smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Wed Jan 24, 2007 6:24 am Post subject: Apache SSL Oddity on transfer to Linode
Hi Folks
I'm hoping that someone out there will have seen this same problem (and fixed it!):
In the process of moving things from my colo box to my Linode, all going smoothly apart from my https site.
My setup: Gentoo 2006.1, but Apache, MySQL and PHP all hand-build and identical configuration to other machines I have set up.
I have copied my entire Apache config directory from my colo box (including SSL certificates) to my Linode.
If I try to access the SSL host FROM the Linode, using Lynx, it works without complaint. (I set the host up in /etc/hosts as the "real" one is still running on the colo box.)
However, when I try to access it from somewhere else, Firefox gives me an error -12263, which documentation suggests that my SSL is stuffed. (en-GB: broken). Lynx just says "unable to make secure connection to remote host".
I have tested this with no firewall running at all, with no different result.
Before I rush off and build a separate version of OpenSSL and re-build Apache against it, I was wondering if anyone had any bright ideas on this?
Cheers
M
tronic
Joined: 04 Dec 2004
Posts: 123
Posted: Sun Jan 28, 2007 2:11 am
Perhaps check out with:
Code: $ openssl s_client -connect <host>:443
from a remote site?
You're looking to see if it returns a reasonably valid SSL certificate without some unusual or nasty errors.
Also, what does the Apache access_log and error_log say about your Firefox connection attempt?
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Sun Jan 28, 2007 11:12 pm
I guess this counts as a nasty error:
Code:
smith@brutus ~ $ openssl s_client -connect andreas:443
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
sweh
Joined: 13 Apr 2004
Posts: 232
Posted: Mon Jan 29, 2007 11:22 am
smiffy wrote: I guess this counts as a nasty error:
Code:
smith@brutus ~ $ openssl s_client -connect andreas:443
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Sounds like it's listening to port 443 but _not_ with SSL. Potentially you might have just a plain webserver running on it, so try telnet'ing to it and doing the "GET" by hand. That'd imply a misconfig. If the connection opens and aborts then check the server logs; it might be complaining about permissions or missing files or something.
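An added example, not code from any poster in the thread, that automates the two checks above (tronic's s_client test and sweh's hand GET) in Python: it sends a minimal TLS ClientHello and classifies the first bytes of the reply, which is exactly the difference between a real SSL listener and a plain vhost answering on 443. The sample replies are constructed, and the host name passed to `probe` is whatever you are testing.

```python
import os
import socket
import struct

# Added example, not code from the thread. Sends a minimal TLS 1.2 ClientHello
# and inspects the first bytes that come back: a TLS listener answers with a
# TLS record (a ServerHello, or an alert if it rejects our lone cipher suite),
# while a plain vhost answering on 443 sends an ASCII "HTTP/1.x 400 ..." line,
# which is what s_client reports as "unknown protocol".
def build_client_hello() -> bytes:
    """Hand-built TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = b"\x03\x03" + os.urandom(32)        # client_version, random
    body += b"\x00"                             # empty session_id
    body += b"\x00\x02\x00\x2f"                 # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                         # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returned after our ClientHello."""
    if not data:
        return "closed"        # peer closed without sending a byte
    if len(data) >= 2 and data[0] in (0x16, 0x15) and data[1] == 0x03:
        return "tls"           # handshake (0x16) or alert (0x15) record
    if data.startswith(b"HTTP/"):
        return "plain-http"    # a non-SSL vhost is answering on the SSL port
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(16)
        except socket.timeout:
            return "no-reply"
    return classify_reply(reply)

# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n"
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03"
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"   # fatal handshake_failure

if __name__ == "__main__":
    import sys
    print("sample plain-http reply:", classify_reply(SAMPLE_PLAIN_HTTP))
    print("sample TLS reply:", classify_reply(SAMPLE_SERVER_HELLO))
    if len(sys.argv) > 1:                       # e.g. python probe.py myhost
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

A result of "plain-http" against your SSL port means the request is being served by a vhost without SSLEngine on, so the next place to look is apachectl -S and the vhost address bindings rather than the certificates.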
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Mon Jan 29, 2007 3:39 pm
If I telnet and do a GET, I am given the error page that I set up for when you call the machine by its IP, rather than a legitimate virtual host.
No errors at all - just a brief mention in access_log.
So, you are right - it appears to be doing a non-SSL listen on the SSL port.
Setting up Apache is something I always do myself, using a script that feeds configure. So, build is the same as on two other machines that are running properly. The entire Apache config directory, including the SSL certificates, was taken from the existing, working machine.
The problem is occurring on both my Linodes (configuration the same on both, as one is a backup). I have started doing experimentation on my backup unit, so as not to disturb normal operations. I have re-built OpenSSH and then Apache on that one, with no difference.
This is most puzzling.
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Mon Jan 29, 2007 3:53 pm
Just tried adding "Listen 67.18.176.140:443" to my httpd.conf; when I tried to restart using apachectl sslstart, I got this:
Code:
(98)Address already in use: make_sock: could not bind to address 67.18.176.140:443
no listening sockets available, shutting down
Unable to open logs
Ignore this! The listen was already being pulled in by an include ;-)
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Tue Jan 30, 2007 12:36 am
Many thanks to those who offered advice on this.
The issue is now CLOSED, not because I've fixed the problem, but because I decided to upgrade from httpd 2.0.19 to 2.2.4.
I have been putting this off for some time, due to possible difficulties with mod_auth_mysql, on which many of my applications are dependent.
SSL worked straight off, when I did this; it did mean that I have spent most of the day fixing all the other issues - like getting mod_auth_mysql working (there's a patch available) - rebuilding PHP (twice), etc, etc.
Now all working fine on my backup Linode; will install on my production Linode early one morning, before my clients are awake ;-)
Internat
Joined: 17 Aug 2004
Posts: 173
Location: Brisbane, Australia
Posted: Tue Jan 30, 2007 2:14 am
On the note of mod_auth_mysql, how did you get it working? Cause buggered if I have been able to with the new setup they have.
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Tue Jan 30, 2007 2:47 am
OK, two things you need to get the current version (3.0.0) working:
1) http://www.bleb.org/software/mod_auth_mysql-3.0.0-apache-2.2.3.patch
Works with 2.2.4.
2) You need to fiddle with your directives in your Apache config; fit between your 'AuthType Basic' and the first of the MySQL directives:
Code:
AuthType Basic
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQLAuthoritative On
Hope this works for you too...
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Tue Jan 30, 2007 3:01 am
I spoke too soon on the SSL problem :-(
Although working on my backup unit, the production unit, now running httpd 2.2.4 with an identical config, is spitting the same stupid error :-(
EDIT: Whoohoo! Think I've found it. It occurred to me to do apachectl -S - the SSL vhost was trying to lookup the IP address of the host in question (IE: another host) and bind to that IP address:443.
I have now added the vhost name to /etc/hosts against the REAL IP address of the Linode and openssl is now spitting back a certificate at me.
And not an entry in any log anywhere. Good, eh?
cbeck
Joined: 27 Mar 2007
Posts: 1
Posted: Tue Mar 27, 2007 2:39 pm
For some reason I was getting a similar message when my SSL vhost conf files were in vhosts.d, but not when they were in modules.d.
smiffy
Joined: 23 Jan 2007
Posts: 66
Location: 80 miles from Adelaide, Australia
Posted: Tue Mar 27, 2007 4:23 pm
Although I got around it, I still can't pinpoint the cause. It is a bit of an oddity as your experience shows.
(Note: I don't use the ebuild Apache, but build it myself so it's not a distribution-specific issue.)
shavais
Joined: 13 May 2007
Posts: 1
Posted: Sun May 13, 2007 11:20 am Post subject: similar problem, fixed
I got that same result (unknown protocol) recently (in fact I found this forum thread by pasting the error message into Google), and eventually found that apache was being started without the defines which are checked in the config files. (ie. in IFDEF statements.) I had to add "-D SSL" and such into the APACHE_OPTS variable in the apache2 file in /etc/init.d/conf.d. (This may be somewhat different for you, I'm running under Gentoo.) So apache was actually being started without the SSLEngine on directive, etc., because an IFDEF in 40_mod_ssl.conf was excluding that section, in my case.
Shavais
One awesome thing about Apache is that it's incredibly configurable. One really sucky thing about it is that it's so freaking configurable.