2

Website(s) were up. I changed my config files in sites-enabled, then ran:

`apache2ctl configtest`

Got: Syntax OK

Then ran:

`apache2ctl graceful`

Got returned to the command prompt. No messages. The websites went down, did not restart. Also, I wasn't prompted for a passphrase which I should have been since my key has it.

So I put back the old configs (quickly) and restarted.

Does apache2ctl graceful not support the passphrase? No error messages were in error.log files. Just "[notice] Graceful restart requested, doing restart", then nothing.

UPDATE 7/8 : After searching other error logs (previously just checked main one), I found this:

`SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch`

Fraggle
  • FYI: I've now removed the passphrase from my key, but don't really want to experiment with my live server (no qa box at the moment). So hoping someone can shed some light here before I try again. – Fraggle Jul 08 '11 at 01:51
  • This is the first time I've tried to configure for SSL on my server. I added a VirtualHost *:443 section and changed others to VirtualHost *:80, added a NameVirtualHost *:80 and NameVirtualHost *:443 – Fraggle Jul 08 '11 at 01:53
  • Found the answer. Wrong key file. See my comments below. – Fraggle Jul 08 '11 at 05:40
  • There's a related post at: http://serverfault.com/q/459275/87017 – Pacerier Apr 15 '16 at 18:01

1 Answer

1

Do a full restart, not a graceful one. Your change to have the private key unencrypted should also work.

Conceptually, I can't imagine the apachectl process being able to prompt for a new passphrase for a startup when the main process is only being sent signals by apachectl, not being spawned by it.

In more concrete terms - this 7-year-old posting on a bug report confirms that the behavior that you're seeing is expected - sorry, couldn't find anything more recent confirming that the issue still exists in current apache versions, but it fits.

Shane Madden
  • So do apache2ctl stop, then apache2ctl start? What is the correct way to start without using apache2ctl. Apache docs do not have it that I can see. – Fraggle Jul 08 '11 at 04:22
  • `apache2ctl restart` should do the trick. The "right" way depends on your OS and how Apache's set up - might be init scripts, or the `service` command. – Shane Madden Jul 08 '11 at 04:26
  • I've tried again. Put my ssl configs back in place, tried apache2ctl stop, followed by apache2ctl start. Well the stop sure works, but start does nothing. Nothing in error log. Just returns to command prompt and websites are down. Is there some kind of delay when starting with ssl?? – Fraggle Jul 08 '11 at 04:52
  • UPDATE: after more thorough searching of all error logs, I found this: "SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch" – Fraggle Jul 08 '11 at 05:08
  • Ok, found the answer. All my fault. Wrong key file. Dumb mistake. Had one from a few months ago that I never used. Also missed the error message because it was in a different error log than I checked. Bad mistakes. – Fraggle Jul 08 '11 at 05:39
  • Verify that they do match; output from `openssl x509 -noout -modulus -in cert.pem` should match `openssl rsa -noout -modulus -in cert.key`. Edit - oversights happen, glad it was a simple solution! – Shane Madden Jul 08 '11 at 05:40
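
The comparison from the last comment, turned into a check that can run before a restart; this is an added example, not part of the original thread. It goes beyond the quoted commands by comparing the whole public key rather than only the RSA modulus, so it also covers EC keys. The function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a certificate and a private
# key are a pair before restarting Apache, instead of finding out from
# "X509_check_private_key:key values mismatch" in an error log afterwards.

# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    # For a passphrase-protected key, openssl asks for the passphrase here.
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    # Both commands emit the same PEM SubjectPublicKeyInfo when the key matches.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Constructed sample data: a self-signed certificate with its own key, plus an
# unrelated "old" key standing in for the wrong key file.
make_samples() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
}

# Stand-alone use: sh check.sh cert.pem cert.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2" && rc=0 || rc=$?
    case "$rc" in
        0) echo "OK: key matches certificate" ;;
        1) echo "MISMATCH: wrong key file for this certificate" ;;
        *) echo "ERROR: could not read certificate or key" ;;
    esac
fi
```

Pass the files named in the SSL VirtualHost's `SSLCertificateFile` and `SSLCertificateKeyFile` directives and restart only on "OK".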