Page 1 of 1

Help SSL / Starting Apache

PostPosted: 31. January 2011 16:44
by Tezcatlipoca
Hi all,

Ok, I'm hoping this will be a quick, easy one, but I've been tearing my hair out for a few hours now and still have no answer. Ok, firstly some background:

Windows 2003 R2 server with latest updates
XAMPP 1.7.3
IIS is installed, but completely disabled
MySQL and Apache have been installed as services and set to autostart

Now, here's my problem. The initial installation went smoothly and without any problems whatsoever and within minutes I had Apache 2.2 happily chugging away and facing the web. All test pages I created in htdocs ran beautifully and with no issues. Based on this, I began to build website elements into the system. Again, everything works smoothly.

Until now. Basically, I need to secure certain pages as https on my website. These are trusted third party issuers rather than self-certs and I have generated the relevant files and had the issuer certify them without any problems.
The files were put into the relevant folders within the C:\xampp\apache\conf folder (so that's the ssl.crt, ssl.csr and ssl.key folders) and the httpd-ssl.conf in the \extra\ folder updated accordingly.
Finally, httpd.conf from the C:\xampp\apache\conf folder was updated to uncomment the 'LoadModule ssl_module modules/mod_ssl.so' line.

I then restarted the Apache service. Now here's where we have a problem.

Any attempt to start the apache service, either from the Xampp panel, the command line or from the services.msc fails, with the latter throwing an error. Checking the system event logs I get:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 1/31/2011
Time: 9:08:46 AM
User: N/A
Computer: DALLAS2
Description:
The Apache2.2 service terminated with service-specific error 1 (0x1).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Hokay. So IIS is off, so it's probably not a port issue, but let's just check anyway. I run port scans via the Xampp panel and root scans using the 'netstat -a -no' command. All scans show that NOTHING is listening on ports 80 or 443. Not the ports then.

I then command lined into the apache install folder and ran a standard 'httpd.exe -t' command. No errors were returned and all syntax checked as OK. Hmmm.

I then triple-checked my httpd.conf and httpd_ssl.conf files, ensuring all the paths and filenames were correct. Again, everything checked out.

Finally, in exasperation, I commented out the 'LoadModule ssl_module modules/mod_ssl.so' line in the httpd.conf file to check that I had broken something fundamental. As soon as I tried to start the apache service, bingo, she started up without a problem.
I uncommented the line again, resaved, then restarted the service. Again, a failure...

...soooo, my problem appears to be that include line. However, this is a major issue for me since I am eventually going to have payment pages for services on this site, so I need SSL active, but apache only seems to want to run with that line commented out.


Can anyone help?

Re: Help SSL / Starting Apache

PostPosted: 31. January 2011 20:53
by JonB
I guess the words 'not for production environments' didn't resonate with you...

If you need a reliable system, why not just do the standalone installations??/

8)

Re: Help SSL / Starting Apache

PostPosted: 31. January 2011 23:43
by Sharley
First thing is when ever Apache can't start check the \apache\logs\error.log file - you did not mention you looked in that file.

Apache in XAMPP is configured for SSL by default and the mod_ssl.so is uncommented by default unless when you used the setup_xampp.bat file you elected to disable SSL, and if you comment out this module then you won't have SSL on your Apache server - I believe your error is caused by changing the SSL settings incorrectly from the working defaults, because we only have your word that you did it correctly which can't be checked effectively, so the SSL module chucks a wobbly. :)

Also check in the httpd.conf file that this line is not commented out
Code: Select all
# Secure (SSL/TLS) connections
Include "conf/extra/httpd-ssl.conf"
as it would be if at some stage you elected not to use SSL.

You can run setup_xampp.bat file at any time in 1.7.3 to change or see the current settings state.

The Apache configuration file for SSL httpd-ssl.conf must not have any syntax errors and may be where your problem lies - the error.log or the ssl_request.log file may have clues.

So to test SSL was working before your configuration edits, revert your certificates and configurations back to the defaults when installed using the backup files you made and try and open https://localhost and move on from there if all is good - you could also change the port from 443 to say 4433 to see if it really is not a port issue then use https:/localhost:4433 to check.


IIS is now known as World Wide Publishing and it is this that needs to be disabled if it is installed on your system but in any case IIS must not be able to access port 443 or your SSL will fail unless you configure SSL on another port - not recommended - and simply stopping IIS and WWP is not sufficient they must be completely disabled as per instructions.
viewtopic.php?p=169028#p169028

If as you say your OS is fully updated from MS then likely IIS or WWP has not been fully disabled and comes into the equation when ever your XAMPP services are started.

From the readme_en.txt file:
A matter of security (A MUST READ!)

As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. The way XAMPP is configured, is to be open as possible and allowing the developer anything he/she wants.
For development environments this is great but in a production environment it could be fatal.
So you will have to learn as much as possible about how to harden your Apache server should you continue down the production path using XAMPP. (Google is your friend).

Good luck and best wishes.

Re: Help SSL / Starting Apache

PostPosted: 01. February 2011 11:49
by Tezcatlipoca
wole wrote:
Tezcatlipoca wrote:Can anyone help?

You can help yourself.
Ask google with:
"The Apache2.2 service terminated with service-specific error 1 (0x1)"

I get any answer und solutions for this.
Do it - try it - test it - ...


An unhelpful comment. Google was obviously among the first things I tried and, equally obviously, had the answer been there I would not have posted this thread.
If you actually read some of the results from that search you'll find they talk about port clashes with other programs (commonly IIS) and / or the need to disable SSL on XAMPP. Strangely enough, neither of these are relevant or an option for me, and I mention having checked and tested both of in my original post. :roll:


Sharley wrote:First thing is when ever Apache can't start check the \apache\logs\error.log file - you did not mention you looked in that file.

Apache in XAMPP is configured for SSL by default and the mod_ssl.so is uncommented by default unless when you used the setup_xampp.bat file you elected to disable SSL, and if you comment out this module then you won't have SSL on your Apache server - I believe your error is caused by changing the SSL settings incorrectly from the working defaults, because we only have your word that you did it correctly which can't be checked effectively, so the SSL module chucks a wobbly. :)


Thank you, a much more helpful, well reasoned response. I looked into this and found that setup_xampp.bat is showing everything as on and healthy (SSL is active, no errors). I also ran the two error checks I mentioned before (httpd.exe -t and net stat -a -no) and both are coming up clean (i.e. there are no syntax errors in my conf files and ports 80 and 443 are not being listened to by anything else.

This installation was done with the standard self-installer downloaded from the site, and no settings were changed. The commenting out of the SSL module was done by me when I found I had problems with the service starting when it was active, so it was on by default.

Sharley wrote:The Apache configuration file for SSL httpd-ssl.conf must not have any syntax errors and may be where your problem lies - the error.log or the ssl_request.log file may have clues.
So to test SSL was working before your configuration edits, revert your certificates and configurations back to the defaults when installed using the backup files you made and try and open https://localhost and move on from there if all is good - you could also change the port from 443 to say 4433 to see if it really is not a port issue then use https:/localhost:4433 to check.


Ah! Thank you, Sharley. Following your advice I dug a little deeper and tested each section of the SSL in isolation (so the service, the ports, etc.) and found the issue. When I reverted back to the standard certificates that are installed with XAMPP everything kicked in, ergo my certificates were at fault. I investigated further, and found an error being thrown that indicated my certificates could not be loaded in a Win32 environment as they had passphrases attached. I rebuilt the certificates without passphrases, re-issued them and everything now works properly again :D

Thank you very much for your help Sharley, it got me looking in the right direction which ultimately solved the issue.

JonB wrote:If you need a reliable system, why not just do the standalone installations???


Quite so. This is still very much a test environment (I have the external IP locked down and inaccessible to all but my production computer). The reason for using XAMPP is it comes with almost everything I need in one easy package, so it's perfect to get everything up and running quickly so I can build the test website.
Once everything is finished, I intend to remove XAMPP and install Apache, PHP and my other requirements separately. This is just a very quick and dirty solution for the moment so the site can be built and shown to the client.

That said, as long as the usual security steps are taken, why doesn't XAMPP get recommended for a production environment? Out of the box, so to speak, I can see the Windows version has a few security holes in it, but none of them are especially obscure or unknown and all are easily fixable. Are there other issues, such as stability, with Xampp in production environments?