From: Torben B. <to...@de...> - 2015-08-16 19:37:10
Thorpe, my reply to you bounced. Here is original:

-------- Forwarded Message --------
Subject: Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working
Date: Sat, 15 Aug 2015 19:55:59 -0700
From: Torben Brosten <to...@de...>
To: Thorpe Mayes <tm...@ec...>

Thorpe,

No guarantees, but you might want to try:

1. setting each http ssl at a different port, and
2. reference each key.pem and cert.pem file only once in the config files. For cases where they are referenced more than once, duplicate the file (with a different name, such as keyfile1.pem, keyfile2.pem etc).

This may not get what you need, but I've found this method helps reduce some error conditions.

cheers,
Torben

On 8/15/15 5:17 PM, Thorpe Mayes wrote:
> Hi,
>
> I have AOLserver 4.5.2 running with virtual servers - main.tcl with
> several sub config files.
>
> Three of the domain names are using SSL. The certificate is a UCC SSL
> Certificate that will accommodate up to 5 domain names.
>
> If I activate the virtual server for just one of the three domains that
> are using SSL, then everything works fine. When I activate two or more
> of the sub files that need ssl, the server fails to start.
> Here is the tail end of the log file:
>
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: AOLserver/4.5.2 running
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: security info: uid=502, euid=502, gid=502, egid=502
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nssock
> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: nssock: listening on 23.253.246.52:80
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: nsopenssl: listening on 23.253.246.52:443
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not start drivers
>
> Here is the ssl portion of the main.tcl file:
>
> ns_section "ns/server/module/nsopenssl"
> # ns_param RandomFile /some/file
> ns_param SeedBytes 2048; # was 1024
>
> Here is what the ssl portion of the sub files looks like (all appear to load
> successfully - see below):
>
> #---------------------------------------------------------------------
> # OpenSSL and nsopenssl
> # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443
> # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools
> #---------------------------------------------------------------------
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts"
> ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular user access"
> # ns_param admins_ctx "SSL context used for administrator access"
> ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing script socket connections"
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults"
> ns_param server ${ecognizant}_users_ctx
> ns_param client ${ecognizant}_client_ctx
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx"
> ns_param Role server
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyFile key.pem
> ns_param CAFile ca.pem
> ns_param Protocols "All"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx"
> ns_param Role client
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyFile key.pem
> ns_param CAFile ca.pem
> ns_param Protocols "All"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/ssldrivers"
> ns_param ${ecognizant}_users_drv "Driver for regular $ecognizant user access"
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/ssldriver/${ecognizant}_users_drv"
> ns_param sslcontext ${ecognizant}_users_ctx
> ns_param port $httpsport
> ns_param hostname $hostname
> ns_param address $address
> ns_param maxinput [expr {1024 * 1000 * 10}] ;# 10 MB upload limit (Tcl needs the space before the brace)
>
> ns_section "ns/server/${ecognizant}/modules"
> ns_param nslog ${bindir}/nslog${ext}
> ns_param nsdb ${bindir}/nsdb${ext}
> ns_param nscache ${bindir}/nscache${ext}
> ns_param nssha1 ${bindir}/nssha1${ext}
> ns_param nsopenssl ${bindir}/nsopenssl${ext}
>
> The log file portion of one of the sub files that have ssl:
>
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: fastpath[server10]: mapped GET /
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: fastpath[server10]: mapped HEAD /
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: fastpath[server10]: mapped POST /
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nslog: opened '/usr/local/aolserver/servers/server10/access.log'
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nscache module version 1.5 server: server10
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): loading SSL context 'server10_users_ctx'
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' ciphers loaded successfully
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' using all protocols: SSLv2, SSLv3 and TLSv1
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' certificate and key loaded successfully
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' CA file loaded successfully
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: server10_users_ctx (nsopenssl): session cache is turned on for sslcontext 'server10'
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): loading SSL context 'server10_client_ctx'
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' ciphers loaded successfully
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' using all protocols: SSLv2, SSLv3 and TLSv1
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' certificate and key loaded successfully
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' CA file loaded successfully
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: server10_client_ctx (nsopenssl): session cache is turned on for sslcontext 'server10'
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): default SSL context for server is server10_users_ctx
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default server SSL context: server10_users_ctx
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): default SSL context for client is server10_client_ctx
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default client SSL context: server10_client_ctx
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): loading 'server10_users_drv' SSL driver
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: conf: [ns/server/server10]enabletclpages = 1
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: tcl: enabling .tcl pages
> [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default thread pool: minthreads 0 maxthreads 10 idle 0 current 0 maxconns 4000 queued 0 timeout 1000000 spread 20
>
> Here is what the command that starts the server looks like:
>
> /usr/local/aolserver/bin/nsd -u nsadmin -g nsadmin -it /usr/local/aolserver/front_end.tcl -b 23.253.246.52:80,23.253.246.52:443
>
> It looks like the ssl connection (port 443) is being loaded three times,
> with the last two failing and preventing the server from starting.
>
> Does anyone have an insight for me?
>
> Thank you,
>
> Thorpe
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> aolserver-talk mailing list
> aol...@li...
> https://lists.sourceforge.net/lists/listinfo/aolserver-talk
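The failure pattern in the thread (several sub configs each pointing an nsopenssl ssldriver at the same address:443, while the nsd command line pre-binds that socket once with -b, so the second and third drivers get "Permission denied" as an unprivileged user) can be caught before the server is restarted. The script below is an added example, not code from this thread or from AOLserver. It assumes the per-server ssldriver/sslcontext values have already been resolved into a Python table (SERVERS; the key and cert paths are constructed), takes the -b string from Thorpe's command line, also covers Torben's second tip (a key or cert file referenced from more than one server), checks the Protocols "All" and CipherSuite values from the quoted contexts, and parses constructed log lines written in the thread's format. The function names (check_bindings, check_shared_files, check_tls_settings, scan_log) are hypothetical.

```python
"""Pre-start checks for an AOLserver 4.5 virtual-server layout using nsopenssl.

Added example, not code from the aolserver-talk thread or from AOLserver.
It models the situation quoted above: three sub configs each define an
nsopenssl ssldriver on the same address:443, 'nsd -b' pre-binds that socket
once, and the second and third drivers fail with 'Permission denied'.
"""
import re
from collections import defaultdict

# Constructed sample: the resolved values of $address, $httpsport, KeyFile and
# CertFile for three SSL virtual servers (the thread only shows the Tcl variables).
COMMON = {
    "address": "23.253.246.52",
    "port": 443,
    "keyfile": "/usr/local/aolserver/ssl/key.pem",    # assumed path
    "certfile": "/usr/local/aolserver/ssl/cert.pem",  # assumed path
    "protocols": "All",
    "ciphersuite": "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
}
SERVERS = {name: dict(COMMON) for name in ("server10", "server11", "server12")}
PREBIND = "23.253.246.52:80,23.253.246.52:443"  # the -b argument from the thread
PRIVILEGED_PORT_LIMIT = 1024  # below this an unprivileged nsd needs a pre-bound socket

# Constructed log lines in the format quoted in the thread (thread ids shortened).
SAMPLE_LOG = """\
[15/Aug/2015:18:39:13][3924.1][-nsopenssl:driver-] Notice: nsopenssl: listening on 23.253.246.52:443
[15/Aug/2015:18:39:13][3924.2][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.246.52:443: Permission denied
[15/Aug/2015:18:39:13][3924.3][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.246.52:443: Permission denied
[15/Aug/2015:18:39:13][3924.0][-main-] Fatal: could not start drivers
"""


def parse_prebind(arg):
    """Turn the -b value 'ip:port,ip:port' into a set of (ip, port) tuples."""
    out = set()
    for item in arg.split(","):
        host, _, port = item.rpartition(":")
        out.add((host, int(port)))
    return out


def check_bindings(servers, prebind_arg):
    """Report address:port pairs claimed by more than one driver (only one of them
    can listen; the others fail as in the thread's log) and privileged ports
    that are not in the -b list at all."""
    prebound = parse_prebind(prebind_arg)
    by_endpoint = defaultdict(list)
    for name, cfg in servers.items():
        by_endpoint[(cfg["address"], cfg["port"])].append(name)
    findings = []
    for (addr, port), names in sorted(by_endpoint.items()):
        if len(names) > 1:
            findings.append(f"{addr}:{port} is claimed by {len(names)} drivers "
                            f"({', '.join(sorted(names))}); only one can listen there")
        if port < PRIVILEGED_PORT_LIMIT and (addr, port) not in prebound:
            findings.append(f"{addr}:{port} is privileged but not in the nsd -b list")
    return findings


def check_shared_files(servers):
    """Torben's second tip: map each key/cert path to the servers that reference
    it, keeping only paths used by more than one server."""
    users = defaultdict(set)
    for name, cfg in servers.items():
        for key in ("keyfile", "certfile"):
            users[cfg[key]].add(name)
    return {path: sorted(names) for path, names in users.items() if len(names) > 1}


WEAK_CIPHER_TOKENS = ("EXP", "LOW", "RC4", "SSLv2")


def check_tls_settings(cfg):
    """Flag Protocols values that admit SSLv2/SSLv3 (the thread's log shows 'All'
    means SSLv2, SSLv3 and TLSv1) and OpenSSL cipher-string tokens that keep
    export, LOW, RC4 or SSLv2 suites enabled ('!' tokens are exclusions)."""
    findings = []
    if cfg["protocols"].lower() in ("all", "sslv2", "sslv3"):
        findings.append(f"Protocols={cfg['protocols']!r} permits SSLv2/SSLv3")
    enabled = [t.lstrip("+") for t in cfg["ciphersuite"].split(":") if not t.startswith("!")]
    weak = sorted({t for t in enabled if any(w in t for w in WEAK_CIPHER_TOKENS)})
    if weak:
        findings.append(f"CipherSuite enables weak tokens: {', '.join(weak)}")
    return findings


LISTEN_FAIL = re.compile(r"Error: nsopenssl: failed to listen on (?P<endpoint>[\d.]+:\d+): (?P<reason>.*)$")


def scan_log(text):
    """Extract (endpoint, reason) for every nsopenssl listen failure in a log."""
    return [(m.group("endpoint"), m.group("reason"))
            for m in (LISTEN_FAIL.search(line) for line in text.splitlines()) if m]


if __name__ == "__main__":
    for f in check_bindings(SERVERS, PREBIND):
        print("binding:", f)
    for path, names in check_shared_files(SERVERS).items():
        print(f"shared file: {path} referenced by {', '.join(names)}")
    for name, cfg in SERVERS.items():
        for f in check_tls_settings(cfg):
            print(f"{name}: {f}")
    for endpoint, reason in scan_log(SAMPLE_LOG):
        print(f"log: listen on {endpoint} failed: {reason}")
```

Run as-is it reports the 443 collision for all three servers, the two shared files, and the weak protocol/cipher settings; giving each server its own port (Torben's first tip) makes check_bindings come back empty, and a Protocols value of TLSv1 with a cipher string that excludes RC4/EXP/LOW clears check_tls_settings.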