6

I have an apache server set up on CentOS. I am trying to add SSL. I was able to create the certificate and keys and then updated /etc/httpd/conf.d/ssl.conf to have the following configurations:

/etc/httpd/conf.d/ssl.conf

#Where I put my cert
SSLCertificateFile /etc/pki/tls/certs/ca.crt

#where I put my key
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Then I updated /etc/httpd/conf/httpd.conf:

/etc/httpd/conf/httpd.conf

Listen 443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Then I ran service httpd restart and I get the error:

Stopping httpd:          [OK]
Starting httpd:          (98)Address already in use: make_sock: could not bind to address [::]:443
                         [OK]

What do I need to do to enable SSL?

Don Rhummy
    It looks like Apache's complaining that another service is already listening on 443; what's the output of `sudo netstat -lnp`? Also verify that there isn't another directive elsewhere in your Apache config that has it listening on that port. – Kromey Apr 12 '14 at 00:59
  • @Kromey yes, I discovered that the ssl.conf file had a `Listen 443` directive. Thanks! – Don Rhummy Apr 12 '14 at 01:00
  • Are you sure the setting in httpd.conf will always override ssl.conf? Previously I added an SSL allowed-protocol directive to exclude TLS1 in httpd.conf, but it didn't work until I did the same in ssl.conf. It looks like ssl.conf somehow affected httpd.conf, instead of ssl.conf always being overridden by httpd.conf. – SKLTFZ Mar 08 '19 at 04:27
  • @SKLTFZ you read my comment backwards. I said ssl.conf is the one that wins. – Don Rhummy Mar 09 '19 at 19:02

3 Answers

7

By default, in CentOS, there is a file used by Apache/httpd located at /etc/httpd/conf.d/ssl.conf. This file is read in as a configuration by Apache along with the "httpd.conf" file and anything in it takes precedence over settings in httpd.conf.

That file (again by default) contains a Listen 443 directive. You cannot call that directive twice (as it will say it's already been bound to that port), so that caused the conflict. After removing that, it works.

Don Rhummy
  • @krisFR I explained it as fully as I can. Please remove your downvote if it answers your questions. – Don Rhummy Apr 12 '14 at 02:14
  • Will remove my comment (done), will not remove downvote as it is not from me...But +1 for your effort :) – krisFR Apr 12 '14 at 02:37
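As an added example (not part of any answer above), a POSIX sh script that finds the conflict described here: the same port declared by more than one `Listen` directive across httpd.conf and the files pulled in by `IncludeOptional conf.d/*.conf`. The file layout and sample contents in `demo` are constructed, not taken from a real host.

```shell
#!/bin/sh
# Find duplicate "Listen" ports across an Apache config tree, the cause of
# "(98)Address already in use: make_sock: could not bind to address [::]:443".
# Assumes the CentOS layout: httpd.conf plus conf.d/*.conf pulled in by
# "IncludeOptional conf.d/*.conf" (the files used below are constructed samples).

# Print "port<TAB>file" for every active Listen directive in the given files.
# "Listen 443", "Listen 443 https", "Listen [::]:443" and "Listen 0.0.0.0:443"
# all normalise to the bare port; commented-out lines are ignored.
listen_ports() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -e 's/#.*//' "$f" | awk -v file="$f" '
            tolower($1) == "listen" {
                n = split($2, parts, ":")   # the port is the last ":"-separated field
                if (parts[n] ~ /^[0-9]+$/) printf "%s\t%s\n", parts[n], file
            }'
    done
}

# Report every port declared more than once. Returns 0 when the tree is
# clean and 1 when httpd would fail to bind, listing the offending files.
check_duplicate_listen() {
    dups=$(listen_ports "$@" | cut -f1 | sort | uniq -d)
    if [ -z "$dups" ]; then
        echo "no duplicate Listen ports"
        return 0
    fi
    for p in $dups; do
        echo "port $p is declared more than once:"
        listen_ports "$@" | awk -F'\t' -v p="$p" '$1 == p { print "  " $2 }'
    done
    return 1
}

# Constructed sample reproducing the question: 443 in httpd.conf and in ssl.conf.
demo() {
    d=$(mktemp -d)
    mkdir "$d/conf.d"
    printf 'Listen 80\nListen 443\n' > "$d/httpd.conf"
    printf '# Listen 8443 is commented out\nListen 443 https\n' > "$d/conf.d/ssl.conf"
    check_duplicate_listen "$d/httpd.conf" "$d"/conf.d/*.conf || echo "keep only one Listen per port"
    rm -r "$d"
}
demo
```

Run it against the real tree with `check_duplicate_listen /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf`; `httpd -t` will not catch this, because the config is syntactically valid and the failure only appears at bind time.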
1

In case anybody stumbles over this question in 2017...

There is no need to edit httpd.conf since ssl.conf contains all the directives we need:

# When we also provide SSL we have to listen to the 
# the HTTPS port in addition.
#
Listen 443 https

...

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

And of course the paths to the certs:

SSLCertificateFile /etc/pki/tls/certs/<mycert>.crt

SSLCertificateKeyFile /etc/pki/tls/private/<mykey>.key

In other words, it is enough to add the information in ssl.conf and then restart the httpd service. Of course, this only works if this (the last) line:

# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

...is uncommented as per above in the file httpd.conf, which it is in a default installation.

System info:

cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)
maulinglawns
0

On Debian-based systems, or generally on others:

Create

  • /etc/apache2/conf-available/default-ssl.conf

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        Listen 443
    </IfModule>


This works out of the box, in case you want to use the default page, i.e. for a reverse proxy with NGINX or others.

It's not limited to a VHOST.

Additional Information

It will not produce an error, due to the fact that it only works when mod_ssl is enabled.

bash:# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

Remember to restart Apache.

bash:# lsof -i :443
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 1337       root    6u  IPv6 488893      0t0  TCP *:443 (LISTEN)
apache2 13337  www-data    6u  IPv6 488893      0t0  TCP *:443 (LISTEN)
apache2 133337 www-data    6u  IPv4 488893      0t0  TCP *:443 (LISTEN)

This has worked for me for ages.

djdomi