[SOLVED] apache https and error 501 not implemented



assalane
13th March 2010, 02:10 PM
Hello everyone.
I have a new problem that's driving me insane. I'm trying to set up a web server. Well, I already set it up before, but for two weeks now https gives me a
501 The requested method is not implemented by this server, when I try to access it remotely.
You can try yourself: https://www.tradesult.com
Now the best part: when I access https with my openvpn connection, it works. Same thing when I try from the LAN (I have to put the IP in the web browser for it to work).

The only "error" that ssl_error_log gives is

RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
My certificate is self-signed for the moment, so that's normal, right?

I tried everything, googled like mad, but nowhere did I find a solution. Note that http works:
http://www.tradesult.com.

Why oh why did it stop working? I tried every possible configuration, and went as far as modifying my entire web server structure. I think now I'm gonna cry. Please help.

jpollard
13th March 2010, 02:55 PM
Normally, you wouldn't use the CA certificate for a web server. Instead, you keep the CA certificate hidden, and generate a server certificate.

In many cases there is no significant difference between a CA certificate and a server certificate - but there ARE some usage bits that are different. The apache web server doesn't support using certificates for "unauthorized" purposes.

All you have to do is generate a server certificate. (And unfortunately, I haven't done this in several years, and my documentation on what to do isn't immediately available.)
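An added example, not from the thread, of the "generate a server certificate" step jpollard describes: a POSIX shell helper that issues a leaf certificate from an existing private CA with the usage bits a server certificate needs (CA:FALSE, serverAuth), plus a check for the CA:TRUE flag behind mod_ssl's "RSA server certificate is a CA certificate" warning. It assumes the openssl CLI is installed; file names and the hostname are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI; paths are placeholders.
# Issue a server (leaf) certificate from a private CA so httpd never presents the CA
# certificate itself.  $1 = CA cert, $2 = CA key, $3 = server hostname, $4 = output basename
issue_server_cert() {
  ca_crt=$1; ca_key=$2; host=$3; out=$4
  # Server key and CSR (unencrypted key: no pass phrase prompt when httpd starts).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
    -subj "/CN=$host" >/dev/null 2>&1 || return 1
  # Extensions that distinguish a server certificate from a CA certificate.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$out.ext"
  # Sign the CSR with the CA; -extfile applies the extensions above to the issued cert.
  openssl x509 -req -in "$out.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -out "$out.crt" -days 365 -extfile "$out.ext" >/dev/null 2>&1
}

# Return 0 when a PEM certificate is flagged as a CA (basicConstraints CA:TRUE),
# i.e. the condition mod_ssl warns about when such a cert is used as the server cert.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Return 0 when $2 chains to the CA in $1 and carries the TLS server usage bit.
server_cert_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Server Authentication'
}
```

Point SSLCertificateFile at the issued .crt and SSLCertificateKeyFile at the .key; the CA key stays off the web server.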

assalane
13th March 2010, 10:36 PM
Thanks, I will try that and come back to you.

It still doesn't work. Can you or anyone check if you see anything that doesn't make sense in my config file? I really can't understand why it doesn't work outside the LAN/openvpn connection. Maybe my named.conf and zone files are off? My server is running Fedora 11 for the record, and the problem just popped up 2 weeks ago, sometime after I acquired a static IP address.

---------- Post added at 01:36 PM CST ---------- Previous post was at 12:43 PM CST ----------

When I start the http server here are the contents of ssl_error_log

[Sat Mar 13 16:35:36 2010] [info] Loading certificate & private key of SSL-aware server
[Sat Mar 13 16:35:36 2010] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Sat Mar 13 16:35:36 2010] [info] Configuring server for SSL protocol
[Sat Mar 13 16:35:36 2010] [debug] ssl_engine_init.c(414): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Mar 13 16:35:36 2010] [debug] ssl_engine_init.c(607): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[Sat Mar 13 16:35:36 2010] [debug] ssl_engine_init.c(370): Configuring TLS extension handling
[Sat Mar 13 16:35:36 2010] [debug] ssl_engine_init.c(738): Configuring RSA server certificate
[Sat Mar 13 16:35:36 2010] [debug] ssl_engine_init.c(777): Configuring RSA server private key
[Sat Mar 13 16:35:37 2010] [info] Loading certificate & private key of SSL-aware server
[Sat Mar 13 16:35:37 2010] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Sat Mar 13 16:35:37 2010] [info] Configuring server for SSL protocol
[Sat Mar 13 16:35:37 2010] [debug] ssl_engine_init.c(414): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Mar 13 16:35:37 2010] [debug] ssl_engine_init.c(607): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[Sat Mar 13 16:35:37 2010] [debug] ssl_engine_init.c(370): Configuring TLS extension handling
[Sat Mar 13 16:35:37 2010] [debug] ssl_engine_init.c(738): Configuring RSA server certificate
[Sat Mar 13 16:35:37 2010] [debug] ssl_engine_init.c(777): Configuring RSA server private key

and error_log

[Sat Mar 13 16:35:36 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Sat Mar 13 16:35:36 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 13 16:35:37 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
[Sat Mar 13 16:35:37 2010] [notice] Digest: generating secret for digest authentication ...
[Sat Mar 13 16:35:37 2010] [notice] Digest: done
[Sat Mar 13 16:35:38 2010] [notice] Apache/2.2.14 (Unix) DAV/2 PHP/5.2.12 mod_ssl/2.2.14 OpenSSL/0.9.8k-fips configured -- resuming normal operations

jpollard
13th March 2010, 10:53 PM
How are you using openvpn for the connection?

-- I tested using curl and get the same error... odd. ("curl --insecure https://www.tradesult.com/", which should retrieve the top level page...)

It really isn't complaining about the certificate (other than being self signed...) so unless the server really is confused over the usage flags of the certificate, I don't see the error...other than it doesn't work.

hang on... This may not be right - I just noticed that your document root is /var/www/html-secure, but you don't have a <Directory /var/www/html-secure> section defined for it in your virtual host for access... Though that would be an odd error message, but it may be that the GET method is disabled?

Which wouldn't explain why it works with openvpn...

assalane
13th March 2010, 11:06 PM
For openvpn I'm connecting on port 1358 and I have the IP address 10.8.0.6. So I just need to do an https://10.8.0.1 to access my secure pages.

It's just recently that I changed the document root of my secure pages, and it wasn't working either when the root was the same as for http (/var/www/html). But I'll try adding the directive and come back to you.

Edit: nope, still no go.

<Directory "/var/www/html-secure">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

is now included in my virtual host *:443.

assalane
16th March 2010, 08:49 AM
I found out something really strange (maybe it's normal and it's just because I'm a newbie). Even when I stop the httpd server, the browsers still act as if there is something listening on port 443. I stopped the httpd server; can someone check for me if there is still the 501 error? https://www.tradesult.com

Maybe that's the problem, no?

jpollard
16th March 2010, 12:37 PM
If you had it stopped now, yes it is. (just tried it)

Do a "fuser -n tcp 443" to identify the process(es) that have the port.

I should have thought of that... good digging.

assalane
16th March 2010, 08:21 PM
Strange, I just tried "fuser -n tcp 443", and it returns nothing... Yesterday I did "lsof -i | grep 443" and "nmap -sT -O localhost | grep 443", and they returned nothing either...
Still, my server is down, so there shouldn't be any negotiation with my certificate, right?

I will try closing port 443 in my firewall.

You know? Now I feel really stupid. In my router firewall, port 443 was not forwarded properly to my server. I mean, the forwarding table showed port TCP 443 -> local IP of server, but it was not enabled because I forgot to check "enable"....

At least we are going somewhere. I still have the 501 error though... But my ssl_error_log became interesting:

[Tue Mar 16 12:28:09 2010] [info] Initial (No.1) HTTPS request received for child 0 (server www.tradesult.com:443)
[Tue Mar 16 12:28:24 2010] [debug] ssl_engine_io.c(1884): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b275f0cc0 [mem: 7f0b275f8390]
[Tue Mar 16 12:28:24 2010] [info] [client 65.94.247.42] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Mar 16 12:28:24 2010] [debug] ssl_engine_kernel.c(1879): OpenSSL: Write: SSL negotiation finished successfully
[Tue Mar 16 12:28:24 2010] [info] [client 65.94.247.42] Connection closed to child 0 with standard shutdown (server www.tradesult.com:443)

---------- Post added at 11:21 AM CDT ---------- Previous post was at 08:14 AM CDT ----------

Now it works. Thanks Jpollard, you helped me more than you would know. You permitted me to think outside the box :)
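An added example, not from the thread, for the lesson the thread ends on: when httpd looks fine locally but remote clients get odd errors, confirm that the TLS endpoint reached remotely is actually this httpd, not another device answering on the forwarded port. This POSIX shell helper compares the SHA-256 fingerprint of the configured certificate with the one served at host:port, and wraps the "fuser -n tcp 443" ownership check from the thread. It assumes the openssl CLI and fuser are installed; hostname and certificate path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI and fuser are installed.

# SHA-256 fingerprint of a PEM certificate file (the one httpd is configured with).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# SHA-256 fingerprint of whatever answers TLS at host:port, from this vantage point.
# Empty output means nothing completed a TLS handshake there.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# Verdict for local fingerprint $1 vs served fingerprint $2; kept network-free on purpose.
#   MATCH          the remote endpoint presents our certificate
#   NO-TLS-ANSWER  no TLS handshake completed (port closed, filtered, or not TLS)
#   MISMATCH       some other listener answers (another host, a router UI, a stale forward)
compare_fingerprints() {
  if [ -z "$2" ]; then echo NO-TLS-ANSWER
  elif [ -n "$1" ] && [ "$1" = "$2" ]; then echo MATCH
  else echo MISMATCH
  fi
}

# Usage (placeholders): check_endpoint www.example.test 443 /etc/pki/tls/certs/server.crt
# Run it once from the LAN and once from outside; a MISMATCH only from outside points at
# the NAT/forwarding layer rather than at httpd or the certificate.
check_endpoint() {
  compare_fingerprints "$(cert_fingerprint "$3")" "$(served_fingerprint "$1" "$2")"
}

# Which local process, if any, holds the port; no output means nothing is bound to it here.
port_owner() { fuser -n tcp "$1" 2>/dev/null; }
```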