Nefunkční HTTPS u apache2

[Martin]

Dobrý den,
opracim se na Vám s prosbou o vyřešení problému. Na jednom z VPS se mě nedaří zprovoznit protokol HTTPS na APache2 serveri (2.4.10v)

Port ale 443 je otevřený viz:

Kód: [Vybrat]

root@blog3centrum:~# telnet localhost 443
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


root@blog3centrum:~# lsof -i -P | grep 443
sshd      18082     root    3r  IPv4 349338914      0t0  TCP blog3centrum.vserver.cz:22->dynamic-109-81-208-137.ipv4.broadband.iol.cz:2443 (ESTABLISHED)
apache2   19195     root    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19199 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19200 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19219 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19220 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19221 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19222 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19223 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19251 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19260 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19261 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19262 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)
apache2   19263 www-data    4u  IPv4 349807390      0t0  TCP *:443 (LISTEN)

Log v error.log (Apache)

Kód: [Vybrat]

[Tue Aug 02 00:58:34.465790 2016] [mpm_prefork:notice] [pid 19195] AH00169: caught SIGTERM, shutting down
[ 2016-08-02 00:58:35.6701 19434/7fc59679b740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '19432', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
[ 2016-08-02 00:58:35.6876 19437/7f7db8d2e740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.19432/generation-0/request
[ 2016-08-02 00:58:35.7250 19442/7f9726b83780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.19432/generation-0/logging
[ 2016-08-02 00:58:35.7252 19434/7fc59679b740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[Tue Aug 02 00:58:35.726483 2016] [ssl:warn] [pid 19432] AH01909: blog3centrum.vserver.cz:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 02 00:58:35.726688 2016] [ssl:warn] [pid 19432] AH01916: Init: (blog3centrum.vserver.cz:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Aug 02 00:58:35.726736 2016] [suexec:notice] [pid 19432] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Aug 02 00:58:35.807660 2016] [auth_digest:notice] [pid 19454] AH01757: generating secret for digest authentication ...
[Tue Aug 02 00:58:35.815560 2016] [:notice] [pid 19458] FastCGI: process manager initialized (pid 19458)
[ 2016-08-02 00:58:35.8333 19460/7f790323e740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '19454', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
[ 2016-08-02 00:58:35.8549 19463/7f32eba74740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.19454/generation-0/request
[ 2016-08-02 00:58:35.8917 19468/7fb3ea61f780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.19454/generation-0/logging
[ 2016-08-02 00:58:35.8919 19460/7f790323e740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[Tue Aug 02 00:58:35.957223 2016] [ssl:warn] [pid 19454] AH01909: blog3centrum.vserver.cz:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 02 00:58:35.957429 2016] [ssl:warn] [pid 19454] AH01916: Init: (blog3centrum.vserver.cz:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Aug 02 00:58:35.957546 2016] [wsgi:warn] [pid 19454] mod_wsgi: Compiled for Python/2.7.8.
[Tue Aug 02 00:58:35.957554 2016] [wsgi:warn] [pid 19454] mod_wsgi: Runtime using Python/2.7.9.
[Tue Aug 02 00:58:35.966053 2016] [mpm_prefork:notice] [pid 19454] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 OpenSSL/1.0.1t mod_wsgi/4.3.0 Python/2.7.9 configured -- resuming normal operations
[Tue Aug 02 00:58:35.966107 2016] [core:notice] [pid 19454] AH00094: Command line: '/usr/sbin/apache2'

Při zadání příkazu WGET na https na localhost vyleze toto

Kód: [Vybrat]

root@blog3centrum:~# wget https://localhost/
converted 'https://localhost/' (ANSI_X3.4-1968) -> 'https://localhost/' (UTF-8)
--2016-08-02 00:57:45--  https://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

Když zadám url http://blog3centrum.vserver.cz:443 stránka se načte ale při zadání https://blog3centrum.vserver.cz to nefunguje jako by nefungoval SSL mod ale ten se načítá ověřeno přes php script

Kód: [Vybrat]

<?php
if (!extension_loaded('openssl')) 
{
  echo "not loaded";
}
else
{
  echo "loaded"   ;
}

Vyleze "loaded"

Viz:

Kód: [Vybrat]

 http://blog3centrum.vserver.cz/ssl.php

Děkuji předem za jakoukoliv odpověď už si nevim rady.

Děkuji a přeji pěkný den

[Reklama]

[Wily]

Co nastavení apache? Vhost.conf atd... ?

[Sten]

Kód: [Vybrat]

You configured HTTP(80) on the standard HTTPS(443) port!

Apache nemá nastavené, aby šifroval. Chybí SSLEngine on.

Kód: [Vybrat]

<?php
if (!extension_loaded('openssl')) 
{
  echo "not loaded";
}
else
{
  echo "loaded"   ;
}

Rozšíření OpenSSL v PHP nemá s nastavením HTTPS v Apache nic společného. Jestli je zapnuté HTTPS, se dá v PHP zjistit pomocí $_SERVER['HTTPS'].

[Martin]

SSL mám zapnuté ted jsem zjistil když změnim port z 443 na 442 v souboru ports.conf a v default-ssl.conf tak to funguje. opravdu nevim.

default-ssl.conf

Kód: [Vybrat]

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost

		DocumentRoot /var/www/html

		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
		# error, crit, alert, emerg.
		# It is also possible to configure the loglevel for particular
		# modules, e.g.
		#LogLevel info ssl:warn

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		# For most configuration files from conf-available/, which are
		# enabled or disabled at a global level, it is possible to
		# include a line for only one particular virtual host. For example the
		# following line enables the CGI configuration for this host only
		# after it has been globally disabled with "a2disconf".
		#Include conf-available/serve-cgi-bin.conf

		#   SSL Engine Switch:
		#   Enable/Disable SSL for this virtual host.
		SSLEngine on

		#   A self-signed (snakeoil) certificate can be created by installing
		#   the ssl-cert package. See
		#   /usr/share/doc/apache2/README.Debian.gz for more info.
		#   If both key and certificate are stored in the same file, only the
		#   SSLCertificateFile directive is needed.
		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

		#   Server Certificate Chain:
		#   Point SSLCertificateChainFile at a file containing the
		#   concatenation of PEM encoded CA certificates which form the
		#   certificate chain for the server certificate. Alternatively
		#   the referenced file can be the same as SSLCertificateFile
		#   when the CA certificates are directly appended to the server
		#   certificate for convinience.
		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

		#   Certificate Authority (CA):
		#   Set the CA certificate verification path where to find CA
		#   certificates for client authentication or alternatively one
		#   huge file containing all of them (file must be PEM encoded)
		#   Note: Inside SSLCACertificatePath you need hash symlinks
		#		 to point to the certificate files. Use the provided
		#		 Makefile to update the hash symlinks after changes.
		#SSLCACertificatePath /etc/ssl/certs/
		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

		#   Certificate Revocation Lists (CRL):
		#   Set the CA revocation path where to find CA CRLs for client
		#   authentication or alternatively one huge file containing all
		#   of them (file must be PEM encoded)
		#   Note: Inside SSLCARevocationPath you need hash symlinks
		#		 to point to the certificate files. Use the provided
		#		 Makefile to update the hash symlinks after changes.
		#SSLCARevocationPath /etc/apache2/ssl.crl/
		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

		#   Client Authentication (Type):
		#   Client certificate verification type and depth.  Types are
		#   none, optional, require and optional_no_ca.  Depth is a
		#   number which specifies how deeply to verify the certificate
		#   issuer chain before deciding the certificate is not valid.
		#SSLVerifyClient require
		#SSLVerifyDepth  10

		#   SSL Engine Options:
		#   Set various options for the SSL engine.
		#   o FakeBasicAuth:
		#	 Translate the client X.509 into a Basic Authorisation.  This means that
		#	 the standard Auth/DBMAuth methods can be used for access control.  The
		#	 user name is the `one line' version of the client's X.509 certificate.
		#	 Note that no password is obtained from the user. Every entry in the user
		#	 file needs this password: `xxj31ZMTZzkVA'.
		#   o ExportCertData:
		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
		#	 server (always existing) and the client (only existing when client
		#	 authentication is used). This can be used to import the certificates
		#	 into CGI scripts.
		#   o StdEnvVars:
		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
		#	 Per default this exportation is switched off for performance reasons,
		#	 because the extraction step is an expensive operation and is usually
		#	 useless for serving static content. So one usually enables the
		#	 exportation for CGI and SSI requests only.
		#   o OptRenegotiate:
		#	 This enables optimized SSL connection renegotiation handling when SSL
		#	 directives are used in per-directory context.
		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		#   SSL Protocol Adjustments:
		#   The safe and default but still SSL/TLS standard compliant shutdown
		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
		#   the close notify alert from client. When you need a different shutdown
		#   approach you can use one of the following variables:
		#   o ssl-unclean-shutdown:
		#	 This forces an unclean shutdown when the connection is closed, i.e. no
		#	 SSL close notify alert is send or allowed to received.  This violates
		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
		#	 this when you receive I/O errors because of the standard approach where
		#	 mod_ssl sends the close notify alert.
		#   o ssl-accurate-shutdown:
		#	 This forces an accurate shutdown when the connection is closed, i.e. a
		#	 SSL close notify alert is send and mod_ssl waits for the close notify
		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
		#	 practice often causes hanging connections with brain-dead browsers. Use
		#	 this only for browsers where you know that their SSL implementation
		#	 works correctly.
		#   Notice: Most problems of broken clients are also related to the HTTP
		#   keep-alive facility, so you usually additionally want to disable
		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
		#   "force-response-1.0" for this.
		BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0
		# MSIE 7 and newer should be able to use keepalive
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

ports.conf

Kód: [Vybrat]

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# NameVirtualHost *:80
# NameVirtualHost *:443

[Martin]

Vyřešeno byl nastaven blbě jeden vhost.
Jednalo se o roundcube přímo z instalace. Který se instaluje automaticky.

Nechápu proč to udělal. Hlavní je že vše již funguje.

Děkuji za nakopnutí

[Reklama]