Posted to users@httpd.apache.org by Ben Johnson <be...@indietorrent.org> on 2012/09/26 17:13:34 UTC

Re: [users@httpd] Apache fails to start, without explanation, when certain SSL-related directives are misconfigured


On 8/22/2012 10:55 AM, Ben Johnson wrote:
> 
> 
> On 8/22/2012 9:36 AM, Eric Covener wrote:
>> On Wed, Aug 22, 2012 at 9:24 AM, Ben Johnson <be...@indietorrent.org> wrote:
>>>
>>>
>>> On 8/22/2012 8:56 AM, Eric Covener wrote:
>>>>> Dovecot dropped its TLS capabilities, but it still started
>>>>> the server and bound to the non-secure port.
>>>>
>>>> I'd personally prefer the server fail startup rather than operate w/o SSL.
>>>
>>> While that may be, this preference should not be assumed. Even if the
>>> current behavior (failing to start under said circumstances) is made the
>>> default, I would prefer this to be a configurable behavior.
>>
>> I'd suggest opening a bug/bugs if there's not already one.  mod_ssl
>> doesn't load keys during config test.
> 
> Thanks for your helpful responses, Eric; much appreciated.
> 
> Indeed; I will open a bug report or feature request, as appropriate, and
> recommend that mod_ssl be made to load the various certificate
> components during validation.
> 
>>>
>>> My post's primary purpose was to underscore the fact that Apache fails
>>> *silently* under the key/cert mismatch scenario.
>>>
>>> Perhaps with a sufficiently high log-level this error would be revealed.
>>> But even if that is so, such a critical failure should be logged
>>> regardless of the setting.
>>
>> I get this in 2.2:
>>
>> [Wed Aug 22 09:32:44 2012] [error] Unable to configure RSA server private key
>> [Wed Aug 22 09:32:44 2012] [error] SSL Library Error: 185073780
>> error:0B080074:x509 certificate routines:X509_check_private_key:key
>> values mismatch
>>
>> In 2.4 it's even higher severity (emerg) and has a few more messages.
>> But maybe your scenario is different.
> 
> Very interesting. This is exactly the type of message I had hoped and
> expected to see.
> 
> Thank you for taking the time to recreate the scenario and report your
> findings.
> 
> I wonder why this message was not present in my logs.
> 
> For the sake of thoroughness, in which log does this message appear on
> your system?
> 
>> What was your LogLevel?
> 
> LogLevel warn
> 
> Apache version is Apache/2.2.14 (Ubuntu), so, we should expect to see
> the same output on this system.
> 
> Unfortunately, the system in question is a production system, so I
> cannot test different scenarios without consequences.
> 
> I will try to reproduce the problem on a development system.
> 
> Thanks again,
> 
> -Ben
> 

I finally had a chance to test this scenario more fully.

As it turns out, Apache does indeed log the appropriate error message.
However, Apache logs the message to the offending vhost's log file, not
the main/primary log file.

From http://httpd.apache.org/docs/2.2/logs.html#virtualhost :

"If CustomLog or ErrorLog directives are placed inside a <VirtualHost> section, all
requests or errors for that virtual host will be logged only to the
specified file. Any virtual host which does not have logging directives
will still have its requests sent to the main server logs."

This is why I didn't see the message; I was restarting Apache from the
console, and only messages written to the primary log file are displayed
in this scenario.

My question is now this: is it possible to force Apache to log ALL
messages of severity "warn" and above to the primary log file (while
leaving the existing vhost logging alone)?

Ideally, this would be implemented in the primary server configuration
file; I would prefer not to have to modify each vhost's configuration
(even if by template).

Thanks again,

-Ben
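
A console-side check for the situation described in this message, added here as an example and not part of the original post or of Apache itself: it lists every ErrorLog file named in the configuration and prints entries of severity warn or higher from each one, so a startup failure written only to a vhost's log is not missed. The function names, the `--demo` switch and the sample config and log lines are constructed for illustration; it assumes absolute, literal ErrorLog paths and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the thread): find startup errors that Apache wrote
# to a vhost's own ErrorLog instead of the main log.
# Assumptions: ErrorLog paths are absolute and literal (no ${VAR} expansion),
# Include directives are not followed (pass every config file as an argument),
# and lines use the 2.2 format "[date] [level] message".

# Print each distinct ErrorLog file path found in the given config files.
# Piped ("|prog") and syslog targets are skipped: they are not files.
list_error_logs() {
    awk 'tolower($1) == "errorlog" {
             path = $2
             gsub(/"/, "", path)
             if (path !~ /^[|]/ && path !~ /^syslog/) print path
         }' "$@" | sort -u
}

# Print "logfile:line" for every entry of severity warn or higher.
scan_error_logs() {
    list_error_logs "$@" | while IFS= read -r log; do
        [ -r "$log" ] || continue
        # /dev/null as a second file makes grep prefix the file name
        grep -E '\[(warn|error|crit|alert|emerg)\]' "$log" /dev/null || true
    done
}

# Constructed fixture: one main log, one vhost log holding the SSL failure.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/httpd.conf" <<EOF
ErrorLog $d/error.log
<VirtualHost *:443>
    ServerName secure.example.test
    ErrorLog "$d/secure-error.log"
    SSLEngine on
</VirtualHost>
EOF
    echo '[Wed Aug 22 09:32:40 2012] [notice] caught SIGTERM, shutting down' \
        > "$d/error.log"
    echo '[Wed Aug 22 09:32:44 2012] [error] Unable to configure RSA server private key' \
        > "$d/secure-error.log"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample) && scan_error_logs "$dir/httpd.conf"
fi
```

Run against the real configuration by passing the main config file and every vhost file as arguments to `scan_error_logs` right after a failed restart.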
