I am trying to enable SSL for my webserver. However, when I enable ssl, http stops working and https does not start working. I have followed the following guide:
There is no firewall activated on the server. This is the default-ssl.conf file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@MyWebSit.com
ServerName MyWebSite.com
ServerAlias www.MyWebSite.com
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/MyWebSite_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/MyWebSite_com.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
apache -S gives me:
AH00111: Config variable ${APACHE_RUN_DIR} is not defined apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
and apachectl -S gives me:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.178.24. Set the 'ServerName' directive globally to suppress this message VirtualHost configuration: *:80 192.168.178.24 (/etc/apache2/sites-enabled/000-default.conf:1) *:443 MyWebSite.com (/etc/apache2/sites-enabled/default-ssl.conf:2) ServerRoot: "/etc/apache2" Main DocumentRoot: "/var/www/html" Main ErrorLog: "/var/log/apache2/error.log" Mutex watchdog-callback: using_defaults Mutex ssl-stapling-refresh: using_defaults Mutex ssl-stapling: using_defaults Mutex ssl-cache: using_defaults Mutex default: dir="/var/run/apache2/" mechanism=default Mutex mpm-accept: using_defaults PidFile: "/var/run/apache2/apache2.pid" Define: DUMP_VHOSTS Define: DUMP_RUN_CFG User: name="www-data" id=33 Group: name="www-data" id=33
disabling ssl immediately gets http back up. (after a restart of Apache)
Unfortunately, I no longer know what I can try to do. any assistance here would be greatly appreciated!
Thank you in advance!
EDIT: As it is clear the information I've provided does not fully explain my issue, I am adding additional details here:
sudo service apache2 restart
Gives the following result:
Warning: The unit file, source configuration file or drop-ins of apache2.service changed on disk. Run 'systemctl daemon-reload' to reload units. Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details
systemctl daemon-reload
Runs successfully, but I still get the Job failed response when running the restart command again. Below is the response for "systemctl status apache2.service"
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Mon 2019-12-02 11:08:57 CET; 3h 28min ago
Process: 4557 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 1413 (code=exited, status=0/SUCCESS)
Dec 02 11:08:57 ubuntu systemd[1]: Starting The Apache HTTP Server...
Dec 02 11:08:57 ubuntu apachectl[4557]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.178.24. Set the 'ServerNa
Dec 02 11:08:57 ubuntu apachectl[4557]: Action 'start' failed.
Dec 02 11:08:57 ubuntu apachectl[4557]: The Apache error log may have more information.
Dec 02 11:08:57 ubuntu systemd[1]: apache2.service: Control process exited, code=exited status=1
Dec 02 11:08:57 ubuntu systemd[1]: apache2.service: Failed with result 'exit-code'.
Dec 02 11:08:57 ubuntu systemd[1]: Failed to start The Apache HTTP Server.
And below is the result for journalctl -xe
--
-- Unit motd-news.service has begun starting up.
Dec 02 13:56:00 ubuntu 50-motd-news[5122]: * Overheard at KubeCon: "microk8s.status just blew my mind".
Dec 02 13:56:00 ubuntu 50-motd-news[5122]: https://microk8s.io/docs/commands#microk8s.status
Dec 02 13:56:00 ubuntu systemd[1]: Started Message of the Day.
-- Subject: Unit motd-news.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit motd-news.service has finished starting up.
--
-- The start-up result is RESULT.
Dec 02 14:09:02 ubuntu CRON[5169]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 02 14:09:02 ubuntu CRON[5170]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Dec 02 14:09:02 ubuntu CRON[5169]: pam_unix(cron:session): session closed for user root
Dec 02 14:09:44 ubuntu systemd[1]: Starting Clean php session files...
-- Subject: Unit phpsessionclean.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has begun starting up.
Dec 02 14:09:44 ubuntu sessionclean[5171]: PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli' (tried: /usr/lib/php/20170718/mysqli (/usr/lib/php/2017071
Dec 02 14:09:44 ubuntu systemd[1]: Started Clean php session files.
-- Subject: Unit phpsessionclean.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has finished starting up.
--
-- The start-up result is RESULT.
Dec 02 14:17:01 ubuntu CRON[5220]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 02 14:17:01 ubuntu CRON[5221]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Dec 02 14:17:01 ubuntu CRON[5220]: pam_unix(cron:session): session closed for user root
Dec 02 14:18:00 ubuntu systemd-timesyncd[1097]: Network configuration changed, trying to establish connection.
Dec 02 14:18:00 ubuntu systemd-timesyncd[1097]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
Dec 02 14:39:01 ubuntu CRON[5241]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 02 14:39:01 ubuntu CRON[5242]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Dec 02 14:39:01 ubuntu CRON[5241]: pam_unix(cron:session): session closed for user root
Dec 02 14:39:44 ubuntu systemd[1]: Starting Clean php session files...
-- Subject: Unit phpsessionclean.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has begun starting up.
Dec 02 14:39:44 ubuntu sessionclean[5244]: PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli' (tried: /usr/lib/php/20170718/mysqli (/usr/lib/php/2017071
Dec 02 14:39:44 ubuntu systemd[1]: Started Clean php session files.
-- Subject: Unit phpsessionclean.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has finished starting up.
--
-- The start-up result is RESULT.
Dec 02 14:47:59 ubuntu systemd-timesyncd[1097]: Network configuration changed, trying to establish connection.
Dec 02 14:47:59 ubuntu systemd-timesyncd[1097]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
After a lot of searching I found out that it was due to my key being corrupt.
I was able to determine this by checking the apache error log:
sudo nano /var/log/apache2/error.log
[Mon Dec 02 11:08:57.784521 2019] [ssl:error] [pid 4560] AH02579: Init: Private key not found
[Mon Dec 02 11:08:57.784840 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Dec 02 11:08:57.784922 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Mon Dec 02 11:08:57.784990 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Dec 02 11:08:57.785061 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivat$
[Mon Dec 02 11:08:57.785135 2019] [ssl:error] [pid 4560] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Mon Dec 02 11:08:57.785200 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Dec 02 11:08:57.785269 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRI$
[Mon Dec 02 11:08:57.785434 2019] [ssl:emerg] [pid 4560] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Mon Dec 02 11:08:57.785469 2019] [ssl:emerg] [pid 4560] AH02564: Failed to configure encrypted (?) private key MyWebSite.com:443:0, check /etc/apache2/ssl/MyWebSite$
AH00016: Configuration Failed
As displayed, "Private key not found" was not referring to the path of the key, but rather the key being corrupt. I checked this by opening the key with:
sudo nano MyWebSite.key
If the key is correct, it will have the text
----- BEGIN PRIVATE KEY -----
at the top of the key. The solution was then to regenerate the certificate request, have the certificate re-issued and install the new certificate. I hope this helps you if you're in the same situation as I was.