NethServer Version: 7.4.1708
Module: httpd
I installed a new NethServer v7.4.1708 in two steps:
- Install CentOS 7
- yum install nethserver
After the install went correctly, I could not log on to https://192.168.65.11:980/; Firefox stayed stuck waiting for SSL negotiation until it timed out.
I looked at /var/log/httpd/error_log and found the following errors:
[Sat Feb 24 13:37:23.992270 2018] [suexec:notice] [pid 1385] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Feb 24 13:37:24.039361 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.039376 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.039380 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.039384 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using localhost.localdomain. Set the ‘ServerName’ directive globally to suppress this message
[Sat Feb 24 13:37:24.056326 2018] [auth_digest:notice] [pid 1385] AH01757: generating secret for digest authentication …
[Sat Feb 24 13:37:24.056729 2018] [lbmethod_heartbeat:notice] [pid 1385] AH02282: No slotmem from mod_heartmonitor
[Sat Feb 24 13:37:24.056967 2018] [ssl:warn] [pid 1385] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Feb 24 13:37:24.067946 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT / notafter: Feb 22 10:44:01 2028 GMT]
[Sat Feb 24 13:37:24.067957 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.067960 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.067964 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Sat Feb 24 13:37:24.093458 2018] [mpm_prefork:notice] [pid 1385] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured – resuming normal operations
[Sat Feb 24 13:37:24.093475 2018] [core:notice] [pid 1385] AH00094: Command line: ‘/usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -D FOREGROUND’
I googled the different AHxxxxx errors, which led me to modify different files, but it didn’t correct anything at all:
1.) I modified /etc/httpd/conf/httpd.conf and added “ServerName localhost.localdomain” as the first line, reboot -> didn’t correct anything at all.
2.) The error “AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate!” sent me to “https://httpd.apache.org/docs/trunk/fr/ssl/ssl_howto.html”, where I found that I could try correcting /etc/httpd/admin-conf/httpd.conf and adding the missing line SSLCACertificateFile /etc/ssl/certs/ca-bundle.crt, reboot -> didn’t correct anything at all.
3.) I added HOSTNAME=localhost.localdomain in /etc/sysconfig/network, reboot -> didn’t correct anything at all.
Obviously this fucking certificate doesn’t correspond to the host. I had to re-openssl a good one, but I was afraid of making things worse. I had to simplify things. “Blink Idea !”.
So let’s use a basic browser locally: sudo yum install lynx !!!
Wikipedia : Lynx is a customizable text-based web browser for use on cursor-addressable character cell terminals.[6][7] As of May 2017, it is the oldest web browser still in general use and active development,[8] having started in 1992.
So I ran “lynx https://192.168.65.11:980/” and could access the Server Manager to finish the installation. I had to be careful about what I did because lynx reported a lot of “Erreur SSL : self signed certificate - Continuer? (o)” prompts, but in the end I could finish the basic configuration and change the modules “Date & Time, Network, Organization contacts, Server name” and finally “Server certificate”.
After that, Firefox could access my NethServer via HTTPS.
So if you have such a problem, think Lynx !
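Added example, not part of the original post: a small triage script for the mod_ssl entries in an error_log like the one above. It counts entries per level and AH code and flags certificates whose subject equals their issuer in AH02217. The names `triage`, `parse` and `SAMPLE` are made up for this example, and the sample lines are abridged from the log in the post.

```python
import re
from collections import Counter

# Apache 2.4 error_log entry: [timestamp] [module:level] [pid N] AHnnnnn: message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>\w+):(?P<level>\w+)\] "
                   r"\[pid (?P<pid>\d+)\] (?P<code>AH\d{5}): (?P<msg>.*)$")
# AH02217 carries certificate details as "[subject: ... / issuer: ... / serial: ...]"
CERT = re.compile(r"\[subject: (?P<subject>.*?) / issuer: (?P<issuer>.*?) / serial: (?P<serial>\w+)")

# Constructed sample: lines abridged from the post's log (DN shortened for readability)
SAMPLE = """\
[Sat Feb 24 13:37:23.992270 2018] [suexec:notice] [pid 1385] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Feb 24 13:37:24.039361 2018] [ssl:error] [pid 1385] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: O=Example Org,CN=NethServer / issuer: O=Example Org,CN=NethServer / serial: 5A9141F1 / notbefore: Feb 24 10:44:01 2018 GMT]
[Sat Feb 24 13:37:24.039376 2018] [ssl:error] [pid 1385] AH02235: Unable to configure server certificate for stapling
[Sat Feb 24 13:37:24.039380 2018] [ssl:warn] [pid 1385] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Feb 24 13:37:24.039384 2018] [ssl:warn] [pid 1385] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server's fully qualified domain name
""".splitlines()

def parse(lines):
    """Yield one dict per well-formed entry; lines without the bracketed prefix are skipped."""
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    """Return (Counter of (level, code) for mod_ssl entries, serials of self-issued certs)."""
    counts, self_issued = Counter(), set()
    for e in parse(lines):
        if e["mod"] != "ssl":
            continue
        counts[(e["level"], e["code"])] += 1
        c = CERT.search(e["msg"])
        # Subject DN identical to issuer DN: the certificate names itself as its issuer,
        # which is the usual sign of a self-signed certificate (signature not checked here).
        if c and c["subject"] == c["issuer"]:
            self_issued.add(c["serial"])
    return counts, self_issued

if __name__ == "__main__":
    counts, self_issued = triage(SAMPLE)
    for (level, code), n in sorted(counts.items()):
        print(f"{level:5} {code} x{n}")
    print("self-issued certificate serials:", sorted(self_issued))
```

To run it against a real log, pass `open("/var/log/httpd/error_log")` to `triage` instead of `SAMPLE`.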