From: Johan Hendriks
To: "@lbutlr"
Cc: freebsd-questions@freebsd.org
Subject: Re: I broke my Apache 2.4 install and I need help!
Date: Tue, 3 Apr 2018 20:32:31 +0200

On 03/04/2018 at 00:56, @lbutlr wrote:
> On 2018-04-02 (16:40 MDT), William Dudley wrote:
>> I've managed to get my apache install working without any SSL stuff
>> running. That's progress.
> This is what a virtual host looks like for me in apache24. I never put any hosts into http.conf other than a base name that is actually unused for web access.
> Everything is in user/name.conf or extras/httpd-vhosts.conf
>
>
> ServerName oursite.example.net
> DocumentRoot /usr/local/www/oursite
> SSLEngine on
> SSLCertificateFile /usr/local/etc/dehydrated/certs/covisp.net/cert.pem
> SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem
> SSLCertificateChainFile /usr/local/etc/dehydrated/certs/covisp.net/chain.pem
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
> SSLHonorCipherOrder on
> # I am not sure this is needed or best for TLSv1.2, but it works for us
> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
> Header always set Strict-Transport-Security "max-age=15638400; includeSubdomains;"
>
>

The documentation of apache states that SSLCertificateChainFile is deprecated and SSLCertificateFile will handle your cert and chain in one file.
See apache docs http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile

I do not think this helps with your problem but it is cleaner to not use deprecated configs.

regards
Johan Hendriks
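
Added example, not part of the message above or of the Apache project's code: a small check that flags `SSLCertificateChainFile` in a vhost and reports when `SSLCertificateFile` holds only the leaf certificate with nothing supplying the chain. The `audit` function, the finding labels, the placeholder PEM bodies and the presence of a `fullchain.pem` beside `cert.pem` are assumptions made for illustration.

```python
import re

# Matches SSLCertificateFile / SSLCertificateChainFile (not SSLCertificateKeyFile);
# Apache directive names are case-insensitive, commented-out lines are skipped.
DIRECTIVE = re.compile(
    r'^[ \t]*(SSLCertificate(?:Chain)?File)[ \t]+"?([^"\s]+)', re.I | re.M)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def audit(conf_text, read_file):
    """Audit one vhost's directives; read_file(path) returns the PEM text."""
    certs, chains = [], []
    for name, path in DIRECTIVE.findall(conf_text):
        (chains if "chain" in name.lower() else certs).append(path)
    findings = [("deprecated-directive", p) for p in chains]
    for p in certs:
        n = len(PEM_CERT.findall(read_file(p)))
        if n == 0:
            findings.append(("no-certificate", p))
        elif n == 1 and not chains:
            # Leaf only and nothing else supplies intermediates (heuristic:
            # a self-signed certificate would also land here).
            findings.append(("chain-missing", p))
    return findings

# --- constructed sample data (placeholder PEM bodies, not real certificates) ---
D = "/usr/local/etc/dehydrated/certs/covisp.net/"
ONE = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
FILES = {D + "cert.pem": ONE, D + "chain.pem": ONE,
         D + "fullchain.pem": ONE + ONE}  # fullchain.pem assumed: leaf + intermediate

BEFORE = f"""SSLEngine on
SSLCertificateFile {D}cert.pem
SSLCertificateKeyFile {D}privkey.pem
SSLCertificateChainFile {D}chain.pem
"""
AFTER = f"""SSLEngine on
SSLCertificateFile {D}fullchain.pem
SSLCertificateKeyFile {D}privkey.pem
"""
LEAF_ONLY = AFTER.replace("fullchain.pem", "cert.pem")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER), ("leaf only", LEAF_ONLY)):
        print(label, audit(conf, FILES.__getitem__))
```

On a real host, pass a `read_file` that opens the path from disk; the check treats the text it is given as a single vhost and does not handle paths containing spaces.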