logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: HTTPS connection attempts time out
Author
AlanH



Joined: 05 Aug 2018
Posts: 6

PostPosted: Mon 06 Aug '18 13:03    Post subject: HTTPS connection attempts time out Reply with quote

Running Apache 2.4 on W2016 server. I installed OpenSSL, generated the CSR, got a certificate from RapidSSLOnline. Installed it on Apache using information from https://www.phildev.net/ssl/, https://tud.at/programm/apache-ssl-win32-howto.php3, as well as info on this site. Apache starts up with no errors, and my site is available via port 80, but HTTPS connection attempts fail with timeout or “unable to connect” errors.

I set the log level to debug, restarted Apache, and confirmed there are no obvious errors in the log from any module, the ssl messages are shown below.

I never see an entry in either the error log or the access log for the attempted HTTPS connection. I double checked firewall settings and both 80 & 443 are open.

I ran wireshark, and I do see activity on port 443, but what seems odd is that there’s a noticeable delay – maybe 5 seconds – after I attempt the https connection before wireshark shows any activity. I’m not sufficiently familiar with what I should be seeing in wireshark to know whether the packets are normal or not, but the fact that port 443 traffic is coming in seems to prove the firewall settings are correct.

I’ve only been working with Apache for a couple of months, so I’m still a novice, and this is my first attempt with SLL & certificates, so I may have done something monumentally stupid. Any suggestions for how to track down this problem would be greatly appreciated!

Excerpt from error.log


Code:

[Sat Aug 04 20:08:08.954333 2018] [ssl:info] [pid 2628:tid 520] AH01887: Init: Initializing (virtual) servers for SSL
[Sat Aug 04 20:08:08.954333 2018] [ssl:info] [pid 2628:tid 520] AH01914: Configuring server www.website.com:443 for SSL protocol
[Sat Aug 04 20:08:08.954333 2018] [ssl:debug] [pid 2628:tid 520] ssl_engine_init.c(1694): AH10083: Init: (www.website.com:443) mod_md support is unavailable.
[Sat Aug 04 20:08:08.954333 2018] [ssl:debug] [pid 2628:tid 520] ssl_engine_init.c(1061): AH01904: Configuring server certificate chain (1 CA certificate)
[Sat Aug 04 20:08:08.954333 2018] [ssl:debug] [pid 2628:tid 520] ssl_engine_init.c(477): AH01893: Configuring TLS extension handling
[Sat Aug 04 20:08:08.954333 2018] [ssl:debug] [pid 2628:tid 520] ssl_util_ssl.c(476): AH02412: [www.website.com:443] Cert matches for name 'www.website.com' [subject: CN=www.website.com / issuer: CN=RapidSSL RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 0BF79E38C029A147EA3226F4FD424097 / notbefore: Aug  4 00:00:00 2018 GMT / notafter: Aug  4 12:00:00 2019 GMT]
[Sat Aug 04 20:08:08.954333 2018] [ssl:info] [pid 2628:tid 520] AH02568: Certificate and private key www.website.com:443:0 configured from C:/apache24/conf/ssl/website-server.crt and C:/apache24/conf/ssl/website-server.key
[Sat Aug 04 20:08:08.954333 2018] [ssl:info] [pid 2628:tid 520] AH01876: mod_ssl/2.4.33 compiled against Server: Apache/2.4.33, Library: OpenSSL/1.1.0h
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Tue 07 Aug '18 10:39    Post subject: Reply with quote

Hello Alan,

do you have checked the local firewall-settings on your W2016-server so that connections to tcp-port 443 are allowed?
The log-lines provided look good (from my point of view) - no errors or warnings. Smile

What exactly do you mean by "...before wireshark shows any activity"? What activity can be seen there? Only SYN-packets or a complete SYN-(SYN-ACK)-ACK-handshake followed by the packets for establishing a SSL-connection?
And where is the "noticable delay - maybe 5 seconds"? Between hitting enter in the browser's address bar and the first SYN-packet or between somewhere later after the SYN-(SYN-ACK)-ACK-handshake?

Best regards
Matthias
Back to top
AlanH



Joined: 05 Aug 2018
Posts: 6

PostPosted: Tue 07 Aug '18 13:36    Post subject: Reply with quote

mraddi wrote:
Hello Alan,

do you have checked the local firewall-settings on your W2016-server so that connections to tcp-port 443 are allowed?

Thanks for your reply!

Yes, double checked that again last night.
Also, one other thing I neglected to mention in my post -- I confirmed via netstat that httpd is listening on both 80 & 443 (and I realize if the firewall was blocking 443, netstat would still show the "listening" state).

mraddi wrote:

What exactly do you mean by "...before wireshark shows any activity"? What activity can be seen there? Only SYN-packets or a complete SYN-(SYN-ACK)-ACK-handshake followed by the packets for establishing a SSL-connection?
And where is the "noticable delay - maybe 5 seconds"? Between hitting enter in the browser's address bar and the first SYN-packet or between somewhere later after the SYN-(SYN-ACK)-ACK-handshake?

I think that may have been just a coincidence. I had wireshark set with a capture filter for port=443, then initiated an HTTPS://www.mysite.com request from a different computer, expecting to see traffic hit wireshark immediately. Nothing happened on wireshark for about 5 seconds, but I think what came in was from a bot, not from my browser.

The other thing that may be important is that I never see any activity from my HTTPS requests in any of the Apache logs (and I have the logging set to "trace8"). So it seems to me that something is preventing the traffic from ever getting to Apache.

If there was something mis-configured in my httpd.conf, shouldn't there be something entered into either the error or access log?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Tue 07 Aug '18 14:46    Post subject: Reply with quote

Hello,

you have used Wireshark (I guess you have doublechecked to listen to the correct network-interface) on the W2016-server that is running Apache and didn't see any packets from/to the other workstation running the browser?
If yes, that sounds strange. Please ensure that the packets are leaving the other computer running the browser and see if you see some odds there. You can also do a test using telnet to the W2016-server's port 443 to see if the problem is within the network (or the client's network stack) or the browser.
What is the result if you try to open https://localhost on the W2016-server's browser? Result should be an certificate-error.

Depending on your network there are many reasons - some of them are a firewall between the server and the client, some faulty routing or a misconfired pac-file for browser-configuration (as seen sometimes in the company I work for). Another idea is an anti-virus-package on the client-machine that prevents it from talking to its neighbours.

Best regards
Matthias
Back to top
AlanH



Joined: 05 Aug 2018
Posts: 6

PostPosted: Wed 08 Aug '18 1:42    Post subject: Reply with quote

mraddi wrote:

What is the result if you try to open https://localhost on the W2016-server's browser? Result should be an certificate-error.

Thanks, that was a great idea! Indeed, I get a "SSL_ERROR_BAD_CERT_DOMAIN" (presumably because 127.0.0.1 is not the domain name contained in the certificate). I took your idea one step further, and added "www.mydomain.com 127.0.0.1" to the HOSTS file, and I get my green padlock, proving that I installed the certificate & set the apache configuration correctly.

I'm still faced with figuring out why the traffic is never reaching apache, but knowing the certificate is functional is a relief. BTW, this is an Amazon Lightsail instance, and I'm using Route 53 as my domain registrar, if you're aware of any reasons why that combination would block HTTPS but not HTTP, please let me know. I'll be researching this on the AWS forums.

Many thanks for your point in the right direction! Very Happy
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Wed 08 Aug '18 6:36    Post subject: Reply with quote

Good to hear that at the apache is working as expected Smile. You are right - the certificate-error occured because localhost is (usually) not within the certificate's SAN (subject alternate name).

As you said that packets are coming in on port 443 (as seen with Wireshark on the W2016-server) - but not from you client - you now can focus on the next step "are these packets leaving my client?".

The registrar is (according to my knowledge) not the reason for anything being blocked as it only provides the link between name and ip-address.
Back to top
AlanH



Joined: 05 Aug 2018
Posts: 6

PostPosted: Thu 09 Aug '18 3:05    Post subject: Reply with quote

mraddi wrote:

As you said that packets are coming in on port 443 (as seen with Wireshark on the W2016-server) - but not from you client - you now can focus on the next step "are these packets leaving my client?".

Those packets I thought were coming in on 443 were an incorrect interpretation on my part. I had set a capture filter on port 443, and when I saw traffic just a few seconds after my HTTPS request, I made an incorrect assumption they were incoming packets. Turns out they were outgoing packets, and further investigation proved that nothing was making it in to Apache on 443.

The resolution of the problem turned out to be very simple. It turns out that the management interface for Lightsail has its own firewall (still not sure how I missed seeing this), and 443 was getting blocked. The fact that I had it enabled on the server firewall was irrelevant, since they were never getting that far.

Two errors on my part, but a great suggestion from you helped me isolate the problem & get it fixed quickly. Thanks again for your help!
Back to top


Reply to topic   Topic: HTTPS connection attempts time out View previous topic :: View next topic
Post new topic   Forum Index -> Apache