Unable to Create SSL site

Hi, as per my other ticket - after upgrading PHP to the new bleeding edge one (required for Roundcube email etc), I am unable to add an SSL site to any virtual host.

I click - edit virtual server - enabled features - check SSL website - click ok - Webmin runs through the routine, but then fails to start httpd.

The only way to restart httpd is to remove the SSL back again from that Virtual Server.

The last lines of the /var/log/httpd/error_log are:

[Tue Sep 29 12:55:03 2009] [notice] mod_fcgid: call /home/rets/public_html/index.php with wrapper /home/rets/fcgi-bin/php5.fcgi
[Tue Sep 29 13:10:14 2009] [notice] caught SIGTERM, shutting down
[Tue Sep 29 13:10:14 2009] [notice] mod_fcgid: process /home/rets/public_html/index.php(32188) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Sep 29 13:10:20 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Sep 29 13:10:56 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Sep 29 13:10:56 2009] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 29 13:10:56 2009] [notice] Digest: done
[Tue Sep 29 13:10:56 2009] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Tue Sep 29 13:10:56 2009] [notice] mod_python: using mutex_directory /tmp
[Tue Sep 29 13:10:56 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

Status: Active

Comments

I'm not seeing any error in the log entries above ... but check the logs/error_log file under the domain's home directory. It is possible that a virtual server specific error is logged there.

Thank you for the reply. I have checked under the virtual website that I was trying to create the SSL for - and there is nothing in the logs out of the ordinary - just some missing image files (long time problem) - but nothing referring to the creation/removal of SSL. Where else should I check please Jamie?

Could you attach the last 100 lines of /var/log/httpd/error_log to this bug report? I'd like to see what other messages are logged there ..

Here you go:


I'm not seeing any error message about Apache failing to start in there at all, sorry ..

Are you sure it really doesn't get started? Is there any httpd process running after you try to start it?

Hi, it is only when I add an SSL to an existing host - it fails to start. The only way to then get httpd started again is to remove it again - then it works.

So, I select an existing Virtual Server - click Edit Virtual Server - check the SSL website enabled? box - then save - I then get:

Changing IP address of virtual website .. .. done

Adding new SSL virtual website .. .. done

Creating status monitor for website .. .. done

Updating Webmin user .. .. done

Updating Webmin user .. .. done

Saving server details .. .. done

Stopping and re-starting web server .. .. done

Re-loading Webmin .. .. done

However, when I check - httpd is now not running:

[root@hosting logs]# /etc/init.d/httpd status
httpd is stopped
[root@hosting logs]#

So, I undo what I did - and I get:

Changing IP address of virtual website .. .. done

Deleting SSL virtual website .. .. done

Removing status monitor for SSL website .. .. done

Updating Webmin user .. .. done

Updating Webmin user .. .. done

Saving server details .. .. done

Stopping and re-starting web server .. .. not running!

Re-loading Webmin .. .. done

Restart httpd and it works.

Output is:

[root@hosting logs]# /etc/init.d/httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: [Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1677 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1678 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1885 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 1972 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 2014 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 2175 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 2297 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 2341 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 2751 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] The Alias directive in /etc/httpd/conf/httpd.conf at line 2752 will probably never match because it overlaps an earlier Alias.
[Tue Sep 29 17:58:37 2009] [warn] NameVirtualHost 202.60.94.113:443 has no VirtualHosts

Then:

[root@hosting logs]# /etc/init.d/httpd status
httpd (pid 16836 16835 16834 16833 16832 16831 16830 16829 16828 16826) is running...
[root@hosting logs]#

Does that make sense now please?

I think to debug this further, I would need to actually SSH into your system myself as root and see why Apache is failing. If this is possible, please email me directly at jcameron@virtualmin.com , or use the "Remote Login Privileges" feature in Virtualmin.

Thank you - have emailed you now.

Ok, I tried enabling SSL for the domain itginternet.net.au , which I assume was the one you were trying.

Apache failed to start , and I found the following in ~itginternet/logs/error_log :

[Wed Sep 30 08:07:15 2009] [error] Unable to configure RSA server private key
[Wed Sep 30 08:07:15 2009] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Sep 30 08:07:26 2009] [warn] RSA server certificate CommonName (CN) `www.itginternet.net.au' does NOT match server name!?
[Wed Sep 30 08:07:26 2009] [error] Unable to configure RSA server private key
[Wed Sep 30 08:07:26 2009] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Looks like the SSL cert you uploaded for this domain is invalid? You can force Virtualmin to generate a new self-signed cert by deleting the ssl.* files in the domain's home directory.
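The "key values mismatch" error above means the certificate's public key does not correspond to the private key Apache was given. As an added example (not part of the original thread and not Virtualmin's own code), this script checks a certificate, key and optional CA file before the web server is restarted; the function names and the sample files it generates under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on the files an SSL virtual host points at.

# Exit 0 if the certificate's public key equals the one derived from the
# private key, 1 if they differ, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: ssl_preflight CERT KEY [CA]
# Prints one verdict and returns 0 only when every check passes.
ssl_preflight() {
    cert=$1 key=$2 ca=${3:-}
    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "MISSING_OR_EMPTY $f"; return 1; }
    done
    # A configured CA file must exist and be non-empty.
    if [ -n "$ca" ] && [ ! -s "$ca" ]; then
        echo "MISSING_OR_EMPTY $ca"; return 1
    fi
    rc=0
    cert_matches_key "$cert" "$key" || rc=$?
    case $rc in
        0) echo "OK" ;;
        1) echo "KEY_MISMATCH"; return 1 ;;
        *) echo "UNREADABLE"; return 1 ;;
    esac
}

# Constructed sample material: a matching self-signed pair, an unrelated
# key and an empty CA file, all in a fresh temporary directory.
make_samples() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$d/ssl.key" -out "$d/ssl.cert" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    : > "$d/empty.ca"
    echo "$d"
}

d=$(make_samples) || exit 1
ssl_preflight "$d/ssl.cert" "$d/ssl.key"
ssl_preflight "$d/ssl.cert" "$d/other.key" || true
ssl_preflight "$d/ssl.cert" "$d/ssl.key" "$d/empty.ca" || true
rm -rf "$d"
```

Running `httpd -t` after changing the configuration reports syntax-level problems, such as a certificate file that does not exist, without stopping the running server.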

Thank you for the reply. I have moved the SSL* files and went through the process again - however, it still fails as per previous. Please advise.

Now I think the keys or SSL are mixed up?

Syntax error on line 3796 of /etc/httpd/conf/httpd.conf: SSLCACertificateFile: file '/home/itginternet/ssl.ca' does not exist or is empty

I wanted (if possible) to be able to use the proper SSL certificate as if I just use a virtualmin/webmin one - most browsers reject it. The other one was a paid certificate. I don't know why it might now be broken?

Did you try turning off the SSL feature for the domain, removing the ssl.* files, then re-enabling the SSL feature?

Hi, yes. The procedure I followed was:

Rename SSL* files in the home directory (OLDSSL.ca, OLDSSL.cert and OLDSSL.key).

In Webmin - Virtualmin - itginternet.net.au - edit server - enable features - ticked SSL box - save.

Error as per previous. Logs show issue with SSL as above.

Reverse above procedure - save - httpd does not start - missing .ca file. Rename BACK the OLD * files - restart httpd - works again.

My mistake, removing that .ca file wasn't actually needed. I have fixed this now, and SSL seems to be working fine.

Thank you - appreciated. One final thing if you don't mind? The SSL sites (in Firefox) comes up: This Connection is Untrusted

You have asked Firefox to connect securely to www.itginternet.net.au, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

How do I change this so that the browser does not bomb out with warnings like this? Install a different SSL certificate I assume? Thanks.

Yes, to avoid that you have to purchase a real SSL certificate for that domain. This involves generating a CSR (which you can do within Virtualmin), sending it to your certificate authority, then installing the signed cert that they send back (also do-able within Virtualmin).