Apache2 (VHOST) + OpenSSL
by HidekiAI on Aug.02, 2009, under Technology Opinions
Just recently there was an update (I have no idea which package), and it hit both my x86 server and my x86_64 Gentoo dev-box. I was down for a few hours with this message in /var/log/apache2/error_log:
[Sun Aug 02 16:07:53 2009] [info] Init: Initialized OpenSSL library
[Sun Aug 02 16:07:53 2009] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
I first disabled SSL_DEFAULT_VHOST so that I could at least get this blog up and running, then began investigating on my dev-box (not the server) what needed looking at. For those who wish to do the same, on Gentoo this means editing /etc/conf.d/apache2 and removing “-D SSL_DEFAULT_VHOST”; you can keep “-D SSL”, because mod_ssl itself is not the problem. By the way, if you have a very long APACHE2_OPTS, you can build it up incrementally as below and just comment out the parts you are testing:
## First, setup default (without SSL vhost, but SSL enabled)
APACHE2_OPTS="-e debug -D DEFAULT_VHOST -D INFO -D MANUAL -D STATUS -D SUEXEC -D LANGUAGE -D PHP5 -D ERRORDOCS"
## Now start adding anything else (per app based)
#APACHE2_OPTS="$APACHE2_OPTS "
## Note: If you need MEM_CACHE, you have to enable CACHE
APACHE2_OPTS="$APACHE2_OPTS -D FTPD -D CACHE -D MEM_CACHE -D USERDIR -D DNSBL"
## Enable SSL vhost
## As of Apache 2.2.8 and older, SNI (Server Name Indication) is available for SSL
APACHE2_OPTS="$APACHE2_OPTS -D SSL -D SSL_DEFAULT_VHOST"
## NOTE: SSL and GNUTLS are _MUTUALLY_EXCLUSIVE_!!! It is either one or the other!
## -D GNUTLS seems to be broken, fails on symbol gnutls_mallor
#APACHE2_OPTS="$APACHE2_OPTS -D GNUTLS -D GNUTLS_DEFAULT_VHOST"
## SVN, you need minimum of:
APACHE2_OPTS="$APACHE2_OPTS -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D DAV_SVN"
## PAM, LDAP and auth
APACHE2_OPTS="$APACHE2_OPTS -D LDAP -D AUTH_LDAP -D AUTHNZ_LDAP -D AUTH_PAM -D VHOST_LDAP -D AUTH_OPENID -D AUTH_MYSQL"
# adding "-D SECURITY" causes blogs to fail because it catches some words it doesn't like and it thinks I'm injecting it
# you'll need to tweak /etc/apache2/modules.d/mod_security/* to allow pass-throughs
#APACHE2_OPTS="$APACHE2_OPTS -D SECURITY"
## Mailman
APACHE2_OPTS="$APACHE2_OPTS -D MAILMAN"
## Python
APACHE2_OPTS="$APACHE2_OPTS -D PYTHON"
This way, you can comment out (using “#”) the lines specific to the modules you are debugging.
Using strace (dev-util/strace)
strace apache2 -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST <...whatever else is in your /etc/conf.d/apache2 APACHE2_OPTS var...> -f /etc/apache2/httpd.conf -d /usr/lib/apache2 -X -k start
You don’t have to add all of the APACHE2_OPTS; at the minimum you need SSL and SSL_DEFAULT_VHOST to work on this issue… In fact, you won’t need to define “DEFAULT_VHOST” either.
open("/etc/apache2/magic", O_RDONLY|O_CLOEXEC) = 45
fcntl(45, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fcntl(45, F_SETFD, FD_CLOEXEC) = 0
brk(0x2a2d000) = 0x2a2d000
read(45, "# Magic data for mod_mime_magic A"..., 4096) = 4096
read(45, "o figure out what's inside.\n\n# st"..., 4096) = 4096
read(45, "FGF95a\t\timage/unknown\n#\n# GRR 950"..., 4096) = 4096
read(45, " The contributor claims:\n# I co"..., 4096) = 670
read(45, ""..., 4096) = 0
close(45) = 0
open("/etc/mime.types", O_RDONLY|O_CLOEXEC) = 45
fcntl(45, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fcntl(45, F_SETFD, FD_CLOEXEC) = 0
fstat(45, {st_mode=S_IFREG|0644, st_size=20537, ...}) = 0
read(45, "#################################"..., 4096) = 4096
read(45, "/vnd.canon-cpdl\napplication/vnd.c"..., 4096) = 4096
read(45, "n/vnd.oasis.opendocument.graphics"..., 4096) = 4096
read(45, "/x-java-jnlp-file\t\t\tjnlp\napplicat"..., 4096) = 4096
read(45, "/x-mopac-vib\t\t\t\tmvb\nchemical/x-nc"..., 4096) = 4096
read(45, "rence/x-cooltalk\t\t\t\tice\n\nx-world/"..., 4096) = 57
read(45, ""..., 4096) = 0
close(45) = 0
gettimeofday({1250511332, 4432}, NULL) = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 45
fstat(45, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=45, events=POLLIN}], 1, 10) = 1 ([{fd=45, revents=POLLIN}])
read(45, "\331\23Ua\350\0229Ou\247\366m\0H\r\235\335v\334\21\"}\330\355\2l\"\225\212\265\354\301"..., 32) = 32
close(45) = 0
getuid() = 0
gettimeofday({1250511332, 4906}, NULL) = 0
gettimeofday({1250511332, 4974}, NULL) = 0
open("/etc/localtime", O_RDONLY) = 45
fstat(45, {st_mode=S_IFREG|0644, st_size=3543, ...}) = 0
fstat(45, {st_mode=S_IFREG|0644, st_size=3543, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc3954b1000
read(45, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0\0"..., 4096) = 3543
lseek(45, -2264, SEEK_CUR) = 1279
read(45, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0\0"..., 4096) = 2264
close(45) = 0
munmap(0x7fc3954b1000, 4096) = 0
write(2, "[Mon Aug 17 07:15:32 2009] [error"..., 123) = 123
exit_group(1) = ?
I found that /etc/mime.types does not list “.pem” but does know about “.key” and “.crt”, so I renamed my SSL files to honor that and edited my 00_default_ssl_vhosts.conf accordingly.
Keep doing this until you don’t see errors like this:
stat("/var/www/webmail/htdocs/squirrelmail", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/etc/apache2/ssl/apache2_cert.pem", 0x7fff2dba79e0) = -1 ENOENT (No such file or directory)
write(2, "Syntax error on line 14 of /etc/a"..., 84Syntax error on line 14 of /etc/apache2/vhosts.d/60_webmail_hai-techwares_ssl.conf:) = 84
write(2, "SSLCertificateFile: file '/etc/ap"..., 88SSLCertificateFile: file '/etc/apache2/ssl/apache2_cert.pem' does not exist or is empty) = 88
open("/var/run/apache2.pid", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
In the above error case, I had to alter 60_webmail_hai-techwares_ssl.conf as well.
Once that was done, I stopped getting the mime issue, but that is not even close to half of this battle…
SSLCertificateFile per VHost
Running out of time, so I’ll get quickly to what needs to be done… First, make sure your SSL certificates are up to date. I usually keep my “private.key” and “cacert.pem” (some call this “server.crt”; whatever you call it, it’s basically the certificate you received from your CA) in two different files. Some like to combine them into a single file, but keeping them separate is easier for me when I need to renew: I just deal with the specific file.
One of the changes made in 2.2.28 and later (I think it was 2.2.28, forgive me if I’m wrong) is that they now want SSLCertificateFile in each vhost! Otherwise, you will get errors such as:
[Mon Feb 22 15:53:46 2010] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)
- or -
[Tue Feb 23 07:21:44 2010] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
I don’t understand the difference between these errors or what they mean, since they seem mutually exclusive, yet both go away once you make sure each vhost has its own SSLCertificateFile and SSLCertificateKeyFile assigned.
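A check for the per-vhost requirement described above, written as an added example that is not part of the original post: it walks a vhosts directory and reports every SSL-enabled vhost that lacks its own SSLCertificateFile or SSLCertificateKeyFile, or whose file is missing or empty. The sample directory, vhost files and certificate paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). For each <VirtualHost> block
# with "SSLEngine on", check it carries its own SSLCertificateFile and
# SSLCertificateKeyFile and that both files exist and are non-empty: the two
# conditions behind "Server should be SSL-aware but has no certificate
# configured" and "SSLCertificateFile: file ... does not exist or is empty".
check_ssl_vhosts() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        # awk flattens each block to: file|startline|sslengine|certfile|keyfile
        awk -v f="$conf" '
          tolower($1) == "<virtualhost"  { inblk=1; start=NR; eng=cert=key=""; next }
          inblk && tolower($1) == "sslengine"             { eng=tolower($2) }
          inblk && tolower($1) == "sslcertificatefile"    { cert=$2 }
          inblk && tolower($1) == "sslcertificatekeyfile" { key=$2 }
          inblk && tolower($1) == "</virtualhost>" { print f "|" start "|" eng "|" cert "|" key; inblk=0 }
        ' "$conf"
    done | while IFS='|' read -r file line eng cert key; do
        [ "$eng" = "on" ] || continue          # non-SSL vhosts need no certificate
        for pair in "SSLCertificateFile=$cert" "SSLCertificateKeyFile=$key"; do
            name=${pair%%=*}; path=${pair#*=}
            if [ -z "$path" ]; then
                echo "$file:$line: SSL vhost has no $name"
            elif [ ! -s "$path" ]; then
                echo "$file:$line: $name '$path' does not exist or is empty"
            fi
        done
    done
}
# Number of findings for a vhosts directory (0 means every SSL vhost is complete).
count_ssl_vhost_problems() { check_ssl_vhosts "$1" | wc -l | tr -d ' '; }

# Constructed sample vhosts directory (assumed names) for a stand-alone run.
DEMO=$(mktemp -d) && mkdir -p "$DEMO/ssl"
echo "placeholder cert" > "$DEMO/ssl/good.crt"; echo "placeholder key" > "$DEMO/ssl/good.key"
cat > "$DEMO/10_good_ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $DEMO/ssl/good.crt
    SSLCertificateKeyFile $DEMO/ssl/good.key
</VirtualHost>
EOF
cat > "$DEMO/20_bad_ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile $DEMO/ssl/missing.key
</VirtualHost>
EOF
check_ssl_vhosts "$DEMO"   # reports the two problems in 20_bad_ssl.conf
```

The parser assumes one directive per line and unquoted paths, which is the usual layout of the vhosts.d files.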