Can't start httpd 2.4.9 with self-signed SSL certificate


The issue seems to be with the certificate you've generated. It looks like you've forgotten or skipped some steps. I think you've specified a passphrase for the certificate and Apache is unable to locate it. The passphrase could be specified through SSLPassPhraseDialog, which is missing in your configuration file.

Alternatively, you could avoid the passphrase by stripping it from the key while generating the certificate. I have successfully generated a self-signed certificate by following the steps at http://www.akadia.com/services/ssh_test_certificate.html

I would suggest regenerating the certificate using the instructions at the above link and testing it again.
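As an added example, not code from the answer above or from the original question: a POSIX shell script that generates the passphrase-less key and certificate pair the answer recommends (using the one-step openssl req -new -x509 -nodes form mentioned in the comments) and then checks the two files the way mod_ssl's startup errors call for: that SSLCertificateFile starts with a CERTIFICATE block (DH or EC parameters, if appended as in the question, must come after it), that the key file holds a single unencrypted private key, and that the key actually belongs to the certificate. The output directory, the CN 192.168.9.128 and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the answer or the original question.
# Generates the passphrase-less key/certificate pair the answer recommends
# (the one-step "openssl req -new -x509 -nodes" form mentioned in the
# comments) and then runs the file-level checks that mod_ssl's
# "PEM_read_bio:no start line" / "no certificate assigned" errors call for.
# Assumptions: an OpenSSL 1.0.x-or-later CLI on PATH; the output directory
# and the CN are placeholders chosen for this example.

# Key and self-signed certificate in one step; -nodes leaves the key
# unencrypted so httpd can start unattended (no SSLPassPhraseDialog prompt).
gen_selfsigned() {
    dir=$1; cn=$2
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" \
        2>/dev/null
}

# List the PEM block labels in a file, one per line, in file order
# (e.g. CERTIFICATE, PRIVATE KEY, DH PARAMETERS).
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# SSLCertificateFile must open with the server (leaf) certificate; extra
# blocks such as DH PARAMETERS or EC PARAMETERS may only follow it.
cert_file_ok() {
    [ "$(pem_blocks "$1" | head -n 1)" = "CERTIFICATE" ]
}

# SSLCertificateKeyFile must hold exactly one private key and it must not
# be encrypted: neither a legacy "Proc-Type: 4,ENCRYPTED" header nor a
# PKCS#8 "ENCRYPTED PRIVATE KEY" block, both of which need a passphrase.
key_is_unencrypted() {
    n=$(pem_blocks "$1" | grep -c 'PRIVATE KEY$' || true)
    [ "$n" -eq 1 ] || return 1
    if grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        return 1
    fi
    return 0
}

# The certificate's public key must be the one belonging to the private
# key; compare the two SubjectPublicKeyInfo encodings as PEM text.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cpub" ] && [ -n "$kpub" ] && [ "$cpub" = "$kpub" ]
}

# Run all three checks on a pair; one verdict line per check, non-zero
# exit status if any check failed.
check_pair() {
    crt=$1; key=$2; rc=0
    cert_file_ok "$crt"            && echo "ok:   $crt starts with CERTIFICATE" \
                                   || { echo "FAIL: $crt does not start with CERTIFICATE"; rc=1; }
    key_is_unencrypted "$key"      && echo "ok:   $key is a single unencrypted private key" \
                                   || { echo "FAIL: $key is missing, encrypted or not a single key"; rc=1; }
    key_matches_cert "$crt" "$key" && echo "ok:   key matches certificate" \
                                   || { echo "FAIL: key does not match certificate"; rc=1; }
    return $rc
}

# Stand-alone demo (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    gen_selfsigned "$out" 192.168.9.128
    echo "server.crt blocks: $(pem_blocks "$out/server.crt" | tr '\n' ',')"
    echo "server.key blocks: $(pem_blocks "$out/server.key" | tr '\n' ',')"
    check_pair "$out/server.crt" "$out/server.key"
fi
```

Run it as-is to see the verdicts for a freshly generated pair, or call check_pair with the SSLCertificateFile and SSLCertificateKeyFile paths from httpd-ssl.conf to inspect an existing one. A key that was generated with a passphrase shows up as the "encrypted" failure, which is the case the answer describes; a cert file that has DH or EC parameters prepended instead of appended shows up as the first failure.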

Author: Sergey Shcherbakov

Updated on September 18, 2022

Comments

  • Sergey Shcherbakov, almost 2 years ago

    I cannot start the httpd 2.4.9 (tried 2.4.x too) on CentOS 6.5 with the simplest SSL config possible. The openssl version installed on the machine is OpenSSL 1.0.1e-fips 11 Feb 2013 (I've upgraded it using 'yum update' to the latest patched version as well)

    I have compiled and installed the httpd 2.4.9 using the following commands:

    ./configure --enable-ssl --with-ssl=/usr/local/ssl/ --enable-proxy=shared --enable-proxy_wstunnel=shared --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
    make
    make install
    

    Now I'm generating the default self-signed certificate as described in the CentOS HowTo:

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    cp server.crt /usr/local/apache2/conf
    cp server.key /usr/local/apache2/conf
    cp server.csr /usr/local/apache2/conf
    

    Here is my httpd-ssl.conf file:

    Listen 443
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLPassPhraseDialog  builtin
    SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    <VirtualHost *:443>
        DocumentRoot "/usr/local/apache2/htdocs"
        ServerName 192.168.9.128
        ServerAdmin [email protected]
        ErrorLog "/usr/local/apache2/logs/error_log"
        TransferLog "/usr/local/apache2/logs/access_log"
        SSLEngine on
        SSLCertificateFile "/usr/local/apache2/conf/server.crt"
        SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
        CustomLog "/usr/local/apache2/logs/ssl_request_log" \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    

    When I start httpd using bin/apachectl -k start I get the following errors in the error_log:

    [Wed Jun 04 00:29:27.995654 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01887: Init: Initializing (virtual) servers for SSL
    [Wed Jun 04 00:29:27.995726 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:29:27.995863 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:29:27.996111 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
    [Wed Jun 04 00:29:27.996122 2014] [ssl:info] [pid 24021:tid 139640404293376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
    [Wed Jun 04 00:29:27.996209 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:29:27.996280 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:29:27.996295 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
    [Wed Jun 04 00:29:27.996303 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Jun 04 00:29:27.996308 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Jun 04 00:29:27.996318 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    [Wed Jun 04 00:29:27.996321 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed
    

    I then try to generate the missing DH PARAMETERS and EC PARAMETERS:

    openssl dhparam -outform PEM -out dhparam.pem 2048
    openssl ecparam -out ec_param.pem -name prime256v1
    cat dhparam.pem ec_param.pem >> /usr/local/apache2/conf/server.crt
    

    And that mitigates the error, but the next one comes out:

    [Wed Jun 04 00:34:05.021438 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01887: Init: Initializing (virtual) servers for SSL
    [Wed Jun 04 00:34:05.021487 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:34:05.021874 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:34:05.022050 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun  3 22:26:45 2014 GMT / notafter: Jun  3 22:26:45 2015 GMT]
    [Wed Jun 04 00:34:05.022066 2014] [ssl:info] [pid 24089:tid 140719371077376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
    [Wed Jun 04 00:34:05.022285 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /usr/local/apache2/conf/server.crt
    [Wed Jun 04 00:34:05.022389 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /usr/local/apache2/conf/server.crt
    [Wed Jun 04 00:34:05.022397 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:34:05.022464 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:34:05.022478 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
    [Wed Jun 04 00:34:05.022488 2014] [ssl:emerg] [pid 24089:tid 140719371077376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    [Wed Jun 04 00:34:05.022491 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed
    

    I have tried to generate the simple certificate/key pair exactly as described in the httpd docs. Unfortunately, I still get the exact same errors as above.

    I've seen a bug report with a similar issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=56410 But the openssl version I have is reported as working there. I've also tried to apply the patch from the report as well as to build the latest 2.4.x branch, with no success; I get the same errors as above.

    I have also tried to create a short chain of certificates and set the root CA certificate using the SSLCertificateChainFile directive. That didn't help either; I get the exact same errors as above.

    I'm not interested in setting up hardened security, etc. The only thing I need is to start httpd with the simplest SSL config possible so I can continue testing the proxy config for mod_proxy_wstunnel.

    Has anybody encountered and solved this issue?

    Is my sequence for creating a self-signed certificate incorrect?

    I'd appreciate any help very much!

    PS: Updated the initial httpd-ssl.conf to reflect the correct state as I was testing.

  • Sergey Shcherbakov, about 10 years ago
    Thank you for the advice! Unfortunately, I'm seeing exactly the same errors (missing DH/EC parameters first, "no certificate assigned" after the parameters are appended to server.crt).
  • Sergey Shcherbakov, about 10 years ago
    I think I've mitigated that by using 'yum update'. The "real" openssl version on my system is now openssl-1.0.1e-16.el6_5.7.x86_64, which is a version patched against Heartbleed.
  • Sergey Shcherbakov, about 10 years ago
    Thanks for your comments! The SSLPassPhraseDialog is present in my config (see the original message). I've followed the steps in your article and still get the same errors as above. I don't think that your steps are much different from those specified on the CentOS HowTo and httpd docs pages (except that there is a shorter way to generate a passwordless certificate and key: openssl req -new -x509 -nodes -out server.crt -keyout server.key -days 365). I've also tried to use a password-protected key. httpd asks for it on startup as expected and fails with the same error afterwards :(