topic Re: Apache and SSL in Operating System - HP-UX

Apache and SSL

Brent Wiley — Mon, 26 Aug 2002 17:22:07 GMT

Hello all. Not sure if this is the proper place in the forum, so please advise as to the best place for this post.

I've recently install Apache 2.0 using binary package B9416AA on a 9000 machine running HP-UX 11.x. This upgraded from Apache 1.3.4 that was installed from source. I have converted the old configuration file and set up the new config to run SSL.

Problem: I can connect to the server over port 443 using normal http, but when I try using https either the request returns "Cannot find server" or it just seems to hang...? Any thoughts?

I have successfully created a CSR and received my CRT from Thawte, so the elements all seem to exist. Have used apachectl startssl and even gone so far as to have mod_ssl load regardless...

Please, I have shaved my head to prevent myself from pulling my hair out one strand at a time...

Re: Apache and SSL

Jordan Bean — Mon, 26 Aug 2002 18:04:15 GMT

Two guesses:

1. It is configured to listen on port 443 whether or not mod_ssl is actually loaded.

2. mod_ssl is loading, but the virtualhost is not configured.

Check the error_log to verify that mod_ssl is loading when httpd is invoked.

Also ensure in httpd.conf that mod_ssl.c is marked for loading if it a DSO library:

LoadModule mod_ssl.c modules/mod_ssl.so

And also ensure that all SSL config directives are processed only if mod_ssl is loaded:

Listen 443

...

Re: Apache and SSL

Brent Wiley — Mon, 26 Aug 2002 21:48:54 GMT

Jordan,

Thanks for the help. Took your advice to heart and re-encapsulated all the SSL directives in containers. Started a new error log file and nothing comes up in the error log except:

[Mon Aug 26 15:52:06 2002] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 26 15:52:07 2002] [notice] Digest: done

Can I assume this to mean all is well with mod_ssl? Admittedly, my experience with HP-UX is only what I have inherited lately. Would yourself or anyone else be willing to part with an all ready existing HP httpd.conf that is configured for SSL that I could swap out to test against? Or better yet, know of any decently detailed step by step beyond the hp_apache_docs?

Thanks again.

Re: Apache and SSL

Jordan Bean — Mon, 26 Aug 2002 22:19:09 GMT

I was looking for an error_log entry similar to this:

[Mon Aug 26 05:00:03 2002] [notice] Apache/2.0.40 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g configured -- resuming normal operations

The Digest entries may refer to mod_auth_digest.

I'd also like to know if mod_ssl is static or dynamic... httpd -l will tell.

If dynamic:
$ ./httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

If static:
$ ./httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
mod_ssl.c

At this time I do not have mod_ssl built for Apache 2.0.40, but only for 1.3.

I'd also take another look at the httpd.conf and ssl.conf to see if the SSL macro is expected. If so, the SSL configuration sections will be wrapped between:

and

If this is so, try to determine if httpd is being invoked with -DSSL. Perhaps it needs to be added in /etc/rc.config.d/apache or /etc/rc.config.d/httpd (assuming the bundle provides the appropriate startup scripts). I generally just replace all use of the SSL macro with the because I like to control the use of modules strictly from the httpd.conf file.

Re: Apache and SSL

oiram — Tue, 27 Aug 2002 07:52:32 GMT

Hi Brent,

Could you post your httpd.conf file as it is now?

Regards.

Re: Apache and SSL

Brent Wiley — Tue, 27 Aug 2002 11:36:19 GMT

Jordan,

Thanks for bearing with me- I don't have access to the machine all the time so as yet am unable to perform the dynamic/static check. I did get this line from the new error log after start up:

[Mon Aug 26 15:52:07 2002] [notice] HP Apache-based Web Server/2.0.32 configured -- resuming normal operations

Originally the SSL macro was expected, but I removed the containers as I want SSL to start regardless every time without having to specifically use the startssl command parameter

Oiram,

I've included the httpd.conf file. Very interested to know what you think.

As soon as I figure out how to make the points I assign stick, you'll have a few more... thanks to you both

Brent

Re: Apache and SSL

oiram — Tue, 27 Aug 2002 13:52:01 GMT

Hi Brent,

I??d modify the lines in which the mod_ssl module is loaded:

LoadModule ssl_module /opt/hpapache2/modules/libssl.so

*note the absolute path

If this don??t solve the problem could you check that the symptoms are the same(you can connect to port 443 using http but not https)

Have you tried to run tusc over the start script(with the -f option to trace childs).

Regards.

Re: Apache and SSL

Jordan Bean — Tue, 27 Aug 2002 17:07:03 GMT

Brent,

I just took another look at our internal server... We have mod_ssl statically linked. Perhaps this is why I would expect it to show up in the "resuming normal operations" entry in error_log. As I think about it, none of the other dynamically loaded modules are reported. So I'll bet mod_ssl is loading unless you see new errors in the log suggesting that there is a problem with it.

I forgot that the mod_ssl logs to another file. Look for ssl_engine_log for more clues.

Your conf looks okay, but I question the use of two VirtualHosts on 192.168.50.201:80. They appear to be identical. Would it make more sense to include ServerAlias mphlab in the first one? Correct me if I'm wrong, but does Apache stop processing VirtualHosts when it runs into a problem? Perhaps the SSL vhost is not being initialized.

Re: Apache and SSL

Brent Wiley — Tue, 27 Aug 2002 18:11:57 GMT

Oiram,

Is it necessary to use the container? meaning that if I don't encapsulate the module it should load every time? Or does the module itself require the SSL environment variable created by starting Apache using *startssl* parameter?

Sorry, i'm not familiar with tusc and tracing events that way...? Would love to learn though ;) My one HP-UX reference makes no mention of it.

Jordan,

Good thought on the ServerAlias... Removed the mphlab VH and then stopped restarted Apache. Upon restart I tried to connect and had the same problem, but found this in the log:

[Tue Aug 27 13:33:45 2002] [error] [client 24.242.163.50] Invalid method in request ???L
[Tue Aug 27 13:33:45 2002] [error] [client 24.242.163.50] Invalid method in request ???L

Another (potentially)interesting tidbit is that neither Netscape 6 nor IE 6 do anything but the behavior described above, but Netscape 4.7 throws a 'Connection refused' error dialog...?

Thanks to you and Oiram I feel pretty confident about my configuration file not being the cause. I am waiting to hear from the sys admin as to whether i'll be granted telnet access so i can run some of the debugging suggestions previously mentioned.

Again, thanks again.

Re: Apache and SSL

Jordan Bean — Tue, 27 Aug 2002 18:55:28 GMT

I need to retract or amend what I wrote about dynamic modules not being identified on the startup entry in the error_log. I just installed mod_perl as a DSO using APXS and it shows up:

Apache/2.0.40 mod_perl/1.99_05 Perl/5.8.0 -- resuming normal operations...

I think that the core modules are not reported.

I'll examine your conf file again.

Re: Apache and SSL

Jordan Bean — Tue, 27 Aug 2002 19:08:10 GMT

I'm still not sure if your vhosts are sufficiently defined... Try this:

NameVirtualHost 192.168.50.201:80

NameVirtualHost 192.168.50.201:443

...

...

rather than using _default_:443.

Re: Apache and SSL

Jordan Bean — Tue, 27 Aug 2002 19:14:36 GMT

Attached is our httpd.conf with two sites in four vhosts (two http, two https).

Re: Apache and SSL

Brent Wiley — Tue, 27 Aug 2002 20:40:08 GMT

Thanks Jordan. I've just found out the sys admin isn't going to allow me telnet access to the site, so i'll have to be on location to do any of the command line debugging. Appreciate the reference httpd.conf file- didn't think it was necessary to specify anything more than the IP for the NameVirtualHost directive, but it certainly doesn't hurt to be specific. I've got a little BSD box i'm going to rework tonight and see how well my config works on that.

Thanks for all the help.

-Brent

Re: Apache and SSL

Brent Wiley — Wed, 28 Aug 2002 21:50:00 GMT

Well, thought I would follow up as to how this finished out. It was the virtual host container that wasn't configured sufficiently using the catch all '_default_:443'

Needed to explicitly state:

NameVirtualHost [address:port]

for each of the normal and secure server sites.

Anyway, many thanks to both of you for the help on, in retrospect, what was better suited for an Apache forum.