
Mailing List Archive: Gentoo: User

Apache SSL configuration gone AWOL...

 

 



gentoo_sjh at shic

Nov 11, 2009, 6:25 AM

Post #1 of 5 (1203 views)

After a recent update, I restarted Apache...

I host a number of trivial development servers (using named virtual
hosts) and also support access to one of them over SSL. While I can
access all my data over http, access by https has stopped working.

I wondered if an update had made apache fussy that my old self-signed
certificate didn't "match" the domains it was serving - so re-created
new certificates to no avail. No illuminating information is written to
the log files in /var/log/apache2 - but if I attempt to access the https
services (which worked with my configuration prior to re-starting
apache) I get various errors:

Firefox under Windows and Ubuntu :

Secure Connection Failed
An error occurred during a connection to <<server>>.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)

IE 7:

Navigation to the webpage was canceled

I didn't intend to change my configuration... only
/etc/conf.d/apache2 (as far as I recall) was altered - and the
APACHE2_OPTS setting is now

APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5 -D DAV -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

Any ideas?


gentoo_sjh at shic

Nov 12, 2009, 12:09 PM

Post #2 of 5 (1179 views)
Re: Apache SSL configuration gone AWOL...

Steve wrote:
> Firefox under Windows and Ubuntu :
> Secure Connection Failed
> An error occurred during a connection to <<server>>.
> Peer's certificate has an invalid signature.
> (Error code: sec_error_bad_signature)

Weirder and weirder... when I switch to lynx, it works!

Lynx remotely gives these two warnings:
> SSL error:no issuer was found-Continue? (y)
> SSL error:host(shost.shic.co.uk)!=cert(CN<localhost>)-Continue? (y)
This is odd, because the CN for the certificate is shost.shic.co.uk
(the same as the site name) not <localhost>...

On gentoo, addressing the server as https://localhost/ I only get the
first warning - which is absolutely true.

I've tried adding certificates explicitly to Firefox and to Windows -
but this doesn't make any difference. It looks very much like an Apache
problem... though I've no idea what... nothing useful arises in the
logs... no warnings or errors.... only successful page accesses from
lynx are to be found.

Am I the only one who's had this go wonky?


felix at crowfix

Nov 12, 2009, 1:10 PM

Post #3 of 5 (1176 views)
Re: Apache SSL configuration gone AWOL...

On Thu, Nov 12, 2009 at 08:09:00PM +0000, Steve wrote:
> Lynx remotely gives these two warnings:
> > SSL error:no issuer was found-Continue? (y)
> > SSL error:host(shost.shic.co.uk)!=cert(CN<localhost>)-Continue? (y)
> This is odd, because the CN for the certificate is shost.shic.co.uk
> (the same as the site name) not <localhost>...

I'd take that as a big broad hint that it is looking somewhere else
for certificates in this release and it found default certs.

--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / felix [at] crowfix
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o


michaelkintzios at gmail

Nov 12, 2009, 1:50 PM

Post #4 of 5 (1181 views)
Re: Apache SSL configuration gone AWOL...

On Thursday 12 November 2009 21:10:07 felix [at] crowfix wrote:
> On Thu, Nov 12, 2009 at 08:09:00PM +0000, Steve wrote:
> > Lynx remotely gives these two warnings:
> > > SSL error:no issuer was found-Continue? (y)
> > > SSL error:host(shost.shic.co.uk)!=cert(CN<localhost>)-Continue? (y)
> >
> > This is odd, because the CN for the certificate is shost.shic.co.uk
> > (the same as the site name) not <localhost>...
>
> I'd take that as a big broad hint that it is looking somewhere else
> for certificates in this release and it found default certs.

+1

Check in your default apache (most likely) or vhosts configuration files that
you have SSLCertificateFile and SSLCertificateKeyFile paths pointing to where
your certs and private key are stored. It may be that you were not very
careful with etc-update and it restored default settings?
--
Regards,
Mick


gentoo_sjh at shic

Nov 12, 2009, 3:10 PM

Post #5 of 5 (1177 views)
Re: Apache SSL configuration gone AWOL...

Mick wrote:
>> I'd take that as a big broad hint that it is looking somewhere else
>> for certificates in this release and it found default certs.
>>
> +1
>
> Check in your default apache (most likely) or vhosts configuration files that
> you have SSLCertificateFile and SSLCertificateKeyFile paths pointing to where
> your certs and private key are stored. It may be that you were not very
> careful with etc-update and it restored default settings?
>
Many thanks!!!

While I remain sceptical that it was etc-update that spannered my
configuration, stating the obvious to me overcame this... I've still no
idea what did cause this to go wrong - but... essentially, my config was
looking for /etc/ssl/apache2/server.crt, while the certificates I was
checking were /etc/apache2/ssl/server.crt - and similarly for the key.
I'm still a little baffled about how it appeared to work previously...
but I now see what is wrong - even if I'm puzzled about how I got here...

I guess, one might ask if default certificates are a good idea - and, if
they are - maybe we should ask why they don't "work". For my purposes,
however... solved! Thanks again.
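
The check suggested in the thread, written out as an added example (not part of the original posts): it lists every SSLCertificateFile and SSLCertificateKeyFile that the Apache configuration tree actually names and flags a certificate path that differs from the one the administrator believes is being served. The function names, the sample vhost file and the temporary directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: show which certificate and key files Apache is configured to load.

# Print "file:line directive path" for every SSLCertificateFile and
# SSLCertificateKeyFile under a config root. Directive names are
# case-insensitive in Apache; comment lines are skipped. Paths that
# contain spaces are not handled.
list_ssl_paths() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            { d = tolower($1) }
            d == "sslcertificatefile" || d == "sslcertificatekeyfile" {
                p = $2; gsub(/^"|"$/, "", p)   # strip optional quotes
                printf "%s:%d %s %s\n", file, NR, $1, p
            }' "$f"
    done
}

# $1 = config root, $2 = certificate the admin believes is being served.
# Appends [ok], [missing] and/or [unexpected] to each configured path.
audit_cert_paths() {
    list_ssl_paths "$1" | while read -r where directive path; do
        state=ok
        [ -e "$path" ] || state=missing
        kind=$(printf %s "$directive" | tr 'A-Z' 'a-z')
        if [ "$kind" = sslcertificatefile ] && [ "$path" != "$2" ]; then
            state="$state,unexpected"
        fi
        printf '%s %s %s [%s]\n' "$where" "$directive" "$path" "$state"
    done
}

# Constructed sample tree mirroring the two locations named in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/apache2/vhosts.d" "$tmp/etc/ssl/apache2" "$tmp/etc/apache2/ssl"
    : > "$tmp/etc/ssl/apache2/server.crt"   # certificate the config points at
    : > "$tmp/etc/apache2/ssl/server.crt"   # certificate the admin regenerated
    cat > "$tmp/etc/apache2/vhosts.d/ssl_vhost.conf" <<EOF
# constructed sample vhost
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile $tmp/etc/ssl/apache2/server.crt
    sslcertificatekeyfile "$tmp/etc/ssl/apache2/server.key"
</VirtualHost>
EOF
    audit_cert_paths "$tmp/etc/apache2" "$tmp/etc/apache2/ssl/server.crt"
    rm -rf "$tmp"
}
demo
```

Against a real tree the equivalent call is `audit_cert_paths /etc/apache2 /etc/apache2/ssl/server.crt`, using the two paths named in the final post.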
