
I'm trying to get PHP and Apache running with SSL on a Red Hat server on AWS. After setting up the deployment, restarting Apache fails.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

systemctl status httpd.service gives:

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-04-20 15:21:17 EDT; 3min 25s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 11017 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 11015 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 11015 (code=exited, status=1/FAILURE)

Apr 20 15:21:17 ip-172-16-255-255.internal systemd[1]: Starting The Apache HTTP Server...
Apr 20 15:21:17 ip-172-16-255-255.internal systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 20 15:21:17 ip-172-16-255-255.internal kill[11017]: kill: cannot find process ""
Apr 20 15:21:17 ip-172-16-255-255.internal systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 20 15:21:17 ip-172-16-255-255.internal systemd[1]: Failed to start The Apache HTTP Server.
Apr 20 15:21:17 ip-172-16-255-255.internal systemd[1]: Unit httpd.service entered failed state.
Apr 20 15:21:17 ip-172-16-255-255.internal systemd[1]: httpd.service failed.

My log has:

var/log/httpd/error.log:

[Thu Apr 20 14:25:07.649234 2017] [suexec:notice] [pid 10823] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 20 14:25:07.665400 2017] [ssl:emerg] [pid 10823] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/dev.example.com/error2.log for more information

In the error log for the specific deployment I get:

[Thu Apr 20 14:24:30.258985 2017] [ssl:emerg] [pid 10795] AH01895: Unable to configure verify locations for client authentication
[Thu Apr 20 14:25:07.665388 2017] [ssl:emerg] [pid 10823] AH01895: Unable to configure verify locations for client authentication

The configuration I'm trying is:

#NameVirtualHost new.example.com:80
<VirtualHost new.example.com:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html/dev.example.com
    ServerName new.example.com
    DirectoryIndex index.html
    DirectoryIndex index.php
    LogLevel notice
    ErrorLog /var/log/httpd/dev.example.com/error2.log
    LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
    CustomLog /var/log/httpd/dev.example.com/access.log w3c_extended
</VirtualHost>

#NameVirtualHost new.example.com:443
<VirtualHost new.example.com:443>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html/dev.example.com
    ServerName new.example.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLProtocol all
    SSLCertificateFile /usr/local/ssl/crt/example_2015.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl_2015.key
    SSLCACertificateFile /usr/local/ssl/crt/example_2015_intermediate.pem
    DirectoryIndex index.html
    DirectoryIndex index.php
    LogLevel notice
    ErrorLog /var/log/httpd/dev.example.com/error2.log
    LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
    CustomLog /var/log/httpd/dev.example.com/access.log w3c_extended
</VirtualHost>

I followed this link:

https://forums.cpanel.net/threads/httpd-fails-to-restart-after-install-ssl-certificate.55823/

which allowed me to have Apache and PHP running, but this didn't allow the SSL to function, so I think it is something with the certificates.

I lost track of a thread I was on, but I also compared the md5 of the key with the cert and those both matched up.

openssl x509 -noout -modulus -in ../crt/example_2015.cert | openssl md5
openssl rsa -noout -modulus -in ssl_2015.key | openssl md5

I'm not sure what else to include here so let me know if I missed something.

Apache2ctl -S gives:

VirtualHost configuration:
255.255.255.255:80       new.example.com (/etc/httpd/conf.d/new.example.conf:2)
255.255.255.255:443      new.example.com (/etc/httpd/conf.d/new.example.conf:15)
*:443                  ip-172-16-255-255.internal (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
chris85
  • What is that example_2015_intermediate.pem? Is it actually an intermediate for your cert? Are the certs readable by the 'apache' user? – Dylan Knoll Apr 20 '17 at 20:27
  • Yes, the `/usr/local/ssl/crt/example_2015_intermediate.pem` is the intermediate. This is the same configuration I've used on CentOS 6 and 7 servers. This is a newer Apache version though (and Red Hat, which I've never used before). `-rw-r--r--. 1 root root 1.7K Apr 18 12:38 /usr/local/ssl/crt/example_2015_intermediate.pem`. Here's output from CentOS 6: `-rw-r--r-- 1 root root 1.7K Sep 4 2015 /usr/local/ssl/crt/example_2015_intermediate.pem` – chris85 Apr 20 '17 at 20:31
  • Can you cat all 3 certs and confirm output is ASCII and not binary? – Dylan Knoll Apr 20 '17 at 20:37
  • I don't have `cat`, I can `vim` them though. The certs all start with `-----BEGN CERTIFICATE-----` and end with `-----END CERTIFICATE-----`). The key starts with `-----BEGIN RSA PRIVATE KEY-----` and ends with `-----END RSA PRIVATE KEY-----`. – chris85 Apr 20 '17 at 20:41
  • Change 'SSLCACertificateFile' to 'SSLCACertificateChainFile' and retest. – Dylan Knoll Apr 20 '17 at 21:02
  • No luck there. Should have become `SSLCACertificateChainFile /usr/local/ssl/crt/ /usr/local/ssl/crt/example_2015_intermediate.pem`, right? – chris85 Apr 20 '17 at 21:05
  • Yeah, assuming the path typo was just here. Can you try giving apache ownership of the 3 certs just for laughs? – Dylan Knoll Apr 20 '17 at 21:06
  • Oh, yeah, the duplicated `/usr/local/ssl/crt/ ` was just here. Sure, `chown apache.apache /usr/local/ssl/ -R` had the same result. – chris85 Apr 20 '17 at 21:11
  • Wow, sorry I typoed that... should be SSLCertificateChainFile. Also what is listening on *:443 in /etc/httpd/conf.d/ssl.conf? Should that be there? – Dylan Knoll Apr 20 '17 at 21:35
  • Nothing I set up is `*:443`, maybe a default setting? The `SSLCertificateChainFile` allows Apache to start, but the SSL connection fails in browsers. It's the same as if I comment out that line. – chris85 Apr 20 '17 at 21:38
  • Which browsers have you tried? Try Firefox, Chrome and IE... but specifically IE. If IE works (with an error) we have got this down to a bad intermediate cert chain. Also what is the error given by the browser exactly? – Dylan Knoll Apr 20 '17 at 21:40
  • It looks like it is not using the SSL settings in the configuration. It says `Self-signed root certificate` and has the LAN address displayed. I've tried Chrome, Safari, and Firefox. – chris85 Apr 20 '17 at 21:45
  • The ssl.conf has `SSLCertificateFile /etc/pki/tls/certs/localhost.crt`, `SSLCertificateKeyFile /etc/pki/tls/private/localhost.key`, and `SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt`. If I comment these out apache won't restart either. – chris85 Apr 20 '17 at 21:50
  • Comment out and every line below up to and including in ssl.conf. – Dylan Knoll Apr 20 '17 at 21:51
  • That allows apache to connect but SSL won't work, different message. `ERR_SSL_PROTOCOL_ERROR` and `This site can’t provide a secure connection`. – chris85 Apr 20 '17 at 21:55
  • OK, so we're hitting the correct site now but it's a certificate installation issue. Can you try commenting out SSLCertificateChainFile in httpd.conf? – Dylan Knoll Apr 20 '17 at 22:01
  • Commented out has the same effect. – chris85 Apr 20 '17 at 22:05
  • Let's make this a bit easier: can you replace the block in ssl.conf with the one for the HTTPS site from httpd.conf? This is best practice anyway. – Dylan Knoll Apr 20 '17 at 22:06
  • The whole `virtualhost` bit or just the SSL part? – chris85 Apr 20 '17 at 22:07
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/57438/discussion-between-chris85-and-dylan-knoll). – chris85 Apr 20 '17 at 22:07
  • Just the whole block for the HTTPS site. – Dylan Knoll Apr 20 '17 at 22:07
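
The script below is an added example, not code from the question or from httpd. It runs, against a constructed throwaway root/intermediate/server chain, the checks the thread works through by hand: each file readable, PEM rather than DER, key modulus matching the certificate, and the file given as CA actually issuing the server certificate (AH01895 is what mod_ssl logs when it cannot load the file named by SSLCACertificateFile). The `make_demo_pki` helper, its paths and the demo CA names are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight checks for the three files an Apache SSL vhost points at with
# SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile.
# Added example, not from the question or from httpd; the demo PKI is constructed.

# check_tls_files CERT KEY CAFILE: reports every problem found, returns 0 only if all pass
check_tls_files() {
    cert=$1; key=$2; ca=$3; rc=0
    for f in "$cert" "$key" "$ca"; do
        # httpd reads these at startup; an unreadable or DER (binary) file makes
        # mod_ssl abort with an ssl:emerg error instead of serving anything
        [ -r "$f" ] || { echo "unreadable: $f"; rc=1; continue; }
        grep -q -- '-----BEGIN ' "$f" || { echo "not PEM: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    for f in "$cert" "$ca"; do   # both must parse as X.509 certificates
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || { echo "not a certificate: $f"; rc=1; }
    done
    # the modulus comparison from the question, hashed with sha256 rather than md5
    cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | openssl sha256)
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    [ "$cm" = "$km" ] || { echo "key does not match certificate: $key"; rc=1; }
    # does the file given as CA actually issue the server certificate?
    # -partial_chain lets a lone intermediate serve as the trust anchor
    openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to: $ca"; rc=1; }
    return "$rc"
}

# make_demo_pki DIR: constructed throwaway root -> intermediate -> server chain for exercising the checks
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=new.example.com' \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.pem" >/dev/null 2>&1
    # DER copy of the intermediate: the "is it binary?" case raised in the comments
    openssl x509 -in "$d/int.pem" -outform DER -out "$d/int.der" >/dev/null 2>&1
}

# usage: make_demo_pki /tmp/demo && check_tls_files /tmp/demo/server.pem /tmp/demo/server.key /tmp/demo/int.pem
```

Note that SSLCACertificateFile only configures client-certificate verification; the intermediate that browsers need to build the server chain belongs in SSLCertificateChainFile (or appended to SSLCertificateFile on httpd 2.4.8 and later), which is the change the comments arrive at.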

0 Answers