[Gllug] simple https troubleshooting?
Avi Greenbury
avismailinglistaccount at googlemail.com
Tue May 13 15:16:14 UTC 2008
On Fri, 9 May 2008 16:19:55 +0100
"Richard Russell" <richard.a.russell at gmail.com> wrote:
> 1. Check that your server is binding to the right port with lsof or
> netstat or similar (can't remember the latest tool for this job).
Looks right to my untrained eye:
shrek:/home/avi# lsof -i | grep https
apache2 8798 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 8804 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 10585 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 10586 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 12482 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 13942 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 13944 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 31490 root 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 31500 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 31502 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 31508 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
> 2. Telnet to the port from the server.
I can get a connection, and a response. Not entirely sure what the HTTP 400 relates to, though.
shrek:~$ telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Tue, 13 May 2008 10:25:38 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host.
> 3. Use openssl commandline tool to see if you can see the certificate on
> that port from the server.
In trying this, I found that Apache had no certificates (which in hindsight is to be expected, since I don't remember creating any). I used mod-ssl-makecert (as suggested in, I think a debian-administration.co.uk article).
So, having made one, I get this (is this what you meant?):
shrek:~$ openssl s_server -cert /etc/apache/ssl.crt/server.crt -key /etc/apache/ssl.key/server.key
Enter pass phrase for /etc/apache/ssl.key/server.key:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
> 4. Use a browser on the server to see if you can connect to the server
> locally.
I can now (couldn't before I did the SSL certificate above). But I can't get at it from the internet.
If I connect via clear http, I get an error telling me to use https (though lynx apparently doesn't renegotiate).
Could this be because I've put the SSL-related directives in the definition of NameVirtualHost * ? I figured that'd give me the broadest application of https, and I'm not exactly sure how htc sets up its own vhosts.
> 5. Check the serverlogs and the errorlogs to see what's going on. IIRC
> there's some form of ssl log on many setups - you may be able to configure
> this somewhere also.
I've been looking for the log, but can't find it. I've got the mod_ssl docs downloaded, though, for a perusal this evening...
>
> Then try the last four from another machine on the same subnet, and then on
> other networks.
>
Unfortunately, this is a box in a datacenter in Belgium - outside of the box itself, I can only jump straight to the Big Wide World.
--
Avi Greenbury
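As an added example (not part of Avi's message or of the Gllug thread), the POSIX shell script below does two of the checks from Richard's list offline. Every apache2 socket in the lsof output quoted above is listed as localhost:https, i.e. bound to the loopback address only, and the first function classifies lsof lines by bind scope so that case is flagged. The second function shows what "use the openssl commandline tool to see the certificate" normally means: openssl s_client connects to the existing listener, whereas openssl s_server (used above) starts a separate test server and says nothing about Apache. The lsof sample lines are constructed in the column layout the message shows; the 192.0.2.10 address, the www listener and the show_cert function are assumptions, and show_cert needs a live server so it is not run here.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies listening sockets from
# lsof -i output and probes a live TLS listener with openssl s_client.

# Constructed sample in the layout the message shows: the first two lines
# mirror the message (loopback bind); the others are made up for contrast.
SAMPLE_LOOPBACK='apache2 8798 dtc 5u IPv4 6877453 TCP localhost:https (LISTEN)
apache2 31490 root 5u IPv4 6877453 TCP localhost:https (LISTEN)'
SAMPLE_MIXED="$SAMPLE_LOOPBACK
apache2 9001 dtc 4u IPv4 6877001 TCP *:www (LISTEN)
apache2 9002 dtc 6u IPv4 6877002 TCP 192.0.2.10:https (LISTEN)"

# classify_listeners LSOF_TEXT
# Prints "PORT ADDRESS SCOPE" once per distinct listening socket; SCOPE is
# loopback-only, all-interfaces or specific-address.
classify_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "(LISTEN)" {
            name = $(NF - 1)
            match(name, /.*:/)      # split on the LAST colon: [::1]:https has several
            host = substr(name, 1, RLENGTH - 1)
            port = substr(name, RLENGTH + 1)
            scope = "specific-address"
            if (host == "localhost" || host == "127.0.0.1" || host == "[::1]")
                scope = "loopback-only"
            else if (host == "*" || host == "0.0.0.0" || host == "[::]")
                scope = "all-interfaces"
            print port, host, scope
        }' | sort -u
}

# externally_reachable LSOF_TEXT PORT
# Exit 0 if at least one listener on PORT is not bound to loopback only.
externally_reachable() {
    classify_listeners "$1" | awk -v p="$2" '
        $1 == p && $3 != "loopback-only" { found = 1 }
        END { exit !found }'
}

# show_cert HOST PORT  (assumed helper; needs a live listener, not run offline)
# s_client talks to the server that is already running; the x509 step prints
# the subject, issuer and validity of the certificate it presented.
show_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Run against the sample that mirrors the message when executed directly.
echo "== listeners in the message =="
classify_listeners "$SAMPLE_LOOPBACK"
if externally_reachable "$SAMPLE_LOOPBACK" https; then
    echo "https listener reachable from other hosts"
else
    echo "https bound to loopback only: unreachable from outside the box"
fi
```

A listener that classifies as loopback-only answers telnet and a local browser but nothing else, which matches the symptoms in the message; Apache's Listen directive (or the address in the VirtualHost definition) decides the bind address. The 400 seen over telnet is the separate, expected response of mod_ssl to a plaintext request on a TLS port: the server was waiting for a TLS handshake, so a bare HEAD is rejected, and the same request sent through openssl s_client would be the fair test.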
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug