Topic: Need Help Setting up SSL - CentOS7 / Apache/2.4.6
SuperGeorge
Joined: 18 May 2020   Posts: 4
Posted: Thu 16 Jul '20 20:45   Post subject: Need Help Setting up SSL - CentOS7 / Apache/2.4.6
Okay, so I'm really hoping someone can help me, as I've been at this for weeks/months and still can't figure it out.
 
 
I originally posted the issue in a CentOS-7 forum, but I still can't make any headway:
 
https://forums.centos.org/viewtopic.php?f=48&t=73789
 
 
So, I have Apache/2.4.6 running on a CentOS 7 virtual machine on Azure, and it's been happily doing its thing for several months, with multiple websites on the same IP. More recently I added a new site, with its own IP, which is also working fine. None of the sites currently use SSL.
 
 
Now I'm trying to add SSL for the newer site (and only that one site). I've purchased the certificate through GoDaddy and downloaded the cert and the key, and created two files on the server, as guided by some instructions I found (path names provided below).
 
 
However, I'm a bit stuck on how to proceed from here. Obviously the server already listens on port 80 for all current web traffic, and I somehow need to listen on port 443 for traffic for the one site I need SSL for.
 
 
I did already install mod_ssl:
 
Code:
$ sudo yum install mod_ssl
 
 
So I tried just adding "Listen 443" to httpd.conf, below "Listen 80", but the server then failed to start at all:
 
Code:
$ sudo journalctl -xe
-- Unit httpd.service has begun starting up.
Mar 21 17:14:59 dgbvm httpd[77384]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:382
Mar 21 17:14:59 dgbvm httpd[77384]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 21 17:14:59 dgbvm systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 17:14:59 dgbvm kill[77385]: kill: cannot find process ""
Mar 21 17:14:59 dgbvm systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 21 17:14:59 dgbvm systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
 
 
Also tried just modifying the virtual host section, as below, to listen on 443 (which I didn't expect to work and I was not disappointed):
 
Code:
<VirtualHost 10.0.0.5:443>
ServerName blah...
ServerAlias www.blah...

DocumentRoot "/var/www/sites/blah/"
...
SSLCertificateFile      /etc/httpd/conf/ssl.crt/blah.crt
SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/blah.key
</VirtualHost>
 
 
Also added the following above the virtual host section:
 
Code:
SSLStrictSNIVHostCheck                  on
 
 
So, I've put the crt and key files into the relevant dirs, amended httpd.conf, checked permissions, and restarted httpd, but it still just defaults to the default domain as soon as I try to do anything with the 443 stuff.
 
Code:
SSLStrictSNIVHostCheck on

<VirtualHost 10.0.0.5:443>
ServerName xxx.com
ServerAlias www.xxx.com

DocumentRoot "/var/www/sites/lac/"

SSLCertificateFile      /etc/pki/tls/certs/lac.crt
SSLCertificateKeyFile   /etc/pki/tls/private/lac.key
...
...
</VirtualHost>


Code:
$ ls -l /etc/pki/tls/certs/lac.crt
-rw-------. 1 root root 891 Mar 25 15:17 /etc/pki/tls/certs/lac.crt

$ ls -l /etc/pki/tls/private/lac.key
-rw-------. 1 root root 1705 Mar 25 15:19 /etc/pki/tls/private/lac.key

$ sudo cat /etc/pki/tls/certs/lac.crt
-----BEGIN CERTIFICATE REQUEST-----
blah ....
.....
.....
.....
blah ....
-----END CERTIFICATE REQUEST-----

$ sudo cat /etc/pki/tls/private/lac.key
-----BEGIN PRIVATE KEY-----
longer...blah ...
...
...
...
...
-----END PRIVATE KEY-----
 
 
I always have SELinux on, but I did temporarily put it into permissive mode and it made no difference, so presumably it's not an SELinux problem.
 
 
So, checking another config which was provided, I saw that I did not have the "SSLEngine on" directive in my config, so I added it. However, httpd wouldn't even start when I did that, so I took it out again.
 
 
There is additional info from testing things out on the original CentOS forum post, but I think I've included most of the relevant bits.
 
 
The server appears to be listening on port 443, per below, so I'm sure it must be some sort of Apache config issue.

Code:
$ sudo lsof -i -P -n | grep LISTEN
rpcbind    525      rpc    8u  IPv4    16846      0t0  TCP *:111 (LISTEN)
rpcbind    525      rpc   11u  IPv6    16849      0t0  TCP *:111 (LISTEN)
sshd       862     root    3u  IPv4    20164      0t0  TCP *:22 (LISTEN)
sshd       862     root    4u  IPv6    20249      0t0  TCP *:22 (LISTEN)
mysqld     889    mysql   17u  IPv6    21462      0t0  TCP *:3306 (LISTEN)
master     986     root   13u  IPv4    21159      0t0  TCP 127.0.0.1:25 (LISTEN)
master     986     root   14u  IPv6    21160      0t0  TCP [::1]:25 (LISTEN)
httpd    44623     root    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44623     root    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44637   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44637   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44713   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44713   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44957   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44957   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44982   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44982   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45708   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45708   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45760   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45760   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45763   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45763   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45778   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45778   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45784   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45784   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45785   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45785   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
 
 
I've never done SSL before, despite twenty-odd years of messing around with Apache servers, so it's quite possible I'm doing something/missing something really basic, not knowing any different. Anyway, I am really desperate to get this working now and would deeply appreciate assistance.
 
 
Many thanks!
 
mraddi
Joined: 27 Jun 2016   Posts: 152   Location: Schömberg, Baden-Württemberg, Germany
Posted: Fri 17 Jul '20 12:08
Hello,
 
 
please ensure that the certificate + key are readable by the Apache process (if it is not readable there should be a message within Apache's error.log - this file is always a good place to start with troubleshooting)
 
 
But something else that catches my eye is the lac.crt file. According to the content you have posted it is only the CSR (certificate signing request) instead of the signed certificate.

It should be something like
 
Code:
-----BEGIN CERTIFICATE-----
blah...
...
blah...
-----END CERTIFICATE-----
 
instead of
 
Code:
-----BEGIN CERTIFICATE REQUEST-----
blah ....
.....
.....
.....
blah ....
-----END CERTIFICATE REQUEST-----
 
 
Best regards
Matthias
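Matthias's two checks (is the .crt really a signed certificate rather than the CSR, and can httpd read the key) can be scripted so they are run before every restart. The following is an added example, not code from this thread or from the Apache project: the PEM strings are constructed stand-ins for the files shown above, and the permission rule assumes the stock CentOS 7 setup, where the httpd parent started by systemd reads the key as root before the workers drop to the apache user (so root-owned 0600, as in the ls output above, is fine).

```python
import os
import re
import stat
import sys

# A PEM block is "-----BEGIN <LABEL>-----", a base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed stand-ins for the files in the thread (not real key material).
CSR_SAMPLE = "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...blah\n-----END CERTIFICATE REQUEST-----\n"
CERT_SAMPLE = "-----BEGIN CERTIFICATE-----\nMIID...blah\n-----END CERTIFICATE-----\n"
KEY_SAMPLE = "-----BEGIN PRIVATE KEY-----\nMIIE...blah\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """Return [(label, body)] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_cert_text(text):
    """Is this text usable as SSLCertificateFile?  Returns (ok, reason)."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels:
        return False, "no PEM block found (DER-encoded, or the wrong file)"
    if "CERTIFICATE REQUEST" in labels:
        return False, ("holds a CERTIFICATE REQUEST (the CSR sent to the CA), "
                       "not the certificate the CA issued")
    if "CERTIFICATE" not in labels:
        return False, "no CERTIFICATE block; found: " + ", ".join(labels)
    n = labels.count("CERTIFICATE")
    return True, "%d CERTIFICATE block(s) (1 = leaf only, more = chain included)" % n


def check_key_text(text):
    """Is this text usable as SSLCertificateKeyFile?  Returns (ok, reason)."""
    blocks = pem_blocks(text)
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        found = ", ".join(label for label, _ in blocks) or "nothing"
        return False, "no PRIVATE KEY block; found: " + found
    label, body = keys[0]
    # PKCS#8 encrypted keys carry the ENCRYPTED label; traditional OpenSSL keys
    # carry a "Proc-Type: 4,ENCRYPTED" header line inside the block instead.
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return True, (label + " is passphrase-protected: httpd needs the "
                      "passphrase at every start (see SSLPassPhraseDialog)")
    return True, label + " block present"


def key_mode_warnings(mode, owner_uid):
    """Permission hygiene for a private key, from its st_mode bits and st_uid.
    Assumes the CentOS 7 model: the httpd parent reads the key as root, so
    root-owned 0600 is correct and anything wider only widens exposure."""
    warnings = []
    if mode & stat.S_IROTH:
        warnings.append("private key is world-readable")
    if mode & stat.S_IRGRP:
        warnings.append("private key is group-readable")
    if owner_uid != 0:
        warnings.append("private key is not owned by root (uid %d)" % owner_uid)
    return warnings


def inspect_files(cert_path, key_path):
    """Run all checks against real files; returns a list of report lines."""
    report = []
    with open(cert_path) as fh:
        ok, why = check_cert_text(fh.read())
    report.append("%s %s: %s" % ("OK " if ok else "BAD", cert_path, why))
    with open(key_path) as fh:
        ok, why = check_key_text(fh.read())
    report.append("%s %s: %s" % ("OK " if ok else "BAD", key_path, why))
    st = os.stat(key_path)
    for w in key_mode_warnings(stat.S_IMODE(st.st_mode), st.st_uid):
        report.append("WARN %s: %s" % (key_path, w))
    return report


if __name__ == "__main__":
    # Usage: sudo python pem_check.py /etc/pki/tls/certs/lac.crt /etc/pki/tls/private/lac.key
    if len(sys.argv) == 3:
        print("\n".join(inspect_files(sys.argv[1], sys.argv[2])))
    else:  # no paths given: show the verdicts on the constructed samples
        print("CSR_SAMPLE ", check_cert_text(CSR_SAMPLE))
        print("CERT_SAMPLE", check_cert_text(CERT_SAMPLE))
        print("KEY_SAMPLE ", check_key_text(KEY_SAMPLE))
```

Run against the paths from the thread it reports the CSR-instead-of-certificate mistake as BAD, which is the same thing httpd's error.log would have said at startup once SSLEngine on was in place.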
 
SuperGeorge
Joined: 18 May 2020   Posts: 4
Posted: Fri 17 Jul '20 15:19
Yeah, I think those permissions should be okay, and the certificate does indeed look as you suggest it should. I believe what I posted was what I had in the original post on the CentOS7 forum. I should have updated it here, but alas. Anyway, currently the cert file does look like:
 
Code:
-----BEGIN CERTIFICATE-----
blah...
...
blah...
-----END CERTIFICATE-----
mraddi
Joined: 27 Jun 2016   Posts: 152   Location: Schömberg, Baden-Württemberg, Germany
Posted: Fri 17 Jul '20 19:37
Hello,
 
 
on Linux you can check with

Code:
sudo netstat -tulpn

which process is already listening on port 443.
 
SuperGeorge
Joined: 18 May 2020   Posts: 4
Posted: Fri 17 Jul '20 20:02
Turns out that the 443 error was because the "Listen 443" directive is already defined in ssl.conf. (I actually removed that part of my comment, but I guess you noticed it before I did that).
 
Anyway:
 
Code:
sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      34873/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      35149/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      34700/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      34873/master
tcp6       0      0 :::443                  :::*                    LISTEN      50502/httpd
tcp6       0      0 :::3306                 :::*                    LISTEN      34627/mysqld
tcp6       0      0 :::111                  :::*                    LISTEN      35149/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      50502/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      34700/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           35017/chronyd
udp        0      0 0.0.0.0:980             0.0.0.0:*                           35149/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           35149/rpcbind
udp6       0      0 ::1:323                 :::*                                35017/chronyd
udp6       0      0 :::980                  :::*                                35149/rpcbind
udp6       0      0 :::111                  :::*                                35149/rpcbind
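The root cause SuperGeorge identified, a second Listen 443 supplied by mod_ssl's ssl.conf on top of the one added to httpd.conf, is exactly what the earlier "(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443" error reports, and it can be caught by scanning the config tree instead of restarting httpd and reading journalctl. The following is an added example, not code from this thread or from the Apache project. It assumes the stock CentOS layout where httpd.conf pulls in conf.d/*.conf with an Include/IncludeOptional line and Include paths are ServerRoot-relative; the SAMPLE_FILES tree is constructed to reproduce the duplicate.

```python
import fnmatch
import os
import re
import sys

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)(?:\s+(\S+))?\s*$", re.I)
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)\s*$", re.I)

# Constructed stand-in for a CentOS 7 /etc/httpd tree, keyed by ServerRoot-relative
# path. httpd.conf got a hand-added "Listen 443" while mod_ssl's ssl.conf already
# carries one; the IncludeOptional line pulls ssl.conf in, so 443 is declared twice.
SAMPLE_FILES = {
    "conf/httpd.conf": (
        'ServerRoot "/etc/httpd"\n'
        "Listen 80\n"
        "Listen 443\n"
        "IncludeOptional conf.d/*.conf\n"
    ),
    "conf.d/ssl.conf": (
        "Listen 443 https\n"
        "<VirtualHost _default_:443>\n"
        "SSLEngine on\n"
        "</VirtualHost>\n"
    ),
    "conf.d/welcome.conf": '<LocationMatch "^/+$">\n</LocationMatch>\n',
}


def normalize_listen(arg):
    """Map a Listen argument to (host, port): '443' -> ('*', 443),
    '10.0.0.5:443' -> ('10.0.0.5', 443), '[::]:443' -> ('[::]', 443)."""
    if arg.isdigit():
        return ("*", int(arg))
    host, _, port = arg.rpartition(":")
    return (host, int(port))


def collect_listens(files, entry="conf/httpd.conf"):
    """Walk the config from `entry`, following Include/IncludeOptional globs
    against the keys of `files` (path -> text), and return
    [((host, port), path, lineno), ...] for every Listen directive met."""
    found, seen = [], set()

    def walk(path):
        if path in seen or path not in files:
            return
        seen.add(path)
        for lineno, line in enumerate(files[path].splitlines(), 1):
            m = LISTEN_RE.match(line)
            if m:
                found.append((normalize_listen(m.group(1)), path, lineno))
                continue
            m = INCLUDE_RE.match(line)
            if m:
                for other in sorted(files):
                    if fnmatch.fnmatch(other, m.group(1)):
                        walk(other)

    walk(entry)
    return found


def duplicate_listens(listens):
    """{(host, port): [(path, lineno), ...]} for endpoints declared more than
    once; these are the lines behind the AH00072 "Address already in use" start
    failure seen in the thread."""
    by_endpoint = {}
    for endpoint, path, lineno in listens:
        by_endpoint.setdefault(endpoint, []).append((path, lineno))
    return {ep: locs for ep, locs in by_endpoint.items() if len(locs) > 1}


def load_tree(server_root):
    """Read a real ServerRoot (e.g. /etc/httpd) into the mapping collect_listens
    expects. Include paths are resolved as ServerRoot-relative globs, as in the
    stock CentOS httpd.conf; absolute Include paths are not followed here."""
    files = {}
    for dirpath, _, names in os.walk(server_root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, errors="replace") as fh:
                    files[os.path.relpath(full, server_root)] = fh.read()
            except OSError:
                pass  # unreadable or special file: skip it
    return files


if __name__ == "__main__":
    # Usage: sudo python listen_check.py /etc/httpd   (no argument: scan SAMPLE_FILES)
    files = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for endpoint, locs in duplicate_listens(collect_listens(files)).items():
        where = ", ".join("%s:%d" % loc for loc in locs)
        print("%s:%d declared %d times: %s" % (endpoint[0], endpoint[1], len(locs), where))
```

On the constructed tree this prints that *:443 is declared twice, once in conf/httpd.conf and once in conf.d/ssl.conf, which is the situation the thread ended up in: with mod_ssl installed, ssl.conf already provides the Listen 443, and the VirtualHost for the SSL site only needs SSLEngine on plus the certificate and key directives.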
SuperGeorge
Joined: 18 May 2020   Posts: 4
Posted: Sat 18 Jul '20 1:16
Okay, so I actually ended up getting this working. Needed to create a CSR file and get the certificate re-issued.

It's now pretty much working as I wish it to.

Thanks.
 