SSL Not working

Rails Deployment
1

I am using a mongel cluster with apache. My setup is identical to this
http://wiki.slicehost.com/doku.php?id=automated_rails_install_and_deployment_with_deprec_capistrano

I am trying to use ssl on part of my site but no go. I am used
ssl_required plugin and it is successfully redirecting to an https page
however I am getting the following error, even tho the address bar is
displaying https:

Safari can’t connect to the server.
Safari can’t open the page “https://www.mysite.com/account/signup_free”
because it could not connect to the server “www.mysite.com”.

Any idea’s whats going on? My app Apache Conf File:

<VirtualHost *:80>
ServerName www.mysite.com

ServerAlias www.mysite.com

DocumentRoot /var/www/apps/mysite/current/public

<Directory /var/www/apps/mysite/current/public>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

Configure mongrel_cluster

<Proxy balancer://mysite_cluster>

BalancerMember http://127.0.0.1:8000

BalancerMember http://127.0.0.1:8001

BalancerMember http://127.0.0.1:8002

BalancerMember http://127.0.0.1:8003

BalancerMember http://127.0.0.1:8004

BalancerMember http://127.0.0.1:8005

BalancerMember http://127.0.0.1:8006

BalancerMember http://127.0.0.1:8007

RewriteEngine On

Prevent access to .svn directories

RewriteRule ^(.*/)?.svn/ - [F,L]
ErrorDocument 403 “Access Forbidden”

Check for maintenance file and redirect all requests

RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]

Rewrite index to check for static

RewriteRule ^/$ /index.html [QSA]

Rewrite to check for Rails cached page

RewriteRule ^([^.]+)$ $1.html [QSA]

Redirect all non-static requests to cluster

RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://mysite_cluster%{REQUEST_URI} [P,QSA,L]

Deflate

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

ErrorLog logs/mysite.com-error_log
CustomLog logs/mysite.com-access_log combined

<VirtualHost *:443>

ServerName www.mysite.com

ServerAlias www.mysite.com

DocumentRoot /var/www/apps/mysite/current/public

<Directory /var/www/apps/mysite/current/public>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

Configure mongrel_cluster

<Proxy balancer://mysite_cluster>

BalancerMember http://127.0.0.1:8000

BalancerMember http://127.0.0.1:8001

BalancerMember http://127.0.0.1:8002

BalancerMember http://127.0.0.1:8003

BalancerMember http://127.0.0.1:8004

BalancerMember http://127.0.0.1:8005

BalancerMember http://127.0.0.1:8006

BalancerMember http://127.0.0.1:8007

RewriteEngine On

Prevent access to .svn directories

RewriteRule ^(.*/)?.svn/ - [F,L]
ErrorDocument 403 “Access Forbidden”

Check for maintenance file and redirect all requests

RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]

Rewrite index to check for static

RewriteRule ^/$ /index.html [QSA]

Rewrite to check for Rails cached page

RewriteRule ^([^.]+)$ $1.html [QSA]

Redirect all non-static requests to cluster

RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f

Add header for Mongrel to set HTTPS environment for Rails

RequestHeader set X-Forwarded-Proto “https”
RewriteRule ^/(.*)$ balancer://mysite_cluster%{REQUEST_URI} [P,QSA,L]

Deflate

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

SSL Engine Switch

SSLEngine on

SSL Cipher Suite:

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Server Certificate

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/www.mysite.com.crt

Server Private Key

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/www.mysite.com.key

BrowserMatch “.MSIE.
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0

ErrorLog logs/mysite.com-error_log
CustomLog logs/mysite.com-access_log combined
CustomLog logs/mysite.com-ssl_log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b”

2

I forgot to mention that my logs appear to be clean.

mysite-error_log is empty
mysite-ssl_log is empty

the apache error_log looks like:

[Tue Mar 18 16:45:27 2008] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6
OpenSSL/0.9.8a DAV/2 configured – resuming normal operations
[Tue Mar 18 16:47:24 2008] [notice] SIGHUP received. Attempting to
restart
httpd: Could not reliably determine the server’s fully qualified domain
name, using 127.0.0.1 for ServerName
[Tue Mar 18 16:47:25 2008] [notice] Digest: generating secret for digest
authentication …
[Tue Mar 18 16:47:25 2008] [notice] Digest: done
[Tue Mar 18 16:47:26 2008] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6
OpenSSL/0.9.8a DAV/2 configured – resuming normal operations
[Tue Mar 18 16:49:43 2008] [notice] SIGHUP received. Attempting to
restart
httpd: Could not reliably determine the server’s fully qualified domain
name, using 127.0.0.1 for ServerName
[Tue Mar 18 16:49:43 2008] [notice] Digest: generating secret for digest
authentication …
[Tue Mar 18 16:49:43 2008] [notice] Digest: done
[Tue Mar 18 16:49:44 2008] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6
OpenSSL/0.9.8a DAV/2 configured – resuming normal operations

3

On Tue, Mar 18, 2008 at 10:59 AM, Jason M. <
[email protected]> wrote:

[Tue Mar 18 16:47:24 2008] [notice] SIGHUP received. Attempting to
httpd: Could not reliably determine the server’s fully qualified domain
name, using 127.0.0.1 for ServerName
[Tue Mar 18 16:49:43 2008] [notice] Digest: generating secret for digest
authentication …
[Tue Mar 18 16:49:43 2008] [notice] Digest: done
[Tue Mar 18 16:49:44 2008] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6
OpenSSL/0.9.8a DAV/2 configured – resuming normal operations

Something simple to check - is port 443 open on your server? When
running
into these types of problems, I try and take Rails out of the equation -
first just get Apache to response correctly and then go from there.

Dave
http://www.silverrack.com

4

Dave Stevenson wrote:

On Tue, Mar 18, 2008 at 10:59 AM, Jason M. <
[email protected]> wrote:

[Tue Mar 18 16:47:24 2008] [notice] SIGHUP received. Attempting to
httpd: Could not reliably determine the server’s fully qualified domain
name, using 127.0.0.1 for ServerName
[Tue Mar 18 16:49:43 2008] [notice] Digest: generating secret for digest
authentication …
[Tue Mar 18 16:49:43 2008] [notice] Digest: done
[Tue Mar 18 16:49:44 2008] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6
OpenSSL/0.9.8a DAV/2 configured – resuming normal operations

Something simple to check - is port 443 open on your server? When
running
into these types of problems, I try and take Rails out of the equation -
first just get Apache to response correctly and then go from there.

Dave
http://www.silverrack.com

Thanks Dave, I can’t believe I didnt think of that. I ran a port tester
and 443 is closed. I opened up the port 443 via webmin, saved the
config, rebooted, and double checked the firewall was enabled yet 443 is
still showing closed when I run the port test again. Any idea’s on why
its not opening up? im running ubuntu 6.06

My commits looked like this:

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT