9

I'm updating my question here, at the top, so anyone reading will encounter the latest unresolved issue first.

I was hasty in updating my question in response to Alex Narvey's advice.

The result of: bash3.2/Users/jnorris$ codesign -dv --verbose=4 "/opt/homebrew/opt/php/lib/httpd/modules/libphp.so"

is what I have below with the exception of:

...
Authority=My Name's CA
...

not just:

...
Authority=My Name
...

When I set Line 187 of my https.conf to:

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "My Name's CA"

I get the error message:

bash3.2/Users/jnorris$ apachectl -config
[Mon Feb 21 17:26:12.913882 2022] [so:error] [pid 3892] AH06663: Unable to find code signature authority on module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so that matches authority name "P James Norris's CA" configured on LoadModule directive.
httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

I take it that My Name's CA is a certificate that give me the authority to issue the signing certificate My Name, but I don't know if this is correct, and why I'm getting the error message I'm getting now as opposed to below.

Again, any help anyone can give me will be greatly appreciated because if I don't get this resolved soon, I'm going to downgrade my server to Mac OS 11 Big Sur, and I'd really rather not do that.

=====

I recently upgraded my Mac mini (M1, 2020) to Mac OS Monterey (12.0.1) and discovered that I had to download and code sign PHP 8.1. Having not had to code sign PHP before, I followed the instructions at "How to future proof your apache modules in macOS by signing them with your own certificate authority"1. But when I run apachectl configtest I get the following error message:

AH06663: Unable to find code signature authority on module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so that matches authority name "My Name" configured on LoadModule directive.
httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

This is what line 187 of my httpd.conf looks like:

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "my name"

I have confirmed that lib-up.so exists at /opt/homebrew/opt/php/lib/httpd/modules/.

Following Alex Narvey's advice, I:

bash3.2/Users/jnorris$ codesign -dv --verbose=4 "/opt/homebrew/opt/php/lib/httpd/modules/libphp.so"
Executable=/opt/homebrew/Cellar/php/8.1.1/lib/httpd/modules/libphp.so
Identifier=libphp
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=117087 flags=0x0(none) hashes=3654+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=721664
Hash type=sha256 size=32
CandidateCDHash xxxx
CandidateCDHashFull xxxx
Hash choices=sha256
CMSDigest=xxxx
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=13058048
Executable Segment flags=0x0
Page size=4096
CDHash=xxxx
Signature size=2064
Authority=***My Names's CA***
Signed Time=Dec 25, 2021 at 11:28:37 AM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=84

where I have changed the hashes to xxxx and my certificate name to My Name's CA.

Line 187 of my https.conf now reads:

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "xxxx"

But I still get the error:

bash3.2/Users/jnorris$ apachectl configtest
[Mon Jan 24 07:38:09.095804 2022] [so:error] [pid 14290] AH06663: Unable to find code signature authority on module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so that matches authority name "xxxx" configured on LoadModule directive.
httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

I see someone has asked a similar question at "Unable to codesign PHP v7.4 with Apache on Big Sur"2, but that request for help has been up for 2 months with no replies and s/he is getting error messages that I am not.

Thanks for any help anyone can offer.

P. James Norris
  • 158
  • 2
  • 14
  • I'm having the same error after uninstalling PHP (trying to switch to MAMP). – David Rhoden Dec 30 '21 at 00:53
  • I'm having the same problem in macOS 11. I have tried every solution presented without luck. I'm getting ```net::ERR_EMPTY_RESPONSE``` in Chrome for CSS and image files that are not missing. This is driving me crazy. – chillywilly Mar 05 '22 at 07:49

7 Answers7

6

You can find out exactly what the matches authority name is by checking the codesigning on the module.

codesign -dv --verbose=4 "/path/to/ModuleName.so"

This will yield the results that include a line like:

Authority=Developer ID Application: Example Name (XYZ12345678)

So you would put everything after the "Authority=" into your module load directive:

eg.

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "Developer ID Application: Example Name (XYZ12345678)"
Alex Narvey
  • 61
  • 1
  • Thank you for the advice. Unfortunately, it seems not have worked. Please see my question updated with the results of following your advice. – P. James Norris Jan 24 '22 at 16:16
  • It would appear that I was a little hasty in updating my question--my "Authority=" is different from what I said it was, and I think this is part of the problem. Please look back at my "Authority=" and the error message I get when I try to codesign with that Authority, and advise, if you can. – P. James Norris Feb 21 '22 at 23:51
  • It solved my issue, but in my case it was not outputing the Authority as above, but instead only with my name: `Authority=Telmo Dias` So I had to define the line on `httpd.conf` as `LoadModule php_module /usr/local/opt/php@8.1/lib/httpd/modules/libphp.so "Telmo Dias"` – Telmo Dias Mar 08 '23 at 16:08
2

Have you added the code signing certificate name after module path in PHP LoadModule directive in the httpd.conf file? For example in your httpd.conf file on line 187 it should now have the certificate name after the module:

/opt/homebrew/opt/php/lib/httpd/modules/libphp.so your-certificate-name

user3037179
  • 31
  • 3
  • 1
    Sorry, you shouldn't have had to ask this question--I should have said I did in my question. So, yes, but I have it in double-quotes, that is, "your-certificate-name". I have tried removing the quotes, and get the error message: ```httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: LoadModule takes two or three arguments, a module name and the name of a shared object file to load it from, optionally followed by the code signature authority name``` – P. James Norris Dec 28 '21 at 11:02
2

I had this same issue and the problem was that I was escaping a special character. This gave me that error:

LoadModule php_module /usr/local/opt/php\@8.1/lib/httpd/modules/libphp.so MY_CERT_COMMON_NAME

When I changed it to this and took out the escaping \ in front of the @:

LoadModule php_module /usr/local/opt/php@8.1/lib/httpd/modules/libphp.so MY_CERT_COMMON_NAME

The error went away and I got this coveted message instead:

[Mon Jan 17 08:16:47.071047 2022] [so:notice] [pid 85842] AH06662: Allowing module loading process to continue for module at /usr/local/opt/php@8.1/lib/httpd/modules/libphp.so because module signature matches authority "MY_CERT_COMMON_NAME" specified in LoadModule directive
Sheeri
  • 558
  • 3
  • 6
  • Thanks for your answer, but I don't have an ```@``` in my ```php_module``` path. I have updated my question and posted line 187 of my ```httpd.conf```, which I probably should have done from the beginning. Sorry to have wasted your time! – P. James Norris Jan 19 '22 at 15:59
  • Nice catch. This had worked for me. – Rakonjac Feb 25 '22 at 13:06
1

For me it was setting my authority certificate to "always trust" mode again after the update.

  1. go to your mac's keychain and find your certificate
  2. right click / Get Info
  3. in the dialog open the trust tab
  4. set to "Always Trust"

I went through the same blog article guide and you can find it there in step 29 in the section Contemporary.

It's as if Apple trying to ruin my apache setup with every update >.<

André Kelling
  • 1,575
  • 16
  • 23
  • 1
    Thanks for the suggestion, but it didn't do the job. When I opened trust tab, the certificate showed "Always Trust". I changed it to "Never Trust", closed the certificate and the system asked for my password to change the certificate's trust level. I then went back in and changed it back to "Always Trust", closed it, and reentered my password to make this change effective, and I continue to get the same error message. The error message doesn't say anything but trust--it says it can't FIND the certificate... – P. James Norris Feb 09 '22 at 18:18
1

It looks like everyone is experiencing different and unique gotchas so I'm going to add mine in hopes it helps someone else.

  1. Created Certificate Authority (set to Always Trust)
  2. Found the module's path to sign using grep -nir "^loadmodule.*php" /etc/apache2 the output was /etc/apache2/httpd.conf:72:LoadModule php7_module /usr/local/opt/php@7.4/lib/httpd/modules/libphp7.so
  3. Used codesign to sign the module codesign --sign "YOUR_AUTHORITY_NAME" --force --keychain ~/Library/Keychains/login.keychain-db /usr/local/opt/php@7.4/lib/httpd/modules/libphp7.so
  4. Tried to restart apache using sudo apachectl -k restart and that's when I encountered a similar error
Unable to find code signature authority on module at /usr/local/opt/php@7.4/lib/httpd/modules/libphp7.so that matches authority name "YOUR_AUTHORITY_NAME" configured on LoadModule directive.
httpd: Syntax error on line 72 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /usr/local/opt/php@7.4/lib/httpd/modules/libphp7.so

To troubleshoot I used the command codesign -dv --verbose=4 "/path/to/ModuleName.so" to get the authority name, it looked identical BUT I still copied it just to make sure.

The problem was the apostrophe character was different when certificate authority was created versus the one I manually typed in the terminal.

Solution: Copy/paste the authority name value from the troubleshooting step Authority=YOUR_AUTHORITY_NAME into your httpd.conf file as well as using it to sign the module.

After running codesign (step 3) command with the pasted value the output was /usr/local/opt/php@7.4/lib/httpd/modules/libphp7.so: replacing existing signature

Restart apache sudo apachectl -k restart, received the following output

AH06662: Allowing module loading process to continue for module at /usr/local/opt/php@7.4/lib/httpd/modules/libphp7.so because module signature matches authority "YOUR_AUTHORITY\xe2\x80\x99s NAME" specified in LoadModule directive

The apostrophe \xe2\x80\x99s character was the issue in my case.

dchayka
  • 1,291
  • 12
  • 20
  • I did have the same issue. So is the `AH06662` notice normal behavior after the codesign process? – free2idol1 May 24 '23 at 03:07
  • @free2idol1 I can't say with confidence that the output is "normal" but I did not experience any issues with the notice in place. – dchayka Jun 12 '23 at 15:28
0

if the codesign command yields this message: "code object is not signed at all"

you can sign the module with a built-in utility instructions

catomatic
  • 661
  • 8
  • 10
0

I got the php module to codesign using the Keychain ID found with security find-identity rather than the common name.

codesign -f -s 5142BA50D25CFF00A461C43FCD43F405B3703A88 /usr/local/opt/php/lib/httpd/modules/libphp.so

Then my php module loaded using the common as in

LoadModule php_module /usr/local/opt/php@8.2/lib/httpd/modules/libphp.so "My nice newly minted CA"
starball
  • 20,030
  • 7
  • 43
  • 238
Alan
  • 33
  • 2