Thursday, December 08, 2005

SSL on RHEL - SSL Certificate on working - Domain not resolving

Recently after migrating data from an older hard drive, I needed to transfer SSL configuration for a domain. The domain was not working with the SSL. Pinging the domain was returning the following error message


ping: unknown host


So here we had two main issues. One is that domain isn't resolving to the server and other one being that SSL isn't working. After running some grep operations, I found that ssl.conf was missing the virtual host configuration for the domain.



ServerName domain.com
DocumentRoot /var/www/html/hosts/domain.com/docs
#ServerName
ServerAdmin admin@domain.com
ErrorLog /etc/httpd/logs/ssl_error_log
TransferLog /etc/httpd/logs/ssl_access_log
#ServerName domain.com
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key


After I put the above code and restarted httpd, it complained about missing .crt and .key files, which I restored from the old drive.

Now that the httpd started properly, time to troubleshoot the domain not resolving. As this domain was recently transferred from another name server, I wasn't sure what exactly was causing the domain not to come up. I tried to ping the domain from the server on which it was hosted as well as from my box, but to no avail.

I found that the DNS zone wasn't yet added to the new DNS by the client. To do that I used a custom script, however you will probably need to use the method which works with your DNS provider.

[root@ensim:~]$ sh /designerz/dns/addDnsZone.sh domain.com 192.144.241.58 ns1.hostingcompany.com ns2.hostingcompany.com

Adding
---------------------
Domain:domain.com
IP: 192.144.241.58
NS1: ns1.hostingcompany.com
NS2: ns2.hostingcompany.com
---------------------
Continue? (Ctrl-c to exit)



$ORIGIN .
$TTL 3600 ; 1 hour
domain.com IN SOA ns1.hostingcompany.com. ensim.designerz.com. (
2005110203 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
7200 ; expire (2 hours)
3600 ; minimum (1 hour)
)
NS ns1.hostingcompany.com.
NS ns2.hostingcompany.com.
$TTL 86400 ; 1 day
A 192.144.241.58
$ORIGIN domain.com.
* A 192.144.241.58
--------------
ZONE
------------

zone "domain.com" IN {
type master;
file "/var/named/db.domain.com";
allow-update { key "wp_default_key."; };
allow-transfer { localhost; };
};
--------------
ADDING TO BIND.CONF
------------

looking for domain.com in /etc/bind/bind.conf.wp
Not Found
Adding
include "/etc/bind/zone.domain.com";



After adding the zone, I restarted BIND


service named restart



If everything went fine, pinging the domain should now work.


ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 1012ms
rtt min/avg/max/mdev = 0.558/0.591/0.624/0.033 ms



Next step I did was to turn off firewall (just for a sec) and test SSL connectivity again. As I had thought, the connection was successful.

So I opened up APF configuration file (conf.apf) and found that 443 (SSL port) was missing in the following defition.

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306"


Once I added it and restarted APF, Voila! the site started resolving using SSL.

If you are having issues, post a comment.

0 Comments:

Post a Comment

<< Home