Re: [opensuse] Apache 2.4.6 on OpenSuse 13.1: ssl_error_rx_record_too_long and ERR_SSL_PROTOCOL_ERROR
On Wed, Jul 30, 2014 at 11:29 AM, Florian Gleixner <flo@redflo.de> wrote:
On 07/30/2014 03:47 PM, Ted Byers wrote:
140137415726736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
I think you are talking HTTP and not HTTPS on port 443. Try to browse to http://gremlin.site:443 to verify this.
Check if you have configured apache to load SSL modules. Edit /etc/sysconfig/apache2 and check if you have set:
APACHE_MODULES=".... ssl ...." APACHE_SERVER_FLAGS="SSL"
If this helps please post the solution to the list too :-)
Sorry. I sent my previous reply to the list once I noticed I had sent it only to you. Anyway, although ssl was in the list of modules, it wasn't in the apache_server_flags. I corrected that and now the server won't start:

ted@gremlin:~/SSLwork> sudo systemctl status apache2.service -l
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled)
   Active: failed (Result: exit-code) since Wed 2014-07-30 11:50:07 EDT; 1min 50s ago
  Process: 12088 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=0/SUCCESS)
  Process: 12069 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE)
 Main PID: 12069 (code=exited, status=1/FAILURE)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"

Jul 30 11:50:06 gremlin start_apache2[12069]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Jul 30 11:50:06 gremlin start_apache2[12069]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
Jul 30 11:50:06 gremlin start_apache2[12069]: no listening sockets available, shutting down
Jul 30 11:50:06 gremlin start_apache2[12069]: AH00015: Unable to open logs
Jul 30 11:50:06 gremlin systemd[1]: apache2.service: main process exited, code=exited, status=1/FAILURE
Jul 30 11:50:07 gremlin start_apache2[12088]: httpd (no pid file) not running
Jul 30 11:50:07 gremlin systemd[1]: Failed to start The Apache Webserver.
Jul 30 11:50:07 gremlin systemd[1]: Unit apache2.service entered failed state.
ted@gremlin:~/SSLwork>

I see something about the logs being inaccessible and also something about port 443 being unavailable. I have to check, but suspect that the log question may be due to a typo, but the question of the port is more concerning as there ought not be anything using 443 when apache is not running. How do I find out why apache can't bind to port 443?
Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 07/30/2014 06:02 PM, Ted Byers wrote:
How do I find out why apache can't bind to port 443?
E.g. "lsof -i 4tcp:443" will give you which program is listening and therefore blocking the port. (Add "-Pn" if you don't like host- and port name resolution.) Most probably httpd2? ;-) Have a nice day, Berny
Thanks Bernhard On Wed, Jul 30, 2014 at 12:43 PM, Bernhard Voelker <mail@bernhard-voelker.de> wrote:
On 07/30/2014 06:02 PM, Ted Byers wrote:
How do I find out why apache can't bind to port 443?
E.g. "lsof -i 4tcp:443" will give you which program is listening and therefore blocking the port. (Add "-Pn" if you don't like host- and port name resolution.) Most probably httpd2? ;-)
But, when I run lsof -i 4tcp:443, I get no output at all. I would suppose that means nothing is running that is listening on 443. But, what should I change in that command to let me see what output it would produce normally? What is httpd2? Is it different than apache2? If not, it could not be running because apache2 will not start now, and if so, where did it come from and why is it there, since, for web servers, I only asked for Apache2? If I were to want another web server, it would be nginx, so I could experiment to compare the two under different loads. Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
On 07/30/2014 07:15 PM, Ted Byers wrote:
But, when I run lsof -i 4tcp:443, I get no output at all.
You should try lsof -i tcp:443 -s TCP:LISTEN as root or netstat -tulpen |grep 443 and don't be confused if its output only contains an IPv6 listening socket. As man ipv6 says: "IPv4 connections can be handled with the v6 API by using the v4-mapped-on-v6 address type; thus a program only needs to support this API type to support both protocols. This is handled transparently by the address handling functions in the C library. IPv4 and IPv6 share the local port space. When you get an IPv4 connection or packet to a IPv6 socket, its source address will be mapped to v6 and it will be mapped to v6." Also search for multiple "Listen" lines in your Apache conf. If nothing helps, reboot.
On Wed, Jul 30, 2014 at 1:35 PM, Florian Gleixner <flo@redflo.de> wrote:
On 07/30/2014 07:15 PM, Ted Byers wrote:
But, when I run lsof -i 4tcp:443, I get no output at all.
You should try
lsof -i tcp:443 -s TCP:LISTEN
as root or
netstat -tulpen |grep 443
and don't be confused if its output only contains an IPv6 listening socket. As
man ipv6
says:
"IPv4 connections can be handled with the v6 API by using the v4-mapped-on-v6 address type; thus a program only needs to support this API type to support both protocols. This is handled transparently by the address handling functions in the C library.
IPv4 and IPv6 share the local port space. When you get an IPv4 connection or packet to a IPv6 socket, its source address will be mapped to v6 and it will be mapped to v6."
Also search for multiple "Listen" lines in your Apache conf.
It turns out that this was the key to my last problem. When Googling for answers, I found examples in which there was a listen directive for each IP address on which the server could receive a request. I had posted the contents of my listen.conf file earlier, so you can see what I had done, following that advice. I commented out all the IP specific listen statements and kept a single statement for https, enabled only when the server is told to use SSL, and that solved the problem. Obviously the advice I found using Google was either wrong or at least outdated. Two last questions. When I submit the following: openssl s_client -connect gremlin.site:443 -showcerts I get not only the server certificate that I created from my own CA, but also the certificate that I had installed, but which was bought from GoDaddy, for one of our development servers. The latter is not mentioned in my vhosts-ssl.conf, so why is it even sent? I thought apache would send only the certificate attached to the domain in the URL in the request made to the server. Also, this command gives a return value of 19, complaining that there is a self signed certificate in the certificate chain. Now, I do not know how to make such a chain to begin with, but it is almost certain that it is referring to my CA certificate (is it possible to verify this one way or another?). Now, I thought ALL CA certificates are self signed. So, what do I do to have my CA treated in the same way that all other CA certificates are treated? (I posted the steps whereby I created my CA and then the certificates for gremlin.site). Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
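The "Address already in use" failure above came from overlapping Listen directives: a wildcard Listen (443, 0.0.0.0:443 or [::]:443, which on Linux share one port space as the man ipv6 quote explains) already owns the port, so a further per-IP Listen on the same port cannot bind. The following is an added example, not code posted in this thread or shipped with Apache: a small Go checker that parses Listen lines out of a config fragment and reports exact repeats and wildcard-plus-specific-address overlaps on the same port. The sample config is constructed to resemble the per-IP layout described in the thread; the rule that all wildcard spellings collide is an assumption that matches the Linux default of IPv4-mapped IPv6 sockets.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// ListenSpec is one parsed Apache "Listen" directive.
type ListenSpec struct {
	Addr string // "" means wildcard (all addresses, v4 and v6)
	Port string
	Line int
}

// sampleConfig is a constructed listen.conf modelled on the thread's
// description: one Listen per IP address next to the plain port form.
const sampleConfig = `# constructed sample, not the poster's real listen.conf
Listen 80
Listen 192.168.1.20:80
<IfDefine SSL>
    Listen 443
    Listen 192.168.1.20:443
    Listen [::]:443
</IfDefine>`

// parseListen extracts Listen directives from Apache config text.
// Accepted forms: "Listen 443", "Listen 0.0.0.0:443", "Listen [::]:443",
// "Listen 192.168.1.20:443", each optionally followed by a protocol word.
func parseListen(config string) ([]ListenSpec, error) {
	var specs []ListenSpec
	sc := bufio.NewScanner(strings.NewReader(config))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.EqualFold(fields[0], "Listen") {
			continue
		}
		spec := ListenSpec{Line: n}
		if arg := fields[1]; strings.Contains(arg, ":") {
			host, port, err := net.SplitHostPort(arg)
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n, err)
			}
			spec.Addr, spec.Port = host, port
		} else {
			spec.Port = arg
		}
		// Assumption: on Linux these all bind the same dual-stack port.
		if spec.Addr == "0.0.0.0" || spec.Addr == "::" || spec.Addr == "*" {
			spec.Addr = ""
		}
		specs = append(specs, spec)
	}
	return specs, sc.Err()
}

// findConflicts reports directives that would bind a port twice: an exact
// repeat, or an address-specific Listen on a port a wildcard Listen owns.
// Messages are sorted so callers get a stable result.
func findConflicts(specs []ListenSpec) []string {
	byPort := map[string][]ListenSpec{}
	for _, s := range specs {
		byPort[s.Port] = append(byPort[s.Port], s)
	}
	var msgs []string
	for port, group := range byPort {
		hasWildcard := false
		for _, s := range group {
			hasWildcard = hasWildcard || s.Addr == ""
		}
		seen := map[string]int{}
		for _, s := range group {
			if prev, dup := seen[s.Addr]; dup {
				msgs = append(msgs, fmt.Sprintf("port %s: line %d repeats the Listen on line %d", port, s.Line, prev))
				continue
			}
			seen[s.Addr] = s.Line
			if hasWildcard && s.Addr != "" {
				msgs = append(msgs, fmt.Sprintf("port %s: line %d binds %s but a wildcard Listen already covers this port", port, s.Line, s.Addr))
			}
		}
	}
	sort.Strings(msgs)
	return msgs
}

func main() {
	specs, err := parseListen(sampleConfig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, m := range findConflicts(specs) {
		fmt.Println(m)
	}
}
```

Running it against the constructed sample flags the per-IP Listen on port 80, the per-IP Listen on port 443, and the [::]:443 line as a repeat of Listen 443; removing the per-IP lines and keeping one Listen per port, as the poster did, gives a clean report.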
On Wed, Jul 30, 2014 at 2:38 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
Two last questions. When I submit the following:
openssl s_client -connect gremlin.site:443 -showcerts
I get not only the server certificate that I created from my own CA, but also the certificate that I had installed, but which was bought from GoDaddy, for one of our development servers. The latter is not mentioned in my vhosts-ssl.conf, so why is it even sent. I thought apache would send only the certificate attached to the domain in the url in the request made to the server.
On further investigation, this is more troubling. None of my configuration files refer to a certificate related to my other development server. Worse, in /etc/apache2/ssl.crt and /etc/apache2/ssl.key, there exists ONLY the keys and certificates that I made when creating first my CA and then the key and certificate for gremlin.site. So, where is this other certificate located and why is Apache using it? Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
On Wed, Jul 30, 2014 at 2:56 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
On Wed, Jul 30, 2014 at 2:38 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
Two last questions. When I submit the following:
openssl s_client -connect gremlin.site:443 -showcerts
I get not only the server certificate that I created from my own CA, but also the certificate that I had installed, but which was bought from GoDaddy, for one of our development servers. The latter is not mentioned in my vhosts-ssl.conf, so why is it even sent. I thought apache would send only the certificate attached to the domain in the url in the request made to the server.
The answer to this question is that I mistook the CA root certificate for the certificate I'd made for another server. Proof I am an idiot. :-(
On further investigation, this is more troubling. None of my configuration files refer to a certificate related to my other development server. Worse, in /etc/apache2/ssl.crt and /etc/apache2/ssl.key, there exists ONLY the keys and certificates that I made when creating first my CA and then the key and certificate for gremlin.site. So, where is this other certificate located and why is Apache using it?
This just goes to show I am an idiot. I had created my rootCA.crt many months ago, and had forgotten that I created it with the FQDN of dev.profitorius.com, so all is behaving as it ought. But, I think in due course, I will regenerate the rootCA with a different FQDN (with meaning only within my LAN). But what I have will suffice for my testing purposes. Thanks all. Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
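The two certificate puzzles in this thread have one explanation: the server sends its leaf certificate plus the issuing CA certificate, and s_client's verify result 19 (self signed certificate in certificate chain) means the chain ended in a self-signed root that the client's trust store does not contain. Every root CA is self-signed; what distinguishes a "real" CA is only that verifiers have been told to trust it (for s_client, via -CAfile). The following is an added example, not code from this thread or from OpenSSL or Apache: it builds a throwaway private CA and a server certificate for gremlin.site in Go's standard library, confirms which certificate is self-signed, and verifies the leaf once against an empty trust store and once against a store holding the root, to show the difference is entirely on the verifying side. Key sizes, names and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a private root CA and the server certificate it issued.
type Chain struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// newTestChain creates a self-signed root CA (the thread's rootCA.crt) and a
// server certificate for host signed by that CA. Keys are throwaway P-256.
func newTestChain(host string) (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example private CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// A root is self-signed: the same template is both subject and issuer.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is issued by the root and signed with the CA's key.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Leaf: leaf}, nil
}

// isSelfSigned reports whether cert verifies under its own public key, which
// is what the thread's verify error 19 is complaining about.
func isSelfSigned(cert *x509.Certificate) bool {
	return cert.CheckSignatureFrom(cert) == nil
}

// verifyLeaf validates the server certificate for host. With trustRoot false
// the trust store is empty, like s_client without -CAfile; with it true the
// private root is trusted, like passing -CAfile rootCA.crt.
func verifyLeaf(c *Chain, host string, trustRoot bool) error {
	roots := x509.NewCertPool()
	if trustRoot {
		roots.AddCert(c.Root)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnknownAuthority is true when verification failed only because the chain
// ends in a root the verifier was not told to trust.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	c, err := newTestChain("gremlin.site")
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("root self-signed:", isSelfSigned(c.Root), " leaf self-signed:", isSelfSigned(c.Leaf))
	fmt.Println("untrusted store:", verifyLeaf(c, "gremlin.site", false))
	fmt.Println("root in store:  ", verifyLeaf(c, "gremlin.site", true))
}
```

The untrusted verification fails with an UnknownAuthorityError while the same leaf and root verify cleanly once the root is in the pool, which is the programmatic counterpart of the thread's return value 19 going away when s_client is pointed at the CA certificate. Hostname checking is included so a certificate for a different name is rejected even with a trusted root.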
On 30/07/14 at #4, Ted Byers wrote:
This just goes to show I am an idiot.
Nope, it shows that cryptography-related software and usability are yet to meet. I am not holding my breath they ever will ;-). -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody."
On 07/30/2014 08:48 PM, Ted Byers wrote:
The answer to this question is that I mistook the CA root certificate for the certificate I'd made for another server. Proof I am an idiot. :-(
We all take our turns sitting quietly facing the corner of the room with the tall pointy hat on from time to time. Glad you are wading through the 2.4 forest and seeing most of the trees. -- David C. Rankin, J.D.,P.E.