Home / server / Questions / 232782
Accepted
PP.
Asked: 2011-02-09 08:44:16 +0800 CST

Debian Squeeze Upgrade Breaks Apache SSL

  • 772

I upgraded my Debian from Lenny to Squeeze. BIG MISTAKE.

Now I get:

[Tue Feb 08 16:34:57 2011] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

littered throughout /var/log/apache2/error.log.

How to fix? Looking through a mess of forums it is easy to see that Apache changed the way it reads configurations around 2.2.13. Great. But not great for me or the millions of other web administrators who now have web servers that simply won't start, and an error message that says NOTHING about the problem or how to fix.

Anybody else actually solved this issue? I had perfectly working virtual servers with SSL before (for years actually).

debian apache-2.2

4 Answers

  1. Best Answer

    This problem is cause by a change in apache 2.2.12 to support SNI.

    You can find all the details to fix the problem in the file /usr/share/doc/apache2.2-common/NEWS.Debian.gz on your server :

    apache2 (2.2.13-2) unstable; urgency=high

    • The new support for TLS Server Name Indication added in 2.2.12 causes Apache to be stricter about certain misconfigurations involving name based SSL virtual hosts. This may result in Apache refusing to start with the logged error message:

      Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

      Up to 2.2.11, Apache accepted configurations where the necessary SSL configuration statements were included in the first (default) block but not in subsequent blocks. Starting with 2.2.12, every VirtualHost block used with SSL must contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives (SSLCertificateKeyFile is optional in some cases).

      When you encounter the above problem, the output of the command

      egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
    /etc/apache2/*conf* /etc/apache2/*enabled

      may be useful to determine which VirtualHost sections need to be changed.

      Also, formerly accidentially working constructs like

      <VirtualHost *:80 *:443>

      where one virtual host definition is used for both a non-ssl and a ssl virtual host do not work anymore. You can achieve a similar effect with

      <VirtualHost *:80>
Include /.../vhost.include
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile ...
Include /.../vhost.include
</VirtualHost>

      -- Stefan Fritsch Wed, 16 Sep 2009 20:14:59 +0200

    Important information for packages upgrade are available in the NEWS.Debian file for a lot of packages. Installing the package apt-listchanges is recommanded to see the changes in this files on each upgrade.

    • 10

  2. You need to replace:

    Listen 443

    with 

    Listen 443 http

    Same time I think it will work only in case if you inherit SSL configuration from corresponding default virtual host and using constructions like <VirtualHost *:80 *:443>. In general that assumed that you using wildcard SSL certificate. These change will disable checks for SSLCertificateFile in corresponding VirtualHost.

    It will NOT disable https functionality for that VirtualHost.

    While such error you will have since Apache 2.2.12 it was improved in Apache 2.2.14

    According changelog for Apache 2.2.14:

    mod_ssl: The error message when SSLCertificateFile is missing should at least give the name or position of the problematic virtual host definition.

    So if error message indicate name/position of problematic definition - better to check/correct corresponding virtualhost.

    This is solution from here

    Also you may be interested in messages from Stefan Fritsch here

    • 3

  3. I am adding this because this is specifically how I solved the issue. However I'm awarding the answer of this question to @Fussy Salsify who gave me the answer I needed.

    As per the link offered, /usr/share/doc/apache2.2-common/NEWS.Debian.gz, I ran the following command from my /etc/apache2 directory:

    egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
    /etc/apache2/*conf* /etc/apache2/*enabled

    I have about 5 different virtual sites on my server. I found the one site that didn't have any SSL options inside the VirtualHost block, e.g.:

    <VirtualHost *:443>
</VirtualHost>

    Note that other virtual sites on my server had blocks like this:

    <VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

    So, I opened up my site-specific config file in /etc/apache2/sites-enabled/nnn-specific and inserted the lines:

        SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    inside the <VirtualHost>...</VirtualHost> block.

    The server now runs.

    Apparently VirtualHost configurations used to inherit from the initial VirtualHost configuration. This was behaviour commonly encouraged to be used by most Apache tutorials - we were instructed to set up a default host (the first one) with the SSL configuration and that would be inherited by all others. I'm very unhappy this was changed.

    • 1

  4. As SNI was not available in Lenny (and is still not supported under MSIE/WinXP BTW) I used a wildcard domain certificate, then used VirtualDocumentRoot to provide multiple vhosts using the same certificate.

    This is how I fixed my install after the upgrade:

    In /etc/apache2/ports.conf

    <IfModule mod_ssl.c>
     # If you add NameVirtualHost *:443 here, you will also have to change
     # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
     # to <VirtualHost *:443>
     # Server Name Indication for SSL named virtual hosts is currently not
     # supported by MSIE on Windows XP.
     Listen 443
     ############ add this line below ##############
     NameVirtualHost *:443
 </IfModule>

    Then in default-ssl, change

    <VirtualHost _default_:443>

    to

    <VirtualHost *:443>

    hope this helps others.

    Rich / Artful Robot.

    • 0