Trying to set up SSL with Apache

ShadowBlade

Diamond Member
Feb 11, 2005
4,263
0
0
I've tried following this and this (by changing the virtual host info to switch between them) and after trying both, I keep getting "Error code: ssl_error_rx_record_too_long"

My VirtualHosts line for the SSL site is
<VirtualHost _defualt_:443> (as per the results of a google search)

I'm guessing it's something stupid I'm doing wrong, so any help would be appreciated.

I'm running...
Ubuntu 8.04
Apache 2.2.8
mod_ssl 2.2.8
OpenSSL 0.9.8g
(according to the headers)

Edit: fixed links
 

ShadowBlade
[Wed Jan 21 22:27:16 2009] [error] [client 75.41.4.236] Invalid method in request \x16\x03\x01
Doesn't help me much.
I've also discovered by using telnet over port 443 that the server is responding with unencrypted HTML - I just don't know how to fix it.
 

Red Squirrel

No Lifer
May 24, 2003
70,277
13,636
126
Be sure your vhost has a unique IP. Each SSL vhost needs to be under its own IP or it will use the wrong certificate. You also can't use the same IP as your main IP, or it will try to use the localhost.localdomain cert. At least from my experience. e.g. shared1.iceteks.net resolves to 67.19.158.242 but secure.iceteks.net resolves to .244. If I make it resolve to 242 it won't work.

Mind you, the errors you're getting are not what having them under the same IP would cause; at least it's not what I remember getting when I first tried to set it up.

If it helps, this is what my vhost entry looks like:



<virtualhost *:80>
servername secure.iceteks.net

RewriteEngine On
RewriteRule ^(.*) https://secure.iceteks.net/$1 [R,L]

</virtualhost>


NameVirtualHost *:443
#listen 67.19.158.242:443

<VirtualHost 67.19.158.244:443>
ServerAdmin webmaster@example.com
DocumentRoot /data/sysweb/secure
ServerName secure.iceteks.net

SSLEngine on
SSLCertificateFile /etc/httpd/certs/secure.crt
SSLCertificateKeyFile /etc/httpd/certs/secure.key

SSLCipherSuite HIGH:MEDIUM

alias /webmail "/data/sysweb/secure/webmail"
alias /cp "/data/sysweb/secure/cp"

</virtualhost>


 

ShadowBlade
It claims to have mod_ssl installed in the headers (reports a version number), and the mods-enabled folder has ssl.conf and ssl.load.
My virtual hosts have:

NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost

SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
.....

and

NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@localhost
...
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

Other workaround solutions include:

- Using separate IP addresses for different SSL hosts.
- Using different port numbers for different SSL hosts.

So basically, you need to specify an IP address for your VirtualHosts, not *, and then you need to identify your non-SSL host with the proper VirtualHost to match its IP address.
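Crusty's explanation and Red Squirrel's one-IP-per-SSL-vhost advice can be checked mechanically before restarting Apache. The following is an added example, not code from any poster and not an Apache tool: a small linter over the httpd.conf subset this thread uses (NameVirtualHost and `<VirtualHost>` blocks with their directives). It flags a :443 vhost without `SSLEngine on` (the plaintext-on-443 condition behind the browser error), a VirtualHost address that is neither `*`, `_default_` nor an IPv4 address (such as the `_defualt_` typo in the first post), and name-based SSL hosting on one address, which the mod_ssl of the thread's Apache 2.2.8 cannot serve correctly (later mod_ssl, 2.2.12 onward with an SNI-capable OpenSSL, relaxes that). The sample configs, their 192.0.2.x addresses, host names and file paths are constructed.

```python
"""Static checks for the SSL vhost pitfalls raised in this thread.

Added example (not any poster's code, not an Apache tool). It parses only the
httpd.conf subset used in the thread and reports the three mistakes the
thread discusses; see lint() for the rules.
"""
import re
from dataclasses import dataclass, field

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
NAME_VHOST = re.compile(r"^NameVirtualHost\s+(\S+)$", re.IGNORECASE)
HOST_OK = re.compile(r"^(\*|_default_|\d{1,3}(?:\.\d{1,3}){3})$", re.IGNORECASE)


@dataclass
class VHost:
    addrs: list[str]                 # everything between <VirtualHost and >
    line: int                        # line of the opening tag, for the report
    directives: dict[str, str] = field(default_factory=dict)


def split_addr(addr: str) -> tuple[str, str]:
    """'192.0.2.11:443' -> ('192.0.2.11', '443'); '*' -> ('*', '')."""
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else (addr, "")


def parse(conf: str) -> tuple[list[VHost], list[tuple[int, str]]]:
    """Return the VirtualHost blocks and the (line, address) of each NameVirtualHost."""
    vhosts, name_vhosts, current = [], [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := VHOST_OPEN.match(line):
            current = VHost(addrs=m.group(1).split(), line=lineno)
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif m := NAME_VHOST.match(line):
            name_vhosts.append((lineno, m.group(1)))
        elif current is not None:        # a directive inside the block (last one wins)
            parts = line.split(None, 1)
            current.directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return vhosts, name_vhosts


def lint(conf: str) -> list[str]:
    """Return one human-readable finding per problem, empty when the config is clean."""
    findings = []
    vhosts, name_vhosts = parse(conf)
    for lineno, addr in name_vhosts:
        host, port = split_addr(addr)
        if port == "443":  # Crusty's point: NameVirtualHost belongs on the non-SSL port
            findings.append(f"line {lineno}: NameVirtualHost {addr}: name-based hosts on the SSL "
                            f"port cannot be told apart without SNI; use {host}:80 here")
    ssl_by_addr: dict[str, list[int]] = {}
    for vh in vhosts:
        ssl_on = vh.directives.get("sslengine", "off").lower() == "on"
        for addr in vh.addrs:
            host, port = split_addr(addr)
            if not HOST_OK.match(host):
                findings.append(f"line {vh.line}: '{host}' is neither *, _default_ nor an IPv4 address (typo?)")
            if port == "443" and not ssl_on:  # the plaintext-on-443 case from this thread
                findings.append(f"line {vh.line}: <VirtualHost {addr}> has no 'SSLEngine on', "
                                f"so Apache answers plaintext HTTP on 443")
            if ssl_on:
                ssl_by_addr.setdefault(addr, []).append(vh.line)
    for addr, lines in ssl_by_addr.items():
        if len(lines) > 1:  # Red Squirrel's point: one IP per SSL vhost
            findings.append(f"{addr}: SSL vhosts at lines {lines} share one address; "
                            f"without SNI only the first one's certificate is ever served")
    return findings


# Constructed samples. BROKEN_CONF is modelled on the first post of this thread.
BROKEN_CONF = """\
NameVirtualHost *:443
<VirtualHost _defualt_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
</VirtualHost>
"""
FIXED_CONF = """\
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
"""
SHARED_CONF = """\
<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("shared", SHARED_CONF)):
        print(name, "->", lint(conf) or "no findings")
```

The three findings on BROKEN_CONF are, in order, the NameVirtualHost on 443, the misspelt address and the missing `SSLEngine on`; FIXED_CONF produces none, and SHARED_CONF produces the one-certificate warning. Apache's own `apachectl -S` (dump of the parsed vhost settings) is the natural companion check once the file is in place.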