I'm trying to set up HTTPS on Apache, using a self-signed certificate. But instead of displaying the page, I get a bunch of weird errors. And a different error from each browser!
From Chrome:
Error 2 (net::ERR_FAILED): Unknown error.
From Firefox:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I followed the steps detailed on http://slacksite.com/apache/certificate.php, as well as about 4 other guides. They are all about the same, and all give the same result. So I must be doing something wrong.
Briefly, here's what I did:
Generate the server key:
openssl genrsa -des3 -out server.key 1024
Generate CSR:
openssl req -new -key server.key -out server.csr
[while generating the request, I was careful to enter my actual hostname as the "Common Name (eg, your name or your server's hostname)"]
remove password from key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Self-sign the certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Configured apache to point at those files, and use those certificates.
Any ideas?
UPDATE: Here's my virtual host configuration:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
## Virtual host to redirect to HTTPS
ServerName mail.craimer.org
Redirect permanent / https://mail.craimer.org:443
##
## SSL Virtual Host Context
##
ServerName mail.craimer.org
DocumentRoot "/usr/share/roundcubemail/trunk/roundcubemail/"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
# Note: this still leaves SSLv3 enabled and admits RC4 and LOW (40/56-bit) suites, which is weak by current standards.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
# Deal with broken MSIE
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Answer
Well, since the user Jure1873 hasn't written up an answer, I cannot give him the credit he deserves. Here is his solution:
what if you replace
with?
And that was the solution. It turns out that (as of this writing) httpd cannot support multiple virtual hosts for HTTPS, so any connections to 443 must be directed to a single host. So I guess httpd was just silently rejecting the configuration that attempted to run a virtual host for HTTPS.
Oh, and don't rail against Apache for this "missing feature". It's not their fault: name-based virtual hosting was built around HTTP, and a plain HTTPS connection gives the server no hostname until after it has already picked a certificate. (The TLS Server Name Indication extension, RFC 6066, fixes exactly that, and mod_ssl supports it from httpd 2.2.12 with OpenSSL 0.9.8j or later; but older clients such as Internet Explorer on Windows XP never send it, so at the time an IP-based or _default_:443 SSL virtual host was the safe choice.)
Boring Explanation:
You see, when you connect to port 443 and start an HTTPS session, the first thing that happens is the TLS handshake. HTTPS is ordinary HTTP carried inside a TLS tunnel, and nothing from the HTTP layer is exchanged until that tunnel is up. Only once the tunnel is set up does data flow through, and that data is the HTTP stream.
This means that the Host: header (which is part of HTTP, not TLS) is only sent after the secure tunnel has been constructed. It is the Host: header that tells the HTTP server which virtual host is being accessed, but in HTTPS that information arrives far too late: the server had to choose a certificate and key for the handshake before it ever saw the hostname.
Bottom line: without SNI, the server cannot choose its certificate based on the HTTP hostname, so whatever virtual host owns the IP:port pair for 443 must be the one with SSLEngine on. That is also what the two browser errors were saying. When a listener on 443 answers a TLS ClientHello with plaintext HTTP, the client reads the text of the response as a TLS record header with an impossibly large length field; Firefox reports this as ssl_error_rx_record_too_long, and Chrome only showed the generic net::ERR_FAILED. A quick check from the client side is "openssl s_client -connect mail.craimer.org:443", which in this situation fails at the record layer (a "wrong version number" or "unknown protocol" error) instead of printing a certificate chain.
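The handshake ordering described above, as an added example that is not code from the original post or from httpd/mod_ssl: a small Python script that (a) shows why a plaintext HTTP reply on port 443 turns into Firefox's ssl_error_rx_record_too_long when the client parses it as a TLS record header, and (b) builds and parses a ClientHello carrying the server_name extension, to show that with SNI the hostname does reach the server before any key is chosen. The two sample server replies are constructed, the hostname is the one from the post's config, and probe() is a helper name of my own.

```python
"""Added example: what a TLS client sees when the vhost bound to port 443 is
not the one with SSLEngine on, and how SNI carries the hostname in the first
message. Sample bytes below are constructed, not captured."""
import socket
import struct

# RFC 5246 s6.2.3: a TLSCiphertext record may carry at most 2^14 + 2048 bytes.
TLS_MAX_RECORD = (1 << 14) + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed samples: the reply of a plaintext redirect vhost that happens to
# own port 443, and the start of a genuine ServerHello record.
SAMPLE_PLAINTEXT_REPLY = (b"HTTP/1.1 301 Moved Permanently\r\n"
                          b"Location: https://mail.craimer.org:443/\r\n\r\n")
SAMPLE_TLS_REPLY = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01" + bytes(32)


def decode_record_header(data):
    """Read the first five bytes as a TLS record header: (type, (major, minor), length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of server response")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def diagnose(first_bytes):
    """Say what the server is speaking and what a TLS client concludes from the
    same bytes. 'HTTP/' decodes to type 0x48 and length 0x502f = 20527, which is
    over the 18432 limit: exactly Firefox's ssl_error_rx_record_too_long."""
    ctype, version, length = decode_record_header(first_bytes)
    if first_bytes.startswith(b"HTTP/"):
        verdict = "plaintext-http"       # mod_ssl is not active on this listener
    elif ctype in TLS_CONTENT_TYPES and version[0] == 3 and length <= TLS_MAX_RECORD:
        verdict = "tls"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "record_type": ctype,
            "record_length": length, "too_long": length > TLS_MAX_RECORD}


def build_client_hello(server_name, with_sni=True, client_random=bytes(32)):
    """Minimal ClientHello; with_sni=True adds a server_name extension (RFC 6066),
    so the hostname travels in the very first message of the connection."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension_type server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext if with_sni else b""
    # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
    # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    cipher_suites = b"\x00\x2f\x00\x35\xc0\x13\xc0\x14"
    body = (b"\x03\x03" + client_random + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                            # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Pull the server_name back out of a ClientHello record: this is all a server
    needs in order to choose a certificate before any key is touched."""
    ctype, _, rec_len = decode_record_header(record)
    hs = record[5:5 + rec_len]
    if ctype != 22 or not hs or hs[0] != 1:
        raise ValueError("not a ClientHello record")
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher suites
    p += 1 + hs[p]                                  # compression methods
    if p >= len(hs):
        return None                                 # no extensions: an old client, no SNI
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                              # server_name extension
            q = p + 2                               # skip server_name_list length
            name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
            if hs[q] == 0:                          # name_type host_name
                return hs[q + 3:q + 3 + name_len].decode("idna")
        p += elen
    return None


def probe(host, port=443, timeout=5.0):
    """Network helper (assumed name): send a ClientHello with SNI and diagnose the
    first five bytes the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        buf = b""
        while len(buf) < 5:
            chunk = s.recv(5 - len(buf))
            if not chunk:
                break
            buf += chunk
        return diagnose(buf)


if __name__ == "__main__":
    print(diagnose(SAMPLE_PLAINTEXT_REPLY))
    print(diagnose(SAMPLE_TLS_REPLY))
    print(parse_sni(build_client_hello("mail.craimer.org")))
```

Running it offline prints the plaintext verdict with record_length 20527 and too_long True, the TLS verdict for the ServerHello sample, and "mail.craimer.org" recovered from the ClientHello; probe("mail.craimer.org") does the same against a live listener, and a "plaintext-http" verdict there means the vhost answering on 443 has no SSLEngine on.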