Jump to content


Photo

Apache failed to start when using SSL

apache ssl security certificates

  • Please log in to reply
No replies to this topic

#1 iltdevunit

iltdevunit

    Newbie

  • Member
  • Pip
  • 4 posts
  • Main OS: Windows 7

Posted 26 September 2014 - 05:24 AM

Hi,

 

I'm trying to get SSL working on UniServer Zero XI 11.3.2.

 

Here are the steps I've taken so far:

 

  1. I've enabled the ssl_module
  2. Copied my websites.crt, websites.key and websites.ca-bundle files to C:\UniServerZ\core\apache2\server_certs
  3. Uncommented 'Include conf/extra/httpd-ssl.conf' in C:\UniServerZ\core\apache2\conf\httpd.conf
  4. Edited my httpd-ssl.conf to be:
#=========================================================
# File name: httpd-ssl.conf
# Created By: The Uniform Server Development Team
# Edited Last By: Mike Gleaves (ric) 
# Apache HTTP server configuration file.
# V 1.0 15-3-2013
#=========================================================


# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these 
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
# 
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
#          socache_shmcb_module (for default value of SSLSessionCache)


#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512




#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#


#################### Global SSL ##########################
Listen ${AP_SSL_PORT} https


##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
#== Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl


#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5


#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 


#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin


#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:c:/Apache24/logs/ssl_scache"
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300


#== Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


##
## SSL Virtual Host Context
##


<VirtualHost _default_:${AP_SSL_PORT}>


#   General setup for the virtual host
ServerName ${US_SERVERNAME}
DocumentRoot ${US_ROOTF_SSL}
ServerAdmin you@example.com


ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log


#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLOptions +StrictRequire


#== SSL Cipher Suite:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM


#== Server Certificate:
SSLCertificateFile ${US_ROOTF}/core/apache2/server_certs/websites.crt


#== Server Private Key:
SSLCertificateKeyFile ${US_ROOTF}/core/apache2/server_certs/websites.key


#== StartSSL certificate chain for class 1 certificates
# Disable when using a self-signed certificate
# Enable remove # disable add #


SSLCertificateChainFile ${US_ROOTF}/core/apache2/server_certs/websites.ca-bundle


#SSLCertificateChainFile ${US_ROOTF}/core/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile    ${US_ROOTF}/core/apache2/server_certs/ca.pem


SSLVerifyClient none
SSLProxyEngine off


#== Server Root folder:
<Directory "${US_ROOTF_SSL}"> 
  AllowOverride All
  Order allow,deny 
  Allow from all
  SSLRequireSSL
</Directory> 




#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>                                  
I've tried to start Apache, but UniServer Zero gives a 'Apache failed to start' dialog. I've looked in error.log and there's nothing to indicate a problem.  error_ssl.log didn't exist, so I created it and tried to restart Apache again. After the error dialog, error_ssl.log remains empty.
 
Where am I going wrong?






Also tagged with one or more of these keywords: apache, ssl, security certificates

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users