I'm setting up SSL for the first time.
I edited my config files in sites-enabled and ran apache2ctl configtest. Got back Syntax OK.
I then ran apache2ctl graceful. There weren't any errors or anything, and I was returned to the prompt. However, the site was down after running this, so I quickly put back the old config files and restarted.
If my syntax was okay, why didn't Apache restart? Do I need to do apache2ctl stop / apache2ctl start instead of the graceful command? Will I be asked to enter the passphrase for my key file?
Configuration changes made:
Changed NameVirtualHost * to NameVirtualHost *:80 and added a line for NameVirtualHost *:443
Changed all <VirtualHost *> lines to <VirtualHost *:80>
Added a <VirtualHost> section for the site that I want to have SSL available and made that section <VirtualHost *:443>
Added these lines to the new VirtualHost:
    SSLEngine On
    SSLCertificateFile pathtocert
    SSLCertificateKeyFile pathtokey
    SSLCertificateChainFile pathtochainfile
UPDATE 8th July: After checking additional log files I finally found a smoking gun:
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
So at least something else to go on.
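The key-mismatch error quoted in the update can be checked without touching Apache at all. The following shell script is an added example and is not part of the original question or its comments: it compares the public key embedded in SSLCertificateFile with the public key derived from SSLCertificateKeyFile, which is the same comparison X509_check_private_key performs when mod_ssl loads the virtual host, and it scans an error log for the message that apache2ctl graceful itself never prints to the terminal. It assumes only that the openssl command-line tool is installed; the file names, the generated key material and the error-log excerpt are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original question: verify that an Apache
# SSLCertificateFile / SSLCertificateKeyFile pair really belong together,
# which is exactly what "X509_check_private_key:key values mismatch" means
# when it appears in the error log.
# Assumes: the openssl CLI is installed. All file names and the test key
# material below are constructed here for the demonstration.
set -eu

# SHA-256 of the DER-encoded public key embedded in a PEM certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from a PEM private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds (exit 0) only when the certificate's public key and the private
# key's public half are identical, the check mod_ssl performs at startup.
# Empty digests (unreadable files) are treated as a mismatch, not a match.
key_matches_cert() {
    cert="$1"; key="$2"
    c=$(cert_pubkey_digest "$cert") && k=$(key_pubkey_digest "$key") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# apache2ctl graceful only signals the running parent and returns to the
# prompt; a failed certificate load is reported in the error log instead.
log_has_key_mismatch() {
    grep -q 'X509_check_private_key:key values mismatch' "$1"
}

# --- constructed test material -------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# A self-signed certificate and the key that actually belongs to it
# (-nodes: no passphrase, so Apache would not prompt for one at start-up).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -keyout "$DEMO_DIR/good.key" -out "$DEMO_DIR/site.crt" 2>/dev/null

# An unrelated key, standing in for a wrong SSLCertificateKeyFile.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/other.key" 2>/dev/null

# A constructed error-log excerpt carrying the message quoted in the update
# (the "[error]" prefix is made up; the message text is from the post).
cat > "$DEMO_DIR/error.log" <<'EOF'
[error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
EOF

# --- demonstration -------------------------------------------------------
if key_matches_cert "$DEMO_DIR/site.crt" "$DEMO_DIR/good.key"; then
    echo "site.crt + good.key: match, mod_ssl would accept this pair"
fi
if ! key_matches_cert "$DEMO_DIR/site.crt" "$DEMO_DIR/other.key"; then
    echo "site.crt + other.key: MISMATCH, this is what the log line reports"
fi
if log_has_key_mismatch "$DEMO_DIR/error.log"; then
    echo "error.log: key mismatch found, fix SSLCertificateKeyFile before restarting"
fi
```

Run it as a plain sh script, or source it and call key_matches_cert on the real pathtocert and pathtokey from the vhost before the next configtest. configtest only parses the directives; it does not open the certificate or key, so a wrong pathtokey still passes with Syntax OK. On the passphrase question the example uses -nodes, so the key is unencrypted; a passphrase-protected key makes Apache prompt on every start and restart unless SSLPassPhraseDialog is configured to supply it.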
Note that "NameVirtualHost *:443" is deceptive. That doesn't ACTUALLY work. It seems to, but it doesn't. The hostname is encrypted with the HTTP traffic, so Apache can't know what SSL certs to apply to correctly decrypt virtual host traffic on a single IP over SSL. As for your specific problem, I dunno, I've had this before, solved it by reading docs, don't recall a particularly helpful suggestion. – James T Snell – 2011-07-07T20:53:12.367
@ThouArtNotDoc: What you're saying was correct several years ago, but nowadays major web browsers support TLS SNI, allowing the use of virtual hosts over SSL. – user1686 – 2011-07-07T21:14:54.680
@grawity - sadly, we still get some traffic on IE6. I know.. I know.. It should be punished by mandatory rides through a woodchipper.. Anyway, thanks for pointing that out.. I recently learned about Google Chrome Frame, which may be a good enough fix for me to finally adopt TLS SNI. Much thanks. – James T Snell – 2011-07-07T21:37:31.330
@ThouArtNotDoc: You could point users to BrowseHappy or this official MS page... not that it would help much. – user1686 – 2011-07-07T21:59:26.513