Error: Illegal Attempt To Re-initialise SSL For Server
After dist-upgrading my main Hetzner server from Lenny to Squeeze, Apache failed to come up, barfing the following error message in the alphabetically last defined and enabled virtual host's error log:

    [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

Well, this is not theory but the real world, and it did happen — and it took me a while to find out what was wrong with the configuration, even though it worked with Lenny's Apache version.

So that others don't have to search as long as I had to, here's the solution: Look at all enabled sites, pick out those which have a VirtualHost on port 443 defined and verify that all these VirtualHost containers do have their own "SSLEngine On" statement. If at least one is missing, you'll run into the above-mentioned error message. And it won't necessarily show up in the error log of those VirtualHosts which are missing the statement but only in the last VirtualHost (or the last VirtualHost on port 443).

To find the relevant site files, I used the following one-liner:

    grep -lE 'VirtualHost.*443' sites-enabled/*[^~] | \
      xargs grep -ci "SSLEngine On" | \
      grep :0

Should work for all sites which have defined just one VirtualHost on port 443 per file.

I suspect that the rise of SNI made Apache's SSL implementation more picky with regard to VirtualHosts.

Oh, and kudos to this comment to an article on Debian-Administration.org because it finally pointed me in the right direction. :-)
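As an added example (not part of the original post), the same check can be done per VirtualHost container instead of per file, so it also covers files that define several port-443 VirtualHosts and does not count a commented-out "SSLEngine On". The function names, file names and host names below are constructed for illustration.

```shell
# Added example, not from the original post. Prints "file:line: <tag>" for
# every <VirtualHost ...:443> container lacking its own "SSLEngine on".
check_ssl_vhosts() {
    awk '
        FNR == 1 { in443 = 0 }              # do not carry state across files
        { line = tolower($0) }              # Apache directives are case-insensitive
        line ~ /^[ \t]*#/ { next }          # ignore commented-out lines
        line ~ /^[ \t]*<virtualhost[ \t][^>]*:443[ \t>]/ {
            in443 = 1; has = 0; start = FNR; tag = $0
            sub(/^[ \t]+/, "", tag)
            next
        }
        in443 && line ~ /^[ \t]*sslengine[ \t]+on[ \t]*$/ { has = 1 }
        in443 && line ~ /^[ \t]*<\/virtualhost>/ {
            if (!has) printf "%s:%d: %s\n", FILENAME, start, tag
            in443 = 0
        }
    ' "$@"
}

# Constructed sample: two site files, three port-443 containers, one of
# which (b.example in shop.conf) is missing the directive.
make_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/blog.conf" <<'EOF'
<VirtualHost *:80>
    ServerName blog.example
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example
    SSLEngine On
</VirtualHost>
EOF
    cat > "$dir/shop.conf" <<'EOF'
<VirtualHost *:443>
    ServerName a.example
    sslengine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    # SSLEngine On
</VirtualHost>
EOF
    echo "$dir"
}

sample=$(make_sample)
check_ssl_vhosts "$sample"/*.conf
rm -rf "$sample"
```

On a real system the function would be pointed at the enabled site files, for example `check_ssl_vhosts /etc/apache2/sites-enabled/*`, before restarting Apache.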
http://noone.org/blog/English/Computer/Web/Apache/Illegal%20attempt%20to%20re-initialise%20SSL.html

Unix & Linux Stack Exchange

Multiple RSA server certificates not allowed

I purchased a multidomain certificate, and I was trying to install it on my server. I put the following information inside the virtual host for one of my sites:
Apache2

https://www.smallbusinesstech.net/more-complicated-instructions/encyrption/setting-up-ssl-on-apache2

These are instructions for setting up SSL on Apache2 running on Debian. These instructions assume that Apache2 is already installed and working on a Debian machine. They also assume that OpenSSL is installed. The procedures should be quite similar for other distributions of Linux. All the commands listed below should be run as root.

1. Create a directory inside of /etc/apache2 called ssl. This is where we will store our self-signed certificate and key.

    mkdir /etc/apache2/ssl

2. From this directory run the following command to create a self-signed certificate and private key. More information about options for this command can be found on the Apache website. Of course, if you are paying a Certificate Authority to sign your key, you should follow their instructions. (This is, as they say, SSL on the cheap.)

    openssl req -new -x509 -nodes -days 3650 -out server.crt -keyout server.key

As part of the certificate creation process, when it asks for the Common Name, use the fully qualified domain name of your server--for example www.sbtechsolutions.biz. Otherwise you will make visiting browsers even less happy.

This command creates two files. server.crt is the certificate that is transferred to the web browser visiting your secure site. The browser uses the information in the certificate to encrypt the information it sends you. server.key is the private key that allows your server to decrypt the information it receives. -days 3650 creates a certificate that is valid for 10 years. 365 would be one year. If -days is not included the certificate is valid for 1 month.

3. Edit /etc/apache2/sites-available/default, changing the first line to explicitly state that they are only listening to port 80. This will allow you to continue to use your webserver in non-ssl mode. If you don't need to do this, you can

http://marc.info/?l=apache-modssl&m=99528033410283&w=2
at> Date: 2001-07-16 10:41:53

Thanks for your quick response, but "SSLEngine on" does not appear two times in my httpd.conf (I wished that would have been the problem).

Can you (or anybody else!) think of another reason (-> solution) for my problem? Help needed!

Lukas Feiler

/**************************
EndlosProduktion Kusch Senoner OEG
lukas.feiler@endlos.at
www.endlos.at
**************************/

----- Original Message -----
From: