* [gentoo-user] Apache SSL configuration gone AWOL...
From: Steve @ 2009-11-11 14:25 UTC
To: gentoo-user
After a recent update, I restarted Apache...
I host a number of trivial development servers (using named virtual
hosts) and also support access to one of them over SSL. While I can
access all my data over http, access by https has stopped working.
I wondered if an update had made apache fussy that my old self-signed
certificate didn't "match" the domains it was serving - so re-created
new certificates to no avail. No illuminating information is written to
the log files in /var/log/apache2 - but if I attempt to access the https
services (which worked with my configuration prior to re-starting
apache) I get various errors:
Firefox under Windows and Ubuntu:
    Secure Connection Failed
    An error occurred during a connection to <<server>>.
    Peer's certificate has an invalid signature.
    (Error code: sec_error_bad_signature)
IE 7:
    Navigation to the webpage was canceled
I didn't intend to change my configuration... only
/etc/conf.d/apache2 (as far as I recall) was altered - and the
APACHE2_OPTS setting is now
    APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5 -D DAV -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"
Any ideas?
* Re: [gentoo-user] Apache SSL configuration gone AWOL...
From: Steve @ 2009-11-12 20:09 UTC
To: gentoo-user
Steve wrote:
> Firefox under Windows and Ubuntu :
> Secure Connection Failed
> An error occurred during a connection to <<server>>.
> Peer's certificate has an invalid signature.
> (Error code: sec_error_bad_signature)
Weirder and weirder... when I switch to lynx, it works!
Lynx remotely gives these two warnings:
> SSL error:no issuer was found-Continue? (y)
> SSL error:host(shost.shic.co.uk)!=cert(CN<localhost>)-Continue? (y)
This is odd, because the CN for the certificate is shost.shic.co.uk
(the same as the site name) not <localhost>...
On gentoo, addressing the server as https://localhost/ I only get the
first warning - which is absolutely true.
I've tried adding certificates explicitly to Firefox and to Windows -
but this doesn't make any difference. It looks very much like an Apache
problem... though I've no idea what... nothing useful arises in the
logs... no warnings or errors.... only successful page accesses from
lynx are to be found.
Am I the only one who's had this go wonky?
* Re: [gentoo-user] Apache SSL configuration gone AWOL...
From: felix @ 2009-11-12 21:10 UTC
To: gentoo-user
On Thu, Nov 12, 2009 at 08:09:00PM +0000, Steve wrote:
> Lynx remotely gives these two warnings:
> > SSL error:no issuer was found-Continue? (y)
> > SSL error:host(shost.shic.co.uk)!=cert(CN<localhost>)-Continue? (y)
> This is odd, because the CN for the certificate is shost.shic.co.uk
> (the same as the site name) not <localhost>...
I'd take that as a big broad hint that it is looking somewhere else
for certificates in this release and it found default certs.
--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o
* Re: [gentoo-user] Apache SSL configuration gone AWOL...
From: Mick @ 2009-11-12 21:50 UTC
On Thursday 12 November 2009 21:10:07 felix@crowfix.com wrote:
> On Thu, Nov 12, 2009 at 08:09:00PM +0000, Steve wrote:
> > Lynx remotely gives these two warnings:
> > > SSL error:no issuer was found-Continue? (y)
> > > SSL error:host(shost.shic.co.uk)!=cert(CN<localhost>)-Continue? (y)
> >
> > This is odd, because the CN for the certificate is shost.shic.co.uk
> > (the same as the site name) not <localhost>...
>
> I'd take that as a big broad hint that it is looking somewhere else
> for certificates in this release and it found default certs.
+1
Check in your default apache (most likely) or vhosts configuration files that
you have SSLCertificateFile and SSLCertificateKeyFile paths pointing to where
your certs and private key are stored. It may be that you were not very
careful with etc-update and it restored default settings?
--
Regards,
Mick
* Re: [gentoo-user] Apache SSL configuration gone AWOL...
From: Steve @ 2009-11-12 23:10 UTC
To: gentoo-user
Mick wrote:
>> I'd take that as a big broad hint that it is looking somewhere else
>> for certificates in this release and it found default certs.
>>
> +1
>
> Check in your default apache (most likely) or vhosts configuration files that
> you have SSLCertificateFile and SSLCertificateKeyFile paths pointing to where
> your certs and private key are stored. It may be that you were not very
> careful with etc-update and it restored default settings?
>
Many thanks!!!
While I remain sceptical that it was etc-update that spannered my
configuration, stating the obvious to me overcame this... I've still no
idea what did cause this to go wrong - but... essentially, my config was
looking for /etc/ssl/apache2/server.crt, while the certificates I was
checking were /etc/apache2/ssl/server.crt - and similarly for the key.
I'm still a little baffled about how it appeared to work previously...
but I now see what is wrong - even if I'm puzzled about how I got here...
I guess, one might ask if default certificates are a good idea - and, if
they are - maybe we should ask why they don't "work". For my purposes,
however... solved! Thanks again.
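The check Mick suggests and the mismatch Steve found, as an added example that is not part of the thread: it lists the SSLCertificateFile and SSLCertificateKeyFile directives Apache would read and fails when the configured certificate is not the file being inspected. The function names, the vhost file name and the server.key and old.crt paths are constructed for illustration; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: find which certificate files Apache is actually configured
# to load, and flag any that are not the file the admin has been inspecting.

# ssl_paths CONF_DIR
# Print "directive path conf-file" for each uncommented SSLCertificateFile /
# SSLCertificateKeyFile directive in *.conf files under CONF_DIR.
ssl_paths() {
    find "$1" -type f -name '*.conf' -exec awk '
        { d = tolower($1) }
        d == "sslcertificatefile" || d == "sslcertificatekeyfile" {
            p = $2; gsub(/"/, "", p)      # tolerate quoted paths
            print $1, p, FILENAME
        }' {} +
}

# check_cert_path CONF_DIR EXPECTED_CERT
# Return 0 only if at least one SSLCertificateFile is configured and every
# one of them equals EXPECTED_CERT; otherwise report what was found.
check_cert_path() {
    found=$(ssl_paths "$1" | awk 'tolower($1) == "sslcertificatefile"')
    if [ -z "$found" ]; then
        echo "no SSLCertificateFile directive under $1" >&2; return 2
    fi
    bad=$(printf '%s\n' "$found" | awk -v want="$2" '$2 != want { print $3 ": " $2 }')
    [ -z "$bad" ] && return 0
    printf 'configured certificate is not %s:\n%s\n' "$2" "$bad" >&2
    return 1
}

# sample_conf DIR: write a constructed vhost file that reproduces the thread:
# the config names /etc/ssl/apache2/..., the admin edits /etc/apache2/ssl/...
sample_conf() {
    mkdir -p "$1/vhosts.d"
    cat > "$1/vhosts.d/example_ssl_vhost.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    # SSLCertificateFile /etc/apache2/ssl/old.crt
    SSLCertificateFile /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>
EOF
}

# Usage: sh script.sh /etc/apache2 /etc/apache2/ssl/server.crt
if [ $# -eq 2 ]; then check_cert_path "$1" "$2"; fi
```

A non-zero exit means the certificate being edited is not the one the server loads, which is the situation the thread ends on.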