
SSL setup problems causing me bad health


BoarderLine


Hi.

 

2 weeks trying to get this to work and I am at a loss.  I am hoping someone with more knowledge on the subject can point me in the right direction here.

 

MY SSL TEST ERROR: Results:SSL Connection Failed!

 

Apache 2.2.15, fedora 12, mod_ssl

 

Created CSR and Private Key pair.

 

Have had CSR signed by GoDaddy.

 

Uploaded signed cert and gd_bundle.crt onto server and placed with private key.

 

FILE PERMISSIONS & OWNERSHIP:-

 

-r--r--r--      1 root root 4604 gd_bundle.crt

-r--r--r--      1 root root 1931 site.crt

-r---------    1 root root 1704 site.key

 

SSL.conf settings:-

 

Listen 443

SSLPassPhraseDialog builtin

SSLSessionCacheTimeout 600

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256

SSLRandomSeed connect builtin

SSLCryptoDevice builtin

 

<VirtualHost *:443>

#General setup for the virtual host inherited from global config

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /etc/httpd/ssl/site.crt

SSLCertificateKeyFile /etc/httpd/ssl/site.key

SSLCertificateChainFile /etc/httpd/ssl/gd_bundle.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

  SSLOptions +StdEnvVars

</Files>

<Directory "/var/www/cgi-bin">

  SSLOptions +StdEnvVars

</Directory>

SetEnvIf User-Agent ".MSIE.*" \

  nokeepalive ssl-unclean-shutdown \

  downgrade-1.0 force-response-1.0

</VirtualHost>

 

LISTED IN  netstat -vatn RESULT

 

tcp 0 0 0.0.0.0:443 0.0.0.0:*  LISTEN

 

SET LOG SETTING TO DEBUG AND RECEIVE FOLLOWING OUTPUT IN SSL_LOG:-

 

28 10:54:13 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [

28 10:54:13 2011] [debug] ssl_engine_init.c(695): Configuring server certificate chai

28 10:54:13 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling

28 10:54:13 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate

28 10:54:13 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key

28 10:54:13 2011] [info] Loading certificate & private key of SSL-aware server

28 10:54:13 2011] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pa

28 10:54:13 2011] [info] Configuring server for SSL protocol

28 10:54:13 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols

28 10:54:13 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [

28 10:54:13 2011] [debug] ssl_engine_init.c(695): Configuring server certificate chai

28 10:54:13 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling

28 10:54:13 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate

28 10:54:13 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key

 

HERE IS WHAT'S IN THE APACHE LOG:-

 

[Thu Apr 28 10:54:12 2011] [notice] caught SIGTERM, shutting down

[Thu Apr 28 10:54:12 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

[Thu Apr 28 10:54:13 2011] [notice] Digest: generating secret for digest authentication ...

[Thu Apr 28 10:54:13 2011] [notice] Digest: done

[Thu Apr 28 10:54:13 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0a-fips configured -- resuming normal operations

 

Any assistance with this is really appreciated as I'm sick of it and GoDaddy support/documentation is poor.

 

Thanks.
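As an added example that is not part of this thread, here are the pre-flight checks a practitioner would run on the cert, key and chain files listed above before restarting httpd: does the private key really belong to the certificate, does the certificate chain up to the bundle, and is the key file owner-only readable. It assumes the openssl command-line tool is installed and takes the three file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an Apache
# SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile trio.
# Assumes the openssl CLI is installed; file paths are passed as arguments.
set -u

# 0 if the private key really belongs to the certificate (same RSA modulus).
# Catches a .key file that holds something other than the key for this cert.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# 0 if the server cert chains up to the CA bundle (gd_bundle.crt in the post).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the key file is readable by its owner only, as site.key above is.
# Tries GNU stat first, then BSD/macOS stat.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Run all three checks: cert, key, bundle. Prints one line per check and
# returns 0 only if every check passed.
preflight() {
    rc=0
    key_matches_cert "$1" "$2" && echo "ok:   key matches cert" || { echo "FAIL: key/cert mismatch"; rc=1; }
    chain_verifies "$1" "$3" && echo "ok:   chain verifies" || { echo "FAIL: chain does not verify"; rc=1; }
    key_is_private "$2" && echo "ok:   key mode is private" || { echo "FAIL: key is group/world readable"; rc=1; }
    return $rc
}

# Demo on a constructed throwaway self-signed pair. A self-signed cert
# verifies against itself, so it doubles as its own "bundle" here.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -days 1 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.crt" >/dev/null 2>&1
    chmod 400 "$d/site.key"
    preflight "$d/site.crt" "$d/site.key" "$d/site.crt"
}
```

Point preflight at the three paths from ssl.conf before running service httpd restart; a mismatch or an unverifiable chain is reported before Apache ever tries to load them.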



Additional information:-

 

nmap -sS localhost

 

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-28 13:25

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000011s latency).

rDNS record for 127.0.0.1: localhost.localdomain

Not shown: 992 closed ports

PORT    STATE SERVICE

21/tcp  open  ftp

25/tcp  open  smtp

53/tcp  open  domain

80/tcp  open  http

110/tcp  open  pop3

143/tcp  open  imap

443/tcp  open  https

3306/tcp open  mysql

 

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

 

But it seems the SSL module may not be present in apache:-

 

# httpd -l

Compiled in modules:

  core.c

  prefork.c

  http_core.c

  mod_so.c

 

 

looking into it...

 

 


Sorry SSL error log in original post should read:

 

[Thu Apr 28 14:19:58 2011] [info] Loading certificate & private key of SSL-aware server

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required

[Thu Apr 28 14:19:58 2011] [info] Configuring server for SSL protocol

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv3, TLSv1)

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_init.c(695): Configuring server certificate chain (3 CA certificates)

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate

[Thu Apr 28 14:19:58 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key

[Thu Apr 28 14:25:27 2011] [info] Loading certificate & private key of SSL-aware server

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required

[Thu Apr 28 14:25:27 2011] [info] Configuring server for SSL protocol

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv3, TLSv1)

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(695): Configuring server certificate chain (3 CA certificates)

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key

[Thu Apr 28 14:25:27 2011] [info] Loading certificate & private key of SSL-aware server

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required

[Thu Apr 28 14:25:27 2011] [info] Configuring server for SSL protocol

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv3, TLSv1)

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(695): Configuring server certificate chain (3 CA certificates)

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate

[Thu Apr 28 14:25:27 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key


To start the ssl_module I added LoadModule ssl_module modules/mod_ssl.so and restarted apache, however this returns '[warn] module ssl_module is already loaded, skipping' on startup.

 

So the module is loaded!

 

Back to SSL.conf.......

 

I will look into named virtual host being the problem here........

 

This is kinda good it's like a troubleshooting log to myself :-)


In my .conf I did have a NameVirtualHost *:443, which I commented out and restarted apache, but still no love.

 

A good debug command I found in the mod_ssl documentation:

 

[]#openssl s_client -connect localhost:443 -state -debug

 

However the output was huge.

 

Some meaningful things I could see here were:-

 

No client certificate CA names sent

SSL handshake has read 5548 bytes and written 311 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: zlib compression

Expansion: zlib compression

--bla --bla lists SESSION-ID and Master-Key OK and then --

SSL3 alert read:warning:close notify

closed

 

 


After the openssl debug command above ssl_error_log.conf reads:

 

[Thu Apr 28 16:51:45 2011] [debug] ssl_engine_kernel.c(1870): OpenSSL: Handshake: done

[Thu Apr 28 16:51:45 2011] [info] Connection: Client IP: 127.0.0.1, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

[Thu Apr 28 16:53:45 2011] [debug] ssl_engine_io.c(1893): OpenSSL: I/O error, 5 bytes expected to read on BIO#7fdaa8f92250 [mem: 7fdaa8faa0c3]

[Thu Apr 28 16:53:45 2011] [info] [client 127.0.0.1] (70007)The timeout specified has expired: SSL input filter read failed.

[Thu Apr 28 16:53:45 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully

 

Looks like an OpenSSL I/O error is occurring, then it times out!


Argghh.  Handshake works, so this would suggest SSL cert, key and chain are communicating and set up correctly, yes?  I still receive Results:SSL Connection Failed! from GoDaddy's install tool, and when I try to connect to https://atmydomain I get a 'This webpage is not available' message with Error 118 (net::ERR_CONNECTION_TIMED_OUT): The operation timed out.  However, there seem to be no major errors in the logs???

 

If someone has any ideas/comments/even abuse, please please suggest.


I take it there is no firewall involved?

 

I see you've done an nmap. Can you do a telnet yourdomain 443 from a remote computer and see if port 443 is open?

 

If I were you, I'd go back to setting up a self-signed SSL cert and get that working first.

Although it's not for fedora, take a look at:

http://wiki.kartbuilding.net/index.php/Apache_2_%26_SSL_-_PHP4_-_MySQL_4.1

 

excerpt of what you need to try:

mkdir /etc/apache2/ssl

cd /etc/apache2/ssl

openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem

cat hostkey.pem >> hostcert.pem

mv hostcert.pem apache.pem

 

<VirtualHost *:443>

# insert code as normal; same as above

SSLEngine On

SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>

 

-steve


Thanks Steve,

 

[]#telnet mydomain 443

Trying ###.#.###.###...

telnet: connect to address ###.#.###.###: Connection refused

 

I created a self-signed certificate and changed the details in ssl.conf.

 

[]#service httpd restart

  Stopping httpd: [ OK ]

  Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)

  Some of your private key files are encrypted for security reasons.

  In order to read them you have to provide the pass phrase.

 

  Server mydomain:443 (RSA)

  Enter pass phrase:

 

  OK: Pass Phrase Dialog successful.  [ OK ]

 

[]#telnet mydomain 443

Trying ###.#.###.###...

telnet: connect to address ###.#.###.###: Connection refused

 

 


  • 2 months later...

I'll take the $50 ;)

Apache has a problem with SSL and keepalives in M$... I've just successfully fixed the problem for me, maybe it works for you too. (change the useragent as needed)

 

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully nokeepalive

 

One additional question: Why do people choose boards where you cannot anonymously post a solution? Often I'll find solutions for problems that don't only happen to me. I would answer them and share my knowledge... But do I have to register at each and every forum for that!? I don't think so... Please consider using mailing lists; there, people like me can answer without registering or adding themselves to anything.... I've had a good day today and have searched long for a solution. It makes me happy to share knowledge, but I HATE TO REGISTER!

 

Have a nice day, and I hope the solution will work for you too!


  • 9 months later...

Every year I have to renew my GoDaddy SSL on my Fedora virtual host, and every year I forget how to do it (and Go Daddy's docs don't help much), so I wrote this little tutorial...

 

From GoDaddy's 'Manage Certificates' interface, download:

 

yourdomain.com.crt

gd_bundle.crt

 

…and drop them into /etc/pki/tls/certs

 

Go Daddy's docs advise you to now restart Apache (once you've configured ssl.conf) and if you do, Apache will fail because...

 

you need to MANUALLY upload www.yourdomain.com.key to /etc/pki/tls/private

 

What's confusing is that there's no way to obtain www.yourdomain.com.key from the 'Manage Certificates' interface

 

You need to log into Simple Control Panel and click the SSL Certificates icon then click the edit icon on your latest certificate files.

 

From there, you need to copy and paste the contents of ‘intermediate certificate chain’ and paste into a file called www.yourdomain.com.key which can then be uploaded to /etc/pki/tls/private

 

Restarting Apache will now work (not FAIL)
