[opensuse] Accessing apache server with SSL on port 443
Listmates, I am having fits accessing my server with SSL. I have built all certificates and installed them and things seem to be working:

[22:36 nirvana~/CA/newset] # httpd2 -S -DSSL
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          www.3111skyline.com (/etc/apache2/vhosts.d/vhost-ssl.conf:37)
Syntax OK

However, when I try and access the server, I get:

Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.4 (Linux/SUSE) Server at www.3111skyline.com Port 443

The apache logs are not that helpful with the problem:

error_log says:
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /srv/www/htdocs/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
[Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /usr/share/apache2/error/HTTP_FORBIDDEN.html.var failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

ssl_request_log adds only a little:
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET /testdir/ HTTP/1.1" 300 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.9 (like Gecko) SUSE"
[06/May/2008:22:36:50 -0500] 192.168.6.101 TLSv1 DHE-RSA-AES256-SHA "GET / HTTP/1.1" - "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.9 (like Gecko) SUSE"

The certificates are seen and accepted both by konqueror and firefox. They give the options to use them "forever".
The vhost config is:

[23:04 nirvana/etc/apache2/vhosts.d] # grep -v '#' vhost-ssl.conf | grep -v ^$
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName www.3111skyline.com:443
    ServerAdmin dell@3111skyline.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/server.crt
    SSLCACertificatePath /etc/apache2/ssl.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    <Location />
        SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                    and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
                    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
                    and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
                    and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
                   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    </Location>
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>

With the certificates generated by:

#!/bin/bash
# Build a self-signed server certificate and install it for apache2.
mkdir -p newset     # original read "md newkeyset"; "md" is an openSUSE alias for mkdir and the name did not match the cd below
cd newset/ || exit 1
openssl genrsa -des3 -out server.key 1024      # passphrase-protected RSA key (1024 bits as in the original; 2048 or more is today's minimum)
openssl req -new -key server.key -out server.csr     # certificate signing request
cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key     # strip the passphrase so apache2 can start unattended
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt     # self-sign for ten years
cp server.crt /etc/apache2/ssl.crt
cp server.key /etc/apache2/ssl.key
cp server.csr /etc/apache2/ssl.csr

The http.conf.local directory directive looks like:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.3111skyline.com"
ErrorDocument 403 https://www.3111skyline.com
<snip>

But still I must be missing a piece of the puzzle. Anybody who has ssl working with apache and wouldn't mind sharing the secret or a good howto, I would much appreciate it.

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
David C. Rankin wrote:
> The apache logs are not that helpful with the problem:
> error_log says:
> [Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

I don't know that particular error, but it seems to be related to this:

> <Location />
>     SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>                 and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
>                 and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>                 and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
>                 and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
>                or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> </Location>
What is the purpose of this exactly?

/Per Jessen, Zürich
Per Jessen wrote:
> David C. Rankin wrote:
>> The apache logs are not that helpful with the problem:
>> error_log says:
>> [Tue May 06 22:36:50 2008] [error] [client 192.168.6.101] access to /srv/www/testdir/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
>
> I don't know that particular error, but it seems to be related to this:
>
>> <Location />
>>     SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>>                 and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
>>                 and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>>                 and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
>>                 and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
>>                or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>> </Location>
>
> What is the purpose of this exactly?
>
> /Per Jessen, Zürich
Per,

You're a genius! That was it. In following a tutorial, they had uncommented the above to demonstrate per directory access based on lookup directives in the AuthUserFile. The tutorial worked, but when I created my own certificates, I forgot to comment it back out.

Thanks, it works fine now.

--
David C. Rankin, J.D., P.E.
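An added example, not code from the thread: a Python re-implementation of the logic of the <Location /> SSLRequire expression quoted above, so you can see which sub-condition denies a given request. It uses mod_ssl's SSL_* and TIME_* variable names, treats a variable mod_ssl would leave unset (no client certificate presented) as "", assumes TIME_WDAY counts 0 = Sunday, and the sample environments are constructed from the thread's log lines.

```python
import re

# Added example: mirrors the SSLRequire expression from the vhost config in Python.
# It is not mod_ssl's expression parser; it only reproduces that expression's logic.
# Assumptions: unset SSL_* variables are "", TIME_WDAY is 0-6 with 0 = Sunday,
# TIME_HOUR is 0-23.


def condition_results(env):
    """Evaluate each sub-condition of the SSLRequire; return {condition name: bool}."""
    wday = int(env.get("TIME_WDAY", 0))
    hour = int(env.get("TIME_HOUR", 0))
    return {
        "cipher is not EXP/NULL": re.match(r"^(EXP|NULL)", env.get("SSL_CIPHER", "")) is None,
        "client cert O is Snake Oil, Ltd.": env.get("SSL_CLIENT_S_DN_O", "") == "Snake Oil, Ltd.",
        "client cert OU in Staff/CA/Dev": env.get("SSL_CLIENT_S_DN_OU", "") in {"Staff", "CA", "Dev"},
        "weekday 1-5": 1 <= wday <= 5,
        "hour 8-20": 8 <= hour <= 20,
        "remote addr matches 192.76.162.*": re.match(r"^192\.76\.162\.[0-9]+$", env.get("REMOTE_ADDR", "")) is not None,
    }


def ssl_require_allows(env):
    """True when (all certificate and time conditions) OR the address match holds."""
    r = condition_results(env)
    cert_branch = all(ok for name, ok in r.items() if not name.startswith("remote addr"))
    return cert_branch or r["remote addr matches 192.76.162.*"]


def failed_conditions(env):
    """Names of the false sub-conditions: why mod_ssl logs 'SSL requirement expression not fulfilled'."""
    return [name for name, ok in condition_results(env).items() if not ok]


# Constructed from the thread's logs: Tuesday 22:36, client 192.168.6.101,
# cipher DHE-RSA-AES256-SHA, no client certificate presented.
REQUEST_FROM_THREAD = {"SSL_CIPHER": "DHE-RSA-AES256-SHA", "REMOTE_ADDR": "192.168.6.101",
                       "TIME_WDAY": "2", "TIME_HOUR": "22"}

# Constructed: a Snake Oil staff certificate during office hours, which the expression admits.
STAFF_ON_WEEKDAY = {"SSL_CIPHER": "DHE-RSA-AES256-SHA", "SSL_CLIENT_S_DN_O": "Snake Oil, Ltd.",
                    "SSL_CLIENT_S_DN_OU": "Staff", "REMOTE_ADDR": "192.168.6.101",
                    "TIME_WDAY": "2", "TIME_HOUR": "10"}

if __name__ == "__main__":
    for label, env in (("request from thread", REQUEST_FROM_THREAD), ("staff on weekday", STAFF_ON_WEEKDAY)):
        verdict = "allowed" if ssl_require_allows(env) else "403 Forbidden"
        print(f"{label}: {verdict}; failed: {failed_conditions(env)}")
```

Because the block is <Location />, the same expression also covers the ErrorDocument page, which is why the thread's error_log shows /usr/share/apache2/error/HTTP_FORBIDDEN.html.var being denied as well.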