Froxlor Forum

SSL error with Apache 2.4


Gamerboy59

Question

Hi,

I'm getting the following error on enabling SSL.

 * Restarting web server apache2                                         [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 18 of /etc/apache2/sites-enabled/10_froxlor_ipandport_12.345.67.89.80.conf:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
How to enable SSL?

  • 1

Could you also post your domain error log, please? And check if your key/cert match:

 

openssl x509 -noout -modulus -in /etc/ssl/froxlor-custom/my-domain.de.crt | openssl md5

openssl rsa -noout -modulus -in /etc/ssl/froxlor-custom/my-domain.de.key | openssl md5


  • 0

Thanks. :)

 

I'm currently experiencing issues when adding a domain. While using subdomains only, everything works as expected, but when I add a new TLD an SSL-secured connection is no longer possible and the browser can't connect to the website. Unfortunately, Apache is not giving any errors.


  • 0

That's what's inside the Apache error.log:

[Wed Oct 22 12:59:08.550531 2014] [mpm_prefork:notice] [pid 29440] AH00169: caught SIGTERM, shutting down
[Wed Oct 22 12:59:09.619527 2014] [suexec:notice] [pid 29501] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Oct 22 12:59:09.686132 2014] [:notice] [pid 29502] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Wed Oct 22 12:59:09.686167 2014] [:notice] [pid 29502] mod_python: using mutex_directory /tmp 
[Wed Oct 22 12:59:09.703342 2014] [mpm_prefork:notice] [pid 29502] AH00163: Apache/2.4.7 (Ubuntu) mod_fcgid/2.3.9 PHP/5.5.9-1ubuntu4.4 mod_python/3.3.1 Python/2.7.6 OpenSSL/1.0.1f mod_perl/2.0.8 Perl/v5.18.2 configured -- resuming normal operations
[Wed Oct 22 12:59:09.703417 2014] [core:notice] [pid 29502] AH00094: Command line: '/usr/sbin/apache2'
[Wed Oct 22 13:10:03.292418 2014] [mpm_prefork:notice] [pid 29502] AH00171: Graceful restart requested, doing restart
[Wed Oct 22 13:10:06.472955 2014] [:notice] [pid 29502] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Wed Oct 22 13:10:06.473029 2014] [:notice] [pid 29502] mod_python: using mutex_directory /tmp 
[Wed Oct 22 13:10:06.486445 2014] [mpm_prefork:notice] [pid 29502] AH00163: Apache/2.4.7 (Ubuntu) mod_fcgid/2.3.9 PHP/5.5.9-1ubuntu4.4 mod_python/3.3.1 Python/2.7.6 OpenSSL/1.0.1f mod_perl/2.0.8 Perl/v5.18.2 configured -- resuming normal operations
[Wed Oct 22 13:10:06.486487 2014] [core:notice] [pid 29502] AH00094: Command line: '/usr/sbin/apache2'
And that's the vHost config:

# 22_froxlor_ssl_vhost_my-domain_de.conf
# Created 22.10.2014 13:10
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 9 (SSL) - CustomerID: 4 - CustomerLogin: mydomain
<VirtualHost 12.345.567.89:443>
  ServerName my-domain.de
  ServerAlias *.my-domain.de
  ServerAdmin email@my-domain.de
  SSLEngine On
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor-custom/my-domain.de.crt
  SSLCertificateKeyFile /etc/ssl/froxlor-custom/my-domain.de.key
  DocumentRoot "/var/customers/webs/mydomain/"
  FcgidIdleTimeout 30
  SuexecUserGroup "mydomain" "mydomain"
  <Directory "/var/customers/webs/mydomain/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/mydomain/my-domain.de/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
  </Directory>
  Alias /awstats "/var/customers/webs/mydomain/awstats/my-domain.de"
  Alias /awstats-icon "/usr/share/awstats/icon/"
  ErrorLog "/var/customers/logs/mydomain-error.log"
  CustomLog "/var/customers/logs/mydomain-access.log" combined
</VirtualHost>
Without SSL it works fine.

  • 0

Just by chance: Are you sure it's a server error? Did you try a different browser? For some reason Firefox has a lot of problems with SSL connections. If your site is reachable on a public IP you may also have a look at one of the various SSL test sites (ssllabs for example) which could reveal additional info if there is a certificate error.


  • 0

openssl s_client -connect my-domain.de:443
CONNECTED(00000003)
139989321152160:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
For localhost it works fine.

 

This is one debug message:

openssl s_client -connect my-domain:443 -state -nbio 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL handshake has read 7 bytes and written 305 Bytes
And that's the Apache debug log:

[Fri Oct 24 20:25:06.334119 2014] [ssl:info] [pid 28048] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[Fri Oct 24 20:25:06.358567 2014] [mpm_prefork:notice] [pid 28048] AH00163: Apache/2.4.7 (Ubuntu) mod_fcgid/2.3.9 PHP/5.5.9-1ubuntu4.4 mod_python/3.3.1 Python/2.7.6 OpenSSL/1.0.1f mod_perl/2.0.8 Perl/v5.18.2 configured -- resuming normal operations
[Fri Oct 24 20:25:06.358607 2014] [mpm_prefork:info] [pid 28048] AH00164: Server built: Jul 22 2014 14:36:38
[Fri Oct 24 20:25:06.358623 2014] [core:notice] [pid 28048] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 24 20:25:06.358628 2014] [mpm_prefork:debug] [pid 28048] prefork.c(995): AH00165: Accept mutex: fcntl (default: sysvsem)
[Fri Oct 24 20:26:31.303869 2014] [core:info] [pid 28056] [client 62.226.179.39:59685] AH00566: request failed: invalid characters in URI
[Fri Oct 24 20:26:31.340447 2014] [core:info] [pid 28053] [client 62.226.179.39:59686] AH00566: request failed: invalid characters in URI
[Fri Oct 24 20:26:31.377385 2014] [core:info] [pid 28054] [client 62.226.179.39:59687] AH00566: request failed: invalid characters in URI
Edit: Maybe this is interesting too:

 

[Fri Oct 24 20:36:38.652940 2014] [ssl:debug] [pid 28253] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost froxlor.my-domain.de:80, skipping SSL Setup
Edit2: It looks like the SSL module is not enabled for some reason...

  • 0

I don't think so, where to check?

 

This is my ports.conf:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

  • 0

SSL not enabled on vhost froxlor.my-domain.de:80, skipping SSL Setup

 

AH00526: Syntax error on line 18 of /etc/apache2/sites-enabled/10_froxlor_ipandport_12.345.67.89.80.conf:

Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration

Obviously your config tries to enable it on port 80 but fails; your initial message clearly states there are SSL commands in the definition for port 80. As already mentioned here: SSL/TLS/HTTPS is not supposed to reside on port 80, usually it's on 443, so there is something completely off with your config. Please revert to the last known good backup, start with a fresh install or try to find someone to fix (and preferably show you how) your configuration.

 

For everyone who used the search, some basic steps to enable SSL in Froxlor (if your system is already able to handle SSL):

- IPs and Ports -> Add -> Same IP as HTTP, Port 443, enable SSL-Port and supply certificate details. Additional settings according to your configuration.

- Domains -> Edit Domain -> Tick the newly created SSL-IP

Link to comment
Share on other sites
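
Added example (not part of the original posts): a shell function that classifies the three symptoms quoted in this thread, namely the configtest error, the s_client handshake error and the AH02199 debug line. The function names and finding codes are made up for illustration; the sample input lines are copied from the posts above.

```shell
#!/bin/sh
# Added example, not from the thread. Reads configtest output, `openssl
# s_client` output and Apache error-log lines on stdin (any mix) and prints
# one finding code per line. Function names and codes are illustrative.
classify_ssl_symptoms() {
    awk '
    # Apache rejects a mod_ssl directive: the module is not loaded
    # (on Debian/Ubuntu it is enabled with "a2enmod ssl").
    /Invalid command .SSL[A-Za-z]+., perhaps misspelled/ { f["MODULE_NOT_LOADED"] = 1 }

    # The peer did not answer with a TLS record, e.g. plain HTTP served on
    # port 443. Newer OpenSSL releases word this "wrong version number".
    /unknown protocol|wrong version number/ { f["NON_TLS_REPLY"] = 1 }

    # AH02199 is written by mod_ssl itself, so the module is loaded. It names
    # a vhost without "SSLEngine On": expected on :80, a finding on :443.
    /AH02199/ && match($0, /vhost [^ ,]+:[0-9]+/) {
        vhost = substr($0, RSTART + 6, RLENGTH - 6)
        port = vhost
        sub(/.*:/, "", port)
        if (port == "443") f["SSLENGINE_OFF_ON_443 " vhost] = 1
        else               f["PLAIN_VHOST_OK " vhost] = 1
    }

    END { for (k in f) print k }
    ' | sort
}

# Three lines copied from the posts above, used as sample input.
sample_symptoms() {
    cat <<'EOF'
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
139989321152160:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
[Fri Oct 24 20:36:38.652940 2014] [ssl:debug] [pid 28253] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost froxlor.my-domain.de:80, skipping SSL Setup
EOF
}

sample_symptoms | classify_ssl_symptoms
```

The three sample lines were posted at different times in the thread, so the findings describe the server at different moments rather than one consistent state.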

  • 0

Thanks. However, the config for port 80 doesn't include the word 'SSL', so I don't know what's going wrong there.

I tried adding SSL-support like this:

  • IPs and Ports -> Add -> Same IP as HTTP, Port 443, enable SSL-Port and supply certificate details. Additional settings according to your configuration.
  • Domains -> Edit Domain -> Tick the newly created SSL-IP
  • Customer Portal -> Domain, Setting -> SSL-Domain Settings
Edit: Maybe this is connected with the use of CGI-FCGI?

  • 0

Ok thanks, but this goes well?
 

1. IPs and Ports -> Add -> Same IP as HTTP, Port 443, enable SSL-Port and supply certificate details. Additional settings according to your configuration.
2. Domains -> Edit Domain -> Tick the newly created SSL-IP
3. Customer Portal -> Domain, Setting -> SSL-Domain Settings
