From: "@lbutlr"
Subject: Re: I broke my Apache 2.4 install and I need help!
Date: Tue, 10 Apr 2018 00:16:17 -0600
To: freebsd-questions@freebsd.org

On 2018-04-03 (12:32 MDT), Johan Hendriks wrote:
>
> On 03/04/2018 at 00:56, @lbutlr wrote:
>> On 2018-04-02 (16:40 MDT), William Dudley wrote:
>> This is what a virtual host looks like for me in apache24. I never put any hosts into http.conf other than a base name that is actually unused for web access. Everything is in user/name.conf or extras/httpd-vhosts.conf
>>
>>
>> ServerName oursite.example.net
>> DocumentRoot /usr/local/www/oursite
>> SSLEngine on
>> SSLCertificateFile /usr/local/etc/dehydrated/certs/covisp.net/cert.pem
>> SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem
>> SSLCertificateChainFile /usr/local/etc/dehydrated/certs/covisp.net/chain.pem
>> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>> SSLHonorCipherOrder on
>> # I am not sure this is needed or best for TLSv1.2, but it works for us
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>> Header always set Strict-Transport-Security "max-age=15638400; includeSubdomains;"
>>
>>
> The documentation of apache states that SSLCertificateChainFile is
> deprecated and SSLCertificateFile will handle your cert and chain in one
> file. See apache docs
> http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
> I do not think this helps with your problem but it is cleaner to not use
> deprecated configs.

I am not the OP with the problem, I was just sharing the configuration that I have that works.

It looks like I should change that to

SSLCertificateFile /usr/local/etc/dehydrated/certs/covisp.net/chain.pem

I'll give that a try next time I'm editing configs.

--
Don't congratulate yourself too much, or berate yourself either. Your
choices are half chance; so are everybody else's.
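
Added example, not part of the original message or of any Apache tooling: a Python check for the directive change discussed above. It flags SSLCertificateChainFile and confirms that the file named by SSLCertificateFile holds more than one certificate once the chain file is dropped. The /example paths, the fullchain.pem file name, the placeholder PEM bodies and all function names are constructed for illustration.

```python
import re

# One PEM certificate block; DOTALL so the body may span lines.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# Matches SSLCertificateFile and SSLCertificateChainFile, not SSLCertificateKeyFile;
# commented-out lines are skipped because '#' is not whitespace.
DIRECTIVE = re.compile(r"^\s*(SSLCertificate(?:Chain)?File)\s+(\S+)", re.M | re.I)

def count_certs(pem_text):
    """Number of PEM certificate blocks in the text of a file."""
    return len(PEM_CERT.findall(pem_text))

def audit_vhost(conf_text, read_file):
    """Return findings for one vhost's certificate directives.

    read_file(path) -> str is injected: pass lambda p: open(p).read() for real
    files, or a dict lookup for the constructed samples below.
    """
    found = {name.lower(): path for name, path in DIRECTIVE.findall(conf_text)}
    cert_file = found.get("sslcertificatefile")
    chain_file = found.get("sslcertificatechainfile")
    findings = []
    if chain_file:
        findings.append("deprecated: SSLCertificateChainFile " + chain_file)
    if not cert_file:
        return findings + ["error: SSLCertificateFile is not set"]
    n = count_certs(read_file(cert_file))
    if n == 0:
        findings.append("error: no certificate found in " + cert_file)
    elif n == 1 and not chain_file:
        # One block and no chain file: the file cannot hold leaf and intermediates.
        findings.append("error: %s holds 1 certificate, expected leaf + intermediates" % cert_file)
    return findings

def _pem(label):
    # Constructed placeholder body, not a real certificate.
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % label

# Constructed sample files and configs (hypothetical /example paths).
FILES = {"/example/cert.pem": _pem("LEAF"),
         "/example/chain.pem": _pem("INTERMEDIATE"),
         "/example/fullchain.pem": _pem("LEAF") + _pem("INTERMEDIATE")}
OLD_STYLE = "SSLCertificateFile /example/cert.pem\nSSLCertificateChainFile /example/chain.pem\n"
COMBINED = "SSLCertificateFile /example/fullchain.pem\n"
LEAF_ONLY = "SSLCertificateFile /example/cert.pem\n"

if __name__ == "__main__":
    for name, conf in (("old", OLD_STYLE), ("combined", COMBINED), ("leaf only", LEAF_ONLY)):
        print(name, audit_vhost(conf, FILES.__getitem__))
```

The check only counts PEM blocks; it does not parse the certificates or verify their order.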