Instructions to enable HTTPS for Apache 2.4.7 don't work - Icehouse
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openstack-manuals |
Fix Released
|
High
|
Diane Fleming |
Bug Description
Synopsis:
After following the instructions to enable HTTPS for dashboard in this section:
I'm seeing several errors in the logs, and when attempting to browse to the login page I'm getting 'Internal Server Error'.
My initial impression is that the instructions are adapted to an older version of Apache (possibly 2.2.x?) Whereas on Trusty we have:
# apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 3 2014 12:20:28
suggest fix:
It would be useful to provide separate configuration tracks for the different apache versions (e.g. 2.2.x vs 2.4.x)
I unfortunately can't suggest corrections for the 2.4.7 track since I'm not overly familiar with apache and haven't yet found alternate configuration steps that work.
It also may be useful to mention that mod_ssl needs to be enabled (e.g. a2enmod ssl)
Some more details:
*On apache startup I get an error message in the log stating that the 'NameVirtualHost' directive is deprecated, is being ignored, and will be removed in the next release.
*Here is the error I get in the apache error.log when I attempt to browse to the site:
****begin error.log excerpt****
[Tue May 20 11:43:57.473929 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.474026 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.474070 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.484104 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.484137 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.484659 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.484685 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.491903 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.491939 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.491971 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.491986 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.492008 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.492044 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.497834 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.497862 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.498048 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.498071 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.498249 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.498275 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.498402 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.498422 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.504339 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.504368 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.504397 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
[Tue May 20 11:43:57.504423 2014] [:error] [pid 3666:tid 140146393478912] [client 2001:6b0:
****end error.log excerpt****
-------
Built: 2014-05-16T14:15:55 00:00
git SHA: ed92ea154f460d7
URL: http://
Changed in openstack-manuals: | |
milestone: | none → juno |
Changed in openstack-manuals: | |
assignee: | Tom Fifield (fifieldt) → Diane Fleming (diane-fleming) |
I identified a configuration that works. In my case at least, the openstack- dashboard. conf file that the document suggests doesn't work for icehouse/trusty, but the one below does. I basically just compared the content of the originally installed conf file and inserted it into the example provided on the doc page (the WSGI lines, etc). Some notable changes are in the first few lines, such as alias path, credentials, etc.
***begin openstack- dashboard. conf*** example. com /%{HTTP_HOST} %{REQUEST_ URI} /dashboard. example. com example. com ssl/dashboard. crt eFile /etc/apache2/ ssl/dashboardca .crt eyFile /etc/apache2/ ssl/dashboard. key shutdown
<VirtualHost *:80>
ServerName dashboard.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https:/
</IfModule>
<IfModule !mod_rewrite.c>
RedirectPermanent / https:/
</IfModule>
</VirtualHost>
<VirtualHost *:443>
ServerName dashboard.
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/
SSLCACertificat
SSLCertificateK
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-
# HTTP Strict Transport Security (HSTS) enforces that all communications Transport- Security "max-age=15768000"
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-
WSGIScriptAlias /horizon /usr/share/ openstack- dashboard/ openstack_ dashboard/ wsgi/django. wsgi openstack- dashboard/ openstack_ dashboard/ static/ openstack- dashboard/ openstack_ dashboard/ wsgi> dashboard. conf***
WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10
WSGIProcessGroup horizon
Alias /static /usr/share/
<Directory /usr/share/
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
***end openstack-