Apache und SSL

[deepinpowder]

Hallo,

ich suche einen "netten" Herren, oder auch Dame, die sich mal meine Apache und SSL Config ansehen können. Ich habe es jetzt schon so lange versucht, aber irgendwo ist dort der Wurm drin.

Vielen Dank

Gruß

[captaincrunch]

Ich würde sagen : hier in diesem Forum hast du genug Herren (von Damen weiß ich bisher nichts ), die diese Aufgabe für ganz umsonst übernehmen würden. Poste doch mal die interessanten Stellen aus der Config ...

[deepinpowder]

Hy,

1. Sorry, eingentlich wollte ich auf antworten clicken, kam aber auf neues Thema, sorry.

Ich fange am besten nochmals GANZ vorne an.

Das hab ich alles

Code: Select all

www1:/etc/httpd/modules # ls -l mod_ssl
-rw-r--r--    1 root     root          153 Aug 23  2001 mod_ssl

Code: Select all

:/usr/lib/apache # ls -l libssl*
-rwxr-xr-x    1 root     root       175000 Oct  9 16:27 libssl.so

Code: Select all

package mod_ssl-2.8.7-110 is  installed

Code: Select all

httpd -l
Compiled-in modules:
  http_core.c
  mod_so.c
suexec: enabled; valid wrapper /usr/sbin/suexec

Auszug aus der /etc/httpd/httpd.conf

Code: Select all

ServerRoot "/usr/local/httpd"

LockFile /var/lock/subsys/httpd/httpd.accept.lock

PidFile /var/run/httpd.pid
ScoreBoardFile /var/run/httpd.scoreboard
Timeout 300
KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 15

MinSpareServers 1
MaxSpareServers 1

StartServers 1

MaxClients 150

MaxRequestsPerChild 0
LoadModule mmap_static_module /usr/lib/apache/mod_mmap_static.so
LoadModule vhost_alias_module /usr/lib/apache/mod_vhost_alias.so
LoadModule env_module         /usr/lib/apache/mod_env.so
LoadModule define_module      /usr/lib/apache/mod_define.so
LoadModule config_log_module  /usr/lib/apache/mod_log_config.so
LoadModule agent_log_module   /usr/lib/apache/mod_log_agent.so
LoadModule referer_log_module /usr/lib/apache/mod_log_referer.so
LoadModule mime_magic_module  /usr/lib/apache/mod_mime_magic.so
LoadModule mime_module        /usr/lib/apache/mod_mime.so
LoadModule negotiation_module /usr/lib/apache/mod_negotiation.so
LoadModule status_module      /usr/lib/apache/mod_status.so
LoadModule info_module        /usr/lib/apache/mod_info.so
LoadModule includes_module    /usr/lib/apache/mod_include.so
LoadModule autoindex_module   /usr/lib/apache/mod_autoindex.so
LoadModule dir_module         /usr/lib/apache/mod_dir.so
LoadModule cgi_module         /usr/lib/apache/mod_cgi.so
LoadModule asis_module        /usr/lib/apache/mod_asis.so
LoadModule imap_module        /usr/lib/apache/mod_imap.so
LoadModule action_module      /usr/lib/apache/mod_actions.so
LoadModule speling_module     /usr/lib/apache/mod_speling.so
# mod_userdir will be included below by SuSEconfig if HTTPD_SEC_PUBLIC_HTML=yes
LoadModule alias_module       /usr/lib/apache/mod_alias.so
LoadModule rewrite_module     /usr/lib/apache/mod_rewrite.so
LoadModule access_module      /usr/lib/apache/mod_access.so
LoadModule auth_module        /usr/lib/apache/mod_auth.so
LoadModule anon_auth_module   /usr/lib/apache/mod_auth_anon.so
LoadModule dbm_auth_module    /usr/lib/apache/mod_auth_dbm.so
LoadModule db_auth_module     /usr/lib/apache/mod_auth_db.so
LoadModule digest_module      /usr/lib/apache/mod_digest.so
LoadModule proxy_module       /usr/lib/apache/libproxy.so
LoadModule cern_meta_module   /usr/lib/apache/mod_cern_meta.so
LoadModule expires_module     /usr/lib/apache/mod_expires.so
LoadModule headers_module     /usr/lib/apache/mod_headers.so
LoadModule usertrack_module   /usr/lib/apache/mod_usertrack.so
LoadModule unique_id_module   /usr/lib/apache/mod_unique_id.so
LoadModule setenvif_module    /usr/lib/apache/mod_setenvif.so
#<IfDefine DUMMYSSL>
LoadModule ssl_module         /usr/lib/apache/libssl.so
#</IfDefine>

Include /etc/httpd/suse_loadmodule.conf

ClearModuleList 
AddModule mod_so.c
AddModule mod_mmap_static.c
AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_define.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
# mod_userdir will be included below by SuSEconfig if HTTPD_SEC_PUBLIC_HTML=yes
AddModule mod_speling.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_dbm.c
AddModule mod_auth_db.c
AddModule mod_digest.c
AddModule mod_proxy.c
AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_unique_id.c
AddModule mod_setenvif.c
<IfDefine DUMMYSSL>
AddModule mod_ssl.c
</IfDefine>

Include /etc/httpd/suse_addmodule.conf

ExtendedStatus On

<IfModule mod_dav.c>
DavLockDB /var/lock/DAVLock
</IfModule>
<IfModule mod_include.c>
XBitHack on
</IfModule>
Port 80

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the 
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

User wwwrun
Group nogroup

DocumentRoot "/usr/local/httpd/htdocs"

<Directory />
#    AuthUserFile  /etc/httpd/passwd
#    AuthGroupFile /etc/httpd/group

#    Options -FollowSymLinks +Multiviews
    AllowOverride AuthConfig

</Directory>

<Directory "/usr/local/httpd/htdocs">

    Options Indexes -FollowSymLinks +Includes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all


	#
	# disable WebDAV by default for security reasons. 
	# 
	<IfModule mod_dav.c>
	DAV Off
	</IfModule>

<Files /usr/local/httpd/htdocs/index.htm*>
	Options -FollowSymLinks +Includes +MultiViews
</Files>
<Files test.php3>
	Order deny,allow
	deny from all
	allow from localhost
</Files>

</Directory>

<IfModule mod_dir.c>
    DirectoryIndex index.html index.php index.htm index.php4 index.php3
</IfModule>

AccessFileName .htaccess

<Files ~ "^.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

UseCanonicalName On

<IfModule mod_mime.c>
    TypesConfig /etc/httpd/mime.types
</IfModule>

DefaultType text/plain

<IfModule mod_mime_magic.c>
    MIMEMagicFile /etc/httpd/magic
</IfModule>

HostnameLookups Off

ErrorLog /var/log/httpd/error_log

LogLevel warn

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog /var/log/httpd/access_log common

ServerSignature On

<Location /cgi-bin>
AllowOverride None
Options +ExecCGI -Includes
SetHandler cgi-script
</Location>

#
# If mod_perl is activated, load configuration information
#
<IfModule mod_perl.c>
Perlrequire /usr/include/apache/modules/perl/startup.perl
PerlModule Apache::Registry

#
# set Apache::Registry Mode for /perl Alias
#
<Location /perl>
SetHandler  perl-script
PerlHandler Apache::Registry
Options ExecCGI
PerlSendHeader On
</Location>

#
# set Apache::PerlRun Mode for /cgi-perl Alias
#
<Location /cgi-perl>
SetHandler  perl-script
PerlHandler Apache::PerlRun
Options ExecCGI
PerlSendHeader On
</Location>

</IfModule>


<IfModule mod_autoindex.c>

    #
    # FancyIndexing is whether you want fancy directory indexing or standard
    #
    IndexOptions FancyIndexing

    #
    # AddIcon* directives tell the server which icon to show for different
    # files or filename extensions.  These are only displayed for
    # FancyIndexed directories.
    #
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*

    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^

    #
    # DefaultIcon is which icon to show for files which do not have an icon
    # explicitly set.
    #
    DefaultIcon /icons/unknown.gif

    #
    # AddDescription allows you to place a short description after a file in
    # server-generated indexes.  These are only displayed for FancyIndexed
    # directories.
    # Format: AddDescription "description" filename
    #
    AddDescription "GZIP compressed document" .gz
    AddDescription "tar archive" .tar
    AddDescription "GZIP compressed tar archive" .tgz

    #
    # ReadmeName is the name of the README file the server will look for by
    # default, and append to directory listings.
    #
    # HeaderName is the name of a file which should be prepended to
    # directory indexes. 
    #
    # If MultiViews are amongst the Options in effect, the server will
    # first look for name.html and include it if found.  If name.html
    # doesn't exist, the server will then look for name.txt and include
    # it as plaintext if found.
    #
    ReadmeName README
    HeaderName HEADER

    #
    # IndexIgnore is a set of filenames which directory indexing should ignore
    # and not include in the listing.  Shell-style wildcarding is permitted.
    #
    IndexIgnore .??* *~ *#   RCS CVS *,v *,t

</IfModule>
    <IfModule mod_php3.c>
    AddType application/x-httpd-php3 .php3
    AddType application/x-httpd-php3-source .phps
    AddType application/x-httpd-php3 .phtml
    </IfModule>

    #
    # PHP 4.x:
    #
    <IfModule mod_php4.c>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php .php4
    AddType application/x-httpd-php-source .phps
    AddType application/x-httpd-php .php3
    </IfModule>
<IfModule mod_perl.c>
<Location /perl-status>
    SetHandler perl-script
    PerlHandler Apache::Status
    order deny,allow
    deny from all
    allow from localhost
</Location>
</IfModule>
</IfDefine>

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:/var/run/ssl_scache(512000)
#SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  file:/var/run/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      /var/log/httpd/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

##
## SSL Virtual Host Context
##

<VirtualHost [IP]:443>

#  General setup for the virtual host
DocumentRoot "/home/www/web1/html/"
ServerName 
ServerAdmin webmaster@
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/ssl.crt
#SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/ssl.crl
#SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ 
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} 
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) 
#           or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ ".(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/httpd/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" 
         nokeepalive ssl-unclean-shutdown 
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log 
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"

</VirtualHost>                                  

</IfDefine>

Include /etc/httpd/suse_include.conf
Include /etc/httpd/mydomains.conf

Code: Select all

rcapache restart
Shutting down httpd                                                  done
Starting httpd [ PERL PHP4 ]                                         done

Code: Select all

apachectl startssl
/usr/sbin/apachectl startssl: httpd could not be started

Das hab ich bis jetzt alles, wo könnte der Fehler sein.

Danke

Gruß

[deepinpowder]

Hy,

hier noch ein Auszug aus dem LOG

Code: Select all

[15/Jan/2003 15:47:54 03172] [info]  Server: Apache/1.3.23, Interface: mod_ssl/2.8.7, Library: OpenSSL/0.9.6c
[15/Jan/2003 15:47:54 03172] [info]  Init: 1st startup round (still not detached)
[15/Jan/2003 15:47:54 03172] [info]  Init: Initializing OpenSSL library
[15/Jan/2003 15:47:54 03172] [info]  Init: Loading certificate & private key of SSL-aware server www1.upmintra.net:443
[15/Jan/2003 15:47:54 03172] [error] Init: Unable to read server certificate from file /etc/httpd/ssl.crt/server.crt (OpenSSL library error follows)
[15/Jan/2003 15:47:54 03172] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
[15/Jan/2003 15:47:58 03192] [info]  Server: Apache/1.3.23, Interface: mod_ssl/2.8.7, Library: OpenSSL/0.9.6c
[15/Jan/2003 15:47:58 03192] [info]  Init: 1st startup round (still not detached)
[15/Jan/2003 15:47:58 03192] [info]  Init: Initializing OpenSSL library
[15/Jan/2003 15:47:58 03192] [info]  Init: Loading certificate & private key of SSL-aware server www1.domain.net:443
[15/Jan/2003 15:47:58 03192] [error] Init: Unable to read server certificate from file /etc/httpd/ssl.crt/server.crt (OpenSSL library error follows)
[15/Jan/2003 15:47:58 03192] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Danke

gruß

[deepinpowder]

Und noch ein Log, nachdem ich die httpd.conf geändert habe

Code: Select all

[15/Jan/2003 15:49:19 03251] [info]  Server: Apache/1.3.23, Interface: mod_ssl/2.8.7, Library: OpenSSL/0.9.6c
[15/Jan/2003 15:49:19 03251] [info]  Init: 1st startup round (still not detached)
[15/Jan/2003 15:49:19 03251] [info]  Init: Initializing OpenSSL library
[15/Jan/2003 15:49:19 03251] [info]  Init: Seeding PRNG with 136 bytes of entropy
[15/Jan/2003 15:49:19 03251] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[15/Jan/2003 15:49:19 03251] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[15/Jan/2003 15:49:20 03252] [info]  Init: 2nd startup round (already detached)
[15/Jan/2003 15:49:20 03252] [info]  Init: Reinitializing OpenSSL library
[15/Jan/2003 15:49:20 03252] [info]  Init: Seeding PRNG with 136 bytes of entropy
[15/Jan/2003 15:49:20 03252] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[15/Jan/2003 15:49:20 03252] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[15/Jan/2003 15:49:20 03252] [info]  Init: Initializing (virtual) servers for SSL
[15/Jan/2003 15:52:14 03356] [info]  Server: Apache/1.3.23, Interface: mod_ssl/2.8.7, Library: OpenSSL/0.9.6c
[15/Jan/2003 15:52:14 03356] [info]  Init: 1st startup round (still not detached)
[15/Jan/2003 15:52:14 03356] [info]  Init: Initializing OpenSSL library
[15/Jan/2003 15:52:14 03356] [info]  Init: Loading certificate & private key of SSL-aware server test.domain.net:443
[15/Jan/2003 15:52:14 03356] [error] Init: Server test.domain.net:443 should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

[sascha]

Hi,

ich hab dir hier mal meine (gekürzte) httpd.conf hochgeladen. Den SSL Part solltest du mit deinem vergleichen. Außerdem könnte es helfen mal ein anderes Zertifikat zu erstellen. Eine Anleitung dazu gibt es in unseren FAQs.

http://217.160.92.19/~rootforum/stuff/httpd.conf

[deepinpowder]

Hy,

Danke für die Hilfe.

Also, im ssl_engine_log habe ich jetzt keinen Fehler mehr

Code: Select all

[16/Jan/2003 13:40:56 10123] [info]  Server: Apache/1.3.23, Interface: mod_ssl/2.8.7, Library: OpenSSL/0.9.6c
[16/Jan/2003 13:40:56 10123] [info]  Init: 1st startup round (still not detached)
[16/Jan/2003 13:40:56 10123] [info]  Init: Initializing OpenSSL library
[16/Jan/2003 13:40:56 10123] [info]  Init: Loading certificate & private key of SSL-aware server test.domain.net:443
[16/Jan/2003 13:40:56 10123] [info]  Init: Seeding PRNG with 136 bytes of entropy
[16/Jan/2003 13:40:56 10123] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[16/Jan/2003 13:40:56 10123] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[16/Jan/2003 13:40:57 10124] [info]  Init: 2nd startup round (already detached)
[16/Jan/2003 13:40:57 10124] [info]  Init: Reinitializing OpenSSL library
[16/Jan/2003 13:40:57 10124] [info]  Init: Seeding PRNG with 136 bytes of entropy
[16/Jan/2003 13:40:57 10124] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[16/Jan/2003 13:40:57 10124] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[16/Jan/2003 13:40:57 10124] [info]  Init: Initializing (virtual) servers for SSL
[16/Jan/2003 13:40:57 10124] [info]  Init: Configuring server test.domain.net:443 for SSL protocol

Das hier steht im error Log

Code: Select all

[Thu Jan 16 13:39:32 2003] [notice] Apache/1.3.23 (Unix) PHP/4.1.0 mod_perl/1.26 mod_ssl/2.8.7 OpenSSL/0.9.6c configured -- resuming normal operations
[Thu Jan 16 13:39:32 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 16 13:39:32 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Thu Jan 16 13:40:08 2003] [notice] caught SIGTERM, shutting down
[Thu Jan 16 13:40:15 2003] [notice] Apache/1.3.23 (Unix) PHP/4.1.0 mod_perl/1.26 mod_ssl/2.8.7 OpenSSL/0.9.6c configured -- resuming normal operations
[Thu Jan 16 13:40:15 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 16 13:40:15 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Thu Jan 16 13:40:52 2003] [notice] caught SIGTERM, shutting down
[Thu Jan 16 13:40:58 2003] [notice] Apache/1.3.23 (Unix) PHP/4.1.0 mod_perl/1.26 mod_ssl/2.8.7 OpenSSL/0.9.6c configured -- resuming normal operations
[Thu Jan 16 13:40:58 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 16 13:40:58 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)

und so sieht die httpd.conf aus

Code: Select all

<VirtualHost test.domain.net:443>
DocumentRoot /home/www/web1/html/phpmyadmin
ServerName test.domain.net
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
</VirtualHost>
www1:/var/log/httpd # httpd -t
Syntax OK

Vielleicht kann ja einer mit den o.a. Daten was anfangen !

Würde mir sehr helfen.

Vielen Dank

[sascha]

Erstelle doch mal wie schon geschrieben ein neues SSL-Zertifikat.

[deepinpowder]

Hy,

neues erstellt.

Code: Select all

[16/Jan/2003 14:17:11 10519] [info]  Init: Wiped out the queried pass phrases from memory
[16/Jan/2003 14:17:11 10519] [info]  Init: Seeding PRNG with 136 bytes of entropy
[16/Jan/2003 14:17:11 10519] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[16/Jan/2003 14:17:11 10519] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[16/Jan/2003 14:17:12 10520] [info]  Init: 2nd startup round (already detached)
[16/Jan/2003 14:17:12 10520] [info]  Init: Reinitializing OpenSSL library
[16/Jan/2003 14:17:12 10520] [info]  Init: Seeding PRNG with 136 bytes of entropy
[16/Jan/2003 14:17:12 10520] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[16/Jan/2003 14:17:12 10520] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[16/Jan/2003 14:17:12 10520] [info]  Init: Initializing (virtual) servers for SSL
[16/Jan/2003 14:17:12 10520] [info]  Init: Configuring server test.domain.net:443 for SSL protocol

Code: Select all

<VirtualHost 195.xxx.xxx.xxx:443>
DocumentRoot /home/www/web1/html/phpmyadmin/
ServerName test.domain.net
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /work/ssl/server.crt
SSLCertificateKeyFile /work/ssl/server.key
</VirtualHost>

und es geht nicht !

https://test.domain.net

Ich flippe aus !

[deepinpowder]

Hy,

ändere ich aber in der httpd.conf

Code: Select all

<IfDefine SSL>
Listen 80
Lsiten 443
</IfDefine SSL>

in

Code: Select all

#<IfDefine SSL>
Listen 80
Lsiten 443
#</IfDefine SSL>

wie
http://www.rootforum.de/forum/viewtopic.php?t=5592 hier beschrieben, wird das Zertifikat angezeit, aber der "Schlüssel" unten im IE fehlt !