NethServer Version: 7.4.1708
Module: httpd
I installed a new NethServer v7.4.1708 in two steps:
- Install CentOS 7
- yum install nethserver
After the install went correctly, I could not log on to https://192.168.65.11:980/; my Firefox stayed stuck waiting for SSL negotiation until it timed out.
I looked at /var/log/httpd/error_log and found the following errors:
[Sat Feb 24 13:37:23.992270 2018] [suexec:notice] [pid 1385] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Feb 24 13:37:24.039361 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: L=Hometown,C=--,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=--,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.039376 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.039380 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.039384 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
[Sat Feb 24 13:37:24.056326 2018] [auth_digest:notice] [pid 1385] AH01757: generating secret for digest authentication ...
[Sat Feb 24 13:37:24.056729 2018] [lbmethod_heartbeat:notice] [pid 1385] AH02282: No slotmem from mod_heartmonitor
[Sat Feb 24 13:37:24.056967 2018] [ssl:warn] [pid 1385] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Feb 24 13:37:24.067946 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: L=Hometown,C=--,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=--,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.067957 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.067960 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.067964 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Sat Feb 24 13:37:24.093458 2018] [mpm_prefork:notice] [pid 1385] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Sat Feb 24 13:37:24.093475 2018] [core:notice] [pid 1385] AH00094: Command line: '/usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -D FOREGROUND'
I googled the different AHxxxxx errors, which led me to modify different files, but it didn't correct anything at all:
1.) I modified /etc/httpd/conf/httpd.conf and added "ServerName localhost.localdomain" as the first line, reboot -> didn't correct anything at all.
2.) The error "AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate!" sent me to "https://httpd.apache.org/docs/trunk/fr/ssl/ssl_howto.html", where I found that I could try correcting /etc/httpd/admin-conf/httpd.conf by adding the missing line SSLCACertificateFile /etc/ssl/certs/ca-bundle.crt, reboot -> didn't correct anything at all.
3.) I added HOSTNAME=localhost.localdomain in /etc/sysconfig/network, reboot -> didn't correct anything at all.
Obviously this fucking certificate doesn't correspond to the host. I had to re-openssl a good one but I was afraid to make things worse. I had to simplify things. "Blink Idea!".
So let's use a basic browser locally: sudo yum install lynx !!!
Wikipedia: Lynx is a customizable text-based web browser for use on cursor-addressable character cell terminals. As of May 2017, it is the oldest web browser still in general use and active development, having started in 1992.
So I ran "lynx https://192.168.65.11:980/" and could access the server manager to finish the installation. I had to be careful about what I did because lynx reported a lot of "Erreur SSL : self signed certificate - Continuer? (o)", but in the end I could finish the basic configuration and change the modules "Date & Time, Network, Organization contacts, Server name" and finally "Server certificate".
After that Firefox could access my NethServer via https.
So if you have such a problem, think Lynx!
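An added example, not part of the original post: a small Python triage of the mod_ssl messages quoted above that reduces AH02217, AH01906 and AH01909 to a de-duplicated list of certificate findings. The sample lines are constructed in the format of the log above (DNs shortened), and the function name and finding labels are hypothetical.

```python
import re

# Constructed sample in the format of the error_log quoted above (DNs shortened).
SAMPLE = """\
[Sat Feb 24 13:37:24.039361 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: O=Example Org,CN=NethServer / issuer: O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.039376 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.039380 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.039384 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Sat Feb 24 13:37:24.093458 2018] [mpm_prefork:notice] [pid 1385] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
"""

# "[timestamp] [module:level] [pid N] AHnnnnn: message"
LINE = re.compile(r"^\[[^\]]+\] \[(?P<mod>\w+):(?P<level>\w+)\] "
                  r"\[pid (?P<pid>\d+)\] (?P<code>AH\d{5}): (?P<msg>.*)$")
CERT = re.compile(r"\[subject: (?P<subject>.+?) / issuer: (?P<issuer>.+?)"
                  r" / serial: (?P<serial>\w+) ")
VHOST = re.compile(r"configured for (?P<vhost>\S+) does NOT include")


def triage(log_text):
    """Return de-duplicated (finding, detail) tuples from mod_ssl log lines."""
    findings = []

    def add(item):
        if item not in findings:          # the same cert is logged once per config pass
            findings.append(item)

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["mod"] != "ssl":
            continue                      # unprefixed lines and other modules are skipped
        code, msg = m["code"], m["msg"]
        if code == "AH02217":
            c = CERT.search(msg)
            if c and c["subject"] == c["issuer"]:
                add(("self-signed", c["serial"]))   # subject == issuer: no separate issuer cert
            else:
                add(("issuer-missing-from-chain", c["serial"] if c else None))
        elif code == "AH01906":
            add(("ca-cert-used-as-server-cert", None))
        elif code == "AH01909":
            v = VHOST.search(msg)
            add(("name-mismatch", v["vhost"] if v else None))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, detail)
```
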