Help starting Apache with OpenSSL on FreeBSD 5.1

Post by Roumen Sem » Tue, 24 Jun 2003 08:25:29



Hello, everyone!
I will be forever grateful to anyone who gives me an idea or
suggestion about the situation I have!
I am running FreeBSD 5.1 and I installed Apache 2.0.46 from source
with options "./configure --enable-so --enable-ssl" after I installed
openssl-0.9.7b from source with options
"./config --prefix=/usr/local/ssl/install
--openssldir=/usr/local/ssl/install/openssl".
After I edited my openssl.conf and httpd.conf config files (I'll
enclose them too) I tried to run apache like this:
"/usr/local/apache2/bin/apachectl startssl" and it started, opened
port 80, it serves http pages but it never opened the https port 443.
What is wrong? I checked the log file (I enclosed this one too) and
there's nothing that gives me a clue about what's wrong, there's no
single error showing there. I had such configuration running really
smoothly before on my FreeBSD 4.7 machine, I even compared the config
files of that old install with the configs of the current one and it
still doesn't work.
Here is my httpd.conf file (without commented lines):
====================================
ServerRoot "/usr/local/apache2"
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
</IfModule>
</IfModule>
<IfModule !mpm_netware.c>
<IfModule !perchild.c>
</IfModule>
</IfModule>
<IfModule !mpm_netware.c>
PidFile logs/httpd.pid
</IfModule>
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers         5
MinSpareServers      5
MaxSpareServers     10
MaxClients         150
MaxRequestsPerChild  0
</IfModule>
<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>
<IfModule perchild.c>
NumServers           5
StartThreads         5
MinSpareThreads      5
MaxSpareThreads     10
MaxThreadsPerChild  20
MaxRequestsPerChild  0
</IfModule>
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild  0
</IfModule>
<IfModule beos.c>
StartThreads               10
MaxClients                 50
MaxRequestsPerThread       10000
</IfModule>
<IfModule mpm_netware.c>
ThreadStackSize      65536
StartThreads           250
MinSpareThreads         25
MaxSpareThreads        250
MaxThreads            1000
MaxRequestsPerChild      0
</IfModule>
<IfModule mpmt_os2.c>
StartServers           2
MinSpareThreads        5
MaxSpareThreads       10
MaxRequestsPerChild    0
</IfModule>
Listen 0.0.0.0:80
Listen [::]:80
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
User nobody
Group #-1
</IfModule>
</IfModule>
ServerAdmin y...@your.address
UseCanonicalName Off
DocumentRoot "/usr/local/apache2/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
UserDir public_html
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
TypesConfig conf/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>
HostnameLookups Off
ErrorLog logs/error_log
LogLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log common
ServerTokens Full
ServerSignature On
Alias /icons/ "/usr/local/apache2/icons/"
<Directory "/usr/local/apache2/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Alias /manual "/usr/local/apache2/manual"
<Directory "/usr/local/apache2/manual">
    Options Indexes FollowSymLinks MultiViews IncludesNoExec
    AddOutputFilter Includes html
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<IfModule mod_cgid.c>
</IfModule>
<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage he .he
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage ko .ko
AddLanguage pt .pt
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .sv
AddLanguage cs .cz .cs
AddLanguage ru .ru
AddLanguage zh-TW .zh-tw
AddLanguage hr .hr
LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw
ForceLanguagePriority Prefer Fallback
AddDefaultCharset ISO-8859-1
AddCharset ISO-8859-1  .iso8859-1  .latin1
AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
AddCharset ISO-8859-3  .iso8859-3  .latin3
AddCharset ISO-8859-4  .iso8859-4  .latin4
AddCharset ISO-8859-5  .iso8859-5  .latin5 .cyr .iso-ru
AddCharset ISO-8859-6  .iso8859-6  .latin6 .arb
AddCharset ISO-8859-7  .iso8859-7  .latin7 .grk
AddCharset ISO-8859-8  .iso8859-8  .latin8 .heb
AddCharset ISO-8859-9  .iso8859-9  .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5        .Big5       .big5
AddCharset WINDOWS-1251 .cp-1251   .win-1251
AddCharset CP866       .cp866
AddCharset KOI8-r      .koi8-r .koi8-ru
AddCharset KOI8-ru     .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8       .utf8
AddCharset GB2312      .gb2312 .gb
AddCharset utf-7       .utf7
AddCharset utf-8       .utf8
AddCharset big5        .big5 .b5
AddCharset EUC-TW      .euc-tw
AddCharset EUC-JP      .euc-jp
AddCharset EUC-KR      .euc-kr
AddCharset shift_jis   .sjis
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddHandler type-map var
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
=============================================

And here is my /usr/local/apache2/conf/ssl.conf file:
=============================================
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.semov.com
ServerAdmin y...@your.address
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
==============================================

And here is my /usr/local/apache2/logs/error_log (considering I had
"LogLevel debug" in the /usr/local/apache2/conf/httpd.conf file):

=============================================
[Sat Jun 21 19:59:53 2003] [info] Init: Initializing OpenSSL library
[Sat Jun 21 19:59:53 2003] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sat Jun 21 19:59:53 2003] [info] Loading certificate & private key of SSL-aware server
[Sat Jun 21 19:59:53 2003] [debug] ssl_engine_pphrase.c(497): unencrypted RSA private key - pass phrase not required
[Sat Jun 21 19:59:53 2003] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Jun 21 19:59:55 2003] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Jun 21 19:59:55 2003] [debug] ssl_scache_dbm.c(422): Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Sat Jun 21 ...
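
A check for the setup in the post above, added here as an example and not code from the thread: it works out which Listen directives are live once the <IfDefine> and <IfModule> blocks are evaluated, since "Listen 443" sits inside <IfDefine SSL> in a file that is only included when mod_ssl is present. The abridged config text and the function name active_listens are constructed for illustration.

```python
import re

# Constructed sample: only the Listen-related lines of the two posted files.
FILES = {
    "httpd.conf": """\
Listen 0.0.0.0:80
Listen [::]:80
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
""",
    "conf/ssl.conf": """\
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
</VirtualHost>
</IfDefine>
""",
}

OPEN = re.compile(r"<(IfDefine|IfModule)\s+(!?)([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</(IfDefine|IfModule)\s*>", re.I)

def active_listens(name, defines, modules, files=FILES):
    """Return the Listen arguments that survive <IfDefine>/<IfModule>."""
    # defines: names given to httpd with -D (apachectl startssl adds SSL)
    # modules: module source names built in or loaded, e.g. "mod_ssl.c"
    stack, found = [], []          # stack: one bool per open conditional
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            kind, negated, arg = opened.groups()
            known = defines if kind.lower() == "ifdefine" else modules
            stack.append((arg in known) != bool(negated))
        elif CLOSE.match(line):
            stack.pop()
        elif all(stack):           # every enclosing condition holds
            word, *rest = line.split(None, 1)
            if word.lower() == "listen" and rest:
                found.append(rest[0])
            elif word.lower() == "include" and rest:
                found += active_listens(rest[0], defines, modules, files)
    return found

if __name__ == "__main__":
    print(active_listens("httpd.conf", {"SSL"}, {"mod_ssl.c"}))
```

If 443 appears in the result for the flags the server was started with and the port is still closed, these conditionals are not what is keeping it shut.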


Post by Rainer Duffn » Tue, 24 Jun 2003 17:03:57



> Hello, everyone!
> I will be forever grateful to anyone who gives me an idea or
> suggestion about the situation I have!
> I am running FreeBSD 5.1 and I installed Apache 2.0.46 from source
> with options "./configure --enable-so --enable-ssl" after I installed
> openssl-0.9.7b from source with options
> "./config --prefix=/usr/local/ssl/install
> --openssldir=/usr/local/ssl/install/openssl".

Try to install from a port (is there a reason why you didn't?)
cd /usr/ports/www/apache2 && make install clean
or, if you have portupgrade installed
portinstall apache2

See the makefile for various options - SSL is standard.

See

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-using...

for information about the ports-collection.

cheers,
Rainer

Post by Reko Turj » Tue, 24 Jun 2003 18:34:43


Do you have certificates installed and in the proper place for the server?
If not, check the Apache2 SSL FAQ at
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html. SSL won't start without
those.

-Reko

Post by Roumen Sem » Wed, 25 Jun 2003 15:32:33




> > Hello, everyone!
> > I will be forever grateful to anyone who gives me an idea or
> > suggestion about the situation I have!
> > I am running FreeBSD 5.1 and I installed Apache 2.0.46 from source
> > with options "./configure --enable-so --enable-ssl" after I installed
> > openssl-0.9.7b from source with options
> > "./config --prefix=/usr/local/ssl/install
> > --openssldir=/usr/local/ssl/install/openssl".

> Try to install from a port (is there a reason why you didn't ?)
> cd /usr/ports/www/apache2 && make install clean
> or, if you have portupgrade installed
> portinstall apache2

No particular reason for doing the ports thing. Many times I take the
harder path - as a learning experience, also I always had it installed
from source on previous FreeBSD versions. This time I think I am
getting tired of trying without any success so I may get me the
binaries soon and finish this thing up.
Thank you for your response.
Roumen.

Post by Roumen Sem » Wed, 25 Jun 2003 15:34:50



> Do you have certificates installed and in the proper place for the server?
> If not, check the Apache2 SSL FAQ at
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html. SSL won't start without
> those.

> -Reko

Yes, they are in the right place. If I put them in the wrong place
it'll complain in the log file - I already tried that :).
I read that apache doc too.
Thank you for your response though.
Roumen.

Post by Dariusz Kulinski / TaKeD » Wed, 25 Jun 2003 17:55:18



> No particular reason for doing the ports thing. Many times I take the
> harder path - as a learning experience, also I always had it installed
> from source on previous FreeBSD versions. This time I think I am
> getting tired of trying without any success so I may get me the
> binaries soon and finish this thing up.
> Thank you for your response.
> Roumen.

Installing from ports is also compiling.
Anyway, what a port really is is just a Makefile, and sometimes
patches; if you want to learn, just check what the port maintainer
did to successfully compile it.

--

UIN# 15827691, GG# 113344
SCSA, SCNA, LPIC, CCNA, MCP

1. Apache/OpenSSL problem - httpsd won't start

Posted this to the apache-ssl mailing list, without results - any ideas
anyone?

I'm just setting up a test https server, using Apache 1.3.3 (happened to
have the source for this on the box already, and a running config).

As this machine is firewalled from the world, it's been set up as
a CA, using CA.sh. I've also done a key verification using

openssl x509 -noout -text -in <certificate.crt>

and

openssl rsa -noout -text -in <key.key>

For the relevant certificate and key files.

The key file has been decrypted using

openssl rsa -in <key.key.orig> -out <key.key>

to permit unattended startup.

***PROBLEM***

On attempting a startup (from the standard Apache startup
script) I get:

Reading key for server hal.so-net.co.uk:443
./S99apache start: httpd could not be started

There is nothing in the error log. Running httpsd -t
reports "Syntax OK"

***THAT'S IT*** - no indication of what might be at fault!  

Any ideas??

The apache httpd.conf is copied pretty much from the "mixed http
and https" example - here are relevant sections:

SSLVerifyClient 0
SSLVerifyDepth 10
SSLCertificateKeyFile /home1/sonyadm/certs/so-net.co.uk.key
SSLCertificateFile /home1/sonyadm/certs/so-net.co.uk.cert
#SSLCACertificateFile /home1/sonyadm/certs/CA.cert
SSLCacheServerPath /usr/local/apache/sbin/gcache
SSLCacheServerPort 12345
#SSLCacheServerPort /home1/sonyadm/cache/so-net.co.uk.cache.socket
SSLSessionCacheTimeout 300
NameVirtualHost 172.20.14.2

<VirtualHost 172.20.14.2:443>
Port 443

DocumentRoot /home1/sonyadm/htdocs
ServerName extweb.so-net.co.uk
ErrorLog /usr/local/apache/var/log/extweb.so-net.co.uk-error_log_ssl
ScriptAlias /cgi-bin/ /usr/local/apache/share/cgi-bin/
TransferLog /usr/local/apache/var/log/extweb.so-net.co.uk-access_log_ssl
<Directory /home1/sonyadm/htdocs/postpet/2001/user/cgi-bin>
Options ExecCGI
</Directory>
<Directory /home1/sonyadm/htdocs/postpet/2001/user/admin/cgi-bin>
Options ExecCGI
</Directory>
</VirtualHost>

<VirtualHost 172.20.14.2:80>
SSLDisable
Port 80

DocumentRoot /home1/intweb
ServerName intweb.so-net.co.uk
ErrorLog /usr/local/apache/var/log/intweb.so-net.co.uk-error_log
ScriptAlias /cgi-bin/ /usr/local/apache/share/cgi-bin/
TransferLog /usr/local/apache/var/log/intweb.so-net.co.uk-access_log
</VirtualHost>

--
Keith Oborn      Sony Communication Network       0171 426 8655
15th Floor, Commercial Union Tower, 1, Undershaft, London EC3A 8NP
