I have an Apache server that serves my site fine if I just use http, but I can't connect to it over https. I've combed all error logs and found nothing. I've tried several things from other answers on this site, including allowing port 443 over my firewall and restarting iptables, and disabling SELinux. These haven't worked so I suspect there's a problem with my configuration.
Here are my virtual hosts:
Listen 80
Listen 443
NameVirtualHost *:80
<VirtualHost *:80>
ServerName myurl.com
# Trailing slash needed: Redirect appends the remainder of the request path to the target,
# so a target of "https://myurl.com:443" would turn a request for /foo into https://myurl.com:443foo
Redirect permanent / https://myurl.com/
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName myurl.com
Alias /static /path/to/my/app/static
WSGIScriptAlias / /path/to/my/app/wsgi.py
<Directory /path/to/my/app>
Order deny,allow
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/ssl.crt/myurl.com.crt
SSLCertificateChainFile /etc/ssl/ssl.crt/myurl.com.ca-bundle
SSLCertificateKeyFile /etc/ssl/ssl.key/myurl.com.key
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# Note: this is the string shipped in the stock ssl.conf; it still permits RC4 and LOW-grade ciphers.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Here's the output of netstat -ltpn:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1122/rpcbind
tcp 0 0 0.0.0.0:42675 0.0.0.0:* LISTEN 5774/rpc.statd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 27100/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 5806/cupsd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 12076/postmaster
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6011/master
tcp 0 0 :::111 :::* LISTEN 1122/rpcbind
tcp 0 0 :::80 :::* LISTEN 5860/httpd
tcp 0 0 :::22 :::* LISTEN 27100/sshd
tcp 0 0 ::1:631 :::* LISTEN 5806/cupsd
tcp 0 0 ::1:5432 :::* LISTEN 12076/postmaster
tcp 0 0 ::1:25 :::* LISTEN 6011/master
tcp 0 0 :::443 :::* LISTEN 5860/httpd
tcp 0 0 :::40040 :::* LISTEN 5774/rpc.statd
And curl -v https://myurl.com:
[admin@eusay ~]$ curl -v https://myurl.com
* About to connect() to eusay.eusa.ed.ac.uk port 443 (#0)
* Trying ::1... connected
* Connected to eusay.eusa.ed.ac.uk (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=eusay.eusa.ed.ac.uk,OU=Domain Control Validated
* start date: Jun 26 00:00:00 2014 GMT
* expire date: Jun 25 23:59:59 2017 GMT
* common name: eusay.eusa.ed.ac.uk
* issuer: CN=TERENA SSL CA,O=TERENA,C=NL
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: eusay.eusa.ed.ac.uk
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 15 Aug 2014 19:37:16 GMT
< Server: Apache/2.2.15 (CentOS)
< Vary: Cookie
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: sessionid=zi5oddwgqure8iwnkvd7evrjjt0qe3q8; expires=Fri, 29-Aug-2014 19:37:17 GMT; httponly; Max-Age=1209600; Path=/
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<
followed by the full HTML of the page.
Best Answer
tl;dr - Apache is just fine. It really is your firewall.
Correct the firewall issue, and all will be good.
Long Version
The problem:
Your testing with curl verifies that Apache itself is serving the site over HTTPS. That said, your testing with curl was done from the server itself.
When I tested with curl, on both 80 and 443, my results were different from yours. On 80, I got the HTTP 301 as expected. However, when I attempted to access the HTTPS version of your site, I received an ICMP HOST UNREACHABLE.
In other words, your firewall is rejecting the packets that are destined for TCP 443 on your webserver.
The Solution:
Find why the TLS traffic from the outside is being blocked, and then fix it.
Run iptables -L -v -n to see what rules are actually in place. You may need to add a rule to explicitly allow the traffic, such as:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
or remove a rule blocking it, or perhaps even both.
Supporting Evidence
Output from
curl -v http://eusay.eusa.ed.ac.uk
Output of
curl -v https://eusay.eusa.ed.ac.uk
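The rule walk the answer recommends, as an added example that is not part of the question or the answer: a POSIX shell/awk script that replays a NEW TCP connection to a given port and inbound interface against the INPUT chain of iptables -L -v -n output, which shows why curl on the server itself (loopback) succeeds while outside clients are rejected. The ruleset embedded in it is constructed to resemble a stock CentOS 6 firewall and is not the asker's actual one.

```shell
#!/bin/sh
# Added example (not from the question or the answer): walk the INPUT chain of
# `iptables -L -v -n` output the way netfilter would for a NEW inbound TCP
# connection, to show why curl on the server itself (interface lo) gets through
# while a client on the network (interface eth0) is rejected before Apache sees it.
# Assumptions: the ruleset below is constructed, not taken from the server in the
# question; only ACCEPT/DROP/REJECT targets are evaluated (jumps to user chains are skipped).
# firewall_verdict PORT IFACE   (reads iptables -L -v -n output on stdin)
# prints the target of the first matching rule, or the chain policy if none matches
firewall_verdict() {
  awk -v port="$1" -v iface="$2" '
    /^Chain INPUT / { inchain = 1; policy = $4; next }   # "(policy ACCEPT ..." -> $4
    /^Chain /       { inchain = 0; next }
    inchain && $3 ~ /^(ACCEPT|DROP|REJECT)$/ {
      # columns: pkts bytes target prot opt in out source destination [match extras]
      extra = ""
      for (i = 10; i <= NF; i++) extra = extra " " $i
      if ($4 != "all" && $4 != "tcp") next                        # other protocol
      if ($6 != "*" && $6 != iface) next                          # other inbound interface
      if (extra ~ /RELATED,ESTABLISHED/) next                     # a new SYN is not ESTABLISHED
      if (extra ~ /dpt:/ && extra !~ ("dpt:" port "( |$)")) next  # other destination port
      print $3; found = 1; exit
    }
    END { if (!found) print policy }
  '
}

# Constructed sample: a stock CentOS 6 ruleset where TCP 80 was opened but 443 was not.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  512 40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   40  2400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
   97  5820 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
)
for iface in lo eth0; do
  for port in 80 443; do
    printf 'tcp/%s in via %s: %s\n' "$port" "$iface" "$(printf '%s\n' "$SAMPLE" | firewall_verdict "$port" "$iface")"
  done
done
```

Because the chain is walked top to bottom, a rule appended with iptables -A INPUT lands after the final REJECT and never matches; insert it ahead of that rule with iptables -I INPUT <n> ... instead, and make it persistent (on CentOS 6, service iptables save).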