How to make Apache2 run in SSL mode? [SOLVED]

[NotExcessive]

I've just gotten squirrelmail to work in plain mode and have now enabled secure login. When I connect to it from my browser the connection fails because the web server isn't running in secure mode. I've modified httpd.conf and added the line Listen 443 and restarted but it still isn't running. The apache install is 2.0.58-r2, fresh out of the box.

I already have my .pem files generated and working with dovecot.

What do I have to do in order to get an https connection going?

[Janne Pikkarainen]

Just undo your changes to httpd.conf and put -D SSL to /etc/conf.d/apache2 file. Then restart Apache and marvel your fresh, properly-functioning SSL-encrypted website.

(Please also make sure you've compiled Apache with ssl USE flag)
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[NotExcessive]

OK I've added the -D SSL parameter (duh) but it's being stubborn. When I go to the Squirelmail URL, the browser greets me with

[Janne Pikkarainen]

And your Apache really, really is compiled with ssl USE flag? What is the output of emerge -pv apache?
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[Janne Pikkarainen]

Oh, sometimes re-emerging Apache might be needed if you have upgraded openssl.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[NotExcessive]

[Janne Pikkarainen]

And you restarted Apache after that -D SSL addition? (sorry for asking the obvious)

Does netstat -tlnp state that Apache is listening on port 443?

If it does, what if you create a simple static html page and try to load that over SSL connection?
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[NotExcessive]

Yep I sure did make a restart. It seems to be listening:

[Janne Pikkarainen]

PHP also has an ssl USE flag. Has your PHP been compiled with it?
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[Janne Pikkarainen]

Oh, you edited your last post. Are you 100% positive that there are no any SSL related error messages in /var/log/apache2/error_log?
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[NotExcessive]

This is what I see for php (it's a mouthful):

[Janne Pikkarainen]

One more shot in the dark. Do you need ldap support in Apache? In some versions of Apache ldap + ssl could cause some odd segmentation faults and stuff like that. If you don't need Apache ldap support, then just emerge Apache with -ldap and see what happens.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[Janne Pikkarainen]

The message you get is very odd. If my memory serves me right, it's actually your www browser's fault. Try another browser? Some odd CFLAGS in /etc/make.conf might also cause problems.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[NotExcessive]

Well, no. I originally installed LDAP because I was working on getting a Postfix/Dovecot/Squirrelmail server going, which I've done, but it was too hard to get LDAP going so I gave up, left it there, and did the db in MYSQL. I could remove it and recompile Apache, but then I'd have to also recompile Postfix, Dovecot, and Squirrelmail I suppose, so that might be a bit of hassle, making sure I don't nuke my hard-earned config files.

I'd like to keep LDAP if I can, though, because what I'd like to do later on is build an email address book in LDAP that Thunderbird can read.

[NotExcessive]

Whoa... that's weird. If I put https://192.168.2.2 into Internet Exploder, there's nada. Nuttin'.

It comes back with

[NotExcessive]

Well, recompiling Apache with -ldap didn't make any difference.

I noticed that it generated a certificate and key and put them in /etc/apache2/ssl. I copied my own there and renamed them the same server.crt and server.key files, but that didn't do anything.

These were the original .pem certificate and key files I generated and am currently using with Dovecot in secure mode.

Doesn't hurt to try. Should I put the original server.crt and server.key back in /etc/apache2/ssl?

[Janne Pikkarainen]

Yeah. Or even better: backup your current SSL keys and try to generate fresh ones.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

[NotExcessive]

Still at square one

[NotExcessive]

Finally got it. From what I've been able to gather, setting -D SSL is not enough. After some digging I found this on the net, though it was posted four years ago it had the same basic error report:

[csioutis]

if anyone else gets this problem, there is no need to create a separate vhost

i had the same problem described here

i was getting the error "Invalid method in request \x80\x80\x01\x03\x01 "

i was getting this because i hac misspelled the /etc/conf.d/apache2 directives

i had "... -D SSL -D SSL_DEFAULT_HOST" this correct spelling is "-D SSL -D SSL_DEFAULT_VHOST"

notice the "_VHOST" has a V in it.

you may also have a similar typo

[newtonian]