Add ssl_mod to existing apache server?

PeterBSD

New Member
Joined
Jul 8, 2020
Messages
14
Reaction score
1
Credits
173
We have an isolated (no internet connection) RHEL7 system with existing httpd service running. Now we want to add ssl_mod to the apache server.

Most ssl setup posts started with 'yum install mod_ssl', so one we we can go is to download mod_ssl and all dependencies and run local install on the server.

However, there is mod_ssl.so module file (and bunch of other modules) on the system, and there are several 'LoadModule' entries in httpd.conf file. So we are thinking to add a LoadModule call to mod_ssl.so in httpd.conf file. But this breaks the existing httpd service, a little bit details here (sorry for the typing) -
1) systemctl reload httpd: First time got "Job for httpd.service failed because the control process exited with error code. See ....... and .... for details", and repeating it got "Job for httpd.service invalid"
2) systemctl status httpd: obviously it's "Active: failed (exit-code)". The lines are typed below (ignoring cases):
...
Starting the apache HTTP server ..
Started the apache HTTP server...
httpd.service: main process exited, code=exited, status=1/FAILURE
kill: cannot find process ""
httpd.service: control process exited, code=exited status=1
Reload failed for the apache HTTP server
Unit httpd.service entered failed state.
httpd.service failed
Unit httpd.service cannot be reloaded because it is inactive.
...

3) Journalctl -xe: output is pretty much the same as above, except there are two lines on top of that -
... polkitd[1329]: Registered Authentication Agent for unix-process: 12345:6789012 (system bus name :1.352 [/usr/bin/pkttyagent -notify-fd 6 --fallback], object path /org/freedesktop/Policykit1/AuthenticatioAget, locale en_US.UTF-8)
... polkitd[1329]: Operator of unix-session: 12 successfully authenticated as unix-user:user-name to gain TEMPORARY authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.353 [systemctl reload httpd] (owned by unix-user:user-name)

...

While trying to enable ssl_mod, I also found that there is no ssl.conf file on the system, not sure if that's generated by yum install, or it should be copied or installed by other process.

Once I commented the (LoadModule) line in httpd.conf, reload/restart of httpd works and runs fine.

Questions: Is ssl.conf file required to enable ssl_mod? Can I download/copy a ssl.conf file and modify from it?

Any suggestions are highly appreciated!
 


My 1st question should be: can we use mod_ssl.so to install and enable ssl mod without yum downloading and install?
 
Do you have another redhat 7 system with internet access? Do you have a "staging" yum server?

If so, you could do a yum install mod_ssl -y --downloadonly --downloaddir=. and then copy the files via USB thumb drive or something.

Doing it without the automated install in a pain. There are missing binaries, conf files, certificates, that can all be generated by hand, but the RPMs take care of all this automatically for you.

You can copy a ssl.conf file. But you will also need ...

# rpm -ql mod_ssl

/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/30/6977058e6f39cb7f2c73d6babb7fc478af2433
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl

Do you want signed certificates from a CA authority, or just self-signed certificates?
Do you have DNS for this system? (even if it's just internal)
 
Thank you for your quick reply and suggestion!

I tried the following command to download the pkgs to a staging system, but got 'Requires: /etc/mime.types' error, even after I added a /etc/mime.types file to the system -

sudo yum -y install mod_ssl --downloadonly --downloaddir=/tmp

So which one is the problem: expired license or /etc/mime.types file?

The attached screens are the outputs of the command ...
 

Attachments

  • ssl1.PNG
    ssl1.PNG
    105 KB · Views: 625
  • ssl2.PNG
    ssl2.PNG
    155.7 KB · Views: 619
Welcome to what is affectionately known amongst Linux users as "dependency hell".

you can type...

yum whatprovides /etc/mime.types

The answer will be mailcap.
But mailcap will require other programs, which require other programs...

It's a lot easier if you have internet access, or a "secure/staging" yum repo server.
Then all the dependencies are taken care of automatically for you.
 
The better way of providing systems in an isolated network with a way to install packages offline is by using an internal central repository server such as satellite. This way you avoid having to manually download packages of another system to then try to install them on another system and running into a dependency hell.
 
Last edited:
Thank you guys for replying!

The output I posted WAS from a system with internet connection, I expected to download all dependencies to my folder.

I tried a different command today (again on the system with internet access) and got the same 'failure' (Requires: /etc/mime.types). The command does have '--resolve' so it should resolve all dependencies, why does it still throw the /etc/mime.types requirement?

Here is the command -
yumdownloader --resolve --destdir= ... mod_ssl

How can I make the download to cover all the dependencies?

Thanks again!
 
I checked the target system, and found that there is 'mailcap' pkg there, so does that mean I can ignore the 'failure' and ssl_mod install should work on the system?
 
I checked the target system, and found that there is 'mailcap' pkg there, so does that mean I can ignore the 'failure' and ssl_mod install should work on the system?

Yes, but this is the other problem with doing it this way. You have to keep the target system exactly in sync with the download system. If one has packages installed that the other doesn't, it won't download the ones it already has installed.

So you have to do something like this...

on download server
download package(s)
save the RPMs off somewhere safe.
install the packages.

on target server
copy the RPMs here
install the packages.

repeat for every new package.

I can tell you from experience this gets old fast.
f33dm3bits mentioned satellite server, this is probably the route you want to go if you do this very often.
 
Just thinking of it now, mrepo should also work.
 
Thanks guys! I got over mod_ssl but now mod_session blocks me!

I added the following in httpd.conf, per V-92687, I also included the existing lines with 'Session' config -
Session On
SessionCryptoCipher aes256
SessionCookieName session path=/private;domain=dm_name;htttponly;secure;version=1

Then I got the following error when starting apache or run any httpd commands (e.g. httpd -V, httpd -M):
AH00526: Syntax error on line 75 of /etc/httpd/conf/httpd.conf:
Invalid command 'SessionCryptoCipher', perhaps misspelled or defined by a module not included in the server configuration


After I verified the spelling, I added 'mod_session' installation (as did with mod_ssl), it turned out that the mod already installed, but the error stays.

I also switched the order of the last two 'Sessionxxxx' command in the conf file, no luck.

Any idea?
 
You also need mod_session installed in order to use those options, the module also includes the crypto options. mod_session includes these:
Code:
/usr/lib64/httpd/modules/mod_auth_form.so
/usr/lib64/httpd/modules/mod_session.so
/usr/lib64/httpd/modules/mod_session_cookie.so
/usr/lib64/httpd/modules/mod_session_crypto.so
/usr/lib64/httpd/modules/mod_session_dbd.so

Also don't forget to read the apache warning: "The session modules make use of HTTP cookies, and as such can fall victim to Cross Site Scripting attacks, or expose potentially private information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server."
 
Thank you f33dm3bits!

All the listed mod files are installed/loaded on the system. However, they are loaded from a special folder, here are the two lines right before 'Session On' in httpd.conf file -

LoadModule session_module /opt/NAI/LinuxShield/apache/modules/mod_session.so
LoadModule session_cookie_module /opt/NAI/LinuxShield/apache/modules/mod_session_cookie.so


So the modules loaded are from McAfee. But why did it throw 'syntax' error on 'SessionCryptoCipher aes256'? Isn't it a standard Session configure for apache? Could it be that McAfee session module doesn't take (or excludes) 'SessionCryptoCipher'?

I only have McAfee .so file(s) and don't think have access to the source code, is there a way to verify if 'SessionCryptoCipher' is valid for the module?

TIA
 
I don't get how you went from apache problems to Mcafee problems? Also how come your apache is installed in such a strange location if you installed the apache packag and modules from a system that uses the default repositories?

This makes me thing you installed apache from a different source and also have the original apache installed but then just copied over the modules(mod_ssl and mod_session) from the apache installed from the default repository to the apache under /opt/NAI/LinuxShield/apache. You are making this very confusing...?
 
Last edited:
Agree, it IS confusing!

I'm working to apply STIGs to the existing systems, and this weird installations caused tons of troubles to even very simple VKey fixes, like this one.

Next I will try to comment out the two 'LoadModule' in httpd.conf that load modules from /opt/NAI/..., and install the modules with standard .rpm packages. hopefully this may clear the 'Session' issues.

I like to follow typical installation to apply VKey fixes, and would like to convert all McAfee apache to use the standard one (/etc/httpd), but don't know how bad that will break the existing McAfee - it's not fun to deal with McAfee!
 
You have got me even more lost now. Why did you need the apache install from the internet connected machine in the first place if you already had a custom apache install on the machine in an isolated network?
 
They are different modules.

McAfee didn't load/install ssl module, so I had to download and install it with internet connection. Now it turned out that one is easier since McAfee doesn't have it so there is on conflict. Since session modules have been installed/loaded by McAfee, it's hard for me to modify or even troubleshoot conflicts ...
 
They are different modules.

McAfee didn't load/install ssl module, so I had to download and install it with internet connection. Now it turned out that one is easier since McAfee doesn't have it so there is on conflict. Since session modules have been installed/loaded by McAfee, it's hard for me to modify or even troubleshoot conflicts ...

After I verified the spelling, I added 'mod_session' installation (as did with mod_ssl), it turned out that the mod already installed, but the error stays.
After going so on about apache I forgot that it was about getting mod_ssl to work, the rest is starting to make a bit more sense. I would stick with the apache setup from Mcafee since you won't know how much of it will break if you try to make it use the default apache installation.

So from my understanding of your setup now you have the following:
1. mod_ssl working within Mcafee Apache modules location: By first installing mod_ssl on the system, then copied /usr/lib64/httpd/modules/mod_ssl.so to /opt/NAI/LinuxShield/apache/modules, then loaded the mod_ssl module from the Mcafee Apachee configuration file, httpd.conf?
2. mod_session is not working this is what came with the Mcafee Apache install which was already on the system /opt/NAI/LinuxShield/apache/modules?

Am I with you so far?


Earlier you mentioned:"
Then I got the following error when starting apache or run any httpd commands (e.g. httpd -V, httpd -M):
AH00526: Syntax error on line 75 of /etc/httpd/conf/httpd.conf:
Invalid command 'SessionCryptoCipher', perhaps misspelled or defined by a module not included in the server configuration


After I verified the spelling, I added 'mod_session' installation (as did with mod_ssl), it turned out that the mod already installed, but the error stays."

How are you doing an apache configtest, seems you also have the default apache installed on the system, if you do:
Code:
which httpd
Since the custom apache install is part of a Mcafee setup I would expect apache binary to be here:
/opt/NAI/LinuxShield/apache/bin
And the apache configuration to be here: /opt/NAI/LinuxShield/apache/conf/httpd.conf
Maybe look somewhere in that direction?
 
Last edited:
You are right about the modules.

'which httpd' points me to /usr/sbin/httpd

The most urgent thing for me now is to fix the VKey, i.e. to add 'SessionCryptoCipher aes256' in httpd.config file (without breaking httpd service), do you have any suggestions?

To clarify, when I install module packages (i.e. run yum or rpm install), it will install or copy the .so file(s) to certain locations, then 'LoadModule' will be called to actually load them so they can be used, they are separate steps, right? I thought when you install packages it will completely settle the module to be used, so was wrong before.

Thanks again!
 
For example when you downloaded mod_ssl from the internet connected system and installed on the system you are working on, it will then install the modules in the default location. To get them working for the apache that came with mcafee under that custom location, you will have to place them in that modules directory and then also load them in the configuration of that apache setup. Did you also download the mod_sessions from the internet connected system or did it come with the Mcafee setup?
 


Top