Apache failed to start (no errors) after first time SSL config. Do I need different command/passcode?
Ok, found the answer. All my fault.
Turns out I had created a key file a few months ago and never used it. But then mistakenly copied that one to be used by the web server. So basically had the wrong file. Dumb dumb.
Also missed the original error (see my Update above) in one of my log files which would have put me on the right track to begin with.
Server is up now and ssl is working.
Fraggle
Updated on September 18, 2022
Comments
-
Fraggle almost 2 years
I'm setting up SSL for the first time.
I edited my config files in sites-enabled and ran apache2ctl configtest. Got back Syntax OK. I then ran apache2ctl graceful. There weren't any errors or anything, and I was returned to the prompt. However the site was down after running this, so I quickly put back the old config files and restarted.
If my syntax was okay, why didn't Apache restart? Do I need to do apache2ctl stop/apache2ctl start instead of the graceful command? Will I be asked to enter the passphrase for my key file?
Configuration changes made:
Changed NameVirtualHost * to NameVirtualHost *:80 and added line for NameVirtualHost *:443
Changed all VirtualHost * lines to VirtualHost *:80
Added VirtualHost section for the site that I want to have SSL available and made that section VirtualHost *:443
Added these lines to the new VirtualHost:
SSLEngine On
SSLCertificateFile pathtocert
SSLCertificateKeyFile pathtokey
SSLCertificateChainFile pathtochainfile
UPDATE 8th July: After checking additional log files I finally found a smoking gun:
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
So at least something else to go on.
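The key values mismatch error above, and the wrong key file described in the answer, can be caught before Apache is touched by comparing the public key inside the certificate with the one derived from the private key. The script below is an added example, not part of the original post; the function names cert_matches_key and reload_if_pair_matches are hypothetical, and the certificate and key paths are passed as arguments.

```shell
#!/bin/sh
# Added example: confirm that a certificate and a private key belong together
# before asking Apache to reload. Function names are hypothetical.

# cert_matches_key CERT KEY
# Returns 0 if the public key in CERT equals the public key derived from KEY,
# 1 if they differ, 2 if either file cannot be read or parsed.
cert_matches_key() {
    cert=$1
    key=$2
    # Public key embedded in the certificate, normalised to PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -pubout) || return 2
    # Public key derived from the private key
    # (openssl prompts here if the key file is passphrase-protected).
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# reload_if_pair_matches CERT KEY
# Runs the two apache2ctl commands from the question only when the pair matches.
reload_if_pair_matches() {
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing to reload: $1 and $2 are not a usable pair" >&2
        return 1
    fi
    apache2ctl configtest && apache2ctl graceful
}

# Stand-alone use: sh thisscript CERT KEY
if [ "$#" -eq 2 ]; then
    reload_if_pair_matches "$1" "$2"
fi
```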
-
James T Snell almost 13 years
Note that "NameVirtualHost *:443" is deceptive. That doesn't ACTUALLY work. It seems to, but it doesn't. The hostname is encrypted with the HTTP traffic, so Apache can't know what ssl certs to apply to correctly decrypt virtual host traffic on a single IP over ssl. As for your specific problem, I dunno, I've had this before, solved it by reading docs, don't recall a particularly helpful suggestion.
-
user1686 almost 13 years
@ThouArtNotDoc: What you're saying was correct several years ago, but nowadays major web browsers support TLS SNI allowing to use virtual hosts over SSL.
-
James T Snell almost 13 years
@grawity - sadly, we still get some traffic on IE6. I know.. I know.. It should be punished by mandatory rides through a woodchipper.. Anyway, thanks for pointing that out.. I recently learned about Google Chrome Frame, which may be a good enough fix for me to finally adopt TLS SNI. Much thanks.