Apache failed to start (no errors) after first time SSL config. Do I need different command/passcode?

2

I'm setting up SSL for the first time.

I edited my config files in sites-enabled and ran apache2ctl configtest. Got back Syntax OK.

I then ran apache2ctl graceful. There weren't any errors or anything, and I was returned to the prompt. However, the site was down after running this, so I quickly put back the old config files and restarted.

If my syntax was okay, why didn't Apache restart? Do I need to do apache2ctl stop / apache2ctl start instead of the graceful command? Will I be asked to enter the passphrase for my key file?

Configuration changes made:

  • Changed NameVirtualHost * to NameVirtualHost *:80 and added line for NameVirtualHost *:443

  • Changed all VirtualHost * lines to VirtualHost *:80

  • Added VirtualHost section for the site that I want to have SSL available and made that section VirtualHost *:443

  • Added these lines to the new VirtualHost:

    SSLEngine On
    SSLCertificateFile pathtocert
    SSLCertificateKeyFile pathtokey
    SSLCertificateChainFile pathtochainfile

UPDATE 8th July: After checking additional log files I finally found a smoking gun:

SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

So at least something else to go on.


Fraggle

Posted 2011-07-07T19:29:05.560

Reputation: 41

Note that "NameVirtualHost *:443" is deceptive. That doesn't ACTUALLY work. It seems to, but it doesn't. The hostname is encrypted with the HTTP traffic, so Apache can't know which SSL certs to apply to correctly decrypt virtual host traffic on a single IP over SSL. As for your specific problem, I dunno, I've had this before, solved it by reading docs, don't recall a particularly helpful suggestion. – James T Snell – 2011-07-07T20:53:12.367

@ThouArtNotDoc: What you're saying was correct several years ago, but nowadays major web browsers support TLS SNI, allowing the use of virtual hosts over SSL.

– user1686 – 2011-07-07T21:14:54.680

@grawity - sadly, we still get some traffic on IE6. I know.. I know.. It should be punished by mandatory rides through a woodchipper.. Anyway, thanks for pointing that out.. I recently learned about Google Chrome Frame, which may be a good enough fix for me to finally adopt TLS SNI. Much thanks. – James T Snell – 2011-07-07T21:37:31.330

@ThouArtNotDoc: You could point users to BrowseHappy or this official MS page... not that it would help much.

– user1686 – 2011-07-07T21:59:26.513

Answers

2

Ok, found the answer. All my fault.

Turns out I had created a key file a few months ago and never used it. But then I mistakenly copied that one to be used by the web server. So basically I had the wrong file. Dumb dumb.

Also missed the original error (see my Update above) in one of my log files which would have put me on the right track to begin with.

Server is up now and SSL is working.

Fraggle

Posted 2011-07-07T19:29:05.560

Reputation: 41
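The root cause in the answer above (a private key that does not belong to the certificate, reported by Apache as "X509_check_private_key:key values mismatch") can be caught before running apache2ctl graceful, which returns to the prompt silently even when the SSL vhost then fails to come up. The script below is an added example, not code from the question, the answer or the Apache project. It assumes the openssl command-line tool is installed; the function names (cert_key_match, check_vhost_ssl, make_demo_pki) are hypothetical, and the certificate, keys and vhost snippet it generates are constructed test material, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate and
# private key named in an Apache SSL vhost actually belong together, so a
# "key values mismatch" is found before the server is reloaded.
set -eu

# cert_key_match CERT KEY
# Returns 0 when the public key inside CERT equals the public key derived from
# KEY, 1 otherwise. Comparing DER public-key digests works for RSA and EC keys.
# An encrypted key would prompt for its passphrase here, exactly as Apache does.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# check_vhost_ssl CONF
# Pulls SSLCertificateFile / SSLCertificateKeyFile out of a vhost file (first
# occurrence, case-insensitive directive, optional quotes) and runs the check.
# Returns 2 when either directive is missing.
check_vhost_ssl() {
    conf="$1"
    cert=$(awk 'tolower($1)=="sslcertificatefile"    {gsub(/"/,"",$2); print $2; exit}' "$conf")
    key=$(awk  'tolower($1)=="sslcertificatekeyfile" {gsub(/"/,"",$2); print $2; exit}' "$conf")
    [ -n "$cert" ] && [ -n "$key" ] || return 2
    cert_key_match "$cert" "$key"
}

# make_demo_pki
# Constructed test material: a self-signed cert with its real key (server.key),
# an unrelated leftover key (old.key) like the one in the answer, and a vhost
# snippet that wrongly points at old.key. Prints the directory it created.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$d/server.key" -out "$d/server.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/old.key" >/dev/null 2>&1
    cat > "$d/ssl-site.conf" <<EOF
<VirtualHost *:443>
    ServerName localhost
    SSLEngine On
    SSLCertificateFile "$d/server.crt"
    SSLCertificateKeyFile "$d/old.key"
</VirtualHost>
EOF
    echo "$d"
}

# Stand-alone demonstration: the vhost snippet references the wrong key, so the
# check fails, which is the situation the original poster only discovered in the
# error log after the reload.
demo_dir=$(make_demo_pki)
if check_vhost_ssl "$demo_dir/ssl-site.conf"; then
    echo "OK: certificate and key match, safe to reload"
else
    echo "MISMATCH in $demo_dir/ssl-site.conf: fix SSLCertificateKeyFile before apache2ctl graceful"
fi
```

Run it against a real vhost file with `check_vhost_ssl /etc/apache2/sites-enabled/your-ssl-site.conf` (path shown as an example) after `apache2ctl configtest`; configtest validates directive syntax only and does not open the key, which is why the question's Syntax OK gave no warning. When the check fails after a reload, the same error string appears in Apache's error log, so `grep -i 'key values mismatch'` over that log is the quickest confirmation.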