Apache Lounge forum, Apache section
Topic: Help troubleshooting Apache config/SSL certificates
julifos (Joined: 12 Feb 2022, Posts: 3, Location: Spain)
Posted: Sat 12 Feb '22 19:05    Subject: Help troubleshooting Apache config/SSL certificates

Apache 2.4.29, Ubuntu 18.04
Hi!
I'm trying to set up different domains in the same config file, and everything works fine until the last domain (called domain3 in this example):
Code:
NameVirtualHost xxx.xxx.xxx.xxx:80
NameVirtualHost xxx.xxx.xxx.xxx:443

<VirtualHost xxx.xxx.xxx.xxx:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/domain1/
   ServerName www.domain1.com
   ...
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx:443>
   DocumentRoot /var/www/domain1/
   ServerName domain1.com
   SSLEngine On
   SSLCertificateFile      /etc/ssl/certs/www.domain1.com_ssl_certificate.cer
   SSLCertificateKeyFile /etc/ssl/private/www.domain1.com_private_key.key
   SSLCertificateChainFile /etc/ssl/certs/www.domain1.com_ssl_certificate_INTERMEDIATE.cer
   ...
</VirtualHost>


<VirtualHost xxx.xxx.xxx.xxx:443>
   DocumentRoot /var/www/domain2/
   ServerName domain2.com
   SSLEngine On
   SSLCertificateFile      /etc/ssl/certs/www.domain2.com_ssl_certificate.cer
   SSLCertificateKeyFile /etc/ssl/private/www.domain2.com_private_key.key
   SSLCertificateChainFile /etc/ssl/certs/www.domain2.com_ssl_certificate_INTERMEDIATE.crt
   ...
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx:443>
   DocumentRoot /var/www/domain3/
   ServerName domain3.com
   #SSLEngine On   # uncommenting this line makes Apache fail to restart
   SSLCertificateFile      /etc/ssl/certs/www.domain3.com_ssl_certificate.cer
   SSLCertificateKeyFile /etc/ssl/private/www.domain3.com_private_key.key
   SSLCertificateChainFile /etc/ssl/certs/www.domain3.com_ssl_certificate_INTERMEDIATE.crt
   ...
</VirtualHost>

Using this config, both domain1.com and domain2.com work as expected, but visiting "https://domain3.com" will serve domain1.com's SSL certificate to the browser (so it will refuse the connection via SSL).

Uncommenting the line "SSLEngine On" in domain3's VirtualHost declaration will make Apache fail (can't be started). This is the error:
Code:
Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.

systemctl status brings this info:
Code:
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: failed (Result: exit-code) since Sat 2022-02-12 12:43:38 UTC; 15s ago
  Process: 6502 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 54717 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
  Process: 6508 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
 Main PID: 6456 (code=exited, status=0/SUCCESS)

Feb 12 12:43:38 localhost systemd[1]: Starting The Apache HTTP Server...
Feb 12 12:43:38 localhost apachectl[6508]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
Feb 12 12:43:38 localhost apachectl[6508]: Action 'start' failed.
Feb 12 12:43:38 localhost apachectl[6508]: The Apache error log may have more information.
Feb 12 12:43:38 localhost systemd[1]: apache2.service: Control process exited, code=exited status=1
Feb 12 12:43:38 localhost systemd[1]: apache2.service: Failed with result 'exit-code'.
Feb 12 12:43:38 localhost systemd[1]: Failed to start The Apache HTTP Server.

No relevant info is shown in the Apache error log.
As far as I know, both SSL certificates were purchased and installed using the same company and installation process, so no difference should exist (?)
Any hint? What could I do?
mraddi (Joined: 27 Jun 2016, Posts: 152, Location: Schömberg, Baden-Württemberg, Germany)
Posted: Sat 12 Feb '22 22:18

Good evening,

Quote:
Using this config, both domain1.com and domain2.com works as expected, but visiting "https://domain3.com" will serve to the browser domain1.com's SSL certificate (so, it will refuse the connection via SSL).

That is normal - if there is no matching VirtualHost for domain3.com then the first VirtualHost is used.

Would be interesting to see the output of "apachectl -t" and "apachectl -S" if SSLEngine is set to on for domain3.com.
julifos (Joined: 12 Feb 2022, Posts: 3, Location: Spain)
Posted: Sat 12 Feb '22 22:36
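An added example, not mraddi's or the original poster's configuration, showing the *:443 side once that default-vhost rule is taken into account. Apache 2.4 treats the first VirtualHost for an address:port pair as the default for any name it cannot match (and for clients that send no SNI), so that first block is made a deliberate catch-all with its own throwaway certificate rather than letting domain1's certificate answer for everything. The NameVirtualHost lines are dropped because 2.4 ignores them, which is what the AH00548 warning in the status output says. The catch-all's certificate paths and its ServerName are assumptions.

```apache
# Apache 2.4: no NameVirtualHost needed, name-based selection is automatic.

# First *:443 block = default for unmatched names and non-SNI clients.
# Throwaway self-signed certificate (paths are assumptions), nothing served.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    # In the default vhost this refuses SNI-unaware clients for the whole
    # IP:port instead of quietly handing them a real site.
    SSLStrictSNIVHostCheck on
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/domain1/
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.domain1.com_ssl_certificate.cer
    SSLCertificateKeyFile   /etc/ssl/private/www.domain1.com_private_key.key
    SSLCertificateChainFile /etc/ssl/certs/www.domain1.com_ssl_certificate_INTERMEDIATE.cer
</VirtualHost>

<VirtualHost *:443>
    ServerName domain3.com
    ServerAlias www.domain3.com
    DocumentRoot /var/www/domain3/
    # Every TLS vhost needs its own "SSLEngine on". With it commented out,
    # mod_ssl never binds this block to the name, so the default answers.
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.domain3.com_ssl_certificate.cer
    SSLCertificateKeyFile   /etc/ssl/private/www.domain3.com_private_key.key
    SSLCertificateChainFile /etc/ssl/certs/www.domain3.com_ssl_certificate_INTERMEDIATE.crt
</VirtualHost>
```

The catch-all costs nothing operationally (any self-signed certificate will do, since no client is meant to trust it) and turns "wrong certificate for domain3" into an obvious refusal instead of a leak of whichever site happens to be listed first. Check the result with "apachectl -S": the catch-all should appear as "default server" for port 443.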

Thanks for your answer.

This is the output without SSLEngine On:
Code:
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
Syntax OK


AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
VirtualHost configuration:
82.223.3.128:80        is a NameVirtualHost
         default server server1.com (/etc/apache2/sites-enabled/000-default.conf:4)
         port 80 namevhost server1.com (/etc/apache2/sites-enabled/000-default.conf:4)
82.223.3.128:443       is a NameVirtualHost
         default server gestinot.com (/etc/apache2/sites-enabled/000-default.conf:375)
         port 443 namevhost server1.com (/etc/apache2/sites-enabled/000-default.conf:375)
         port 443 namevhost server2.com (/etc/apache2/sites-enabled/000-default.conf:699)
         port 443 namevhost server3.com (/etc/apache2/sites-enabled/000-default.conf:743)
*:*                    localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1109)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33


Some differences in the last part with SSLEngine On:
Code:
*:*                    localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1109)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
tangent, Moderator (Joined: 16 Aug 2020, Posts: 348, Location: UK)
Posted: Mon 14 Feb '22 18:11

Since the virtual host definitions are similar (apart from the certificates of course), it rather suggests your problem lies with the certificate files/chain.

My suggestions for domain3 would be to:
    a) Check the ownership and permissions on the certificate files (presuming the key file is read only to the Apache process owner).

    b) Temporarily, try using domain2 certificates for domain3, to see if Apache still starts. If so, you know there's a problem with the domain3 certs.

    c) Is there a password assigned to the domain3 private key file, preventing Apache from starting? Check the start of the key file for the word encrypted, e.g.
    Code:
    $ head -3 private-key.pem
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,C0A142839C75245013ABCADBA500BB8E

    If there is a password on the private key then create a new private key file without one.
    Code:
    $ openssl rsa -in old-key.pem -out new-key.pem

    d) Check your certificate and private key match using the openssl modulus command, e.g. compare the hash outputs from:
    Code:
    $ openssl x509 -noout -modulus -in site-cert.pem | openssl sha256
    $ openssl rsa -noout -modulus -in site-key.pem | openssl sha256

    e) Enable SSL debug in the configuration, and restart Apache. The error log file should contain helpful information over what the problem is.
    Code:
    LogLevel info ssl:debug

    At this point my guess would be there's a problem with the certificate chain, which you'd need to resolve. There are any number of links on the net showing how to use the openssl verify option to do this, but you'll probably need to split the CA and Intermediate certificates into separate files to check, e.g.
    Code:
    $ openssl verify -CAfile root-ca-cert.pem -untrusted intermediate-cert.pem site-cert.pem
Let us know how you get on.
julifos (Joined: 12 Feb 2022, Posts: 3, Location: Spain)
Posted: Mon 14 Feb '22 22:27

Tx!

a) Ownership and permissions are the same both for domain2 and domain3.
b) Yes, using domain2 certificates for domain3 lets Apache start, so some kind of issue exists with the certificates of domain3...
c) No encryption.
d) Match!
e) From different error-log files:
Code:
[Mon Feb 14 20:15:41.749766 2022] [mpm_prefork:notice] [pid 78150] AH00169: caught SIGTERM, shutting down
[Mon Feb 14 20:15:41.824469 2022] [ssl:info] [pid 78687] AH01887: Init: Initializing (virtual) servers for SSL
AH00016: Configuration Failed
[Mon Feb 14 20:15:41.825313 2022] [ssl:emerg] [pid 78687] AH02565: Certificate and private key domain3:443:0 from /etc/ssl/certs/domain3_ssl_certificate.cer and /etc/ssl/private/domain3_private_key.key do not match


Now I don't know where I got (or how I created) the private key.

I purchased the certificate and I can download both the certificate and the intermediate. How can I obtain a working private key??? (And how was I able to install it properly for the two previous domains...)
tangent, Moderator (Joined: 16 Aug 2020, Posts: 348, Location: UK)
Posted: Mon 14 Feb '22 23:08

I'm somewhat confused, since if the modulus for the key and certificate match, they should be ok. You should be able to check the modulus for the corresponding CSR, which should also be the same (use "openssl req -noout -modulus ...").

Are the domain3 files all clean, PEM layout, no missing final EOL character, no mixed LF / CRLF problems?

Key problem aside though, I'd still verify the CA, Intermediate and site cert files, to make sure the certificate chain is valid, and confirm your CA hasn't provided an incorrect/expired Intermediate.

You can't re-create a key for existing certificates. If things really are still broken, you'll have to speak nicely to your CA and see if you can start again with a new key file and CSR.
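Putting tangent's checks from both posts (file permissions, passphrase on the key, key/certificate/CSR agreement and chain verification) into one script, as an added example that is not part of the thread. It compares SubjectPublicKeyInfo blocks rather than RSA moduli, so it also covers ECDSA and Ed25519 keys, and it takes the exact paths from the VirtualHost as arguments, because the one thing the thread never settles is whether the files hand-checked with "-modulus" were the files mod_ssl named in AH02565. It needs the openssl command line. The self-test fixture it builds (root, intermediate, leaf, a stray key and an encrypted key), the script name and every file name are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs the checks from tangent's two
# posts against one <VirtualHost>'s files: key permissions, passphrase on the
# key, key/cert/CSR public-key agreement (what mod_ssl tests before logging
# AH02565) and chain validity. Point it at the exact paths Apache loads.
# Needs the openssl CLI; every file name here is an assumption.
set -u

# 0 if anyone can read the key (tangent's point a). httpd reads it as root at
# start-up, before dropping to www-data, so root-only is enough.
key_is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# 0 if the key is passphrase-protected: mod_ssl must then prompt at start-up
# (SSLPassPhraseDialog), which a systemd-started httpd cannot answer.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Public key (SubjectPublicKeyInfo, PEM) of a cert, key or CSR. Comparing
# public keys works for RSA, ECDSA and Ed25519; "-modulus" is RSA-only.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -noout -pubkey -in "$2" 2>/dev/null ;;
        key)  openssl pkey -pubout -in "$2" 2>/dev/null ;;
        csr)  openssl req -noout -pubkey -in "$2" 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# 0 when the certificate and the private key carry the same public key.
cert_matches_key() {
    c=$(pubkey_of cert "$1") && k=$(pubkey_of key "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when LEAF chains to ROOT through the intermediate(s) in CHAIN.
chain_is_valid() {  # ROOT CHAIN LEAF
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Verdict for one vhost: CERT KEY CHAIN ROOT. 0 only if every check passes.
check_vhost() {
    cert=$1; key=$2; chain=$3; root=$4; rc=0
    if key_is_world_readable "$key"; then echo "FAIL: $key is world-readable"; rc=1; fi
    if key_is_encrypted "$key"; then echo "FAIL: $key is passphrase-protected"; rc=1; fi
    if ! cert_matches_key "$cert" "$key"; then echo "FAIL: $cert and $key do not match (AH02565)"; rc=1; fi
    if ! chain_is_valid "$root" "$chain" "$cert"; then echo "FAIL: $cert does not chain to $root"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: $cert / $key / $chain"
    return "$rc"
}

# Constructed fixture (root -> intermediate -> leaf) plus a world-readable
# stray key and an encrypted copy of the leaf key, for an offline self-test.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj /CN=Test-Root \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=Test-Intermediate \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=domain3.com \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/stray.key" >/dev/null 2>&1 || return 1
    openssl pkey -in "$d/leaf.key" -aes256 -passout pass:secret \
        -out "$d/leaf-enc.key" >/dev/null 2>&1 || return 1
    chmod 600 "$d/leaf.key" && chmod 644 "$d/stray.key" || return 1
    echo "$d"
}

# Usage: sh vhost-tls-check.sh CERT KEY CHAIN ROOT
if [ "$#" -eq 4 ]; then
    check_vhost "$@"
fi
```

Run it as "sh vhost-tls-check.sh CERT KEY CHAIN ROOT" with the three paths copied from the VirtualHost and the CA's root certificate as the fourth argument; the root is supplied separately because SSLCertificateChainFile should carry only the intermediate(s). A clean run prints one OK line and exits 0; each failing check prints its own FAIL line and the exit status is 1, so the script can sit in a deploy hook ahead of "apachectl configtest" and catch exactly the AH02565 case before a restart takes the site down.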