Firas
Joined: 29 May 2006
Posts: 1
Posted: Tue 30 May '06 0:13    Post subject: mod_ssl on Apache 2.2.2 won't start

Hi everybody,
Just downloaded httpd-2.2.2-win32-x86-ssl. But I can't get mod_ssl to work: when the line containing the 'SSLEngine on' directive is reached, httpd just terminates. In the Windows "Event Viewer" there's an entry for this error saying:
The Apache2 service terminated with service-specific error 1 (0x1).

If, however, mod_ssl is disabled, the server will function properly.

What could be the problem?

I'm running on WinXP SP2.

Thanks for your time.

abxccd
Joined: 02 Jul 2006
Posts: 5
Posted: Sun 02 Jul '06 3:03

(removed)
Last edited by abxccd on Mon 17 Feb '25 7:22; edited 2 times in total

pnllan
Joined: 05 Dec 2005
Posts: 221
Posted: Sun 02 Jul '06 7:31

Do you have certificate and key files for SSL to use?
I created a 'self-signed' certificate, and then edited the HTTPD-SSL.CONF appropriately. Then I created empty log files (error_ssl.log and access_ssl.log) as indicated below. My HTTPD-SSL.CONF looks something like this:

```apache
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#
# other than SSLMutex type being changed to default
#
# the configuration is stock
#
SSLMutex default

<VirtualHost _default_:443>

DocumentRoot "c:/Apache2/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
SSLCertificateFile conf/my-server.crt
SSLCertificateKeyFile conf/my-server.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

<Directory "c:/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
```

Honestly, it worked for me without having to use any special voodoo or tricks.

abxccd
Joined: 02 Jul 2006
Posts: 5
Posted: Sun 02 Jul '06 12:01

(removed)
Last edited by abxccd on Mon 17 Feb '25 7:22; edited 1 time in total

Steffen (Moderator)
Joined: 15 Oct 2005
Posts: 3131
Location: Hilversum, NL, EU
Posted: Sun 02 Jul '06 12:23

I have commented out:
#SSLMutex default

Maybe you can try it.

Steffen

abxccd
Joined: 02 Jul 2006
Posts: 5
Posted: Sun 02 Jul '06 13:42

(removed)
Last edited by abxccd on Mon 17 Feb '25 7:22; edited 1 time in total

Steffen (Moderator)
Joined: 15 Oct 2005
Posts: 3131
Location: Hilversum, NL, EU
Posted: Sun 02 Jul '06 13:47

I see errors:
[error] Unable to import RSA server private key
[error] SSL Library Error: 218529960

Follow the suggestion of pnllan: "... I created a 'self-signed' certificate ..."

And see if that goes.

James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg
Posted: Sun 02 Jul '06 14:17

Hm, found a batch file that will create those files; place it in the Apache folder. It needs openssl.exe, libeay32.dll and ssleay32.dll in the apache\bin folder.

```batch
@echo off
rem the openssl.cnf below sets default_keyfile = privkey.pem, which "req -new" writes
set OPENSSL_CONF=./bin/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

bin\openssl req -new -out server.csr
rem rewrite the key without its passphrase so httpd can start unattended
bin\openssl rsa -in privkey.pem -out server.key
rem self-sign the request with that key, valid for one year
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr

move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause
```
 
inside httpd.conf

```apache
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         dbm:logs/ssl.scache
SSLSessionCacheTimeout  300

SSLMutex  default

<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/xampp/htdocs"

ServerName localhost:443
ServerAdmin admin@localhost

ErrorLog logs/error.log
<IfModule log_config_module>
CustomLog logs/access.log combined
</IfModule>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl.crt/server.crt

SSLCertificateKeyFile conf/ssl.key/server.key

<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
</Location>

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php|php5|php4|php3)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/xampp/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>

<IfModule log_config_module>
CustomLog logs/ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
```
 
 Hope there is no error in this sample config
 
openssl.cnf

```ini
HOME        = .
RANDFILE    = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

[ ca ]
default_ca  = CA_default            # The default ca section

[ CA_default ]
dir             = ./demoCA          # Where everything is kept
certs           = $dir/certs        # Where the issued certs are kept
crl_dir         = $dir/crl          # Where the issued crl are kept
database        = $dir/index.txt    # database index file.
# several certificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate     = $dir/cacert.pem   # The CA certificate
serial          = $dir/serial       # The current serial number
crlnumber       = $dir/crlnumber    # the current crl number
# must be commented out to leave a V1 CRL
crl             = $dir/crl.pem      # The current CRL
private_key     = $dir/private/cakey.pem   # The private key
RANDFILE        = $dir/private/.rand       # private random number file

x509_extensions = usr_cert          # The extensions to add to the cert

name_opt        = ca_default        # Subject Name options
cert_opt        = ca_default        # Certificate field options

default_days    = 365               # how long to certify for
default_crl_days= 30                # how long before next CRL
default_md      = sha1              # which md to use.
preserve        = no                # keep passed DN ordering

policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes          = req_attributes
x509_extensions     = v3_ca         # The extensions to add to the self signed cert

string_mask = nombstr

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = AU
countryName_min             = 2
countryName_max             = 2

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName                = Locality Name (eg, city)

0.organizationName          = Organization Name (eg, company)
0.organizationName_default  = Internet Widgits Pty Ltd

organizationalUnitName      = Organizational Unit Name (eg, section)

commonName                  = Common Name (eg, YOUR name)
commonName_max              = 64

emailAddress                = Email Address
emailAddress_max            = 64

[ req_attributes ]
challengePassword           = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName            = An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                   = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment                   = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
```

abxccd
Joined: 02 Jul 2006
Posts: 5
Posted: Mon 03 Jul '06 2:56

(removed)
Last edited by abxccd on Mon 17 Feb '25 7:22; edited 1 time in total

mphare
Joined: 12 May 2006
Posts: 43
Location: Texas
Posted: Wed 19 Jul '06 19:22

Excellent!
Thanks for this info! I now have a self-certified https running on my test server.

ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
Posted: Thu 20 Jul '06 22:43

Why use a self-signed certificate when you can create your own CA with OpenSSL using the CA.pl script? I used this script to create my own CA, and I am using client-side certificates for authentication, and I can be sure I'm not under a man-in-the-middle attack. Just generate your CA and install it in your PC, very easy.

James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg
Posted: Fri 21 Jul '06 8:53

ali_fareed wrote:
> why use a self signed certificate when you can create your own ca with openssl using the ca.pl script.

First: if you have read the content of the batch script you might have seen that I use openssl to generate the certificate.
Secondly: not all win32 users have Perl installed. But the batch solution runs on every win32-based system.

ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
Posted: Fri 21 Jul '06 18:15

OpenSSL is included with most Apache builds, and you must compile it to use mod_ssl. Most people who have Apache use Perl for CGI; even the test CGI printenv in the cgi-bin is a Perl script. And the CA.pl script uses OpenSSL; actually it is included with the OpenSSL source, check the apps folder in the source.

pnllan
Joined: 05 Dec 2005
Posts: 221
Posted: Fri 21 Jul '06 18:36

Whatever works for whoever - does it really matter?
The point is: having the requisites to run SSL to begin with.

Let's not let this turn into a pissing battle - geeeeeez

pnllan
Joined: 05 Dec 2005
Posts: 221
Posted: Fri 21 Jul '06 19:05

Ali,
Please post a tutorial or provide a link on how to build your own CA. It might be of interest to some.

ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
Posted: Sun 23 Jul '06 22:00

To create a CA you must first configure OpenSSL by editing the openssl.cnf file. The extension is used for Speed Dial, so you won't be able to open it straight away; open it with a text editor and edit the ca and CA_default sections. Edit the directories you want your CA to be created in, where your certs are placed, and such. Change default_days to choose how many days your certificates will be valid; the default is one year. Now you can use CA.pl, or if you have cygwin's sh.exe, CA.sh; you can find them in the apps directory in the OpenSSL source. You can build a CA without them, but they will make your work easier. I will be using the CA.pl file. First edit the script and change the variables $CATOP, $CAKEY, $CAREQ, $CACERT to whatever you configured in the openssl.cnf file, so if you chose the directory to be ./demoCA, change the $CATOP variable to ./demoCA. Now you can build your CA; start CA.pl with:

CA.pl -newca

And this will generate your CA's private key and create your cert. Choose a good passphrase for your private key. Now you have created your CA, you must install the CA in your PC: just copy (don't move) your CA cert, which you can find in your CA directory, and change its extension from .pem to .crt. Now double-click the CA cert and click on "Install certificate", choose "Place certificate in the following store", browse and choose "Trusted Root Certification Authorities". Now your CA is installed and trusted on your PC. You must install it in every PC, or if you are using PKCS#12 files your CA will automatically be installed. Now it's time to issue your certs. You must first generate a certificate request; you do this with the CA.pl script:

CA.pl -newreq

Or for an unprotected key:

CA.pl -newreq-nodes

This will generate a private key and a certificate request. You must enter a wildcard of your domain in the common name field, so if your site is apachelounge.com you must enter *.apachelounge.com, otherwise you will get a warning in your browser. Now your certificate request must be signed by your CA; you can also do that with the CA.pl script:

CA.pl -sign

Or to create another intermediate CA:

CA.pl -signca

Enter your CA private key passphrase and issue the cert.

Now you're done. Your private key should be called newkey.pem and your certificate should be called newcert.pem; just copy them and rename them to whatever you like. Now your certs are signed by your CA. If you would like to install a client-side certificate it is easier to use PKCS#12 files; just use the CA.pl script:

CA.pl -pkcs12

This creates a PKCS#12 file which contains your CA cert, the cert in the newcert.pem file and the key in the newkey.pem file.

For more information you can go to these links:
http://www.openssl.org/docs/apps/CA.pl.html
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html

pnllan
Joined: 05 Dec 2005
Posts: 221
Posted: Mon 24 Jul '06 2:21

Ali,
Looks to be a good post, I'll give it a try.

Thanks!

Edit: It works and it's nice to be able to issue certificates in various ways.

feichangtaoqi
Joined: 01 Aug 2006
Posts: 1
Posted: Tue 01 Aug '06 7:02    Post subject: I meet the same problem of "Unable to import RSA server

38 2006] [error] Unable to import RSA server private key
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218529894 error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

I set up the ssl.cnf as follows:

```apache
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#
# other than SSLMutex type being changed to default
#
# the configuration is stock
#
SSLMutex default

<VirtualHost _default_:443>

DocumentRoot "c:/Program Files/Apache Group/Apache2/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
SSLCertificateFile conf/ssl/my-server.crt
SSLCertificateKeyFile conf/ssl/my-server.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

<Directory "c:/Program Files/Apache Group/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
```

and the ssl.bat as:

```batch
bin\openssl req -config bin\openssl.cnf -new -out my-server.csr

bin\openssl rsa -in privkey.pem -out my-server.key

bin\openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 4000
```

and copied the
my-server.crt
my-server.key
privkey.pem
my-server.csr

to the conf/ssl directory.

Well, it does not work!

admin edit (pnllan): Please note forum rules - and easy with your tone

ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
Posted: Tue 01 Aug '06 19:15

I don't know what you did, but you have two keys, one certificate request and one certificate; one of the keys is corrupt. Try doing this to create a key and a self-signed cert. First you need to create the key:

```sh
openssl genrsa -out privkey.pem 2048
```

then you need to create a self-signed cert:

```sh
openssl req -new -x509 -key privkey.pem -out cert.pem -days 1095
```

Fill in the form and now you have a self-signed certificate in cert.pem and a private key in privkey.pem. Copy them and edit the configuration in Apache: point SSLCertificateFile to your certificate and SSLCertificateKeyFile to your key. Now it should work.
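The ASN.1 errors quoted above ("header too long", "bad object header") are OpenSSL failing to parse the DER inside the file that SSLCertificateKeyFile points at, which is what happens when that file is not the PEM private key mod_ssl expects (a CSR copied into conf/ssl, a truncated or editor-mangled key, a DER file). Added here as an example, not code from the thread: a small Python checker that reads a PEM file the way mod_ssl sees it, labels each block, flags an encrypted key by its Proc-Type header (which means a passphrase prompt at every start, the thing -newreq-nodes avoids), and verifies the outer DER length. The PEM blocks it builds are constructed samples, not real keys.

```python
import base64
import re

# One PEM block: label, optional "Key: value" header lines, base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}   # what SSLCertificateKeyFile expects

def der_problem(der):
    """Outer DER SEQUENCE header check, as ASN1_get_object does it; OpenSSL's wording on failure."""
    if len(der) < 2 or der[0] != 0x30:            # 0x30 = constructed SEQUENCE
        return "bad object header"
    hdr, length = 2, der[1]
    if length >= 0x80:                            # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return "bad object header"
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return None if hdr + length == len(der) else "header too long"

def parse_pem_blocks(text):
    """Yield (label, headers, problem) for every PEM block in a file."""
    for m in PEM_RE.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = {}
        while lines and ":" in lines[0]:          # Proc-Type / DEK-Info of an encrypted key
            k, v = lines.pop(0).split(":", 1)
            headers[k.strip()] = v.strip()
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            yield label, headers, "base64 body does not decode"
        else:
            yield label, headers, der_problem(der)

def verdict(label, headers, problem, expected):
    """Verdict for one PEM block, given the labels the directive expects."""
    if label not in expected:                     # e.g. a CSR copied in place of the key
        return f"'{label}' block is not what this directive expects"
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):   # body is ciphertext, skip DER check
        return "encrypted key: a passphrase is needed at every start"
    if problem:
        return f"{label}: {problem}"
    return "ok"

def check_pem_file(text, expected=KEY_LABELS):
    """Verdict for a whole file, e.g. the one named by SSLCertificateKeyFile."""
    blocks = list(parse_pem_blocks(text))
    if not blocks:
        return "no PEM block: empty file, DER-encoded file, or the wrong file"
    return "; ".join(verdict(*b, expected) for b in blocks)

def pem(label, der, headers=""):
    """Wrap DER bytes as a PEM block; used only to build the constructed samples."""
    return f"-----BEGIN {label}-----\n{headers}{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed samples, not real keys: a minimal well-formed DER SEQUENCE and
# the same bytes with the length overstated, as a truncated or mangled file looks.
GOOD_DER = bytes.fromhex("3003020105")            # SEQUENCE { INTEGER 5 }
BAD_DER = bytes.fromhex("3009020105")             # claims 9 content bytes, only 3 present
GOOD_KEY = pem("RSA PRIVATE KEY", GOOD_DER)
```

Run it over the file named by SSLCertificateKeyFile (and, with `expected={"CERTIFICATE"}`, the one named by SSLCertificateFile) before restarting the service; anything other than "ok" explains an "Unable to import RSA server private key" at startup.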