Failure to start apache2 after SSL cert update.

Jack M. Nilles
I recently updated two virtual servers with new SSL certificates, restarted apache and got a failure to load.

Here is a diagnostic:

 systemctl  status apache2.service
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-07-10 14:51:00 PDT; 19s ago
  Process: 11801 ExecStart=/usr/sbin/start_apache2 -DSYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE)
 Main PID: 11801 (code=exited, status=1/FAILURE)

Jul 10 14:51:00 server systemd[1]: Starting The Apache Webserver...
Jul 10 14:51:00 server systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
Jul 10 14:51:00 server systemd[1]: Failed to start The Apache Webserver.
Jul 10 14:51:00 server systemd[1]: apache2.service: Unit entered failed state.
Jul 10 14:51:00 server systemd[1]: apache2.service: Failed with result 'exit-code'.

Any suggestions?

Jack

Re: Failure to start apache2 after SSL cert update.

Antony Stone
On Friday 10 July 2020 at 23:54:05, Jack M. Nilles wrote:

> I recently updated two virtual servers with new SSL certificates, restarted
> apache and got a failure to load.
>
> Here is a diagnostic:

Never mind what systemd tells you - what's in your apache log files?

Also, have you checked the ownership & permissions of the new certificates and
keys are the same as the old ones?


Antony.

--
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

                                                   Please reply to the list;
                                                         please *don't* CC me.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Failure to start apache2 after SSL cert update.

Miguel González
In reply to this post by Jack M. Nilles
Have you checked the apache error logs?

Re: Failure to start apache2 after SSL cert update.

Jack M. Nilles
In reply to this post by Antony Stone
The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.

Jack


Re: Failure to start apache2 after SSL cert update.

Holger Schramm
On 11.07.20 at 00:32, Jack M. Nilles wrote:
> The apache error logs all quit at the point just before I restarted it. User and group permissions for the SSL files are all root, as before.
>
> Jack

Have you checked the files? Sometimes there are missing newlines in cert
chains or other malformed things.

You can try to set a higher log level on apache to get more details. It
should log something in the error log.

--
~Holger
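
A structural check for the malformed chain file described above (a missing newline between concatenated certificates), as an added example that is not part of the original post. The function name `check_pem_chain` is hypothetical.

```shell
#!/bin/sh
# Added example; check_pem_chain is a hypothetical helper name.
# Verifies that every PEM boundary marker sits alone on its own line and that
# BEGIN/END markers alternate. A chain built with `cat a.crt b.crt` where
# a.crt lacks a trailing newline contains the glued line
#   -----END CERTIFICATE----------BEGIN CERTIFICATE-----
# which this reports. Usage: check_pem_chain chain.pem
check_pem_chain() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /-----(BEGIN|END) / {
            if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----$/) {
                printf "line %d: boundary marker not alone on its line\n", NR
                bad = 1; next
            }
            if ($0 ~ /^-----BEGIN /) {
                if (inblk) { printf "line %d: BEGIN inside an open block\n", NR; bad = 1 }
                inblk = 1; blocks++
            } else {
                if (!inblk) { printf "line %d: END without BEGIN\n", NR; bad = 1 }
                inblk = 0
            }
            next
        }
        END {
            if (inblk)   { print "unterminated block at end of file"; bad = 1 }
            if (!blocks) { print "no PEM blocks found"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}
```

This only checks the framing; `openssl x509` can still parse the first certificate of a glued file, which is why a clean readout of the leaf certificate does not rule this problem out.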


Re: Failure to start apache2 after SSL cert update.

angel Hall-Coulston
1st change log level to debug; 2nd run " apachectl -t "  . This will check whether you have bad syntax (often overlooked but just as serious).

Angel
Scotland


Re: Failure to start apache2 after SSL cert update.

Jim Albert
In reply to this post by Holger Schramm
On 7/11/2020 6:10 AM, Holger Schramm wrote:

> On 11.07.20 at 00:32, Jack M. Nilles wrote:
>> The apache error logs all quit at the point just before I restarted
>> it. User and group permissions for the SSL files are all root, as
>> before.
>>
>> Jack
>
> have you checked the files? sometime there are missing newlines in
> cert chains or other malformed things.
>
> you can try to set a higher log level on apache to get more details.
> it should log sth in the error log.

There are various utilities to read private/public key files. For
example, openssl on UNIX. I believe certutil for Windows.
If those utilities can read your key files then they should be valid format.

Jim




Re: Failure to start apache2 after SSL cert update.

Jack M. Nilles
If I use: openssl x509 -noout -text -in WWW.SITENAME.COM.crt

I get a complete readout of the cert file with no obvious errors. The problem seems to be that apache even fails to start so I'll try the debug level next.






Re: Failure to start apache2 after SSL cert update.

Jack M. Nilles
The /var/log/apache2/error_log simply lists a set of Configuration Failed lines. 

apachectl configtest produces Syntax OK

What file should I change to set the debug level?


Re: Failure to start apache2 after SSL cert update.

Jack M. Nilles
I set the error level to debug in vhosts.conf, tried a restart and got this from yesterday; nothing from today.

[Fri Jul 10 09:47:37.657510 2020] [mpm_prefork:notice] [pid 7681] AH00173: SIGHUP received.  Attempting to restart
[Fri Jul 10 09:47:37.899186 2020] [ssl:warn] [pid 7681] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Jul 10 09:47:37.909108 2020] [:emerg] [pid 7681] AH00020: Configuration Failed, exiting
AH00016: Configuration Failed



Re: Failure to start apache2 after SSL cert update.

Jack M. Nilles
After more searching I find that loadmodule.conf calls for loading the mod_socache_shmcb.so module during pre-fork. However, the ssl-global.conf file calls for mod_socache_shmcb.c. Is it the source file call rather than the executable that's causing the misconfiguration message? Should I just comment out the <IfModule . . .> and </IfModule> lines in ssl-global.conf, leaving the SSLSessionCache line as is?

And why did this glitch just happen recently?


Re: Failure to start apache2 after SSL cert update.

Martin Drescher-2
In reply to this post by Jack M. Nilles
Jack,

are you sure the certificate and the key match up?
You can do this by looking at the modulus, it must be the same.
In OpenSSL this looks like
  'openssl x509 -in [YOUR_CERT] -noout -modulus' respectively
  'openssl rsa -in [YOUR_KEY] -noout -modulus'.
You may pipe this through 'openssl md5' to get the modulus md5 sum.

Martin

--

 Martin Drescher
 Manfred-von-Richthofen-Strasse 223
 12101 Berlin

 VoIP:   +49 30.609 88 293
 Email:<[hidden email]>
 USt-IdNr. DE211832267
 GnuPG Key Fingerprint, KeyID '4FBE451A':
 '2237 1E95 8E50 E825 9FE8  AEE1 6FF4 1E34 4FBE 451A'

Please consider the environment - do you really need HTML email?
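
The certificate/key match check from the message above, applied to every virtual host in a config file, as an added example that is not part of the original post. It compares the full public key rather than the RSA modulus, so it goes beyond the case in the text by also covering non-RSA keys. The function names are hypothetical, and it assumes each pair is given by `SSLCertificateFile` and `SSLCertificateKeyFile` inside a `<VirtualHost>` block, with unencrypted keys and paths that contain no spaces.

```shell
#!/bin/sh
# Added example; pair_matches and check_vhost_pairs are hypothetical names.

# pair_matches CERT KEY
# Returns 0 if both carry the same public key, 1 if they differ,
# 2 if either file cannot be parsed by openssl.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_vhost_pairs CONF
# Prints one "STATUS name cert key" line per <VirtualHost> block that sets
# both directives; returns 1 if any pair is not OK. `apachectl configtest`
# reports "Syntax OK" for a mismatched pair, so this has to be checked separately.
check_vhost_pairs() {
    rc=0
    pairs=$(awk '
        { gsub(/"/, "") }                                   # drop quotes around paths
        tolower($1) == "<virtualhost"          { name = $2; sub(/>$/, "", name); cert = ""; key = "" }
        tolower($1) == "servername"            { name = $2 }
        tolower($1) == "sslcertificatefile"    { cert = $2 }
        tolower($1) == "sslcertificatekeyfile" { key = $2 }
        tolower($1) == "</virtualhost>" && cert != "" && key != "" { print name, cert, key }
    ' "$1")
    while read -r name cert key; do
        [ -n "$name" ] || continue
        pair_matches "$cert" "$key" && st=0 || st=$?
        case $st in
            0) echo "OK $name $cert $key" ;;
            1) echo "MISMATCH $name $cert $key"; rc=1 ;;
            *) echo "UNREADABLE $name $cert $key"; rc=1 ;;
        esac
    done <<EOF
$pairs
EOF
    return "$rc"
}
```

Running `check_vhost_pairs` on the vhost config before each restart catches a swapped or stale key file while the old process is still serving.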



Re: Failure to start apache2 after SSL cert update.

Jack M. Nilles
Thanks, Martin,

Great advice! I have two virtual hosts. The certificate and key match on one of them but not on the other. The mismatched one is much less important so I guess I'll de-ssl it until I trace down the mismatch and redo the certificate/key.

Thanks again,

Jack

