[opensuse] Accessing apaches server with SSL on port 443

7 May 2008

      Listmates,

	I am having fits accessing my server with SSL. I have built all certificates 
and installed them and things seems to be working:

[22:36 nirvana~/CA/newset] # httpd2 -S -DSSL
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          www.3111skyline.com 
(/etc/apache2/vhosts.d/vhost-ssl.conf:37)
Syntax OK

	However, when I try and access the server, I get:

Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an 
ErrorDocument to handle the request.
Apache/2.2.4 (Linux/SUSE) Server at www.3111skyline.com Port 443

	The apache logs are not that helpful with the problem:

error_log says:

[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to 
/srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see 
SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to 
/srv/www/htdocs/ failed, reason: SSL requirement expression not fulfilled (see 
SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to 
/usr/share/apache2/error/HTTP_FORBIDDEN.html.var failed, reason: SSL 
requirement expression not fulfilled (see SSL logfile for more details)

ssl_reques_log adds only a little:

[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET 
/testdir/ HTTP/1.1" 300 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) 
KHTML/3.5.9 (like Gecko) SUSE"
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET / 
HTTP/1.1" - "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.9 
(like Gecko) SUSE"

	The certificates are seen and accepted both by konqueror and firefox. They 
give the options to use them "forever". The vhost config is:

[23:04 nirvana/etc/apache2/vhosts.d] # grep -v '#' vhost-ssl.conf | grep -v ^$
<IfDefine SSL>

<VirtualHost _default_:443>
         DocumentRoot "/srv/www/htdocs"
         ServerName www.3111skyline.com:443
         ServerAdmin dell@3111skyline.com
         ErrorLog /var/log/apache2/error_log
         TransferLog /var/log/apache2/access_log
         SSLEngine on
         SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
         SSLCertificateFile /etc/apache2/ssl.crt/server.crt
         SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
         SSLCertificateChainFile /etc/apache2/ssl.crt/server.crt
         SSLCACertificatePath /etc/apache2/ssl.crt
         SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
         <Location />
         SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                     and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
                     and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
                     and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
                     and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
                    or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
         </Location>
         SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

             SSLOptions +StdEnvVars
         </Files>

             SSLOptions +StdEnvVars
         </Directory>
         SetEnvIf User-Agent ".*MSIE.*" \
                  nokeepalive ssl-unclean-shutdown \
                  downgrade-1.0 force-response-1.0
         CustomLog /var/log/apache2/ssl_request_log   ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>

	With the certificates generated by:

#!/bin/bash
md newkeyset
cd newset/
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
cp server.crt /etc/apache2/ssl.crt
cp server.key /etc/apache2/ssl.key
cp server.csr /etc/apache2/ssl.csr

	The http.conf.local directory directive looks like:

	SSLOptions +StrictRequire
	SSLRequireSSL
	SSLRequire %{HTTP_HOST} eq "www.3111skyline.com"
	ErrorDocument 403 https://www.3111skyline.com
<snip>

	But still I must be missing a piece of the puzzle. Anybody have ssl working 
with apache that wouldn't mind sharing the secret or a good howto, I would much 
appreciate it.

-- 
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org