Setting up https with a self-signed certificate on Apache
I'm trying to set up HTTPS on Apache, using a self-signed certificate. But instead of displaying the page, I get a bunch of weird errors. And a different error from each browser!
From Chrome:
Error 2 (net::ERR_FAILED): Unknown error.
From Firefox:
SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
I followed the steps detailed on http://slacksite.com/apache/certificate.php, as well as about 4 other guides. They are all about the same, but all give the same result. So I must be doing something wrong.
Briefly, here's what I did:
- Generate the server key:

  openssl genrsa -des3 -out server.key 1024

- Generate CSR:

  openssl req -new -key server.key -out server.csr

  [while generating the request, I was careful to enter my actual hostname as the "Common Name (eg, your name or your server's hostname)"]

- Remove password from key:

  cp server.key server.key.org
  openssl rsa -in server.key.org -out server.key

- Self-sign the certificate:

  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Configured Apache to point at those files and use those certificates.
Any ideas?
UPDATE: Here's my virtual host configuration:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
## Virtual host to redirect to HTTPS
<VirtualHost *:80>
ServerName mail.craimer.org
Redirect permanent / https://mail.craimer.org:443
</VirtualHost>
##
## SSL Virtual Host Context
##
<VirtualHost mail.craimer.org:443>
ServerName mail.craimer.org
DocumentRoot "/usr/share/roundcubemail/trunk/roundcubemail/"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# Deal with broken MSIE
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
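The four openssl steps above, collapsed into one command and then checked the way Apache (at startup) and a browser (at connect time) will check the result. This is an added example, not code from the question or the guide it links; it assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH, and make_self_signed, key_matches_cert, handshake_ok and build_and_verify are hypothetical names. It goes beyond the question's steps by adding a subjectAltName and by proving the key/certificate pair works before httpd.conf is pointed at it.

```python
"""Added example (not code from the question or the linked guide): generate a
self-signed certificate for a hostname and verify it the way Apache and a
browser will, before touching httpd.conf. Assumes the openssl CLI (1.1.1 or
newer, for -addext) is on PATH; function names are hypothetical."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(hostname, outdir, days=365):
    """Key and certificate in one openssl call. -nodes leaves the key unencrypted,
    which replaces the cp / openssl rsa "remove password" step, and the
    subjectAltName is what browsers actually match against the hostname.
    Returns (key_path, cert_path), or None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    key = os.path.join(outdir, "server.key")
    crt = os.path.join(outdir, "server.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-days", str(days), "-keyout", key, "-out", crt,
         "-subj", "/CN=" + hostname,
         "-addext", "subjectAltName=DNS:" + hostname],
        check=True, capture_output=True)
    return key, crt


def key_matches_cert(key, crt):
    """Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile
    belong to different keys; load_cert_chain raises SSLError in the same case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(crt, key)
    except ssl.SSLError:
        return False
    return True


def handshake_ok(key, crt, hostname):
    """One TLS handshake over loopback: the server presents the pair, the client
    trusts only server.crt and checks the hostname, as a browser does once the
    certificate has been imported."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def serve_one():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
                outcome["server"] = True
        except (ssl.SSLError, OSError):
            outcome["server"] = False

    worker = threading.Thread(target=serve_one)
    worker.start()
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check is on by default
    client_ctx.load_verify_locations(cafile=crt)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.send(b"x")
                outcome["client"] = True
    except ssl.SSLCertVerificationError:
        outcome["client"] = False
    worker.join()
    listener.close()
    return outcome.get("client") is True and outcome.get("server") is True


def build_and_verify(hostname):
    """Run the whole check in a temp dir. Returns None without openssl, else a
    dict: the pair loads, an unrelated key is rejected, the handshake verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        made = make_self_signed(hostname, tmp)
        if made is None:
            return None
        key, crt = made
        other_key = os.path.join(tmp, "other.key")  # unrelated key, for the mismatch case
        subprocess.run(["openssl", "genrsa", "-out", other_key, "2048"],
                       check=True, capture_output=True)
        return {
            "pair_ok": key_matches_cert(key, crt),
            "mismatch_detected": not key_matches_cert(other_key, crt),
            "handshake_ok": handshake_ok(key, crt, hostname),
        }


if __name__ == "__main__":
    print(build_and_verify("www.example.test"))  # constructed hostname
```

The key_matches_cert check is the same one mod_ssl performs when it loads SSLCertificateFile and SSLCertificateKeyFile, so a False there means Apache will fail to start rather than serve the wrong certificate; handshake_ok fails if the hostname given to the client does not appear in the certificate, which is what a browser checks after the warning has been accepted.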
The issue is more likely to lie with your vhost configuration.
The ssl_error_rx_record_too_long error can be produced by initiating an HTTPS session against an HTTP resource, such as https://host.name:80.
The approach I've used in the past is slightly different to the one you detailed. The instructions below were originally detailed in this post I found whilst looking at how to set up SSL: Step by Step Installation Of Subversion Over Apache/SSL Authenticating through Active Directory (SSPI)
To summarise:
- Under apache\bin create openssl.conf and set its contents as follows:

  [ v3_ca ]
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer:always
  basicConstraints = CA:true

  [ req ]
  default_bits = 1024
  default_keyfile = server.key
  distinguished_name = req_distinguished_name
  attributes = req_attributes
  x509_extensions = v3_ca
  string_mask = nombstr

  [ req_distinguished_name ]
  commonName = Common Name
  commonName_default = My Server Name

  [ req_attributes ]

- Open a command prompt, navigate to apache\bin and run the following command:

  openssl req -config openssl.conf -new -out server.csr

  When prompted, enter a pass phrase and then enter it a second time to verify.
  You will then be prompted to enter a Common Name [My Server Name]. Enter the name of the machine.

- Next remove the passphrase from the private key with the following command (note this may give a warning about not being able to find openssl.conf - this can be ignored):

  openssl rsa -in server.key -out server.key

  Enter the previously used passphrase when prompted.

- Next create the self-signed certificate with the following command:

  openssl x509 -in server.csr -out server.cert -req -signkey server.key -days 365

  Delete the server.csr file from the apache\bin folder.
  Copy the server.key and server.cert files from the apache\bin folder to the apache\conf folder.
  Open apache\conf\httpd.conf in a text editor.

- Change the listen port directive (which will probably be either Listen 80 or Listen 8080) to port 443:

  Listen 443

- Change the ServerName directive to include port 443 (note this may be commented out, so remove the # at the start of the line if it is, and replace server with your server name):

  ServerName server:443

- Uncomment or add the load module directive for mod_ssl (this should be present and commented, so remove the # at the start of the line):

  LoadModule ssl_module modules/mod_ssl.so

- Add an IfModule section for mod_ssl (this shouldn't already be there, but if it is, overwrite it):

  <IfModule mod_ssl.c>
  SSLEngine on
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLPassPhraseDialog builtin
  SSLSessionCache dbm:logs/ssl_scache
  SSLSessionCacheTimeout 300
  SSLMutex default
  SSLCertificateFile conf\server.cert
  SSLCertificateKeyFile conf\server.key
  </IfModule>

Restart the Apache service. Test the configuration by attempting (and failing) to connect via http, and attempting (and succeeding) to connect via https.
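To see concretely why a plain-HTTP listener produces ssl_error_rx_record_too_long, here is an added example (not from the answer above or the post it links) that decodes the first bytes of a server's reply the way a TLS client does, and reproduces the condition on loopback with a constructed server that answers "HTTP/1.1 400 Bad Request" to anything it receives, as an http-only vhost does when a ClientHello arrives. decode_record_header, diagnose and https_against_http_port are hypothetical names; the 400 reply is constructed.

```python
"""Added example, not part of the original answer: what a TLS client sees when
it sends a ClientHello to a port that is actually serving plain HTTP, which is
the condition behind Firefox's ssl_error_rx_record_too_long. The server below
is a constructed stand-in for an http-only vhost answering 400; names are
hypothetical."""
import socket
import ssl
import threading

# Largest ciphertext record a TLS 1.0-1.2 client accepts: 2^14 bytes of plaintext
# plus 2048 bytes of expansion (RFC 5246 section 6.2.3). Bigger is "record too long".
TLS_MAX_RECORD = 2 ** 14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def decode_record_header(data):
    """Read the first five bytes exactly as a TLS client does: type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    length = int.from_bytes(data[3:5], "big")
    return {
        "type": CONTENT_TYPES.get(data[0], "unknown(%d)" % data[0]),
        "version": (data[1], data[2]),
        "length": length,
        "too_long": length > TLS_MAX_RECORD,
        "looks_like_http": data.startswith(b"HTTP/"),
    }


def diagnose(first_bytes):
    """Turn the header fields into the check a practitioner wants: is this port
    speaking TLS at all, or is a plain-HTTP vhost answering on it?"""
    h = decode_record_header(first_bytes)
    if h["looks_like_http"]:
        return "plain HTTP answered on the HTTPS port (SSLEngine off, or https:// sent to the :80 vhost)"
    if h["version"][0] != 3 or h["type"].startswith("unknown"):
        return "not a TLS record"
    if h["too_long"]:
        return "TLS record length %d exceeds %d" % (h["length"], TLS_MAX_RECORD)
    return "TLS %s record, %d bytes" % (h["type"], h["length"])


def https_against_http_port():
    """Loopback reproduction: a socket that answers every request with a plain
    'HTTP/1.1 400 Bad Request' (constructed), then a TLS client connecting to it.
    Returns the diagnosis of the reply and the client's OpenSSL error reason."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    reply = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

    def answer_in_plain_http():
        conn, _ = listener.accept()
        conn.recv(4096)  # the ClientHello, which this server cannot parse
        conn.sendall(reply)
        conn.close()

    worker = threading.Thread(target=answer_in_plain_http)
    worker.start()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # irrelevant here: the failure happens before any certificate
    try:
        with socket.create_connection(listener.getsockname()) as raw:
            ctx.wrap_socket(raw, server_hostname="localhost")
        reason = "handshake completed"
    except (ssl.SSLError, OSError) as exc:
        reason = getattr(exc, "reason", None) or str(exc)
    worker.join()
    listener.close()
    return {"diagnosis": diagnose(reply), "client_error": reason}


if __name__ == "__main__":
    print(decode_record_header(b"HTTP/1.1 400 Bad Request"))
    print(https_against_http_port())
```

The ASCII bytes "HTTP/" read as record type 0x48, version 0x5454 and length 0x502F = 20527, above the 18432-byte limit, which is exactly the message Firefox prints. OpenSSL-based clients (curl, openssl s_client) test the version byte before the length and report the same condition as "wrong version number"; either way, the fix is on the server side, making sure the vhost answering on 443 has SSLEngine on and that the https:// URL is not being sent to the port 80 vhost.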