[opensuse] Accessing apaches server with SSL on port 443
Listmates,
I am having fits accessing my server with SSL. I have built all certificates
and installed them and things seem to be working:
[22:36 nirvana~/CA/newset] # httpd2 -S -DSSL
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 www.3111skyline.com
(/etc/apache2/vhosts.d/vhost-ssl.conf:37)
Syntax OK
However, when I try and access the server, I get:
Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.
Apache/2.2.4 (Linux/SUSE) Server at www.3111skyline.com Port 443
The apache logs are not that helpful with the problem:
error_log says:
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to
/srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see
SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to
/srv/www/htdocs/ failed, reason: SSL requirement expression not fulfilled (see
SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to
/usr/share/apache2/error/HTTP_FORBIDDEN.html.var failed, reason: SSL
requirement expression not fulfilled (see SSL logfile for more details)
ssl_request_log adds only a little:
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET
/testdir/ HTTP/1.1" 300 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux)
KHTML/3.5.9 (like Gecko) SUSE"
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET /
HTTP/1.1" - "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.9
(like Gecko) SUSE"
The certificates are seen and accepted both by konqueror and firefox. They
give the options to use them "forever". The vhost config is:
[23:04 nirvana/etc/apache2/vhosts.d] # grep -v '#' vhost-ssl.conf | grep -v ^$
<IfDefine SSL>
David C. Rankin wrote:
The apache logs are not that helpful with the problem:
error_log says:
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
I don't know that particular error, but it seems to be related to this:
<Location />
SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
</Location>
What is the purpose of this exactly?
/Per Jessen, Zürich
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Per Jessen wrote:
David C. Rankin wrote:
The apache logs are not that helpful with the problem:
error_log says:
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
I don't know that particular error, but it seems to be related to this:
<Location />
SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
</Location>
What is the purpose of this exactly?
/Per Jessen, Zürich
Per,
You're a genius! That was it. In following a tutorial, they had uncommented the above to demonstrate per directory access based on lookup directives in the AuthUserFile. The tutorial worked, but when I created my own certificates, I forgot to comment it back out. Thanks, it works fine now.
--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
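
Added example, not part of the original thread: a small audit helper that finds uncommented SSLRequire directives in an Apache config, joining backslash continuation lines (which a line-based `grep -v '#'` does not) and reporting the enclosing section, any client-certificate variables used, and whether the shipped "Snake Oil" sample values are still present. The function name `find_active_sslrequire` and the surrounding vhost in `SAMPLE_CONF` are constructed for illustration; only the SSLRequire block itself comes from the thread.

```python
import re

# Constructed sample: the SSLRequire block quoted in the thread inside a
# minimal vhost, plus a commented-out directive that must be ignored.
SAMPLE_CONF = r'''<IfDefine SSL>
<VirtualHost _default_:443>
#SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)/
<Location />
SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
</Location>
</VirtualHost>
</IfDefine>
'''

def find_active_sslrequire(conf_text):
    """Return one dict per uncommented SSLRequire directive, with its scope."""
    findings, stack, pending, start = [], [], "", 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line.startswith("#"):
                continue                    # blank line or comment
            start = lineno                  # first line of a directive
        if line.endswith("\\"):             # backslash continuation
            pending += line[:-1] + " "
            continue
        # Join continuation lines; whitespace is collapsed for display only.
        line, pending = " ".join((pending + line).split()), ""
        if line.startswith("</"):
            stack = stack[:-1]              # leave the enclosing section
        elif line.startswith("<"):
            stack.append(line)              # enter <Location>, <Directory>, ...
        elif line.lower().startswith("sslrequire "):
            expr = line.split(None, 1)[1]
            findings.append({
                "line": start, "scope": stack[-1] if stack else "(server)",
                "expression": expr,
                "client_cert_vars": sorted(set(re.findall(r"SSL_CLIENT_\w+", expr))),
                "sample_values": "Snake Oil" in expr,   # shipped example left on
            })
    return findings

if __name__ == "__main__":
    print(*find_active_sslrequire(SAMPLE_CONF), sep="\n")
```

A finding that lists `SSL_CLIENT_*` variables means the expression tests fields of a client certificate, so it is worth checking against the vhost's client-certificate settings when the error_log shows "SSL requirement expression not fulfilled".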