Apache won't restart after SSL creation
fileslasher87
2008-08-20, 10:15 PM CDT
Hi everyone. I hope someone can help me out with this. I tried to create SSL for one of my web folders located in /var/www/html, but now my server won't restart. I'll go through the process that I followed so hopefully you can see what I did wrong.
First, I navigated to the conf folder and created my key.
cd /etc/httpd/conf
openssl genrsa -des3 -out filename.key 1024
I was then asked to set my pass phrase.
Next I created my certificate and entered my info.
openssl req -new -key filename.key -x509 -days 1000 -out filename.crt
For the "Common Name" field I simply put my host name: hostname.dyndns.org
Next I put my .key and .crt files in the proper folders located in /etc/httpd/conf.
filename.key goes in the ssl.key folder.
filename.crt goes in the ssl.crt folder.
Next I edited the ssl.conf file located in /etc/httpd/conf.d.
I changed the SSLCertificateFile directive and the SSLCertificateKeyFile directive to point them at my new key and cert.
SSLCertificateFile /etc/httpd/conf/ssl.crt/filename.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/filename.key
Next I was following a pretty vague guide and I added this line to the ssl.conf file between the <VirtualHost _default_:443> and </VirtualHost> tags.
<Directory "/var/www/html/site/folder">
SSLRequireSSL
</Directory>
Now I save the ssl.conf file and restart the server.
/etc/rc.d/init.d/httpd restart
The server will not restart, it says "Starting httpd: [FAILED]". I'm guessing it's because I need to restart using the pass phrase? Any help would be greatly appreciated.
marcrblevins
2008-08-20, 11:01 PM CDT
Wild guess, is your port 443 open?
marcrblevins
2008-08-20, 11:05 PM CDT
Compare with mine. This is the diff between the virgin ssl.conf.original (a copy of the original before I changed it) and my ssl.conf.
[root@kiriyamablevins conf.d]# diff ssl.conf.original ssl.conf
112c112,113
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateFile /etc/pki/tls/certs/kiriyamablevins.dyndns.org.cert
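Review bot: nothing in this hunk shows that kiriyamablevins.dyndns.org.cert was issued for the key swapped in by the next hunk; mod_ssl refuses to start on a key/certificate mismatch, so compare `openssl x509 -noout -modulus -in /etc/pki/tls/certs/kiriyamablevins.dyndns.org.cert` with `openssl rsa -noout -modulus -in /etc/pki/tls/private/kiriyamablevins.dyndns.org.key` before restarting.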
119c120,121
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> SSLCertificateKeyFile /etc/pki/tls/private/kiriyamablevins.dyndns.org.key
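Review bot: the key swapped in here must not be pass-phrase protected if httpd is started from the init script (no terminal to answer the prompt, which is the symptom in the first post), and it should be owned by root at mode 0600 in /etc/pki/tls/private; the diff shows neither, so check both before relying on this change.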
[root@kiriyamablevins conf.d]#
marcrblevins
2008-08-20, 11:09 PM CDT
This is what I get when running:
https://kiriyamablevins.dyndns.org
Secure Connection Failed
kiriyamablevins.dyndns.org uses an invalid security certificate.
The certificate is not trusted because it is self signed.
(Error code: sec_error_untrusted_issuer)
* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Or you can add an exception…
If you see this:
The certificate is not trusted because it is self signed.
It's working, which I don't use anyway. I use the Apache htaccess password thingy.
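The browser verdict quoted above, reproduced as an added example (editorial code, not from the thread) with openssl s_server standing in for httpd on port 443 and openssl s_client standing in for Firefox. A self-signed certificate fails verification with OpenSSL code 18 (self-signed certificate), which is what Firefox reports as sec_error_untrusted_issuer; trusting that exact certificate as the anchor, which is what the browser exception does, turns it into code 0. Assumes openssl(1), a made-up host name, and a free loopback port (44331 by default, override with PORT).

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the browser's "not trusted
# because it is self signed" verdict with openssl s_server/s_client, then show
# that trusting that exact certificate (what the browser exception does)
# makes verification pass. Assumes openssl(1); listens on loopback only.

PORT=${PORT:-44331}
SERVER_PID=""

# Unencrypted key plus self-signed certificate for a made-up host name.
make_test_cert() {  # $1=key file  $2=cert file  $3=common name
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Minimal TLS server presenting the certificate, the role httpd plays on :443.
start_server() {    # $1=key file  $2=cert file
    openssl s_server -accept "$PORT" -key "$1" -cert "$2" -www \
        </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
}

stop_server() {
    [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
    SERVER_PID=""
}

# Poll until the listener completes a handshake (s_server needs a moment).
wait_for_server() {
    i=0
    while [ "$i" -lt 50 ]; do
        echo | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 0.2
    done
    return 1
}

# Connect like a browser and print OpenSSL's verify result code:
#   18 = self-signed certificate (Firefox: sec_error_untrusted_issuer)
#    0 = ok
# $1 (optional) = PEM file to trust as the anchor, i.e. the pinned self-signed cert.
verify_code() {
    if [ -n "$1" ]; then
        out=$(echo | openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$1" 2>/dev/null)
    else
        out=$(echo | openssl s_client -connect "127.0.0.1:$PORT" 2>/dev/null)
    fi
    printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

main() {
    d=$(mktemp -d)
    make_test_cert "$d/host.key" "$d/host.crt" hostname.dyndns.org || { echo "openssl not available"; return 1; }
    start_server "$d/host.key" "$d/host.crt"
    wait_for_server || { stop_server; echo "server did not start"; return 1; }
    echo "system trust store only : verify code $(verify_code)"
    echo "self-signed cert pinned : verify code $(verify_code "$d/host.crt")"
    stop_server
    rm -rf "$d"
}
main
```

Against a real server replace `127.0.0.1:$PORT` with `hostname.dyndns.org:443`; the same two runs tell you whether the browser warning is only the expected self-signed complaint or a different problem such as a CN that does not match the host name.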
fileslasher87
2008-08-21, 02:01 AM CDT
Thanks for the replies. I can now restart my server using httpd -k restart and my pass phrase is working. I compared to yours and moved my key and cert files to /etc/pki/tls/certs and /etc/pki/tls/private, but for some reason the certificate just won't kick in when I check my root html files (located in /var/www/html) with Mozilla. Here's my ssl.conf file. Everything I changed or added is in bold. Sorry if the text is long; I wasn't sure what I should keep in the post. I'm using Fedora Core 7 btw.
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName host.dyndns.org
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/httpd/conf/ssl.crt/myssl.crt
SSLCertificateFile /etc/pki/tls/certs/myssl.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myssl.key
SSLCertificateKeyFile /etc/pki/tls/private/myssl.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
<Directory "/var/www/html">
SSLRequireSSL
</Directory>
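The `<Directory "/var/www/html"> SSLRequireSSL </Directory>` block in the config above sits inside `<VirtualHost _default_:443>`. That host has `SSLEngine on` and only ever receives TLS connections, so SSLRequireSSL there can never deny anything; a plain http:// request for the same DocumentRoot is answered by the port-80 host, which the block does not touch. Placed in the global scope (or in the :80 host) the directive denies those plain-HTTP requests with 403, which is the behaviour people expect from it; a `Redirect` in the :80 host is the friendlier alternative. The added example below (editorial code, not from the thread) scans an Apache config for SSLRequireSSL and reports the scope each occurrence is in, using two constructed configs that mirror the layout posted above and the corrected placement. Assumes POSIX awk.

```sh
#!/bin/sh
# Added example, not from the thread: locate every SSLRequireSSL in an Apache
# config and report which scope it sits in. Inside <VirtualHost _default_:443>
# the directive can never fire, because that host only receives TLS
# connections (SSLEngine on); in the global scope or the :80 host it denies
# plain-HTTP requests (403) for the same DocumentRoot. Assumes POSIX awk; the
# sample configs below are constructed to mirror the layout in the thread.

# Print "LINE:SCOPE" per SSLRequireSSL (SCOPE = enclosing VirtualHost address
# or "global"); exit 1 if any occurrence is inside a :443 host.
find_ssl_require() {  # $1=config file
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {
            scope = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", scope)
            sub(/>.*$/, "", scope)
        }
        /^[ \t]*<\/VirtualHost>/ { scope = "" }
        /^[ \t]*SSLRequireSSL/ {
            s = (scope == "") ? "global" : scope
            print NR ":" s
            if (s ~ /:443$/) bad++
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# The placement from the thread: SSLRequireSSL inside the TLS-only host.
write_thread_layout() {  # $1=output file
    cat > "$1" <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName host.dyndns.org
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/myssl.crt
SSLCertificateKeyFile /etc/pki/tls/private/myssl.key
<Directory "/var/www/html">
SSLRequireSSL
</Directory>
</VirtualHost>
EOF
}

# Same directive moved to the global scope, where it also covers port 80.
write_global_layout() {  # $1=output file
    cat > "$1" <<'EOF'
<Directory "/var/www/html">
SSLRequireSSL
</Directory>
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName host.dyndns.org
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/myssl.crt
SSLCertificateKeyFile /etc/pki/tls/private/myssl.key
</VirtualHost>
EOF
}

main() {
    d=$(mktemp -d)
    write_thread_layout "$d/ssl.conf"
    write_global_layout "$d/ssl-fixed.conf"
    for f in "$d/ssl.conf" "$d/ssl-fixed.conf"; do
        if find_ssl_require "$f"; then
            echo "$f: SSLRequireSSL is outside the :443 host, so plain HTTP is denied"
        else
            echo "$f: SSLRequireSSL only inside the :443 host, so plain HTTP is unaffected"
        fi
    done
    rm -rf "$d"
}
main
```

Point `find_ssl_require` at /etc/httpd/conf.d/ssl.conf to check a real install. While editing that file, the `SSLCipherSuite` line posted above (`ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW`) also deserves attention: it still admits LOW-strength and RC4 suites, which nothing on a Fedora box of that era needed.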
marcrblevins
2008-08-21, 04:17 AM CDT
Interesting, mine was only two line changes, you have more. Red is what I have in mine and blue is what I don't have in mine, maybe because I'm using Fedora 9.
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName host.dyndns.org
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/httpd/conf/ssl.crt/myssl.crt
SSLCertificateFile /etc/pki/tls/certs/myssl.crt
SSLCertificateFile /etc/pki/tls/certs/kiriyamablevins.dyndns.org.cert
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myssl.key
SSLCertificateKeyFile /etc/pki/tls/private/myssl.key
SSLCertificateKeyFile /etc/pki/tls/private/kiriyamablevins.dyndns.org.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
<Directory "/var/www/html">
SSLRequireSSL
</Directory>