Rails: SSL stopped working after upgrading from Ubuntu 12.04 to 16.04

Dec 28, 2016, 12:10:59 PM
to Phusion Passenger Discussions
Hello,

As stated, our Rails app (Rails 4.0.13) stopped working with SSL after upgrading our system from Ubuntu 12.04 to the following software versions:

Ubuntu 16.04
Apache 2.4.18
Phusion Passenger Enterprise 5.1.1
Rails 4.0.13
Ruby 2.3.3 or 2.1.5 (with rvm)

It does work without SSL. However, with SSL enabled, the website can't be accessed ("Safari can't establish a secure connection"...).

NO errors in application log or Apache's error log.

This is the virtual host config we are using. It's copied from https://www.phusionpassenger.com/library/deploy/apache/prod_ssl.html with some minor changes, so Apache won't complain at startup about, e.g., the SSLStaplingCache directive not being allowed in virtual host context:

---
SSLStrictSNIVHostCheck off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>

  # Redirect all to https
  ServerName domain.com
  ServerAlias domain.com
  Redirect / https://domain.com/
</VirtualHost>

<VirtualHost 1.2.3.4:443>

  # Basic
  ServerName domain.com
  ServerAlias domain.com
  DocumentRoot /srv/rails/myapp/current/public

  # Passenger
  PassengerEnabled on
  PassengerUser myapp
  PassengerGroup myapp
  PassengerAppEnv production

  PassengerRuby /usr/local/rvm/gems/ruby-2.3.3/wrappers/ruby

  <Directory /srv/rails/myapp/current/public>
    Options None
    Require all granted
  </Directory>

  # SSL
  SSLEngine on
  SSLCertificateFile /srv/rails/myapp/current/lib/linux/ssl/myapp.de.crt
  SSLCertificateKeyFile /srv/rails/myapp/current/lib/linux/ssl/myapp.de.key
  SSLCACertificateFile /srv/rails/myapp/current/lib/linux/ssl/Comodo.pem

  SSLProtocol             all -SSLv2 -SSLv3
  SSLHonorCipherOrder     on
  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

  ServerSignature off
  SSLCompression off
  SSLSessionTickets off
  SSLUseStapling on
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors off

  Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
---

This is our old and working virtual host config under Ubuntu 12.04 (Apache 2.2):

---
<VirtualHost *:80>

  # Redirect all to https
  ServerName {{SERVERNAME}}
  ServerAlias {{SERVERALIAS}}
  Redirect / https://{{SERVERNAME}}/
</VirtualHost>

<VirtualHost {{IP_FOR_SSL}}:443>

  # Basic
  ServerName {{SERVERNAME}}
  ServerAlias {{SERVERALIAS}}
  DocumentRoot {{RAILS_ROOT}}/public

  # Passenger
  PassengerEnabled on
  PassengerMinInstances 2
  PassengerUser myapp
  PassengerGroup myapp

  <Directory {{RAILS_ROOT}}/public>
    AllowOverride all
    Options -MultiViews
  </Directory>

  # SSL
  SSLEngine on
  SSLCertificateFile {{RAILS_ROOT}}/lib/linux/ssl/{{SERVERNAME}}.crt
  SSLCertificateKeyFile {{RAILS_ROOT}}/lib/linux/ssl/{{SERVERNAME}}.key
  SSLCACertificateFile {{RAILS_ROOT}}/lib/linux/ssl/Comodo.pem
</VirtualHost>
---

Thanks, Nikolas

Daniel Knoppel

Jan 2, 2017, 6:40:09 AM
to Phusion Passenger Discussions
This issue was handled through Enterprise support (turned out to be a certificate problem, not a Passenger problem).

- Daniel
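
The reply attributes the failure to a certificate problem without saying which one. As an added example (not part of the thread and not Phusion's code), the script below runs the offline checks an administrator would start with on the files named by the vhost's SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile. The function names are this example's own, and the three file paths are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): offline checks for the three files an
# Apache vhost names in SSLCertificateFile, SSLCertificateKeyFile and
# SSLCACertificateFile. Function names are this example's own.

# 0 if the private key belongs to the certificate, 1 if not, 2 if unreadable.
# "-passin pass:" makes an encrypted key fail instead of prompting.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's notAfter date is still in the future.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if the certificate chains to a CA in the given bundle. The output is
# matched because old OpenSSL releases exit 0 even when verification fails.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

check_vhost_tls_files() {   # usage: check_vhost_tls_files CERT KEY CA_BUNDLE
  local rc=0
  cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate (or a file is unreadable)"; rc=1; }
  cert_not_expired "$1"      || { echo "FAIL: certificate has expired"; rc=1; }
  cert_chains_to "$1" "$3"   || { echo "FAIL: certificate does not verify against the bundle"; rc=1; }
  # Subject, issuer and validity window for a manual look.
  openssl x509 -in "$1" -noout -subject -issuer -dates 2>/dev/null
  return "$rc"
}

# Run the checks only when called with the three paths.
if [ "$#" -eq 3 ]; then
  check_vhost_tls_files "$1" "$2" "$3"
fi
```

If all three checks pass, the next step is to look at what the server actually presents during the handshake, for instance with `openssl s_client -connect domain.com:443 -servername domain.com`.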