Troubleshooting HTTPS Redirection Issues: Why Your Apache SSL Configuration Fails to Load


When attempting to redirect the root domain to HTTPS, the rewrite appears successful but the HTTPS connection stalls at "connecting to thinkingmonkey.me..." with no content loading. On the server, netstat shows Apache listening on both ports:

Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name  
tcp        0      0 :::443              :::*                LISTEN      1334/httpd
tcp        0      0 :::80               :::*                LISTEN      1334/httpd

The current setup includes:

  • Working HTTP to HTTPS redirect via .htaccess
  • Proper SSL certificate configuration
  • Apache listening on both ports 80 and 443

The rewrite log confirms the redirect is executing:

my-ip - - [24/Jan/2012:19:01:14 +0000] [thinkingmonkey.me/sid#7fa2335ceb18][rid#7fa2339336d8/initial] (1) [perdir /mysite/] redirect to https://thinkingmonkey.me [REDIRECT/302]

The main issue lies in the VirtualHost configuration. While the SSL VirtualHost exists, it lacks the essential DocumentRoot directive:

<VirtualHost *:443>
    ServerName thinkingmonkey.me
    # This was missing! (httpd has no end-of-line comments, so the note sits on its own line)
    DocumentRoot /mysite/
    # ... rest of SSL configuration ...
</VirtualHost>

Here's the corrected VirtualHost setup:

<VirtualHost *:80>
    ServerName thinkingmonkey.me
    DocumentRoot /mysite/
    ErrorLog logs/site-error_log
    CustomLog logs/site-access_log common
    
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    # Redirect to the canonical name instead of echoing the client-supplied Host header
    RewriteRule ^(.*)$ https://thinkingmonkey.me%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName thinkingmonkey.me
    DocumentRoot /mysite/
    
    SSLEngine on
    SSLCertificateFile /path/to/my.crt
    SSLCertificateKeyFile /path/to/my.key
    # Deprecated since Apache 2.4.8: there, append the intermediates to SSLCertificateFile instead
    SSLCertificateChainFile /path/to/my.ca-bundle
    
    # Security enhancements
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log common
</VirtualHost>

After making these changes:

  1. Test the configuration: apachectl configtest
  2. Restart Apache: systemctl restart httpd
  3. Verify SSL handshake: openssl s_client -connect thinkingmonkey.me:443

If issues persist:

  • Check SELinux contexts: ls -Z /path/to/certificates
  • Verify port accessibility: telnet thinkingmonkey.me 443
  • Inspect real-time logs: tail -f /var/log/httpd/ssl_error_log

When attempting to access https://thinkingmonkey.me, the browser hangs at "connecting to thinkingmonkey.me..." with no response. The HTTP-to-HTTPS redirect appears functional based on rewrite logs, but the HTTPS connection itself fails to establish.

# Current .htaccess configuration
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ https://thinkingmonkey.me [L,R=302]

Observations so far:

  • Apache is listening on both ports 80 and 443 (confirmed via netstat)
  • SSL certificate files are properly configured in virtual host
  • No errors found in httpd or SSL logs (including separate SSL log)
  • Zero entries in ssl_access_log despite connection attempts
  • Rewrite logs show successful HTTP-to-HTTPS redirection

The virtual host configuration appears correct at first glance, but several subtle issues could cause this behavior:

<VirtualHost *:443>
ServerName thinkingmonkey.me
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /path/to/my.crt
SSLCertificateKeyFile /path/to/my.key
SSLCertificateChainFile /path/to/my.ca-bundle
</VirtualHost>

Based on the symptoms and configuration, the most likely issues are:

  1. Firewall blocking port 443: Despite Apache listening, network rules might prevent connections
  2. SSL certificate chain issues: Intermediate certificates might be missing or misconfigured
  3. Apache worker configuration: Possible thread starvation or process limits
  4. Virtual host precedence: Another virtual host might be intercepting 443 traffic

1. Network-Level Verification

# Test basic connectivity
telnet thinkingmonkey.me 443
# Or using openssl
openssl s_client -connect thinkingmonkey.me:443 -showcerts
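
The commands above exercise the TCP and TLS layers together. As an added example (not part of the original page), this Python probe reports the first layer that fails; `probe_https` and `stalled_listener` are names chosen here, and the listener is a constructed local stand-in for a port that accepts connections but never answers the handshake.

```python
import socket
import ssl

def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail) naming the first layer at which the connection fails."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "host reachable, nothing accepting on this port")
    except socket.timeout:
        return ("tcp_timeout", "no answer to SYN: packet filter or routing")
    except OSError as exc:
        return ("tcp_error", str(exc))
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except ssl.SSLCertVerificationError as exc:
        return ("cert_invalid", exc.verify_message)
    except socket.timeout:
        return ("tls_timeout", "TCP accepted, but no TLS reply")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_error", str(exc))

def stalled_listener():
    """Constructed stand-in for the symptom: completes TCP, never speaks TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel completes the handshake; accept() is never called
    return srv

if __name__ == "__main__":
    srv = stalled_listener()
    print(probe_https("127.0.0.1", srv.getsockname()[1], timeout=1.0))
    srv.close()
    # Against the real site: probe_https("thinkingmonkey.me")
```

A `tcp_timeout` result points at the firewall cause in the list above and `cert_invalid` at the certificate chain, while `tls_timeout` means the port accepted the connection and the server side never answered.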

2. Enhanced SSL Configuration

Update the SSL configuration with modern settings:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
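
To compare the original virtual host with these settings mechanically, the following added example (not code from the original page) audits `<VirtualHost ...:443>` blocks for the weaknesses discussed here. The function names are chosen here, the cipher check is a keyword heuristic rather than OpenSSL's own evaluation, and `all` is assumed to include every protocol from SSLv3 up, which depends on the httpd/OpenSSL build.

```python
import re
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
KNOWN_PROTOCOLS = WEAK_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_WORDS = {"ALL", "LOW", "MEDIUM", "EXPORT", "RC4", "MD5", "ADH", "aNULL", "eNULL"}

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right ('all' assumed to mean every known protocol)."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-")
        names = KNOWN_PROTOCOLS if name.lower() == "all" else {name}
        if tok.startswith("-"):
            enabled = enabled - names
        elif tok.startswith("+"):
            enabled = enabled | names
        else:
            enabled = set(names)  # a bare token replaces what came before
    return enabled & KNOWN_PROTOCOLS

def audit_tls_vhosts(conf_text):
    """Return sorted findings for every <VirtualHost ...:443> block in conf_text."""
    findings = set()
    for block in re.findall(r"<VirtualHost[^>]*:443>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        directives = {}
        for line in block.splitlines():
            name, args = (line.split(None, 1) + ["", ""])[:2]
            if not name or name.startswith("#"):
                continue
            directives[name.lower()] = args.strip()
            if re.search(r"\s#", args):  # httpd has no end-of-line comments
                findings.add(f"{name}: text after '#' is read as arguments")
        if "documentroot" not in directives:
            findings.add("no DocumentRoot in the :443 vhost")
        weak = enabled_protocols(directives.get("sslprotocol", "")) & WEAK_PROTOCOLS
        if weak:
            findings.add("SSLProtocol enables " + ", ".join(sorted(weak)))
        for tok in directives.get("sslciphersuite", "").split(":"):
            hit = WEAK_CIPHER_WORDS & set(re.split(r"[+-]", tok))
            if hit and not tok.startswith(("!", "-")):
                findings.add(f"SSLCipherSuite token {tok} names {', '.join(sorted(hit))}")
    return sorted(findings)

# The page's original :443 vhost, reduced to the directives this audit reads.
ORIGINAL_VHOST = """<VirtualHost *:443>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>"""
if __name__ == "__main__":
    print("\n".join(audit_tls_vhosts(ORIGINAL_VHOST)))
```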

3. Apache Debug Mode

Enable detailed logging with:

LogLevel debug ssl:trace2
ErrorLog /var/log/httpd/ssl_error_log
CustomLog /var/log/httpd/ssl_access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

4. Process Inspection

# Check Apache workers handling SSL
ps aux | grep httpd | grep ssl
# Verify open files limit
cat /proc/$(pgrep httpd | head -1)/limits | grep "open files"

Here's an optimized virtual host configuration that addresses common SSL issues:

<VirtualHost *:443>
    ServerName thinkingmonkey.me
    DocumentRoot /mysite/
    
    SSLEngine on
    SSLCertificateFile /path/to/my.crt
    SSLCertificateKeyFile /path/to/my.key
    SSLCertificateChainFile /path/to/my.ca-bundle
    
    # Modern SSL configuration
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    
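    # HSTS header (requires mod_headers). includeSubDomains and preload commit every
    # subdomain to HTTPS for the full max-age, so confirm they all serve valid TLS first.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    
    # Same log locations as the earlier examples; ${APACHE_LOG_DIR} is only defined on Debian-style layouts
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log combined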
</VirtualHost>

Verification checklist:

  • [ ] Verify port 443 is open using netstat -tulnp | grep 443
  • [ ] Test SSL handshake with openssl s_client
  • [ ] Confirm certificate chain with online SSL checkers
  • [ ] Verify Apache can read certificate files (permissions)
  • [ ] Check for SELinux/AppArmor restrictions on SSL ports