So, I got a brand new CentOS 8 server and I migrated from openSUSE Leap 15.1. The configuration of Apache is pretty much the standard one and I simply added my own sites as includes under the /etc/httpd/sites.d/ directory.

My problem is that httpd is not starting when I use a specific self-signed certificate that I have used on my lab server for some years now! The error I get is the AH00016: Configuration Failed, which is not very helpful (SSL log files are empty).

Without the specific certificate, other SSL enabled sites (which use another certificate) are fine and httpd starts normally.

If I use the same (working) certificate for all sites, httpd starts normally. If I remove the other sites and use just this one, httpd does not start. If I use the same (problematic) certificate for all sites, httpd does not start.

The certificate and the private key (obviously) match since I use them for ages, the permissions are correct, SELinux is not an issue and generally speaking I am very confused.

Here is what I did so far:

Check if the certificate and key match:

```
openssl pkey -in /etc/pki/tls/private/server_ukey.pem -pubout -outform pem | sha256sum
6bb8de59f3527df9b5cf25a4e52e5ae42682399d795a439d0ba57ee67c8bc4b7  -

openssl x509 -in /etc/pki/tls/certs/server_cert.pem -pubkey -noout -outform pem | sha256sum
6bb8de59f3527df9b5cf25a4e52e5ae42682399d795a439d0ba57ee67c8bc4b7  -
```

So, they match.

Check the permissions:

```
ls -lrt /etc/pki/tls/certs/server_cert.pem
-rw-r--r--. 1 root apache 1590 Feb   1 07:55 /etc/pki/tls/certs/server_cert.pem

ls -lrt /etc/pki/tls/private/server_ukey.pem
-rw-r-----. 1 root apache 887 Feb   1 07:55 /etc/pki/tls/private/server_ukey.pem
```

Note that even with 600 as permissions the error message is exactly the same!

Check if there is any syntax error:

```
httpd -t
Syntax OK
```

Check the Virtual Hosts configuration:

```
httpd -t -D DUMP_VHOSTS

10.0.0.1:80         is a NameVirtualHost
         default server server.example.com (/etc/httpd/conf.d/_default_80.conf:2)
         port 80 namevhost server.example.com (/etc/httpd/conf.d/_default_80.conf:2)
                 alias server
         port 80 namevhost admin.news.example.com (/etc/httpd/sites.d/002-admin.f1.example.com.conf:1)
         port 80 namevhost mysql.example.com (/etc/httpd/sites.d/003-mysql.example.com.conf:1)
         port 80 namevhost phpipam.example.com (/etc/httpd/sites.d/005-phpipam.example.com.conf:1)
         port 80 namevhost trd.example.com (/etc/httpd/sites.d/006-trd.example.com.conf:4)
                 alias trd

*:443                  is a NameVirtualHost
         default server server.example.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost server.example.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost trd.example.com (/etc/httpd/vhosts.d/006-trd.example.com.conf:19)
                 alias trd
```

So, nothing strange.

Any help would be appreciated.

  • Are you sure there's not more info in the logs? Maybe you could add a redacted version to your question? Have you changed the `LogLevel` option to increase verbosity? – garethTheRed Mar 11 '20 at 07:05
  • I went even to debug level, started httpd in the foreground with `httpd -e debug`, etc etc etc. In all seriousness, I am close to dropping this key and certificate and starting from scratch, but then I need to change it everywhere. And obviously, I am very curious why it fails. – ptselios Mar 11 '20 at 07:31
  • Sometimes with SSL Apache does tend to fail and do so annoyingly without errors. The test only looks if the files mentioned are there. Are these standard RSA certificates, do they contain the obligatory BEGIN and END lines with five hyphens? Do you use a certfile with chain included or do you have a separate chainfile? – Gerrit Mar 11 '20 at 08:04
  • No, just standard certs. Remember, they were working for 10 years. The only thing I can think of is the length of the key, but this should not be an issue, in theory. – ptselios Mar 12 '20 at 09:13
  • Could it be something to do with mandatory access controls such as SELINUX policies or apparmor? You might be able to find evidence in syslog if auditd is set to log these events. – Richard Salts Mar 13 '20 at 06:51
  • As I said, no. This is between apache and this certificate. – ptselios Mar 14 '20 at 07:47
  • I have installed NginX and it complains about the key length. It's too small. So, I suppose it's time to change certificates. Not good. – ptselios Mar 15 '20 at 06:42
