As Bruce pointed out, you'll need to bind to an externally facing address, not just localhost. Localhost is an interface without a physical interface - it is only accessible from the local host. You could try binding to *, or to a specific IP address which is externally accessible (even if it's through some sort of NAT).<div>
<br></div><div>Also, SSL and Named Virtual Hosts don't work really well together, as Apache needs to know the name in the HTTP request before it knows which Virtual Host to serve, but the SSL handshake happens before this. Hence, there can be no more than one SSL certificate on each IP address.<div>
<br></div><div>ie the sequence is:</div><div><br></div><div>DNS lookup for <a href="http://name.com">name.com</a>, finds IP address</div><div>Connect over TCP to IP address</div><div>SSL handshake (certificate for <a href="http://name.com">name.com</a> presented)</div>
<div>HTTP conversation - request data for <a href="http://name.com">name.com</a></div><div><br></div><div>Does that make sense?</div><div><br></div><div>So, I would rebind to an external port, then try the same steps again. To troubleshoot effectively, perhaps try it on HTTP first - get one thing working at a time, then slowly add complexity like you're baking a cake (<span class="Apple-style-span" style="font-family: Helvetica; font-size: 12px; "><a href="http://uk.youtube.com/watch?v=S7GGkKpBR-g">http://uk.youtube.com/watch?v=S7GGkKpBR-g</a>).</span></div>
<div><span class="Apple-style-span" style="font-family: Helvetica; font-size: 12px;"><br></span></div><div><span class="Apple-style-span" style="font-family: Helvetica; font-size: 12px;">Also, when testing with openssl, you probably want to use something like:</span></div>
<div><br></div><div>openssl s_client -connect host:443</div><div><br></div><div>...and you should see the certificate chain. There's heaps of options - h<span class="Apple-style-span" style="font-family: Helvetica; font-size: 12px; ">ttp://<a href="http://www.madboa.com/geek/openssl">www.madboa.com/geek/openssl</a> is a good reference...</span></div>
<div><br></div><div>Richard<br></div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Tue, May 13, 2008 at 4:16 PM, Avi Greenbury <<a href="mailto:avismailinglistaccount@googlemail.com">avismailinglistaccount@googlemail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">On Fri, 9 May 2008 16:19:55 +0100<br>
"Richard Russell" <<a href="mailto:richard.a.russell@gmail.com">richard.a.russell@gmail.com</a>> wrote:<br>
<br>
> 1. Check that your server is binding to the right port with lsof or<br>
<div class="Ih2E3d">> netstat or similar (can't remember the latest tool for this job).<br>
<br>
</div>Looks right to my untrained eye:<br>
<br>
shrek:/home/avi# lsof -i | grep https<br>
apache2 8798 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 8804 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 10585 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 10586 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 12482 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 13942 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 13944 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 31490 root 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 31500 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 31502 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
apache2 31508 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)<br>
<br>
> 2. Telnet to the port from the server.<br>
<br>
I can get a connection, and a response. Not entirely sure what the HTTP400 relates to, though.<br>
<br>
shrek:~$ telnet localhost 443<br>
Trying 127.0.0.1...<br>
Connected to localhost.<br>
Escape character is '^]'.<br>
HEAD / HTTP/1.1<br>
<br>
HTTP/1.1 400 Bad Request<br>
Date: Tue, 13 May 2008 10:25:38 GMT<br>
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c<br>
Connection: close<br>
Content-Type: text/html; charset=iso-8859-1<br>
<br>
Connection closed by foreign host.<br>
<br>
> 3. Use openssl commandline tool to see if you can see the certificate on<br>
<div class="Ih2E3d">> that port from the server.<br>
<br>
</div>In trying this, I found that Apache had no certificates (which in hindsight is to be expected, since I don't remember creating any). I used mod-ssl-makecert (as suggested in, I think a <a href="http://debian-administration.co.uk" target="_blank">debian-administration.co.uk</a> article).<br>
<br>
So, having made one, I get this (is this what you meant?):<br>
<br>
shrek:~$ openssl s_server -cert /etc/apache/ssl.crt/server.crt -key /etc/apache/ssl.key/server.key<br>
Enter pass phrase for /etc/apache/ssl.key/server.key:<br>
Using default temp DH parameters<br>
Using default temp ECDH parameters<br>
ACCEPT<br>
<br>
> 4. Use a browser on the server to see if you can connect to the server<br>
> locally.<br>
<br>
I can now (couldn't before I did the SSL certificate above). But I can't get at it from the internet.<br>
If I connect via clear http, I get an error telling me to use https (though lynx apparently doesn't renegotiate).<br>
<br>
Could this be because I've put the SSL-related directives in the definition of NameVirtualHost * ? I figured that'd give me the broadest application of https, and I'm not exactly sure how htc sets up its own vhosts.<br>
<br>
> 5. Check the serverlogs and the errorlogs to see what's going on. IIRC<br>
<div class="Ih2E3d">> there's some form of ssl log on many setups - you may be able to configure<br>
> this somewhere also.<br>
<br>
</div>I've been looking for the log, but can't find it. I've got the mod_ssl docs downloaded, though, for a perusal this evening...<br>
<div class="Ih2E3d"><br>
><br>
> Then try the last four from another machine on the same subnet, and then on<br>
> other networks.<br>
><br>
<br>
</div>Unfortunately, this is a box in a datacenter in Belgium - outside of the box itself, I can only jump straight to the Big Wide World.<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="Wj3C7c">Avi Greenbury<br>
--<br>
Gllug mailing list - <a href="mailto:Gllug@gllug.org.uk">Gllug@gllug.org.uk</a><br>
<a href="http://lists.gllug.org.uk/mailman/listinfo/gllug" target="_blank">http://lists.gllug.org.uk/mailman/listinfo/gllug</a><br>
</div></div></blockquote></div><br></div></div>