
I am trying to run apache2 under Docker (WSL2) with a self-signed certificate to test SSL. The Dockerfile looks like this

FROM php:7.1-apache
RUN apt-get update && apt-get install -y zlib1g-dev
COPY ./certs/* /etc/apache2/ssl/
COPY dev.conf /etc/apache2/sites-enabled/dev.conf
RUN docker-php-ext-install mysqli pdo pdo_mysql zip mbstring
RUN a2enmod rewrite
RUN a2enmod ssl
# Note: this only restarts Apache inside the build step; the image's CMD
# (apache2-foreground) starts a fresh Apache process when the container runs.
RUN service apache2 restart

with dev.conf containing the SSL virtual host shown below.

<VirtualHost *:443>
    DocumentRoot "/var/www/html/"
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    SSLEngine on
    
    SSLCertificateFile "/etc/apache2/ssl/server.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/server.key" 
                
    ServerName dev-asusrog.com

</VirtualHost>

Running on port 80 with Chrome/Firefox/Opera at http://localhost:80 it works. Doing the same with http://127.0.0.1:80 instead, I get "This site can’t be reached" / "refused to connect." IPv6-only binding is disabled:

sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0

Using curl -v localhost or curl -v 127.0.0.1 works in both cases:

curl -v localhost
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Jan 2021 08:39:23 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue, 12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host localhost left intact


curl -v 127.0.0.1
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Jan 2021 08:39:33 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue, 12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host 127.0.0.1 left intact

Opening https://dev-asusrog.com/ (I have already set dev-asusrog.com to point to 127.0.1.1 in the hosts file), I get "Access to dev-asusrog.com was denied. You don’t have the authorization to view this page. HTTP ERROR 403".

The files server.crt and server.key were created with openssl using the command below, with the fake server name above, dev-asusrog.com, as the server FQDN.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

I get the following Apache2 errors. The first one, about the fully qualified domain name, is fixed by adding a ServerName localhost statement to /etc/apache2/apache2.conf. What about the others?

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.1. Set the 'ServerName' directive globally to suppress this message
[Tue Jan 12 11:53:39.329396 2021] [ssl:warn] [pid 22] AH01906: dev-asusrog.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jan 12 11:53:39.329797 2021] [ssl:error] [pid 22] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / issuer: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / serial: 08C832686429FFF4C45180A8806FE16A278B41A3 / notbefore: Jan 11 10:40:12 2021 GMT / notafter: Jan 11 10:40:12 2022 GMT]
[Tue Jan 12 11:53:39.329830 2021] [ssl:error] [pid 22] AH02604: Unable to configure certificate dev-asusrog.com:443:0 for stapling

Any help here?
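The AH01906 warning comes from how the certificate was made: a bare openssl req -x509 takes its X.509 extensions from the stock openssl.cnf, whose v3_ca section sets basicConstraints=CA:TRUE, so Apache is being handed a CA certificate to serve as a leaf. AH02217/AH02604 follow from that for a self-signed certificate: OCSP stapling needs an issuer certificate and an OCSP responder, and a self-signed cert has neither, so SSLUseStapling makes no sense for it. The script below is an added example, not code from the question or the answers; it generates a proper self-signed leaf (CA:FALSE, serverAuth, a SAN list that browsers actually check, since modern browsers ignore the CN) and then inspects the result with the openssl CLI. It assumes a POSIX shell and openssl 1.1 or newer; the directory, file names and the host name dev-asusrog.com are the question's, everything else is mine. CA:FALSE also matters if you later drop the cert into the Windows trusted root store: it limits what the matching private key can be abused for if it leaks.

```shell
#!/bin/sh
# Added example, not code from the original question: create a self-signed
# LEAF certificate that Apache will not flag as a CA certificate (AH01906)
# and that browsers will accept for the name, then check it with the
# openssl CLI. Assumes a POSIX shell and openssl >= 1.1.
set -eu

# Write key+cert for HOST into DIR. The question's bare `openssl req -x509`
# takes its extensions from the stock openssl.cnf, whose v3_ca section sets
# basicConstraints=CA:TRUE; an explicit extension section replaces that with
# CA:FALSE, server-auth usage and a SAN list (browsers ignore the CN).
make_leaf_cert() {
    dir=$1; host=$2
    cat >"$dir/leaf.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_leaf
[dn]
CN = $host
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host, DNS:localhost, IP:127.0.0.1, IP:::1
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$dir/leaf.cnf" -extensions v3_leaf \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    chmod 600 "$dir/server.key"   # whoever holds the key can impersonate the host
}

# The command from the question, with -subj added so it runs non-interactively.
make_cert_as_in_question() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/q.key" -out "$1/q.crt" >/dev/null 2>&1
}

# Print the Basic Constraints value of CERT ("CA:FALSE" / "CA:TRUE"), or nothing if absent.
basic_constraints() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Basic Constraints/{n;s/^[[:space:]]*//;p;}' | head -n 1
}

# Print the Subject Alternative Name entries of CERT on one line.
san_list() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//;p;}' | head -n 1
}

# Succeed if NAME (e.g. "DNS:localhost" or "IP Address:127.0.0.1") is in CERT's SAN.
has_san() { san_list "$1" | grep -qF -- "$2"; }

# Succeed if KEY is the private key for CERT (RSA moduli must match); a mismatch
# is the usual reason Apache refuses to start after swapping the files.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

demo() {
    dir=$(mktemp -d)
    make_leaf_cert "$dir" dev-asusrog.com
    echo "fixed cert : $(basic_constraints "$dir/server.crt")"
    echo "fixed SAN  : $(san_list "$dir/server.crt")"
    if make_cert_as_in_question "$dir" dev-asusrog.com; then
        echo "question's command: $(basic_constraints "$dir/q.crt")  SAN: $(san_list "$dir/q.crt")"
    fi
    rm -rf "$dir"
}
demo
```

Copy server.crt and server.key from the generated directory into ./certs/ for the Dockerfile; with a CA:FALSE leaf the AH01906 warning disappears, while the two stapling errors go away only once stapling is turned off for that vhost.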

2 Answers


  1. Chosen as BEST ANSWER

    1st step) I had to change/add, under Windows\system32\drivers\etc\hosts, the local testing domain from 127.0.0.1 dev-asusrog.com to ::1 dev-asusrog.com, as Olaf Kock recommended.

    2nd step) I had to disable the SSLUseStapling parameter in ssl-params.conf, i.e. I commented it out:

    #SSLUseStapling on
    

    3rd (optional) step) Install server.crt in the Windows Trusted Root Certification Authorities store. For your convenience, I attach the affected files below.

    My Dockerfile changed to this

    FROM php:7.1-apache
    
    COPY ./certs/* /etc/apache2/ssl/
    COPY ssl-params.conf /etc/apache2/conf-available/
    COPY ./sites-available/* /etc/apache2/sites-available/
    RUN a2enconf ssl-params
    RUN a2ensite default-ssl
    RUN a2enmod rewrite
    RUN a2enmod ssl
    RUN a2enmod headers
    
    WORKDIR /var/www/html/
    
    # Note: this only restarts Apache inside the build step; the image's CMD
    # (apache2-foreground) starts a fresh Apache process when the container runs.
    RUN service apache2 restart
    

    My ssl-params.conf is declared like this

    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACH$
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    
    SSLHonorCipherOrder On
    
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
    
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    
    # Requires Apache >= 2.4
    SSLCompression off
    #SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off
    

    The file sites-available/default-ssl.conf is declared like this

    <IfModule mod_ssl.c>
            <VirtualHost _default_:443>
                    ServerAdmin [email protected]
                    ServerName dev-asusrog.com
    
                    DocumentRoot /var/www/html
    
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
    
                    SSLEngine on
    
                    SSLCertificateFile "/etc/apache2/ssl/server.crt"
                    SSLCertificateKeyFile "/etc/apache2/ssl/server.key"             
    
                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                    SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Directory /usr/lib/cgi-bin>
                                    SSLOptions +StdEnvVars
                    </Directory>
    
                    BrowserMatch "MSIE [2-6]" \
                                   nokeepalive ssl-unclean-shutdown \
                                   downgrade-1.0 force-response-1.0
    
            </VirtualHost>
    </IfModule>
    

    Hope it will help you in case you have the same problem I had.

    Best Regards,


  2. localhost typically is an alias to ::1 these days (note: IPV6), while 127.0.0.1 is obviously IPV4. Thus, you’re connecting to different endpoints and if you don’t explicitly open up IPV4 connections, there’s nothing listening there.
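The accepted answer resolves the ::1 versus 127.0.0.1 mismatch described in the second answer by editing the hosts file, and relies on ssl-params.conf for the hardening headers. The script below is an added example of mine, not part of either answer: it probes the finished vhost over IPv4 and IPv6 separately with curl --resolve, which pins dev-asusrog.com to a chosen address for that one request without touching the hosts file (Host header and SNI still carry the real name, so Apache selects the right vhost), and checks that the Strict-Transport-Security and X-Frame-Options headers from ssl-params.conf actually arrive. It assumes curl and a POSIX shell; the host name and port are the answer's, the response in sample_headers is constructed. One caveat on that config: max-age=63072000 makes the browser insist on HTTPS for dev-asusrog.com for two years after the first visit; in Chrome the entry can be removed at chrome://net-internals/#hsts if plain HTTP on that name is ever needed again.

```shell
#!/bin/sh
# Added example (not from the answers above): probe https://dev-asusrog.com/
# over IPv4 and IPv6 separately and verify the ssl-params.conf headers.
# Assumes curl and a POSIX shell; sample_headers is a constructed response.
set -eu

HOST=dev-asusrog.com

# Fetch only the response headers, forcing the TCP connection to ADDR
# ("127.0.0.1" or "[::1]") with --resolve: no hosts-file edit needed, and the
# Host header and SNI still carry the real name so Apache picks the vhost.
# -k accepts the self-signed certificate; never use it against a real host.
fetch_headers() {
    curl -sSk -I --max-time 5 --resolve "$HOST:443:$1" "https://$HOST/"
}

# Read HTTP response headers on stdin, print "status=NNN hsts=yes|no xfo=yes|no"
# and succeed only for a 2xx answer carrying both hardening headers.
check_headers() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" |
        sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    hsts=no; xfo=no
    printf '%s\n' "$hdrs" | grep -qi '^strict-transport-security:' && hsts=yes
    printf '%s\n' "$hdrs" | grep -qi '^x-frame-options:[[:space:]]*deny' && xfo=yes
    echo "status=${status:-none} hsts=$hsts xfo=$xfo"
    ok=1
    case $status in 2??) [ "$hsts" = yes ] && [ "$xfo" = yes ] && ok=0 ;; esac
    return $ok
}

# Probe one address; "connection refused" here while the other family works
# is exactly the localhost-vs-127.0.0.1 mismatch from the question.
probe() {
    printf '%-12s ' "$1"
    fetch_headers "$1" | check_headers || echo "  FAILED for $1"
}

# Constructed sample of what Apache answers with ssl-params.conf enabled,
# so check_headers can be exercised without a running container.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache/2.4.38 (Debian)\r\n'
    printf 'Strict-Transport-Security: max-age=63072000; includeSubdomains\r\n'
    printf 'X-Frame-Options: DENY\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

sample_headers | check_headers
# Once the container is up, run the live probes with: PROBE=1 sh probe.sh
if [ "${PROBE:-0}" = 1 ]; then probe 127.0.0.1; probe '[::1]'; fi
```

If probe 127.0.0.1 fails while probe '[::1]' succeeds, nothing is listening on the IPv4 side, and publishing the port explicitly on the IPv4 loopback (docker run -p 127.0.0.1:443:443 ...) is the alternative to pointing the hosts entry at ::1.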
