linux.debian.user debian-user@lists.debian.org.

apache+ssl

05/06/2007, 02h00   #1
Tom Allison

Tom Allison wrote:
>
> OK, at one point in my life I had something working for a very brief
> period that looked like https.
> Unfortunately after a few days... it stopped. Never got it working
> again...


I've found a number of mailing lists in search engines that talk about

openssl s_client -connect localhost:443 -state -debug -showcerts
connect: Connection refused
connect:errno=29

as being a pretty consistent problem with the configuration. But I can't find
any thread where it's actually been resolved or the errno even clarified.

I'm really frustrated with this SSL stuff, is this like a state secret or something?

I've tried rebuilding keys using every possible combination I can find for doing
it. The latest was
openssl req -new -x509 -nodes -out server.crt -keyout server.key
taken straight from the apache2.2 site.

I'm stuck. How do you get SSL to work?

I did have this under apache 1 years ago.

How do you do it under Apache 2.2?

I created the keys as mentioned above.
I enabled ssl.conf
I added to http.conf the following:
SSLEngine on

and found that even though it was listed in ssl.conf I also had to include the
Directives for the CertificateFile, CertificateKeyFile, Cache and that would at
least allow it to start, but not serve a page.

Also tried moving all the SSL directives into the <VirtualHost *> Directive and
that also started but did nothing.

I did find that this is mentioned in a bug (267477 -- unclassified). Is this
all I have to work with under Debian? A bug that confirms my experience of:

ssl.conf is insufficient to get anything running.
There's no other mention of how to do it.
Maybe if you hack the shit out of apache2.conf and your virtual hosts you might,
but who knows what you'll be left with.

Or has the decision been made to relegate SSL to only the most uber elite of the
hackerz? I'm frustrated more than I've been in years and I'm even more
frustrated that I've been unable to find anyone who is willing to share any
success. Like I said, it seems to be a state secret.

HOWTO? Anyone have a HOWTO that actually works?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
05/06/2007, 05h00   #2
Andrew Sackville-West

On Mon, Jun 04, 2007 at 07:50:14PM -0400, Tom Allison wrote:
> Tom Allison wrote:
> >
> >OK, at one point in my life I had something working for a very brief
> >period that looked like https.
> >Unfortunately after a few days... it stopped. Never got it working
> >again...

>
> I've found a number of mailing lists in search engines that talk about
>
> openssl s_client -connect localhost:443 -state -debug -showcerts
> connect: Connection refused
> connect:errno=29


I only get that error when I do

openssl s_client

As soon as I put in the -connect localhost:443 part, it connects. And
I get various bits of output (including some errors). I don't really
know about this, so I don't know how to interpret that except that
perhaps you are not listening on 443? I also get that error if I try
to connect to a port that I know is not listening, so I think that
might be the problem (simple as it may be...).

>
> I'm really frustrated with this SSL stuff, is this like a state secret or
> something?


probably

>
> I've tried rebuilding keys using every possible combination I can find for
> doing it. The latest was
> openssl req -new -x509 -nodes -out server.crt -keyout server.key
> taken straight from the apache2.2 site.
>
> I'm stuck. How do you get SSL to work?
>
> I did have this under apache 1 years ago.
>
> How do you do it under Apache 2.2?
>
> I created the keys as mentioned above.
> I enabled ssl.conf
> I added to http.conf the following:
> SSLEngine on
>


FWIW, this is what is in my /etc/apache2.2/sites-available/default
that might be pertinent. Note that I made the key and cert using a
multi-step procedure that I can't find right now...


NameVirtualHost 192.168.2.3:80
NameVirtualHost 192.168.2.3:443

<VirtualHost 192.168.2.3:443>
...
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
DocumentRoot /var/www/
...
</VirtualHost>



> and found that even though it was listed in ssl.conf I also had to include
> the Directives for the CertificateFile, CertificateKeyFile, Cache and that
> would at least allow it to start, but not serve a page.
>
> Also tried moving all the SSL directives into the <VirtualHost *> Directive
> and that also started but did nothing.
>
>
>
> HOWTO? Anyone have a HOWTO that actually works?


how about this one?


http://www.debian-administration.org/articles/349

it includes a few links to some other stuff as well.

hth

A

05/06/2007, 20h10   #3
Andrew Sackville-West

back on the list.

On Tue, Jun 05, 2007 at 06:57:43AM -0400, Tom Allison wrote:
> Your link did the trick.
> Thank you.
> I wasn't aware that SSLEngine on needed to be in the VirtualHost
> directive.



It's always the little things.

> Not what I would have guessed. SSLRequire maybe.
>
>
> (I never did find an apache2-ssl-certificate script)


that may be written for sarge...

A

>
> On Jun 4, 2007, at 10:48 PM, Andrew Sackville-West wrote:
>
> >On Mon, Jun 04, 2007 at 07:50:14PM -0400, Tom Allison wrote:
> >>Tom Allison wrote:
> >>>
> >>>OK, at one point in my life I had something working for a very brief
> >>>period that looked like https.
> >>>Unfortunately after a few days... it stopped. Never got it working
> >>>again...
> >>
> >>I've found a number of mailing lists in search engines that talk
> >>about
> >>
> >>openssl s_client -connect localhost:443 -state -debug -showcerts
> >>connect: Connection refused
> >>connect:errno=29

>
>


05/06/2007, 20h50   #4
Jan-Petter Kruger

Tom Allison wrote:
> Or has the decision been made to relegate SSL to only the most uber
> elite of the hackerz? I'm frustrated more than I've been in years and
> I'm even more frustrated that I've been unable to find anyone who is
> willing to share any success. Like I said, it seems to be a state
> secret.
>
> HOWTO? Anyone have a HOWTO that actually works?

You got me worried for an hour or so with this post. I've had the apache ssl
for etch on my todo list for a while, without having an actual need for it. So
I've postponed the test installation until now. I'm by no means an expert on
this, no über elite. This is just a quick writeup of what I did and what I
accomplished.

(I made a fresh xen domu with etch to do the testing, love xen)

Hostname : wwwtest.example.com
IP : 192.168.1.90

Install apache2

# aptitude install apache2

Open a browser.

http://192.168.1.90

I get the text : It works!

Then I need a certificate. I created the certificate request like this,
specifying wwwtest.example.com as common name when prompted for it

# openssl req -new -days 365 -nodes -out wwwtest_server.pem -keyout private/wwwtest_server_key.pem -config /etc/ssl/openssl.cnf

Then I need the certificate signed, right? I did my own signing

# openssl ca -config /etc/ssl/openssl.cnf -out wwwtest_server_cert.pem -infiles wwwtest_server.pem

Now the certificate is signed, on to apache2

I made a directory to put the certificate and key in

# mkdir /etc/apache2/ssl

I then moved wwwtest_server_cert.pem to /etc/apache2/ssl/server.crt
and moved wwwtest_server_key.pem to /etc/apache2/ssl/server.key

Then I enabled the ssl module

# a2enmod ssl

Need to have apache listen to port 443, so added the line

Listen 443

to /etc/apache2/ports.conf

Then I edited /etc/apache2/sites-enabled/000-default
Deleted the line with NameVirtualHost, not using that now.

Changed <VirtualHost *> to <VirtualHost *:80>

And copied the whole VirtualHost definition, changing <VirtualHost *:80>
to <VirtualHost *:443> on the duplicated definition, giving me two
virtualhost definitions,

<VirtualHost *:80>
..
..
</VirtualHost>

<VirtualHost *:443>
..
..
</VirtualHost>

At the end of the VirtualHost definition for port 443 I entered

<VirtualHost *:443>
..
..
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>

Then restart apache2. Did

netstat -tap

To verify that apache listens to port 443

# /etc/init.d/apache2 restart

https://192.168.1.90/

Depending on the browser different warnings about the CA or hostname may
pop up, but that is no concern at the moment.

I get the text : It works!

Then just to be sure it's still working, I removed the VirtualHost *:80
definition from /etc/apache2/sites-enabled/000-default , leaving only the
ssl virtual host. Restarted apache2 and opened the https url in the browser
again and It Works.

This was only to verify that I could do a basic install of apache2 with ssl.

Maybe this helps you.



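A config check for the layout this thread converged on (Listen 443 plus a :443 VirtualHost that carries SSLEngine on and both certificate directives), added here as an example; it is not part of the post above or of Debian's apache2 package. The function name lint_apache_ssl and both sample configs are constructed for illustration, and Include directives are not followed.

```shell
# Added example: lint Apache config text (files given as arguments, or stdin)
# for the HTTPS pieces discussed in the thread. One finding per line; silent if OK.
lint_apache_ssl() {
    awk '
    { sub(/^[ \t]+/, ""); line = tolower($0) }   # directives are case-insensitive
    line ~ /^listen[ \t]+([^ \t]*:)?443([ \t]|$)/ { listen = 1 }
    line ~ /^<virtualhost[ \t]/ {
        in_vh = 1; is443 = (line ~ /:443[ \t>]/)
        if (is443) seen443 = 1
        engine = cert = key = 0; next
    }
    line ~ /^<\/virtualhost>/ {
        if (in_vh && is443) {
            if (!engine) print "vhost :443 lacks SSLEngine on"
            if (!cert)   print "vhost :443 lacks SSLCertificateFile"
            if (!key)    print "vhost :443 lacks SSLCertificateKeyFile"
        }
        in_vh = 0; next
    }
    in_vh && line ~ /^sslengine[ \t]+on([ \t]|$)/  { engine = 1 }
    in_vh && line ~ /^sslcertificatefile[ \t]/     { cert = 1 }
    in_vh && line ~ /^sslcertificatekeyfile[ \t]/  { key = 1 }
    !in_vh && line ~ /^sslengine[ \t]+on([ \t]|$)/ { print "SSLEngine on is set outside a VirtualHost block" }
    END {
        if (!listen)  print "no Listen 443 directive"
        if (!seen443) print "no <VirtualHost ...:443> block"
    }' "$@"
}

# Constructed sample: SSLEngine in the main config, catch-all vhost, no port 443.
sample_broken() { cat <<'EOF'
Listen 80
SSLEngine on
<VirtualHost *>
</VirtualHost>
EOF
}
# Constructed sample following the layout described in post #4.
sample_working() { cat <<'EOF'
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
EOF
}
echo "broken:"; sample_broken | lint_apache_ssl; echo "working:"; sample_working | lint_apache_ssl
```

On a real host, pass the files in the order Apache reads them, for example ports.conf followed by the enabled site file.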
05/06/2007, 21h30   #5
Andrew Sackville-West

On Tue, Jun 05, 2007 at 08:47:04PM +0200, Jan-Petter Kruger wrote:

[ a lovely how-to for simple apache2 & ssl ]

thanks Jan-Petter. That was a perfect little how-to

A

06/06/2007, 12h20   #6
Tom Allison


On Jun 5, 2007, at 2:47 PM, Jan-Petter Kruger wrote:


This is excellent.

What was not mentioned in any of the docs is the requirement to put
SSLEngine on under the Virtual Host entry. In the majority of
documentation these SSL settings are in the main, general, area of
the configurations and not a part of specific directives. Not much
said to clarify this.

Thanks

