Troubleshooting HTTPS Redirection Issues: Why Your Apache SSL Configuration Fails to Load



When attempting to redirect the root domain to HTTPS, the rewrite appears successful but the HTTPS connection stalls at "connecting to thinkingmonkey.me..." with no content loading. The server shows:

Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name  
tcp        0      0 :::443              :::*                LISTEN      1334/httpd
tcp        0      0 :::80               :::*                LISTEN      1334/httpd

The current setup includes:

  • Working HTTP to HTTPS redirect via .htaccess
  • Proper SSL certificate configuration
  • Apache listening on both ports 80 and 443

The rewrite log confirms the redirect is executing:

my-ip - - [24/Jan/2012:19:01:14 +0000] [thinkingmonkey.me/sid#7fa2335ceb18][rid#7fa2339336d8/initial] (1) [perdir /mysite/] redirect to https://thinkingmonkey.me [REDIRECT/302]

The main issue lies in the VirtualHost configuration. While the SSL VirtualHost exists, it lacks the essential DocumentRoot directive:

<VirtualHost *:443>
    ServerName thinkingmonkey.me
    # DocumentRoot was missing from the original SSL VirtualHost
    DocumentRoot /mysite/
    # ... rest of SSL configuration ...
</VirtualHost>

Here's the corrected VirtualHost setup:

<VirtualHost *:80>
    ServerName thinkingmonkey.me
    DocumentRoot /mysite/
    ErrorLog logs/site-error_log
    CustomLog logs/site-access_log common
    
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName thinkingmonkey.me
    DocumentRoot /mysite/
    
    SSLEngine on
    SSLCertificateFile /path/to/my.crt
    SSLCertificateKeyFile /path/to/my.key
    SSLCertificateChainFile /path/to/my.ca-bundle
    
    # Security enhancements
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log common
</VirtualHost>

After making these changes:

  1. Test the configuration: apachectl configtest
  2. Restart Apache: systemctl restart httpd
  3. Verify SSL handshake: openssl s_client -connect thinkingmonkey.me:443

If issues persist:

  • Check SELinux contexts: ls -Z /path/to/certificates
  • Verify port accessibility: telnet thinkingmonkey.me 443
  • Inspect real-time logs: tail -f /var/log/httpd/ssl_error_log

When attempting to access https://thinkingmonkey.me, the browser hangs at "connecting to thinkingmonkey.me..." with no response. The HTTP-to-HTTPS redirect appears functional based on rewrite logs, but the HTTPS connection itself fails to establish.

# Current .htaccess configuration
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ https://thinkingmonkey.me [L,R=302]

  • Apache is listening on both ports 80 and 443 (confirmed via netstat)
  • SSL certificate files are properly configured in virtual host
  • No errors found in httpd or SSL logs (including separate SSL log)
  • Zero entries in ssl_access_log despite connection attempts
  • Rewrite logs show successful HTTP-to-HTTPS redirection

The virtual host configuration appears correct at first glance, but several subtle issues could cause this behavior:

<VirtualHost *:443>
ServerName thinkingmonkey.me
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /path/to/my.crt
SSLCertificateKeyFile /path/to/my.key
SSLCertificateChainFile /path/to/my.ca-bundle
</VirtualHost>

Based on the symptoms and configuration, the most likely issues are:

  1. Firewall blocking port 443: Despite Apache listening, network rules might prevent connections
  2. SSL certificate chain issues: Intermediate certificates might be missing or misconfigured
  3. Apache worker configuration: Possible thread starvation or process limits
  4. Virtual host precedence: Another virtual host might be intercepting 443 traffic

1. Network-Level Verification

# Test basic connectivity
telnet thinkingmonkey.me 443
# Or using openssl
openssl s_client -connect thinkingmonkey.me:443 -showcerts
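
The same layered check as a script, as an added example that is not part of the original page: it separates a refused or filtered TCP connection from a TLS handshake that stalls after the port accepts, which is the distinction the telnet and openssl commands above are probing for. The function name probe_https and the stage labels are illustrative choices.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail) naming the layer at which host:port stops answering."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "dns", str(exc)
    except ConnectionRefusedError:
        return "tcp_refused", "port closed or actively rejected; httpd is not reachable"
    except (socket.timeout, TimeoutError):
        return "tcp_filtered", "no SYN-ACK: packets are dropped before they reach httpd"
    except OSError as exc:
        return "tcp_error", str(exc)

    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return "tls_cert", exc.verify_message  # e.g. missing intermediate certificate
    except (socket.timeout, TimeoutError):
        return "tls_stalled", "TCP connected but no ServerHello arrived in time"
    except ssl.SSLError as exc:
        return "tls_error", exc.reason or str(exc)
    except OSError as exc:
        return "tls_error", str(exc)


if __name__ == "__main__":
    # Hostname taken from the page; any host:port can be substituted.
    print(probe_https("thinkingmonkey.me"))
```

A tcp_filtered result together with an empty ssl_access_log points at a firewall or security group rather than at the Apache configuration.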

2. Enhanced SSL Configuration

Update the SSL configuration with modern settings:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

3. Apache Debug Mode

Enable detailed logging with:

LogLevel debug ssl:trace2
ErrorLog /var/log/httpd/ssl_error_log
CustomLog /var/log/httpd/ssl_access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

4. Process Inspection

# List the running Apache processes (the bracket keeps grep from matching itself)
ps aux | grep '[h]ttpd'
# Verify open files limit
cat /proc/$(pgrep httpd | head -1)/limits | grep "open files"

Here's an optimized virtual host configuration that addresses common SSL issues. The Header directive in it requires mod_headers to be loaded:

<VirtualHost *:443>
    ServerName thinkingmonkey.me
    DocumentRoot /mysite/
    
    SSLEngine on
    SSLCertificateFile /path/to/my.crt
    SSLCertificateKeyFile /path/to/my.key
    SSLCertificateChainFile /path/to/my.ca-bundle
    
    # Modern SSL configuration
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    
    # HSTS Header
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

  • [ ] Verify port 443 is open using netstat -tulnp | grep 443
  • [ ] Test SSL handshake with openssl s_client
  • [ ] Confirm certificate chain with online SSL checkers
  • [ ] Verify Apache can read certificate files (permissions)
  • [ ] Check for SELinux/AppArmor restrictions on SSL ports
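
An added example, not part of the original page, that turns the configuration differences above into an automated check: it parses VirtualHost blocks and reports a missing DocumentRoot, legacy protocols left enabled by SSLProtocol, and weak selectors in SSLCipherSuite. The function names, the WEAK selector list, the modelling of "all" as a superset of protocols and the assumed default of "all -SSLv3" are assumptions; the sample is built from the page's original and hardened port-443 blocks.

```python
import re

LEGACY = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
# Assumption: what "all" enables depends on the httpd/OpenSSL build; use a superset.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
WEAK = {"ALL", "LOW", "MEDIUM", "EXPORT", "EXP", "RC4", "DES", "3DES", "MD5", "ANULL", "ENULL"}

def parse_vhosts(conf):
    """Yield one {directive_in_lower_case: args} dict per <VirtualHost> block."""
    for body in re.findall(r"<VirtualHost\s[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        rows = [line.split() for line in body.splitlines()]
        yield {r[0].lower(): " ".join(r[1:]) for r in rows if r and r[0][0] != "#"}

def enabled_protocols(spec):
    """Replay SSLProtocol tokens as mod_ssl does: bare replaces, + adds, - removes."""
    active = set()
    for tok in spec.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL_PROTOCOLS if name == "all" else {name}
        active = active - group if sign == "-" else (active | group if sign == "+" else set(group))
    return active

def audit_ssl_vhost(d):
    """Return a list of findings for one TLS vhost's directive dict."""
    findings = [] if "documentroot" in d else ["missing DocumentRoot"]
    if d.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    legacy = enabled_protocols(d.get("sslprotocol", "all -SSLv3")) & LEGACY  # assumed default
    if legacy:
        findings.append("legacy protocols: " + " ".join(sorted(legacy)))
    for tok in d.get("sslciphersuite", "").split(":"):
        # "!x" and "-x" remove ciphers and "+x" only reorders; a bare token adds them.
        if tok and tok[0] not in "!-+" and {p.upper() for p in tok.split("+")} & WEAK:
            findings.append(f"weak cipher selector: {tok}")
    return findings

# Constructed sample: the page's original and hardened :443 blocks, abridged.
SAMPLE = """<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /mysite/
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>"""
```

Calling audit_ssl_vhost on each dict from parse_vhosts(SAMPLE) gives four findings for the original block and none for the hardened one.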