# Apache SSL Not Working After Update To 2.2.13



## dave (Aug 25, 2009)

I have just updated my port of apache 2.2 to 2.2.13 using portmaster.  Now, when I try to restart with SSL enabled (as it was before), I get...

```
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
```

My cert files are where they always have been, and no changes to config files.

I am using a self-signed cert.

What am I missing?

Thanks in advance.


----------



## anomie (Aug 25, 2009)

Dunno why the port upgrade would cause this, but a couple quick sanity checks: 

- Actually look at the SSLCertificateFile directive in your config and see where it points.
- Confirm that said file is where you think it is on the filesystem.
- View the cert to be sure it is not corrupted - `# openssl x509 -text -in server.crt`

-------

edit: Something else occurs to me, since you said this happened after a port upgrade. (And presumably no other changes?) 

Perhaps the upgrade modified httpd.conf such that it's no longer including your ssl config file. 

When I'm upgrading ports I take a quick backup of related config files first, just in case. Also, I have a HIDS running so I can check what the port upgrade changed.


----------



## dave (Aug 25, 2009)

Thanks for your reply.

Yes, I checked to make sure file is still there.  Apache configs were not changed by the port upgrade.  Output of

```
# openssl x509 -text -in server.crt
```

looks normal.  Cert has not expired.

Still, same problem.


----------



## dave (Aug 26, 2009)

No response, so I have reverted to 2.2.11 for now.  Everything back to normal.  I guess I will wait to see if others have same problem.

If you are reading this and have the same problem, or have solved it, please post, thanks.


----------



## sigi (Aug 26, 2009)

Yes I confirm this issue!

(First time in at least 4 years that an Apache upgrade breaks my config) :\


----------



## sigi (Aug 26, 2009)

Interesting:

To be back in the race, I commented out all port 443 virtual hosts.
Then I have a (well known) warning:

```
RSA server certificate CommonName (CN) `xx.yy.zz' does NOT match server name!?
```

It finds and reads the certificate now!!

Remember, before that, I had:

```
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
```

Isn't that strange?


----------



## frijsdijk (Aug 26, 2009)

I've got the same problem here. Curious thing is that on a 6.3-p11 host it will fail with the mentioned errors, while with previous versions of Apache (2.2.11) it worked fine.

On a 7.1-p6 host, the apache upgrade went fine, no problems. It seems OS version specific?


----------



## DutchDaemon (Aug 26, 2009)

I can only confirm that on 7.2 installations this upgrade went fine with SSL enabled (with the base openssl and the port openssl).


----------



## dennylin93 (Aug 26, 2009)

Weird. My upgrade also went smoothly. HTTPS is still working.


----------



## turutani (Aug 26, 2009)

I sent the PR to upgrade to 2.2.13, for I have no trouble on my host of 7-STABLE...
I have no idea about the cause.
Have you updated apr and autotools? Or version dependent...?


----------



## sigi (Aug 26, 2009)

I run 7_STABLE and all ports are updated at least weekly.

I assume it has to do with the configuration itself. Maybe syntax-check?
Running fine under 2.2.11, broken under 2.2.13.
Config without SSL also runs under 2.2.13.

I have https virtual hosts and if I comment them out in httpd.conf, it runs and finds the missed certificate in extras/httpd-ssl.conf


----------



## sigi (Aug 26, 2009)

*More Facts:*

http://groups.google.com/group/lucky.freebsd.ports/browse_thread/thread/8678679422363783


----------



## sigi (Aug 26, 2009)

Now it's running again. 

I had to experiment with several changes in SSL VHosts. It was a combination of all mentioned workarounds in this thread.

Unfortunately there are some observations:
- Error logging is inaccurate or nonexistent
- The changes in the SSL part of the syntax are not documented
- First time for me in years that an Apache upgrade broke my configuration :-(


----------



## DutchDaemon (Aug 26, 2009)

It probably wouldn't have happened if you had updated your configuration over the years .. I believe a lot of people are still running Apache 1.x configuration files (with almost everything in httpd.conf) on Apache 2.x, with only some minimal changes to get it working again. I guess now is the time to overhaul and adapt.


----------



## dave (Sep 24, 2009)

I am not using a 1.x config file.

Has anyone determined the specific syntax or other issue?

Thanks...


----------



## DutchDaemon (Sep 24, 2009)

I would start from a stock extra/httpd-ssl.conf and build it up with the data you have.


----------



## dave (Sep 24, 2009)

*[Solved]*

Thanks to everyone who helped.  Here is what the problem was...

I have only one SSL-enabled web site on a particular IP, but a bunch of other sites that ran on port 80.  I used to have the following in my apache conf _after_ the SSL virtual host:


```
<VirtualHost *:443>
    ServerName myssldomain.com
    ServerAlias www.myssldomain.com
    RedirectPermanent / "https://www.myssldomain.com/"
</VirtualHost>
```

That would force any requests for other domains on port 443 to be redirected to my SSL-enabled domain.

Seems Apache does not like that anymore.    Will have to change the config to suit my needs now.  Wonder if I can write a RedirectMatch to match anything _except_ myssldomain.com...?


----------



## ArnoB (Oct 27, 2009)

*vhost*

Just for the record, I will add my solution.

I ran into this exact problem after upgrading to apache-2.2.13.
After some searching I found it was caused by having a virtual host running at the same port in /usr/local/etc/apache22/extra/httpd-vhosts.conf.

Either changing the port in httpd-ssl.conf to something else or commenting
the vhost in httpd-vhosts.conf made everything run as before 2.2.13.

gr
Arno


----------
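A way to audit a configuration for the layout dave and ArnoB describe (a second virtual host on the same port as the SSL virtual host, with no certificate configured), as an added example that is not part of the original thread. The function name, the sample paths and the `other.example` host are assumptions; it does not follow `Include` directives, so pass it the concatenated text of `httpd.conf` and the `extra/` files.

```python
import re
from collections import defaultdict

# Constructed sample: one SSL vhost plus a second vhost on the same port that
# carries no certificate directives, as in the posts above.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    ServerName www.myssldomain.com
    SSLEngine on
    SSLCertificateFile "/path/to/server.crt"
</VirtualHost>
# <VirtualHost *:443> commented-out openers are ignored
<VirtualHost *:443>
    ServerName myssldomain.com
    RedirectPermanent / "https://www.myssldomain.com/"
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example
</VirtualHost>
"""

BLOCK = re.compile(r"^[ \t]*<VirtualHost\s+([^>]+)>(.*?)^[ \t]*</VirtualHost>",
                   re.I | re.S | re.M)

def vhosts_missing_cert(conf_text):
    """Return (port, ServerName) for each vhost that shares a port with an
    SSL-enabled vhost but has no SSLCertificateFile of its own."""
    by_port = defaultdict(list)
    for addrs, body in BLOCK.findall(conf_text):
        d = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):   # skip comments
                d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        host = {"name": d.get("servername", "(no ServerName)"),
                "ssl": d.get("sslengine", "").lower() == "on",
                "cert": "sslcertificatefile" in d}
        for addr in addrs.split():                       # e.g. "*:443"
            port = addr.rsplit(":", 1)[1] if ":" in addr else "*"
            by_port[port].append(host)
    flagged = []
    for port, hosts in by_port.items():
        if any(h["ssl"] for h in hosts):                 # port serves SSL
            flagged += [(port, h["name"]) for h in hosts if not h["cert"]]
    return flagged

if __name__ == "__main__":
    for port, name in vhosts_missing_cert(SAMPLE_CONF):
        print(f"port {port}: vhost {name} has no SSLCertificateFile")
```
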

