From: Bruce Ferrell <bferrell@baywinds.org>
To: freebsd@dreamchaser.org, freebsd-questions@freebsd.org
Subject: Re: apache24 ssl setup problems; "unknown protocol"
Date: Sat, 31 Mar 2018 22:03:00 -0700
Message-ID: <80dadfa7-ea5f-4027-f862-e1cd39f5694b@baywinds.org>
In-Reply-To: <210673da-f441-491f-7de4-f4bfbadbf5a5@dreamchaser.org>
References: <3ebae04a-4928-7979-9100-b0c3317a5284@dreamchaser.org> <210673da-f441-491f-7de4-f4bfbadbf5a5@dreamchaser.org>
List-Id: User questions <freebsd-questions@freebsd.org>
On 03/31/2018 08:40 PM, Gary Aitken wrote:
> On 03/31/18 17:30, Bruce Ferrell wrote:
>>
>> On 03/31/2018 04:06 PM, Gary Aitken wrote:
>>> On 03/31/18 16:36, Bruce Ferrell wrote:
>>>> That *looks* like you have no certs installed
>>>
>>> That's what I don't understand.  It says it found the cert fine
>>> and it matches the domain.
>>> From the error log:
>>>
>>> [Sat Mar 31 13:56:14.019094 2018] [ssl:info] [pid 13686] AH01887: Init: Initializing (virtual) servers for SSL
>>> [Sat Mar 31 13:56:14.019107 2018] [ssl:info] [pid 13686] AH01914: Configuring server www.dreamchaser.org:443 for SSL protocol
>>> [Sat Mar 31 13:56:14.019438 2018] [ssl:debug] [pid 13686] ssl_engine_init.c(412): AH01893: Configuring TLS extension handling
>>> [Sat Mar 31 13:56:14.019920 2018] [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
>>> [Sat Mar 31 13:56:14.020047 2018] [ssl:debug] [pid 13686] ssl_util_ssl.c(443): AH02412: ... Cert matches for name 'www.dreamchaser.org' ,,,
>>> [Sat Mar 31 13:56:14.020071 2018] [ssl:info] [pid 13686] AH02568: Certificate and private key www.dreamchaser.org:443:0 configured from /tmp/test.crt and /tmp/test.key
>>> [Sat Mar 31 13:56:14.020324 2018] [ssl:info] [pid 13686] AH01876: mod_ssl/2.4.25 compiled against Server: Apache/2.4.25, Library: OpenSSL/1.0.1s-freebsd
>>> [Sat Mar 31 13:56:14.031071 2018] [mpm_prefork:notice] [pid 13686] AH00163: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.1s-freebsd configured -- resuming normal operations
>>> [Sat Mar 31 13:56:14.031116 2018] [mpm_prefork:info] [pid 13686] AH00164: Server built: unknown
>>> [Sat Mar 31 13:56:14.031154 2018] [core:notice] [pid 13686] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
>>> [Sat Mar 31 13:56:14.031166 2018] [core:debug] [pid 13686] log.c(1543): AH02639: Using SO_REUSEPORT: no (1)
>>> [Sat Mar 31 13:56:14.031177 2018] [mpm_prefork:debug] [pid 13686] prefork.c(1027): AH00165: Accept mutex: flock (default: flock)
>>>
>>>> On 03/31/2018 03:20 PM, Gary Aitken wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm trying to set up apache24 ssl for the first time; getting nowhere
>>>>> very slowly.
>>>>>
>>>>> Server starts up ok, serves port 80 normally as usual.
>>>>> sockstat shows it listening on 443 ok.
>>>>>
>>>>> When I attempt to connect I get this:
>>>>>
>>>>> $ openssl s_client -connect 192.168.151.101:443
>>>>> CONNECTED(00000003)
>>>>> 34379279064:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>>>>> ---
>>>>> no peer certificate available
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 7 bytes and written 291 bytes
>>>>> ---
>>>>> New, (NONE), Cipher is (NONE)
>>>>> Secure Renegotiation IS NOT supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1.2
>>>>>     Cipher    : 0000
>>>>>     Session-ID:
>>>>>     Session-ID-ctx:
>>>>>     Master-Key:
>>>>>     Key-Arg   : None
>>>>>     PSK identity: None
>>>>>     PSK identity hint: None
>>>>>     SRP username: None
>>>>>     Start Time: 1522531949
>>>>>     Timeout   : 300 (sec)
>>>>>     Verify return code: 0 (ok)
>>>>>
>>>>> I assume the problem is the unknown protocol issue, but it's not clear
>>>>> to me what the unknown protocol it's looking for is.
>>>>> My extra/httpd-ssl.conf says:
>>>>>   SSLProtocol all -SSLv3
>>>>> and my extra/httpd-vhosts.conf does not override it.
>>>>> The error log simply says:
>>>>>    [core:debug] [pid 13758] protocol.c(1272): ... : request failed: malformed request line
>>>>>
>>>>> Running apache24-2.4.25_1 on a 10.3 amd64
>>
>> Try this on the certificate:
>>
>> openssl x509 -text -in /path/to/cert
>>
>> Make sure it's the correct kind of certificate
>
> Thanks for the suggestions.
> It looks like I was overriding the cert in httpd-ssl.conf with one
> in httpd-vhosts.conf which was obsolete, but for some reason it wasn't
> even mentioned in the log, which is troubling.  I've changed that but
> no difference -- restarted the server and I see the same behavior.
> It looks to me like the cert should be ok, generated today:
>
> $ openssl x509 -text -in test.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 11683896583821530168 (0xa2258a09ff151438)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: ...
>         Validity
>             Not Before: Mar 31 15:42:46 2018 GMT
>             Not After : Mar 30 15:42:46 2023 GMT
> ...
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
> ...
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
> ...
>             X509v3 Authority Key Identifier:
> ...
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
> ...
>
> I'm not sure what "correct kind" is in reference to?
>
>> [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
>>
>> That log line bothers me. I think you may have the wrong cert installed
>
> The bad cert was expired, but I'm still seeing that message with the
> new certs afaik.  I don't see the expired certs mentioned in the log.
>
> Thanks for any further pointers,
> Gary
>

This is an expired cert from Let's Encrypt...
Nothing confidential about them, so in its entirety:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ca:27:c0:72:10:33:87:1c:e4:49:84:c3:8e:7a:de:08:d2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Oct 31 18:50:59 2017 GMT
            Not After : Jan 29 18:50:59 2018 GMT
        Subject: CN=baywinds.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:3c:d2:f2:91:90:6d:fb:df:93:b4:92:11:1b:
                    e3:d3:ac:57:08:4b:de:12:3d:46:2a:1d:19:d6:76:
                    a8:8d:b1:e2:60:4e:09:4c:e4:82:b2:fe:a8:14:c7:
                    1d:39:d4:c6:cb:99:f0:e2:08:92:85:c4:0e:ad:fd:
                    0a:09:71:67:c2:83:50:d4:ae:a0:f4:15:fa:38:ac:
                    9c:d9:ef:45:4d:c2:ae:e2:f8:20:32:e3:b2:d7:e7:
                    c0:1f:d9:79:1a:b4:9b:28:6b:2b:4d:38:cf:d3:01:
                    3f:d7:28:bf:23:64:c7:c7:93:1f:c9:41:78:69:c3:
                    c3:fa:e2:17:72:11:3a:ec:ce:6d:6d:be:29:ba:46:
                    09:73:8f:b6:26:1c:55:ce:76:34:c4:7e:6b:f0:3c:
                    15:51:f8:78:c8:8d:ca:6b:fa:6c:26:26:f6:4d:a3:
                    68:ca:ab:52:f8:b3:c8:c4:9d:c7:69:10:74:62:5d:
                    2f:78:78:3c:78:1f:9c:f7:7b:f9:d0:59:3f:4b:6b:
                    98:bd:0d:eb:4d:de:aa:a4:56:07:71:c5:ad:a1:90:
                    15:56:44:30:46:69:15:2d:44:e4:81:41:f8:a3:10:
                    02:56:43:47:d3:b7:39:af:6a:c9:af:08:b8:46:6f:
                    5b:3d:67:9e:9b:05:e5:ab:48:5d:87:a9:25:41:ff:
                    3c:2f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4B:3D:63:4F:E1:92:2A:7D:44:4D:D7:AC:2D:4E:7C:44:BD:58:EE:20
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:baywinds.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    Signature Algorithm: sha256WithRSAEncryption
         32:4b:8d:ce:a6:b6:b5:0a:1e:ec:8e:01:3f:f7:c1:c6:90:ba:
         5b:bc:72:dc:b5:e8:d7:73:22:ba:70:73:e3:7e:7e:97:8b:b9:
         a0:e8:36:8c:9c:45:5e:8f:94:42:d0:1d:33:fc:6e:03:40:fb:
         5f:ed:5a:75:6d:8a:41:8a:1a:0d:59:b2:b3:1d:3d:f7:a2:a8:
         c3:b1:a1:99:f3:01:42:32:be:a0:79:e3:cb:3a:2e:22:6d:2d:
         e6:31:19:ca:23:fd:57:74:a4:74:d2:96:91:24:de:f1:b2:f9:
         c2:bf:9e:93:ba:fa:b9:28:8e:f8:6c:6e:42:73:6a:26:1c:be:
         54:1e:3c:2d:de:f2:12:68:9b:87:f0:02:76:f7:3b:8a:54:26:
         ff:81:9d:20:d6:9d:ca:27:a9:07:5a:25:e6:01:10:ae:d3:f6:
         32:d8:87:96:bc:27:49:5b:2e:41:05:5a:22:a9:73:af:27:83:
         da:ca:c1:31:7d:24:5e:6d:85:0c:48:0c:f6:29:cd:3f:c5:4d:
         6b:7b:d6:df:bd:2d:bb:fa:aa:99:89:5e:01:80:27:e7:87:e5:
         c3:29:b4:91:74:45:e3:9b:52:ec:58:f9:de:1b:24:73:b2:09:
         31:28:e1:94:49:a9:7e:b6:be:bf:3f:2a:a8:f8:5a:23:5b:a6:
         b8:68:5c:98

and the ASCII of the cert.... Compare yours against this.
Yours seems to say CA: True where mine says CA: False.
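The comparison Bruce makes by eye above (a server certificate must say CA:FALSE, carry a serverAuth Extended Key Usage, cover the host name in its Subject Alternative Name, and be within its validity period) can be automated. The Go program below is an added example for this thread, not code from the list, from Apache or from Let's Encrypt. It constructs, in memory, a self-signed CA certificate and a CA-signed server certificate for the assumed host name www.example.test (both names and all key material are made up here), then runs the same checks that mod_ssl's AH01906 warning and `openssl x509 -text` expose by hand. The CA certificate is deliberately given the host name in its SAN, so that, like the cert in the thread, it "matches for name" yet is still the wrong kind of certificate to point SSLCertificateFile at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var serial int64 // constructed serial numbers for the demo certificates

// newCert issues a demo certificate. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parent using parentKey.
func newCert(cn string, dns []string, isCA bool, ekus []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit BasicConstraints so CA:TRUE/FALSE is explicit
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoCerts returns a CA certificate and a CA-signed server (leaf)
// certificate for host, the two kinds the thread contrasts. The CA cert
// also lists host in its SAN, mirroring a CA cert that "matches for name".
func BuildDemoCerts(host string) (*x509.Certificate, *x509.Certificate, error) {
	ca, caKey, err := newCert("Demo CA (constructed)", []string{host}, true, nil, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := newCert(host, []string{host}, false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// CheckServerCert lists every reason cert is unsuitable as the TLS server
// certificate for host at time now. An empty result means it passes.
func CheckServerCert(cert *x509.Certificate, host string, now time.Time) []string {
	var problems []string
	if cert.BasicConstraintsValid && cert.IsCA {
		problems = append(problems, "BasicConstraints CA:TRUE: this is a CA certificate, not a server certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, fmt.Sprintf("not valid at %s (Not Before %s, Not After %s)",
			now.UTC().Format(time.RFC3339), cert.NotBefore.UTC().Format(time.RFC3339),
			cert.NotAfter.UTC().Format(time.RFC3339)))
	}
	// No EKU extension means unrestricted use; if present it must allow serverAuth.
	serverAuth := len(cert.ExtKeyUsage) == 0
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			serverAuth = true
		}
	}
	if !serverAuth {
		problems = append(problems, "Extended Key Usage does not include TLS Web Server Authentication")
	}
	if err := cert.VerifyHostname(host); err != nil { // SAN check, as a TLS client would do it
		problems = append(problems, "name mismatch: "+err.Error())
	}
	return problems
}

func main() {
	const host = "www.example.test" // assumed host name, not from the thread
	ca, leaf, err := BuildDemoCerts(host)
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		label string
		cert  *x509.Certificate
	}{{"CA cert", ca}, {"leaf cert", leaf}} {
		problems := CheckServerCert(c.cert, host, time.Now())
		fmt.Printf("%s (CA:%v, SAN=%s): ", c.label, c.cert.IsCA, strings.Join(c.cert.DNSNames, ","))
		if len(problems) == 0 {
			fmt.Println("OK as server certificate")
		} else {
			fmt.Println(strings.Join(problems, "; "))
		}
	}
}
```

Run with `go run`; the CA certificate is reported with the CA:TRUE problem and nothing else, which is exactly the situation AH01906 warns about, while the leaf passes. To apply the same checks to a real file, replace BuildDemoCerts with a PEM decode of the file named in SSLCertificateFile and pass the site's host name; the checks themselves do not change.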