Recently, I had to configure a dedicated SSL certificate with Apache2 on a Virtual Host -- and proceeded to use a combination of information from Verisign & the Ubuntu Documentation Project.
After tweaking the install, I ran foul of the infamous "error -12263" in my browser.
My configuration consisted of:
* cp'ing the original vhost configuration to 'secure' in /etc/apache2/sites-available/ and symlinking them to /etc/apache2/sites-enabled/
* adding "Listen 443" followed by a newline to /etc/apache2/ports.conf
* Changing /etc/apache2/sites-available/secure to read:
--- <VirtualHost *:80>
+++ <VirtualHost *:443>
* and beneath the 'ServerAdmin' line -- Adding:
+++ SSLCertificateFile /etc/ssl/certs/server.crt
+++ SSLCertificateKeyFile /etc/ssl/private/server.key
+++ SSLCACertificateFile /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
At this point Apache starts normally and listens on both the HTTP and HTTPS ports, as shown by the startup notice in /var/log/apache2/error_log changing
from:
[notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 configured -- resuming normal operations
to:
[notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
However, when you try an https:// address, browsers error out.
Worse still, Apache doesn't actually log anything about this request by default -- but we know the site works because using a standard http:// request works fine.
Actually, that's not quite true -- it does log a cryptic error message that looks similar to:
127.0.0.1 - - [04/Aug/2007:23:38:58 +1000] "\x80\x8c\x01\x03\x01" 200 16564 "-" "-"
Some googling later, this turns out to mean that port 443 is serving plain, non-SSL HTTP to clients: the bytes in that "request line" are the browser's SSL handshake, which Apache has logged as if it were an ordinary HTTP request.
Luckily, you can use OpenSSL to confirm this behaviour:
Running:
openssl s_client -connect localhost:443
Returns:
CONNECTED(00000003)
7431:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
instead of the handshake output you would expect.
The fix, of course, turns out to be remarkably simple: open /etc/apache2/sites-available/secure and add:
+++ SSLEngine on
So your configuration becomes:
---
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
---
Save the file and restart Apache, then run the OpenSSL command line again:
openssl s_client -connect localhost:443
It should now complete the handshake and print the certificate information properly; now fire up your browser and use https:// to your heart's content.
Monday, October 8, 2007
Apache2, SSL and Ubuntu 6.06
Posted by Paul at 12:42 PM
Labels: apache2, community service announcement, server setup, ubuntu
1 comment:
This helped me solve a problem with getting Pylons working under SSL. I'd made a similar mistake (actually a more stupid one: having VirtualHost:* before VirtualHost *:443, etc.). Changing it to VirtualHost *:80 solved the problem. The above post gave me the clue I needed.
I had the following entries in my SSL VirtualHost directive:
SSLEngine On
SSLCertificateFile /somewhere/server.crt
SSLCertificateKeyFile /somewhere/server.key
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
Thanks