Listmates,
I am having fits accessing my server with SSL. I have built all certificates
and installed them and things seem to be working:
[22:36 nirvana~/CA/newset] # httpd2 -S -DSSL
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 www.3111skyline.com
(/etc/apache2/vhosts.d/vhost-ssl.conf:37)
Syntax OK
However, when I try and access the server, I get:
Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.
Apache/2.2.4 (Linux/SUSE) Server at www.3111skyline.com Port 443
The apache logs are not that helpful with the problem:
error_log says:
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to
/srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see
SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to
/srv/www/htdocs/ failed, reason: SSL requirement expression not fulfilled (see
SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to
/usr/share/apache2/error/HTTP_FORBIDDEN.html.var failed, reason: SSL
requirement expression not fulfilled (see SSL logfile for more details)
ssl_request_log adds only a little:
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET
/testdir/ HTTP/1.1" 300 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux)
KHTML/3.5.9 (like Gecko) SUSE"
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET /
HTTP/1.1" - "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.9
(like Gecko) SUSE"
The certificates are seen and accepted both by konqueror and firefox. They
give the options to use them "forever". The vhost config is:
[23:04 nirvana/etc/apache2/vhosts.d] # grep -v '#' vhost-ssl.conf | grep -v ^$
<IfDefine SSL>
<VirtualHost _default_:443>
DocumentRoot "/srv/www/htdocs"
ServerName www.3111skyline.com:443
ServerAdmin dell@3111skyline.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLCertificateChainFile /etc/apache2/ssl.crt/server.crt
SSLCACertificatePath /etc/apache2/ssl.crt
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
<Location />
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
</Location>
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
</Files>
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine>
With the certificates generated by:
#!/bin/bash
# Create the working directory for the new key set and enter it
mkdir newset
cd newset/
# 1024-bit RSA key, initially protected with a DES3 passphrase
openssl genrsa -des3 -out server.key 1024
# Certificate signing request for that key (prompts for the subject DN)
openssl req -new -key server.key -out server.csr
# Keep the passphrase-protected copy, then strip the passphrase so httpd can start unattended
cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key
# Self-sign the request for ten years
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
# Install into the SUSE apache2 certificate directories
cp server.crt /etc/apache2/ssl.crt
cp server.key /etc/apache2/ssl.key
cp server.csr /etc/apache2/ssl.csr
The http.conf.local directory directive looks like:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.3111skyline.com"
ErrorDocument 403 https://www.3111skyline.com
<snip>
But still I must be missing a piece of the puzzle. If anybody has SSL working
with Apache and wouldn't mind sharing the secret or a good howto, I would much
appreciate it.
--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
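The error_log entries above say only that the SSL requirement expression was not fulfilled. As an added illustration that is not part of the original post, the following Python re-implements the SSLRequire expression from the vhost's `<Location />` block and evaluates it against the request the logs record, so each failing term can be read off; the variable values are reconstructed from the log lines, and the empty client-DN fields are an assumption that follows from the vhost setting no SSLVerifyClient directive (mod_ssl then never asks for a client certificate).

```python
import re

# Variables mod_ssl exposes to SSLRequire. Values are CONSTRUCTED from the
# request shown in the post's error_log / ssl_request_log lines.
# Assumption: with no SSLVerifyClient directive no client certificate is
# requested, so the SSL_CLIENT_S_DN_* variables are empty strings.
LOGGED_REQUEST = {
    "SSL_CIPHER": "DHE-RSA-AES256-SHA",
    "SSL_CLIENT_S_DN_O": "",
    "SSL_CLIENT_S_DN_OU": "",
    "TIME_WDAY": 2,           # Tue May 06 2008 (Apache: 0 = Sunday)
    "TIME_HOUR": 22,          # 22:36
    "REMOTE_ADDR": "192.168.6.101",
}

# A constructed request that the expression would accept: a staff client
# certificate from the expected organisation, presented during office hours.
STAFF_BUSINESS_HOURS = dict(LOGGED_REQUEST, SSL_CLIENT_S_DN_O="Snake Oil, Ltd.",
                            SSL_CLIENT_S_DN_OU="Staff", TIME_HOUR=10)


def evaluate_ssl_require(env):
    """Evaluate the post's SSLRequire expression over an environment dict.

    Returns (fulfilled, failed_terms). 'fulfilled' mirrors mod_ssl's verdict;
    'failed_terms' is empty when access is granted and otherwise names every
    false term, which is what the one-line error_log message does not say.
    """
    failed = []
    if re.match(r"^(EXP|NULL)", env["SSL_CIPHER"]):
        failed.append("cipher is export/NULL grade")
    if env["SSL_CLIENT_S_DN_O"] != "Snake Oil, Ltd.":
        failed.append("client cert O != 'Snake Oil, Ltd.' (got %r)" % env["SSL_CLIENT_S_DN_O"])
    if env["SSL_CLIENT_S_DN_OU"] not in ("Staff", "CA", "Dev"):
        failed.append("client cert OU not in {Staff, CA, Dev} (got %r)" % env["SSL_CLIENT_S_DN_OU"])
    if not 1 <= env["TIME_WDAY"] <= 5:
        failed.append("weekday %d outside Mon-Fri" % env["TIME_WDAY"])
    if not 8 <= env["TIME_HOUR"] <= 20:
        failed.append("hour %d outside 08-20" % env["TIME_HOUR"])
    and_branch = not failed
    # The alternative branch: requests from 192.76.162.0/24 bypass the checks.
    or_branch = re.match(r"^192\.76\.162\.[0-9]+$", env["REMOTE_ADDR"]) is not None
    if not or_branch:
        failed.append("REMOTE_ADDR %s not in 192.76.162.0/24" % env["REMOTE_ADDR"])
    fulfilled = and_branch or or_branch
    return fulfilled, ([] if fulfilled else failed)


if __name__ == "__main__":
    for name, env in (("logged request", LOGGED_REQUEST), ("staff cert, 10:00", STAFF_BUSINESS_HOURS)):
        ok, why = evaluate_ssl_require(env)
        print(name, "->", "granted" if ok else "403: " + "; ".join(why))
```

With SSLOptions +StrictRequire in effect, a false expression yields the 403 seen in the post even though the TLS handshake itself succeeded.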