Ssl – Apache producing lots of SSL-only errors even though the data in-browser seems fine

apache-2.2, ssl

I have installed a self-signed SSL certificate for the website I am running on localhost. It seems that the data reaching the browser is complete and correct for both the SSL and non-SSL versions, but I am getting a lot of Apache error output which seems to indicate otherwise.

When I hit refresh, I immediately get a couple of these lines in the log

AH01964: Connection to child 0 established

Also child 2, 6, 4, etc may appear, in no particular order.

Over the next few seconds I get several of these

(70014)End of file found: [client 127.0.0.1:32839] AH01991: SSL input filter read failed.
[client 127.0.0.1:32840] AH01382: Request header read timeout

I assume the multiplicity of these lines is due to scripts, CSS, etc., because if I go to 'View Source' and refresh that window, I get one of these

AH01964: Connection to child 4 established

…and nothing else. All this happens for https connections only. The log for http is silent.

Is anything actually wrong? I repeat, the content seems to be completely and correctly served, which seems to contradict the "read failed" and "timeout" language in the log. Are these errors just noise or do I have to fix something?

If they're just harmless noise, how do I turn them off?


Here is how I set everything up. (I got this process piecewise from various tutorials without fully understanding it.)

In /etc/hosts I have

127.0.0.1 x.com

I created a self-signed ssl certificate via the following script

openssl genrsa -des3 -out x.com.key 2048
openssl req -new -key x.com.key -out x.com.csr
cp x.com.key x.com.key.org
openssl rsa -in x.com.key.org -out x.com.key
openssl x509 -req -days 3650 -in x.com.csr -signkey x.com.key -out x.com.crt
chmod 400 x.com.{key,crt,csr}
sudo chown www-data x.com.{key,crt,csr}
sudo mv x.com.{key,crt,csr} /path/to/website/

During this process I input

Common Name (e.g. server FQDN or YOUR name) []:x.com

I have both a <VirtualHost x.com:80> and a <VirtualHost x.com:443> set up in sites-enabled/000-default.conf and the difference between them is this section:

SSLEngine on
SSLCertificateFile /path/to/website/x.com.crt
SSLCertificateKeyFile /path/to/website/x.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog ${APACHE_LOG_DIR}/x.com.ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

And they have this in common:

LogLevel info
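
An added example, not the poster's script: the same self-signed setup for x.com done in one non-interactive step, plus two checks a practitioner would run before pointing SSLCertificateFile/SSLCertificateKeyFile at the files (that the key and certificate belong together, and that the certificate names the host in a subjectAltName, which is what browsers match on). It assumes only the openssl command line, version 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example (not the poster's script or Apache's own tooling).
# Assumes the openssl CLI, 1.1.1 or newer (for -addext), is installed.
set -eu

# make_selfsigned DIR HOST: writes DIR/HOST.key and DIR/HOST.crt.
# -nodes leaves the key unencrypted, so Apache can start without a passphrase
# prompt (the same end state as the poster's genrsa -des3 / rsa two-step).
# A subjectAltName is added because browsers match the hostname against the
# SAN list, not the Common Name alone.
make_selfsigned() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 400 "$dir/$host.key"   # private key: owner read-only
    chmod 444 "$dir/$host.crt"   # the certificate itself is public
}

# pair_matches KEY CRT: prints "match" when the public key inside CRT is the
# one derived from KEY (compares SHA-256 of the DER public keys), else "mismatch".
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_has_san CRT HOST: prints "yes" if CRT lists DNS:HOST in its SAN extension.
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: build the pair in a scratch directory and check it.
WORK=$(mktemp -d)
make_selfsigned "$WORK" x.com
echo "key/cert pair: $(pair_matches "$WORK/x.com.key" "$WORK/x.com.crt")"
echo "SAN for host:  $(cert_has_san "$WORK/x.com.crt" x.com)"
```

Move the two files into place afterwards as in the question; the .csr from the original script is not needed when req -x509 signs the certificate directly.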

Best Answer

This question appears to be the same as this one, which obviously I found while diagnosing the same thing.

The issue is caused by setting a name-based (or wildcard catch-all) address on a VirtualHost instead of an IP address. The problem is that the domain name is only passed to a web server once the connection is established, by which stage the SSL/TLS connection must already be active, so the server needs to select the correct SSL key based on the minimum information available, and that is the IP address for that virtual host.

There is greater detail and sample configuration information on the Apache website, but basically you want to change the <VirtualHost x.com:443> to <VirtualHost 1.2.3.4:443> where that uses the IP address for that host/interface.