Posted to users@httpd.apache.org by Rex Brooks <re...@starbourne.com> on 2006/05/12 23:19:16 UTC

[users@httpd] Revisiting apache startup failure SSLCertificateFile erro

I added the last couple of messages in this 
thread back into the last reply to which I am 
responding.

I was busy all week with the OASIS Symposium 2006.

I want to be clear that I have Apache2.0 
installed on RedHatEnterprise Linux using all the 
included packages. The location of the 
SSLCertificateFile  and SSLCertificateKeyFile 
match the locations in ssl.conf file in the 
conf.d directory from which all .conf files are 
loaded by httpd.conf.

The error message I get in the error log when 
attempting to start httpd remains:

[Mon May 08 06:20:22 2006] [error] Server should 
be SSL-aware but has no certificate configured 
[Hint: SSLCertificateFile]

So I am missing something because it seems to me 
that I have the certificate configured correctly.

My intention to reinstall apache was thwarted when 
I unchecked the webserver from the Add or Remove 
Packages list and clicked update, I got the 
message: Package Not Found: php   required by 
<'php-pear', '4.3.9, '3.6').

This is an anomaly similar to the message I get 
that DocumentRoot 
/home/rexb/jakarta-tomcat-5.0.28 does not exist.

So, for now I can't even reinstall Apache and 
then rebuild the portal and registry.

So, I am back to asking if I am missing something 
in the configuration of the certificate or 
pointing to it.

Please note that I tried several ways to build 
and reference Certificate-Key files.

Regards,
Rex

At 2:42 PM +0200 5/9/06, Axel-Stéphane  SMORGRAV wrote:
>  No need to reinstall Apache. This is only a configuration issue.
>
>You need to tell Apache where to find the
>- Server certificate
>- Private key associated with the server certificate
>- CA Certificate
>
>From your httpd.conf file, you probably include 
>a configuration file called ssl.conf. This 
>include directive may be enclosed within a 
>condition like <IfDefine SSL>. Chances are that 
>the SSL variable is not defined and therefore 
>the ssl.conf file is not loaded. You can remove 
>this condition altogether (and the associated 
></IfDefine>), or you can start Apache with the 
>command "apachectl startssl" rather than 
>"apachectl start".
>
>The module mod_info is very useful for 
>determining exactly what configuration directives 
>have been loaded into Apache by requesting 
>http://myserver.mydomain.com/server-info which 
>will give you a list of all loaded modules and 
>all associated configuration directives.
>
>-ascs
>
>-----Original Message-----
>From: Rex Brooks [mailto:rexb@starbourne.com]
>Sent: Tuesday, May 09, 2006 2:10 PM
>To: Richard de Vries
>Cc: users@httpd.apache.org
>Subject: Re: [users@httpd] Correction & 
>Question: SSLCertificateFile: RedHat (RHEL4) 
>apache startup failure: 
>ebxml-registry-repository on tomcat on port 
>6480, with Mambo LAMP Portal on port 8080: 
>Despite Self-Signed Cert: [error] Server should 
>be SSL-aware but ha
>
>Here is the httpd error_log for that sequence:
>
>[Mon May 08 06:20:21 2006] [notice] core dump file size limit raised
>to 4294967295 bytes
>[Mon May 08 06:20:22 2006] [notice] suEXEC mechanism enabled
>(wrapper: /usr/sbin/suexec)
>[Mon May 08 06:20:22 2006] [error] Server should be SSL-aware but has
>no certificate configured [Hint: SSLCertificateFile]
>
>It's beginning to look like I will have to reinstall apache.
>
>Regards,
>Rex
>
Thanks Richard,

I appreciate that you took the time to answer. So 
far you are the only one. This installation is on 
RedHat Enterprise Linux4 and Apache2.0 and I have 
tried the Key-Certificate generation instructions 
detailed in the System Administration Guide Ch. 
26.6-26.8.

I tried the freebsd instructions at the url you 
advised, and what happened was that the 
certificate signing request could not open the 
key. I have also downloaded and tried with 
openssl-0.9.8b. I was able to generate the 
server.key and server.crt but httpd still does 
not start.

The Admin Guide instructions also result in what 
ought to be a valid server key in the ssl.key 
directory and a server.crt in the ssl.crt 
directory as specified in the ssl.conf file in 
the /etc/httpd/conf directory, but httpd still 
does not start.

Here is the terminal output when attempting to start httpd:

[root@c-xxx-xxx-xxx-xxx ~]# service httpd start
Starting httpd: [Mon May 08 06:20:21 2006] [warn] 
The Alias directive in /etc/httpd/conf/httpd.conf 
at line 557 will probably never match because it 
overlaps an earlier AliasMatch.
Warning: DocumentRoot [/home/xxx/jakarta-tomcat-5.0.28] does not exist
                                                            [FAILED]
[root@c-xxx-xxx-xxx-xxx ~]#

Here is the httpd error_log for that sequence:

[Mon May 08 06:20:21 2006] [notice] core dump 
file size limit raised to 4294967295 bytes
[Mon May 08 06:20:22 2006] [notice] suEXEC 
mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 06:20:22 2006] [error] Server should 
be SSL-aware but has no certificate configured 
[Hint: SSLCertificateFile]

It's beginning to look like I will have to reinstall apache.

Regards,
Rex


>what error are you getting?
>
>Try following the instructions at this URL. They've
>always worked for me:
>
>http://www.corserv.com/freebsd/apache-ssl-howto.html
>
>--- Rex Brooks <re...@starbourne.com> wrote:
>
>>  Please see my previous post for details.
>>
>>  I said that mod_ssl was not installed, but a double
>>  check showed that it is.
>>
>>  My question is only about filenames for
>>  SSLCertificateFile and/or
>>  SSLCertificateKeyFile.
>>
>>  ApacheSSL Documentation says at
>>
>http://www.apache-ssl.org/docs.html#SSLCertificateFile:
>>
>>  This is your PEM-encoded server certificate
>>  (strictly, it is what
>>  SSLeay calls PEM, which isn't really).
>>
>>  Example:
>>
>>  SSLCertificateFile
>>  /usr/local/apache/certs/my.server.pem
>>
>>  What the process described in RedHat Sys. Admin.
>>  Guide Ch. 26.6-26.8
>>  produces in the file ssl.conf located in
>>  /etc/httpd/conf.d/ used to
>>  configure SSL support is:
>>
>>  SSLCertificateFile
>>  /etc/httpd/conf/ssl.crt/server.crt
>>
>>  and
>>
>>  SSLCertificateKeyFile
>>  /etc/httpd/conf/ssl.key/server.key
>>
>>  There is a file named server.crt in the specified
>>  location, and a
>>  server.key file in its corresponding location. Could
>>  this lack of a
>>  PEM-encoded server certificate, however it is
>>  produced, be the
>>  cause of httpd start failure?
>>
>>  I have downloaded and installed openssl-0.9.8b and I
>>  have also now
>>  generated a privkey.pem and a cacert.pem and I have
>>  put them in the
>>  same directories as the ssl.conf file specified, and
>>  edited that file
>>  to reflect that, rebooted and httpd still fails to
>>  start.
>>
>>
>>  Regards,
>  Rex Brooks
-- 
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309
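
The condition described in the quoted reply above (SSL directives wrapped in `<IfDefine SSL>` and therefore skipped on a plain start), as an added example that is not part of the original thread and not Apache's own code. It assumes a single configuration text (Include directives are not followed); `active_ssl_directives` and `pem_labels` are hypothetical helper names, and the sample configuration and certificate body are constructed.

```python
import re

# Constructed sample (not from the original post): the SSL directives sit
# behind <IfDefine SSL>, the situation described in the quoted reply.
SAMPLE_CONF = """\
Listen 80
<IfDefine SSL>
  <VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  </VirtualHost>
</IfDefine>
"""
# Constructed placeholder file body; the base64 text is not a real certificate.
SAMPLE_CRT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

WATCHED = {"sslengine", "sslcertificatefile", "sslcertificatekeyfile"}

def active_ssl_directives(conf_text, defines=()):
    """Return the watched (directive, value) pairs outside any false <IfDefine>."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfDefine\s+(!?)([^>\s]+)\s*>", line, re.I)
        if opened:
            # Symbol names are compared case-sensitively; "!" negates the test.
            negated, symbol = opened.group(1) == "!", opened.group(2)
            stack.append((symbol in defines) != negated)
        elif re.match(r"</IfDefine\s*>", line, re.I):
            if stack:
                stack.pop()
        elif not line.startswith("<"):  # other containers do not gate loading
            parts = line.split(None, 1)
            if parts[0].lower() in WATCHED and all(stack):
                found.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return found

def pem_labels(data):
    """Return the labels of the PEM blocks in a file body, e.g. ['CERTIFICATE']."""
    found = re.findall(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", data, re.M)
    return [label.decode() for label in found]

if __name__ == "__main__":
    print("plain start :", active_ssl_directives(SAMPLE_CONF))
    print("with -DSSL  :", active_ssl_directives(SAMPLE_CONF, {"SSL"}))
    print("PEM labels  :", pem_labels(SAMPLE_CRT))
```

An empty list for the plain start next to a populated list with the `SSL` symbol defined means the certificate directives exist in the file but are never loaded unless the server is started with that symbol.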
