
I have installed apache2 and OpenSSL

I installed OpenSSL this way:

sudo a2enmod ssl

sudo mkdir /etc/apache2/ssl

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

sudo chmod 600 /etc/apache2/ssl/*

sudo nano /etc/apache2/sites-enabled/***.ru.conf

After configuring the file

File: /etc/apache2/sites-enabled/***.ru.conf

<VirtualHost *:80>

    ServerAdmin office@***.eu
    ServerName ***.ru
    ServerAlias www.***.ru
    DocumentRoot /var/www/***.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
<VirtualHost *:443>

    ServerAdmin office@***.eu
    ServerName ***.ru:443
    ServerAlias www.***.ru
    DocumentRoot /var/www/***.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile "/etc/apache2/ssl/apache.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

and a restart with

sudo /etc/init.d/apache2 restart

I can call the domain with http successfully. But with https I get "connection refused"

What can I do?


Update 1:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      21766/apache2
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      12556/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      21766/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      402/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      12556/rpcbind
udp        0      0 0.0.0.0:859             0.0.0.0:*                           12556/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           12556/rpcbind
udp6       0      0 :::859                  :::*                                12556/rpcbind
udp6       0      0 :::111                  :::*                                12556/rpcbind

Update 2:

● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─forking.conf
   Active: active (running) since Mon 2017-09-04 22:21:51 CEST; 32min ago
  Process: 21728 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 21752 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/apache2.service
           ├─21766 /usr/sbin/apache2 -k start
           ├─21769 /usr/sbin/apache2 -k start
           ├─21794 /usr/sbin/apache2 -k start
           └─21795 /usr/sbin/apache2 -k start

Sep 04 22:21:50 86piub systemd[1]: Starting LSB: Apache2 web server...
Sep 04 22:21:51 86piub apache2[21752]: Starting web server: apache2.
Sep 04 22:21:51 86piub systemd[1]: Started LSB: Apache2 web server.

Update 3:

[Mon Sep 04 21:06:04.445632 2017] [mpm_prefork:notice] [pid 20572] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Sep 04 21:06:04.445676 2017] [core:notice] [pid 20572] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:16:36.199232 2017] [mpm_prefork:notice] [pid 20572] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:16:37.326606 2017] [mpm_prefork:notice] [pid 20736] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Sep 04 21:16:37.326652 2017] [core:notice] [pid 20736] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:19:56.402621 2017] [mpm_prefork:notice] [pid 20736] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:19:57.547091 2017] [mpm_prefork:notice] [pid 20815] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:19:57.547136 2017] [core:notice] [pid 20815] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:28:37.135554 2017] [mpm_prefork:notice] [pid 20815] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:36:24.963288 2017] [ssl:warn] [pid 21088] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:24.992551 2017] [ssl:warn] [pid 21089] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:24.993230 2017] [mpm_prefork:notice] [pid 21089] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:36:24.993245 2017] [core:notice] [pid 21089] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:36:42.013201 2017] [mpm_prefork:notice] [pid 21089] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:36:43.125758 2017] [ssl:warn] [pid 21140] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:43.150716 2017] [ssl:warn] [pid 21141] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:43.151416 2017] [mpm_prefork:notice] [pid 21141] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:36:43.151450 2017] [core:notice] [pid 21141] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:37:42.229356 2017] [mpm_prefork:notice] [pid 21141] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:37:43.345401 2017] [ssl:warn] [pid 21195] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:37:43.371558 2017] [ssl:warn] [pid 21196] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:37:43.372641 2017] [mpm_prefork:notice] [pid 21196] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:37:43.372667 2017] [core:notice] [pid 21196] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:40:15.942263 2017] [mpm_prefork:notice] [pid 21196] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:40:17.047285 2017] [ssl:warn] [pid 21288] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:40:17.071700 2017] [ssl:warn] [pid 21289] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:40:17.072403 2017] [mpm_prefork:notice] [pid 21289] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:40:17.072419 2017] [core:notice] [pid 21289] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:51:43.059740 2017] [mpm_prefork:notice] [pid 21289] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:51:44.171087 2017] [ssl:warn] [pid 21424] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:51:44.198683 2017] [ssl:warn] [pid 21425] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:51:44.199380 2017] [mpm_prefork:notice] [pid 21425] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:51:44.199404 2017] [core:notice] [pid 21425] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 22:13:38.102014 2017] [mpm_prefork:notice] [pid 21425] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 22:13:39.213574 2017] [ssl:warn] [pid 21646] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:13:39.240219 2017] [ssl:warn] [pid 21647] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:13:39.240929 2017] [mpm_prefork:notice] [pid 21647] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 22:13:39.240948 2017] [core:notice] [pid 21647] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 22:21:49.629640 2017] [mpm_prefork:notice] [pid 21647] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 22:21:50.728557 2017] [ssl:warn] [pid 21765] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:21:50.751995 2017] [ssl:warn] [pid 21766] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:21:50.752633 2017] [mpm_prefork:notice] [pid 21766] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 22:21:50.752650 2017] [core:notice] [pid 21766] AH00094: Command line: '/usr/sbin/apache2'

Update 4:

openssl s_client -connect ***.ru:443 -tls1 -servername ***.ru | openssl x509 -text -noout

tells me

connect: Connection refused
connect:errno=111
unable to load certificate
140019880523408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Bernhard
  • Can you check with `netstat -tulpn` (`sudo` if necessary) if apache is listening on port 443 at all, or just 80? – ConnorJC Sep 04 '17 at 20:39
  • Hello, I did what you say (see Update 1). It seems that it is listening on 443. Can you identify a problem? – Bernhard Sep 04 '17 at 20:42
  • What is the output of `systemctl status apache2`? – ConnorJC Sep 04 '17 at 20:53
  • Since you're getting connection refused and not unable to establish connection, see if your apache error log is logging the attempt to connect. – Grumpy Sep 04 '17 at 21:01
  • See Update 3 please. – Bernhard Sep 04 '17 at 21:11
  • Well, it seems to recognize the attempt to connect. The best answer here says that "caught SIGTERM, shutting down" can be normal: https://serverfault.com/questions/607873/apache-is-ok-but-what-is-this-in-error-log-mpm-preforknotice – Bernhard Sep 04 '17 at 22:17
  • Update 4 tells me it is unable to load the certificate – Bernhard Sep 04 '17 at 22:44
  • Update 4 is failing because openssl doesn't automatically have a list of trusted certificates. You need to add it to trust manually for self-signed certificates. For commercial certificates, there's usually a directory of trusted certificates like `/etc/pki/tls/certs` for redhat. Then you can add `-CApath /etc/pki/tls/certs` to the command. – Grumpy Sep 04 '17 at 23:04
  • What makes you think it 'recognizes the attempt to connect'? Nothing you showed indicates that, and TCP-level 'refused' cannot occur if the connection attempt reaches the server process. Does the server have iptables (or any firewall that uses iptables) enabled? @Grumpy: update 4 fails because it is trying to read a cert from the output of `s_client` -- which does output the PEM cert if handshake succeeds, but not for a TCP connection failure. No trust issue or trust store is involved in this error. – dave_thompson_085 Sep 05 '17 at 07:14
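The distinction dave_thompson_085 draws above is the one to test first: a TCP-level "Connection refused" (errno 111) means no TLS handshake ever started, so `openssl s_client` prints no PEM block and piping its output into `openssl x509` can only produce "no start line". The following is an added example, not part of the thread, written as POSIX sh around `openssl s_client`; it classifies which layer failed before it tries to parse a certificate. HOST and PORT are placeholders, and the sample s_client outputs used to exercise the classifier are constructed, modelled on the messages shown in Update 4.

```shell
#!/bin/sh
# Added example (not from the original post). Decide which layer failed before
# trying to pull a certificate out of `openssl s_client` output: a TCP
# "Connection refused" never reaches mod_ssl, so there is no certificate to
# parse and no trust store is involved. HOST and PORT below are placeholders.

# classify_tls_probe: reads s_client's combined stdout+stderr on stdin and
# prints one word: tcp_refused, tcp_timeout, dns_failed, tls_failed or ok
classify_tls_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Connection refused'; then
        printf 'tcp_refused\n'   # errno=111: nothing accepted the SYN, or a firewall REJECTed it
    elif printf '%s\n' "$out" | grep -qi 'timed out'; then
        printf 'tcp_timeout\n'   # packets silently dropped on the path (typical of a DROP rule)
    elif printf '%s\n' "$out" | grep -qiE 'name or service not known|getaddrinfo|gethostbyname'; then
        printf 'dns_failed\n'    # the name never resolved; no connection was attempted
    elif printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        printf 'ok\n'            # handshake got far enough for the server to send its certificate
    else
        printf 'tls_failed\n'    # TCP connected but the TLS handshake did not complete
    fi
}

# probe_tls HOST [PORT]: run one handshake attempt and print the classification
probe_tls() {
    host=$1; port=${2:-443}
    # -servername sends SNI; </dev/null closes the session right after the handshake
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | classify_tls_probe
}

# show_server_cert HOST [PORT]: only hand the output to `openssl x509` once the
# handshake is known to have succeeded; otherwise say which layer to look at
show_server_cert() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    case $(printf '%s\n' "$out" | classify_tls_probe) in
        ok)
            printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
            # the flag mod_ssl complains about in AH01906:
            printf '%s\n' "$out" | openssl x509 -noout -text | grep -E 'CA:(TRUE|FALSE)' ;;
        tcp_refused|tcp_timeout)
            printf 'no TLS happened: check the firewall/NAT between the client and %s:%s (e.g. iptables -L -n -v on the server)\n' "$host" "$port" >&2
            return 1 ;;
        *)
            printf 'TCP connected but TLS failed; s_client said:\n%s\n' "$out" >&2
            return 1 ;;
    esac
}
```

Run `probe_tls 127.0.0.1` on the server itself before probing from outside: Update 1 shows apache2 listening on 0.0.0.0:443, so a local `ok` together with a remote `tcp_refused` points at a host or network firewall, not at mod_ssl or the certificate.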

1 Answer


So your problem is that your SSL cert is being interpreted as a CA cert, rather than one to be used as a server. Easy solution to this is to generate a CA cert and use that to create your server's certificate:

# root key and self-signed CA certificate (this is the one that should carry CA:TRUE)
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt
# server key and CSR; the CN is the name clients will connect to
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=IP-OR-DOMAIN-HERE" -out server.csr
# sign the CSR with the CA; -CAcreateserial creates ca.srl on first use, without it
# OpenSSL 1.0.x aborts with "ca.srl: No such file or directory"; -sha256 avoids the SHA-1 default
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -sha256 -out server.crt -days 10000

Then you can use the generated server.crt and server.key for Apache.

However, be aware that you are using a self signed certificate. Considering that it's possible to get a trusted certificate for free nowadays, I'd highly recommend looking into something like Certbot.

ConnorJC
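The AH01906 lines in Update 3 show what the `openssl req -x509` one-liner from the question produced: a certificate whose BasicConstraints say CA:TRUE, because the stock openssl.cnf applies its v3_ca extension section to `req -x509` output. Apache only warns about it and still starts (the log continues with "resuming normal operations"), so it does not explain the refused connections, but it is worth fixing. The script below is an added example, not the answer's own commands: it builds the same two-tier setup as the answer, but pins the extensions explicitly through small config files (so it also works on OpenSSL 1.0.1 on Debian, which has no `-addext`), adds a subjectAltName, and then checks the result the way mod_ssl does. The CA name, the output directory and the host name are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer: a small local CA that issues a leaf
# certificate marked CA:FALSE with a subjectAltName, then verifies both before
# Apache is pointed at it. DIR, the CA name and HOST are placeholders.
set -e

# make_ca DIR [NAME]: self-signed root with CA:TRUE; this is the only
# certificate that should carry that flag
make_ca() {
    dir=$1; name=${2:-Example Local CA}
    mkdir -p "$dir"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -x509 -new -sha256 -key "$dir/ca.key" -days 3650 \
        -subj "/CN=$name" -config "$dir/ca.cnf" -extensions v3_ca \
        -out "$dir/ca.crt"
}

# issue_server_cert DIR HOST: leaf certificate for HOST and www.HOST, signed
# by DIR/ca.crt, with the extensions a server certificate needs
issue_server_cert() {
    dir=$1; host=$2
    printf '%s\n' '[v3_server]' 'basicConstraints = critical,CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host,DNS:www.$host" > "$dir/server.cnf"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$host" \
        -config "$dir/ca.cnf" -out "$dir/server.csr"
    # -CAcreateserial creates ca.srl on first use; -extfile/-extensions attach
    # the v3_server section instead of whatever openssl.cnf would default to
    openssl x509 -req -sha256 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

# is_ca_cert FILE: true when BasicConstraints says CA:TRUE (the AH01906 condition)
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_chain_ok DIR: the leaf must verify against the local CA
cert_chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_has_san FILE NAME: the leaf must name NAME in its subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: sh mkcert.sh /etc/apache2/ssl example.ru
# then set SSLCertificateFile DIR/server.crt and SSLCertificateKeyFile DIR/server.key
if [ $# -eq 2 ]; then
    make_ca "$1"
    issue_server_cert "$1" "$2"
    if is_ca_cert "$1/server.crt"; then printf 'server.crt is marked CA:TRUE\n' >&2; exit 1; fi
    cert_chain_ok "$1" && printf 'server.crt verifies against ca.crt\n'
fi
```

Clients will still not trust the result until ca.crt is imported into their trust store; as the answer says, a CA-issued certificate (for example via Certbot) removes that step entirely.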