG" error in the browser.
- If I add NameVirtualHost *:80 and NameVirtualHost *:443 to "ports.conf" to mitigate this as suggested for earlier versions of Apache I get "AH00548: NameVirtualHost has no effect and will be removed in the next release"
- If I have <VirtualHost www.muster.org:443> in my VirtualHosts the first one gets served for all websites on the server e.g. www.example.org for ports 443 and 80.
The following resources led to nothing:
- http://stackoverflow.com/questions/119336/ssl-error-rx-record-too-long-and-apache-ssl
- http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
I just seem to be incapable of converting the docs into a working environment. Any help appreciated. Thanks for your time.
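Added example (not code from the thread or from the Apache project): a small Python check that parses the VirtualHost containers of a config and reports every port-443 container that has no "SSLEngine on". Such a container answers in plain HTTP on port 443, which a browser expecting a TLS handshake reports as SSL_ERROR_RX_RECORD_TOO_LONG; the sample input is constructed from the two :443 containers in the post above.

```python
import re

# Added example (not from the thread): flag port-443 vhosts with no "SSLEngine on".
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*\S)\s*$")


def parse_vhosts(text):
    """Return [(address, {directive_lower: [values]})] for each VirtualHost."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        opened = VHOST_OPEN.match(line)
        if opened:
            current = (opened.group(1).strip(), {})
        elif VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            d = DIRECTIVE.match(line)
            if d:  # <IfModule ...> lines never match, so they are ignored here
                current[1].setdefault(d.group(1).lower(), []).append(d.group(2))
    return vhosts


def plaintext_on_443(text):
    """ServerNames of :443 vhosts that would answer in plain HTTP (no SSLEngine on)."""
    findings = []
    for addr, directives in parse_vhosts(text):
        engine = [v.lower() for v in directives.get("sslengine", [])]
        if addr.endswith(":443") and "on" not in engine:
            findings.append(directives.get("servername", [addr])[0])
    return findings


# Constructed sample modelled on the two :443 containers in the first post.
SAMPLE = """<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.example.org
SSLEngine on
</VirtualHost>
</IfModule>
<VirtualHost *:443>
ServerName alt.example.org
RedirectPermanent / http://alt.example.org/
</VirtualHost>"""

if __name__ == "__main__":
    for name in plaintext_on_443(SAMPLE):
        print(f"{name}: :443 vhost without 'SSLEngine on' (plain HTTP on 443)")
```

Run it over the real files with `cat /etc/apache2/sites-enabled/*.conf` piped into `plaintext_on_443` to see which container is answering 443 without TLS.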
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Mon 18 Apr '16 11:47
In ports.conf there should be only
Code:
Listen 80
Listen 443
Your vhosts should be only with port and not a name in the container (except for the _default_ vhost).
So only
Code:
<VirtualHost _default_:80>
...
<VirtualHost *:80>
ServerName muster.org
ServerAlias www.muster.org
...
<VirtualHost _default_:443>
...
<VirtualHost *:443>
ServerName muster.org
ServerAlias www.muster.org
...
20160413
Joined: 13 Apr 2016 Posts: 28
Posted: Tue 19 Apr '16 22:23
Thank you for your suggestion. I just tried it and I am again running out of luck. Following the suggestion gives me an "Error code: SSL_ERROR_RX_RECORD_TOO_LONG" error.
In other forums the standard reply to this is that I should add NameVirtualHost *:80 and NameVirtualHost *:443 to "ports.conf" to get this working. However, this option is no longer available for Apache 2.4.
To be able to restart Apache I had to replace <VirtualHost _default_:443> with <VirtualHost *:443> for the default 443 VirtualHost since it is otherwise impossible to start Apache.
Any idea which may help overcome this frustrating situation is welcome.
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
20160413
Joined: 13 Apr 2016 Posts: 28
Posted: Sun 22 May '16 2:20
Thank you for your reply and I am sorry that it took me so long to answer. Today I tried again and I am still out of luck. The difference between your gist and my setup is that I do not have the default 80 and 443 in apache.conf but have them in 000-default.conf and defaults-ssl.conf and load these via apache.conf.
Now I disabled all https sites on the server and I am still getting "An error occurred during a connection to www.mediawikiwidgets.org. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG" for my domain on https. Shouldn't this domain just be void on https since no VirtualHost is configured for it?
I am still utterly amazed why I run into this issue. It worked for me on Apache 1.3, 2.0 and 2.2. No idea why 2.4 is a big fail. Basically I would like to serve a domain just over https and I would like to stay with Apache. I understand that this is a standard operation which should work right away. I have now spent a total of 6 hours on this failure. I am pretty disappointed and in despair. Is there anything further I can check to get this running?
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
20160413
Joined: 13 Apr 2016 Posts: 28
Posted: Tue 24 May '16 23:10
Thank you for your patience with me. I have no idea what is going on. This is confusing and unexpected.
Indeed mod_ssl is loaded:
Loaded Modules:
...
ssl_module (shared)
...
Why do you end up at <bs.wikihoster.de>?
"default-ssl.conf" which is enabled is being ignored and "bs.wikihoster.de.conf" is the first file with a configured 443 port which is doing a permanent redirect. That's probably why this nonsense at first glance is shown.
So why is "default-ssl.conf" being ignored though it is loaded? I just moved the file to "000-default-ssl" et voilà, at least I get the expected webpage on
Code:
http://www.mediawikiwidgets.org:443
I am not sure why I put <VirtualHost _default_:443> into "default-ssl.conf" and <VirtualHost *:443> in all other configured VirtualHosts if this (_default_) is being ignored. It just feels so wrong. The only thing I can imagine is to prevent the default being taken by another or several other VirtualHosts.
I still do not know why Apache 2.4 starts being so painful. Well, I am in general rather dim when it comes to Apache but still this appears an easy task to me.
Starting from here I will again try to get https for mediawikiwidgets.org going, probably tomorrow. I expect pain and failure. Real defeatism.
20160413
Joined: 13 Apr 2016 Posts: 28
Posted: Sun 27 Nov '16 11:31 Post subject: End of pain
I did not have time to work on this since the end of May. However, yesterday I gave it another shot and it worked without further modifications to the config files. I dunno what went wrong in April/May. In the meantime I had about two or three updates for Apache, so a fix for an undisclosed issue I ran into was provided. Just speculating though. I am just happy that I finally can use https for Apache.
Thanks for all your time.