Posted to users@httpd.apache.org by "Jack M. Nilles" <jn...@jala.com> on 2020/07/10 21:54:05 UTC

[users@httpd] Failure to start apache2 after SSL cert update.

I recently updated two virtual servers with new SSL certificates, restarted apache and got a failure to load.

Here is a diagnostic:

 systemctl  status apache2.service
● apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-07-10 14:51:00 PDT; 19s ago
  Process: 11801 ExecStart=/usr/sbin/start_apache2 -DSYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE)
 Main PID: 11801 (code=exited, status=1/FAILURE)

Jul 10 14:51:00 server systemd[1]: Starting The Apache Webserver...
Jul 10 14:51:00 server systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
Jul 10 14:51:00 server systemd[1]: Failed to start The Apache Webserver.
Jul 10 14:51:00 server systemd[1]: apache2.service: Unit entered failed state.
Jul 10 14:51:00 server systemd[1]: apache2.service: Failed with result 'exit-code'.

Any suggestions?

Jack

Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by "Jack M. Nilles" <jn...@jala.com>.
Thanks, Martin,

Great advice! I have two virtual hosts. The certificate and key match on one of them but not on the other. The mismatched one is much less important so I guess I'll de-ssl it until I trace down the mismatch and redo the certificate/key.

Thanks again,

Jack


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by dr...@inter.net.
Jack,

Are you sure the certificate and the key match up?
You can do this by looking at the modulus; it must be the same.
In OpenSSL this looks like
  'openssl x509 -in [YOUR_CERT] -noout -modulus' and
  'openssl rsa -in [YOUR_KEY] -noout -modulus'.
You may pipe this through 'openssl md5' to get the modulus md5 sum.

Martin

--

 Martin Drescher
 Manfred-von-Richthofen-Strasse 223
 12101 Berlin

 VoIP:   +49 30.609 88 293
 Email:<dr...@inter.net>
 USt-IdNr. DE211832267
 GnuPG Key Fingerprint, KeyID '4FBE451A':
 '2237 1E95 8E50 E825 9FE8  AEE1 6FF4 1E34 4FBE 451A'

Please consider the environment - do you really need HTML email?
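
The certificate/key match check described in the message above, as an added example that is not part of the original thread. It goes beyond the RSA modulus and compares the whole public key, so it also covers EC keys; the function names and the throwaway self-signed fixtures are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the fixture
# certificate subject are assumptions made for this illustration.

# cert_matches_key CERT KEY
# Compares the public key embedded in CERT with the one derived from KEY.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# Works for RSA and EC keys; the -modulus comparison is RSA-only.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_pair PREFIX
# Constructed fixture: writes PREFIX.key and a throwaway self-signed PREFIX.crt.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Demo: site1.crt is checked against its own key and against site2's key,
# i.e. one matching pair and one mismatched pair.
demo() {
    tmp=$(mktemp -d) || return 2
    if make_pair "$tmp/site1" && make_pair "$tmp/site2"; then
        for k in site1 site2; do
            if cert_matches_key "$tmp/site1.crt" "$tmp/$k.key"; then
                echo "site1.crt + $k.key: match"
            else
                echo "site1.crt + $k.key: no match (rc=$?)"
            fi
        done
    fi
    rm -rf "$tmp"
}
demo
```

Run it against each virtual host's SSLCertificateFile and SSLCertificateKeyFile before restarting the server; a return code of 2 means the file itself could not be parsed.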




Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by "Jack M. Nilles" <jn...@jala.com>.
After more searching I find that loadmodule.conf calls for loading the mod_socache_shmcb.so module during pre-fork. However, the ssl-global.conf file calls for mod_socache_shmcb.c. Is it the source file call rather than the executable that's causing the misconfiguration message? Should I just comment out the <IfModule . . .> and </IfModule> lines in ssl-global.conf, leaving the SSLSessionCache line as is?

And why did this glitch just happen recently?

> On 11 Jul 2020, at 10:34, Jack M. Nilles <jn...@jala.com> wrote:
> 
> I set the error level to debug in vhosts.conf, tried a restart and got this from yesterday; nothing from today.
> 
> [Fri Jul 10 09:47:37.657510 2020] [mpm_prefork:notice] [pid 7681] AH00173: SIGHUP received.  Attempting to restart
> [Fri Jul 10 09:47:37.899186 2020] [ssl:warn] [pid 7681] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
> [Fri Jul 10 09:47:37.909108 2020] [:emerg] [pid 7681] AH00020: Configuration Failed, exiting
> AH00016: Configuration Failed
> 
> 
>> On 11 Jul 2020, at 7:52, Jack M. Nilles <jnilles@jala.com> wrote:
>> 
>> The /var/log/apache2/error_log simply lists a set of Configuration Failed lines. 
>> 
>> apachectl configtest produces Syntax OK
>> 
>> What file should I change to set the debug level?
>> 
>>> On 11 Jul 2020, at 7:08, Jack M. Nilles <jnilles@jala.com> wrote:
>>>
>>> If I use: openssl x509 -noout -text -in WWW.SITENAME.COM.crt
>>>
>>> I get a complete readout of the cert file with no obvious errors. The problem seems to be that apache even fails to start so I'll try the debug level next.
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On 11 Jul 2020, at 5:30, Jim Albert <jim@netrition.com> wrote:
>>>>
>>>> On 7/11/2020 6:10 AM, Holger Schramm wrote:
>>>>> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>>>>>> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
>>>>>>
>>>>>> Jack
>>>>>
>>>>> have you checked the files? sometimes there are missing newlines in cert chains or other malformed things.
>>>>> 
>>>>> you can try to set a higher log level on apache to get more details. it should log sth in the error log.
>>>> 
>>>> There are various utilities to read private/public key files. For example, openssl on UNIX. I believe certutil for Windows.
>>>> If those utilities can read your key files then they should be valid format.
>>>> 
>>>> Jim


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by "Jack M. Nilles" <jn...@jala.com>.
I set the error level to debug in vhosts.conf, tried a restart and got this from yesterday; nothing from today.

[Fri Jul 10 09:47:37.657510 2020] [mpm_prefork:notice] [pid 7681] AH00173: SIGHUP received.  Attempting to restart
[Fri Jul 10 09:47:37.899186 2020] [ssl:warn] [pid 7681] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Jul 10 09:47:37.909108 2020] [:emerg] [pid 7681] AH00020: Configuration Failed, exiting
AH00016: Configuration Failed


> On 11 Jul 2020, at 7:52, Jack M. Nilles <jn...@jala.com> wrote:
> 
> The /var/log/apache2/error_log simply lists a set of Configuration Failed lines. 
> 
> apachectl configtest produces Syntax OK
> 
> What file should I change to set the debug level?
> 
>> On 11 Jul 2020, at 7:08, Jack M. Nilles <jnilles@jala.com> wrote:
>>
>> If I use: openssl x509 -noout -text -in WWW.SITENAME.COM.crt
>>
>> I get a complete readout of the cert file with no obvious errors. The problem seems to be that apache even fails to start so I'll try the debug level next.
>> 
>> 
>> 
>> 
>> 
>>> On 11 Jul 2020, at 5:30, Jim Albert <jim@netrition.com> wrote:
>>>
>>> On 7/11/2020 6:10 AM, Holger Schramm wrote:
>>>> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>>>>> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
>>>>>
>>>>> Jack
>>>>
>>>> have you checked the files? sometimes there are missing newlines in cert chains or other malformed things.
>>>> 
>>>> you can try to set a higher log level on apache to get more details. it should log sth in the error log.
>>> 
>>> There are various utilities to read private/public key files. For example, openssl on UNIX. I believe certutil for Windows.
>>> If those utilities can read your key files then they should be valid format.
>>> 
>>> Jim


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by "Jack M. Nilles" <jn...@jala.com>.
The /var/log/apache2/error_log simply lists a set of Configuration Failed lines. 

apachectl configtest produces Syntax OK

What file should I change to set the debug level?

> On 11 Jul 2020, at 7:08, Jack M. Nilles <jn...@jala.com> wrote:
> 
> If I use: openssl x509 -noout -text -in WWW.SITENAME.COM.crt
>
> I get a complete readout of the cert file with no obvious errors. The problem seems to be that apache even fails to start so I'll try the debug level next.
> 
> 
> 
> 
> 
>> On 11 Jul 2020, at 5:30, Jim Albert <jim@netrition.com> wrote:
>>
>> On 7/11/2020 6:10 AM, Holger Schramm wrote:
>>> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>>>> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
>>>>
>>>> Jack
>>>
>>> have you checked the files? sometimes there are missing newlines in cert chains or other malformed things.
>>> 
>>> you can try to set a higher log level on apache to get more details. it should log sth in the error log.
>> 
>> There are various utilities to read private/public key files. For example, openssl on UNIX. I believe certutil for Windows.
>> If those utilities can read your key files then they should be valid format.
>> 
>> Jim


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by "Jack M. Nilles" <jn...@jala.com>.
If I use: openssl x509 -noout -text -in WWW.SITENAME.COM.crt

I get a complete readout of the cert file with no obvious errors. The problem seems to be that apache even fails to start so I'll try the debug level next.





> On 11 Jul 2020, at 5:30, Jim Albert <ji...@netrition.com> wrote:
> 
> On 7/11/2020 6:10 AM, Holger Schramm wrote:
>> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>>> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
>>>
>>> Jack
>>
>> have you checked the files? sometimes there are missing newlines in cert chains or other malformed things.
>> 
>> you can try to set a higher log level on apache to get more details. it should log sth in the error log.
> 
> There are various utilities to read private/public key files. For example, openssl on UNIX. I believe certutil for Windows.
> If those utilities can read your key files then they should be valid format.
> 
> Jim


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by Jim Albert <ji...@netrition.com>.
On 7/11/2020 6:10 AM, Holger Schramm wrote:
> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>> The apache error logs all quit at the point just before I restarted 
>> it. User and group permissions for the SSL files are all root, as 
>> before.
>>
>> Jack
>
> have you checked the files? sometimes there are missing newlines in 
> cert chains or other malformed things.
>
> you can try to set a higher log level on apache to get more details. 
> it should log sth in the error log.

There are various utilities to read private/public key files. For 
example, openssl on UNIX. I believe certutil for Windows.
If those utilities can read your key files then they should be valid format.

Jim





Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by angel Hall-Coulston <ra...@me.com.INVALID>.
1st change log level to debug; 2nd run "apachectl -t". This will check whether you have bad syntax (often overlooked but just as serious).

Angel
Scotland

> On 11 Jul 2020, at 11:10, Holger Schramm <li...@schramm.by> wrote:
> 
> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
>> Jack
>
> have you checked the files? sometimes there are missing newlines in cert chains or other malformed things.
> 
> you can try to set a higher log level on apache to get more details. it should log sth in the error log.
> 
> --
> ~Holger


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by Holger Schramm <li...@schramm.by>.
On 11.07.20 at 00:32, Jack M. Nilles wrote:
> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
> 
> Jack

have you checked the files? sometimes there are missing newlines in cert 
chains or other malformed things.

you can try to set a higher log level on apache to get more details. it 
should log sth in the error log.

--
~Holger
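
A structural check for the "missing newlines in cert chains" problem mentioned in the message above, as an added example that is not part of the original thread. The function name and the sample file are assumptions; the sample blocks are constructed placeholders, not real certificates, and the lint checks layout only.

```shell
#!/bin/sh
# Added example, not code from the thread. Structural lint for a PEM chain
# file; it checks layout only and does not validate the certificates.

# pem_chain_lint FILE
# Prints one line per problem. Returns 0 if clean, 1 if problems were found,
# 2 if FILE is unreadable.
pem_chain_lint() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        # A BEGIN/END boundary must be alone on its line. Concatenating files
        # that lack a final newline glues END and BEGIN together.
        /-----(BEGIN|END) / && $0 !~ "^-----(BEGIN|END) [A-Z0-9 ]+-----$" {
            printf "line %d: boundary shares a line with other data\n", NR
            bad = 1
            inblk = ($0 ~ "-----BEGIN [A-Z0-9 ]+-----$")  # resync after the error
            if (inblk) blocks++
            next
        }
        /^-----BEGIN / {
            if (inblk) { printf "line %d: BEGIN inside an open block\n", NR; bad = 1 }
            inblk = 1; blocks++; next
        }
        /^-----END / {
            if (!inblk) { printf "line %d: END without BEGIN\n", NR; bad = 1 }
            inblk = 0; next
        }
        inblk && $0 !~ "^[A-Za-z0-9+/=]+$" {
            printf "line %d: non-base64 data inside block\n", NR; bad = 1
        }
        END {
            if (inblk) { print "unterminated block at end of file"; bad = 1 }
            if (!blocks) { print "no PEM blocks found"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: two placeholder blocks joined without a newline.
sample=$(mktemp) || exit 2
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
    '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' 'REVG' \
    '-----END CERTIFICATE-----' > "$sample"
pem_chain_lint "$sample" || echo "chain file needs fixing"
rm -f "$sample"
```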



Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by "Jack M. Nilles" <jn...@jala.com>.
The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.

Jack

> On 10 Jul 2020, at 15:00, Antony Stone <An...@apache.open.source.it> wrote:
> 
> On Friday 10 July 2020 at 23:54:05, Jack M. Nilles wrote:
> 
>> I recently updated two virtual servers with new SSL certificates, restarted
>> apache and got a failure to load.
>> 
>> Here is a diagnostic:
> 
> Never mind what systemd tells you - what's in your apache log files?
> 
> Also, have you checked the ownership & permissions of the new certificates and 
> keys are the same as the old ones?
> 
> 
> Antony.
> 
> -- 
> There's no such thing as bad weather - only the wrong clothes.
> 
> - Billy Connolly
> 
>                                                   Please reply to the list;
>                                                         please *don't* CC me.


Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by Antony Stone <An...@apache.open.source.it>.
On Friday 10 July 2020 at 23:54:05, Jack M. Nilles wrote:

> I recently updated two virtual servers with new SSL certificates, restarted
> apache and got a failure to load.
> 
> Here is a diagnostic:

Never mind what systemd tells you - what's in your apache log files?

Also, have you checked the ownership & permissions of the new certificates and 
keys are the same as the old ones?


Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

                                                   Please reply to the list;
                                                         please *don't* CC me.



Re: [users@httpd] Failure to start apache2 after SSL cert update.

Posted by Miguel González <mi...@yahoo.es.INVALID>.
Have you checked the apache error logs?

On 10 Jul 2020 23:54, at 23:54, "Jack M. Nilles" <jn...@jala.com> wrote:
>I recently updated two virtual servers with new SSL certificates,
>restarted apache and got a failure to load.
>
>Here is a diagnostic:
>
> systemctl  status apache2.service
>● apache2.service - The Apache Webserver
>Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled;
>vendor preset: disabled)
>Active: failed (Result: exit-code) since Fri 2020-07-10 14:51:00 PDT;
>19s ago
>Process: 11801 ExecStart=/usr/sbin/start_apache2 -DSYSTEMD -DFOREGROUND
>-k start (code=exited, status=1/FAILURE)
> Main PID: 11801 (code=exited, status=1/FAILURE)
>
>Jul 10 14:51:00 server systemd[1]: Starting The Apache Webserver...
>Jul 10 14:51:00 server systemd[1]: apache2.service: Main process
>exited, code=exited, status=1/FAILURE
>Jul 10 14:51:00 server systemd[1]: Failed to start The Apache
>Webserver.
>Jul 10 14:51:00 server systemd[1]: apache2.service: Unit entered failed
>state.
>Jul 10 14:51:00 server systemd[1]: apache2.service: Failed with result
>'exit-code'.
>
>Any suggestions?
>
>Jack