logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Need Help Setting up SSL - CentOS7 / Apache/2.4.6
Author
SuperGeorge



Joined: 18 May 2020
Posts: 4

PostPosted: Thu 16 Jul '20 20:45    Post subject: Need Help Setting up SSL - CentOS7 / Apache/2.4.6 Reply with quote

Okay, so I'm really hoping someone can help me, as I've been at this for weeks/months and still can't figure it out.

I originally posted the issue in a CentOS-7 forum, but I still can't make any headway:
https://forums.centos.org/viewtopic.php?f=48&t=73789

So, I have Apache/2.4.6 running on a CentOS 7 virtual machine on Azure, and it's been happily doing it's thing for several months, with multiple websites on the same IP. More recently I added a new site, with its own IP, which is also working fine. None of the sites currently use SSL.

Now I'm trying to add SSL for the newer site (and only that one site). I've purchased the certificate through GoDaddy and downloaded the cert and the key, and created two files on the server, as guided by some instructions I found (path names provided below).

However, I'm a bit stuck on how to proceed from here. Obviously the server already listens on port 80 for all current web traffic, and I somehow need to listen on port 443 for traffic for the one site I need SSL for.

I did already install mod_ssl:
Code:
$ sudo yum install mod_ssl


So I tried just adding "Listen 443" to httpd.conf, below "Listen 80", but the server then failed to start at all:
Code:
$ sudo journalctl -xe
-- Unit httpd.service has begun starting up.
Mar 21 17:14:59 dgbvm httpd[77384]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:382
Mar 21 17:14:59 dgbvm httpd[77384]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 21 17:14:59 dgbvm systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 17:14:59 dgbvm kill[77385]: kill: cannot find process ""
Mar 21 17:14:59 dgbvm systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 21 17:14:59 dgbvm systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed


Also tried just modifying the virtual host section, as below, to listen on 443 (which I didn't expect to work and I was not disappointed):
Code:
<VirtualHost 10.0.0.5:443>
ServerName blah...
ServerAlias www.blah...

DocumentRoot "/var/www/sites/blah/"
...
SSLCertificateFile      /etc/httpd/conf/ssl.crt/blah.crt
SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/blah.key
</VirtualHost>


Also added the following above the virtual host section:
Code:
SSLStrictSNIVHostCheck                  on


So, I've put the crt and key files into the relevant dirs, amended httpd.conf, checked permissions, and restarted httpd, but it still just defaults to the default domain as soon as I try to do anything with the 443 stuff.
Code:
SSLStrictSNIVHostCheck on

<VirtualHost 10.0.0.5:443>
ServerName xxx.com
ServerAlias www.xxx.com

DocumentRoot "/var/www/sites/lac/"

SSLCertificateFile      /etc/pki/tls/certs/lac.crt
SSLCertificateKeyFile   /etc/pki/tls/private/lac.key
...
...
</VirtualHost>


Code:
$ ls -l /etc/pki/tls/certs/lac.crt
-rw-------. 1 root root 891 Mar 25 15:17 /etc/pki/tls/certs/lac.crt

$ ls -l /etc/pki/tls/private/lac.key
-rw-------. 1 root root 1705 Mar 25 15:19 /etc/pki/tls/private/lac.key

$ sudo cat /etc/pki/tls/certs/lac.crt
-----BEGIN CERTIFICATE REQUEST-----
blah ....
.....
.....
.....
blah ....
-----END CERTIFICATE REQUEST-----

$ sudo cat /etc/pki/tls/private/lac.key
-----BEGIN PRIVATE KEY-----
longer...blah ...
...
...
...
...
-----END PRIVATE KEY-----


I always have SELinux on, but I did temporarily put it into permissive mode, but it made no difference, so presumably it's not an SELinux problem.

So, checking another config which was provided, I saw that I did not have the "SSLEngine on" directive in my config, so I added it. However, httpd wouldn't even start when I did that, so I took it out again.

There is additional info' from testing things out on the original CentOS forum post, but I think I've included most of the relevant bits.

The server appears to be listening on port 443, per below, so I'm sure it must be some sort of Apache config issue.
Code:
$ sudo lsof -i -P -n | grep LISTEN
rpcbind    525      rpc    8u  IPv4    16846      0t0  TCP *:111 (LISTEN)
rpcbind    525      rpc   11u  IPv6    16849      0t0  TCP *:111 (LISTEN)
sshd       862     root    3u  IPv4    20164      0t0  TCP *:22 (LISTEN)
sshd       862     root    4u  IPv6    20249      0t0  TCP *:22 (LISTEN)
mysqld     889    mysql   17u  IPv6    21462      0t0  TCP *:3306 (LISTEN)
master     986     root   13u  IPv4    21159      0t0  TCP 127.0.0.1:25 (LISTEN)
master     986     root   14u  IPv6    21160      0t0  TCP [::1]:25 (LISTEN)
httpd    44623     root    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44623     root    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44637   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44637   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44713   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44713   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44957   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44957   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    44982   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    44982   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45708   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45708   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45760   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45760   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45763   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45763   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45778   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45778   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45784   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45784   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)
httpd    45785   apache    4u  IPv6 60213351      0t0  TCP *:80 (LISTEN)
httpd    45785   apache    8u  IPv6 60213359      0t0  TCP *:443 (LISTEN)


I've never done SSL before, despite twenty odd years of messing around with Apache servers, so it's quite possible I'm doing something/missing something really basic, not knowing any different. Anyway, I am really desperate to get this working now and would deeply appreciate assistance.

Many thanks!
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 115
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Fri 17 Jul '20 12:08    Post subject: Reply with quote

Hello,

plese ensure that the certificate + key are readable by the Apache-process (if it is not readable there should be a message within Apache's error.log - this file is always a good point to start for with troubleshooting Wink)

But something else that catches my eye is the lac.crt-file. According to the content you have posted it is only the CSR (certificate signing request) instead of the signed certificate.
If should be something like
Code:
-----BEGIN CERTIFICATE-----
blah...
...
blah...
-----END CERTIFICATE-----

instead of
Code:
-----BEGIN CERTIFICATE REQUEST-----
blah ....
.....
.....
.....
blah ....
-----END CERTIFICATE REQUEST-----


Best regards
Matthias Smile
Back to top
SuperGeorge



Joined: 18 May 2020
Posts: 4

PostPosted: Fri 17 Jul '20 15:19    Post subject: Reply with quote

Yeah, I think those permissions should be okay, and the certificate does indeed look as you suggest it should. I believe what I posted was what I had in the original post on the CentOS7 forum. I should have updated it here, but alas. Anyway, currently the cert file does look like:
Code:
-----BEGIN CERTIFICATE-----
blah...
...
blah...
-----END CERTIFICATE-----
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 115
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Fri 17 Jul '20 19:37    Post subject: Reply with quote

Hello,

on a linux you can check with
Code:
sudo netstat -tulpn

which process is already listening on port 443.
Back to top
SuperGeorge



Joined: 18 May 2020
Posts: 4

PostPosted: Fri 17 Jul '20 20:02    Post subject: Reply with quote

Turns out that the 443 error was because the "Listen 443" directive is already defined in ssl.conf. (I actually removed that part of my comment, but I guess you noticed it before I did that).
Anyway:
Code:
sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      34873/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      35149/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      34700/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      34873/master
tcp6       0      0 :::443                  :::*                    LISTEN      50502/httpd
tcp6       0      0 :::3306                 :::*                    LISTEN      34627/mysqld
tcp6       0      0 :::111                  :::*                    LISTEN      35149/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      50502/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      34700/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           35017/chronyd
udp        0      0 0.0.0.0:980             0.0.0.0:*                           35149/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           35149/rpcbind
udp6       0      0 ::1:323                 :::*                                35017/chronyd
udp6       0      0 :::980                  :::*                                35149/rpcbind
udp6       0      0 :::111                  :::*                                35149/rpcbind
Back to top
SuperGeorge



Joined: 18 May 2020
Posts: 4

PostPosted: Sat 18 Jul '20 1:16    Post subject: Reply with quote

Okay, so I actually ended up getting this working. Needed to create a CSR file and get the certificate re-issued.
It's now pretty much working as I wish it to.
Thanks.
Back to top


Reply to topic   Topic: Need Help Setting up SSL - CentOS7 / Apache/2.4.6 View previous topic :: View next topic
Post new topic   Forum Index -> Apache