httpd-users mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] Apache22 not starting - is this a SSL from ports bug?
Date Tue, 04 Jan 2011 00:58:23 GMT

----- "David Southwell" <david@vizion2000.net> wrote:

> Hi
> 
> 
> 
> Some assistance would be much appreciated as the web server is now off
> line.
> 
> 
> 
> System is FreeBSD 7.2 p3
> 
> 
> 
> apache22 has mysteriously stopped loading after an attempted restart.
> The log file even at debug level does not indicate why the server will
> not start. It was working fine and stopped following a recent ports
> upgrade.

Then it's not really mysterious? You have a very probable cause.

> I have had a similar symptom once before which seemed to be due to
> using ssl from ports. On that occasion I recompiled apache22 and all
> mods and put the following line in make.conf:
> 
> WITH_OPENSSL_FROM_PORTS=yes
> 
> and that appeared to solve the problem on that occasion.
> 
> 
> 
> HOWEVER this time I am not so fortunate and cannot get the server to
> start.
> 
> 
> 
> I am still curious about SSL from ports as a possible cause. openssl
> from ports is reported as version openssl-1.0.0_4 however as you can
> see from the httpd-error.log (in full below) the lines:
> 
> "[Sat Jan 01 15:08:57 2011] [info] mod_ssl/2.2.17 compiled against
> Server: Apache/2.2.17, Library: OpenSSL/1.0.0c"
> 
> make me wonder if the apache compile has ignored the make.conf
> 
> WITH_OPENSSL_FROM_PORTS=yes
> 
> and compiled from system default.

No, it has not. The OpenSSL from ports should by now be in exactly
that version: http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openssl/
While the system's OpenSSL will be something like 0.9.8m~
whoa.. I guessed it right:
http://ftp2.at.freebsd.org/pub/FreeBSD/ports/amd64/packages-7.2-release/security/

> Is that what those lines mean and if so how do I remedy it?
> 
> 
> 
> 
> 
> Below is some more detailed info which includes httpd.conf, list of
> ssl relevant ports, & the httpd-error.log file generated at debug
> level.
> 
> 
> 
> The following ssl relevant ports are installed:
> 
> 
> 
> linux-openssl-0.9.7f_2 SSL and crypto library (Linux Version)

This is not really relevant..

> openssl-1.0.0_4 SSL and crypto library

Yup.. OpenSSL from Ports.. 1.0.0c...
 
> php5-openssl-5.3.4 The openssl shared extension for php
> 
> py26-openssl-0.11 Python interface to the OpenSSL library
> 
> qca-ossl-2.0.0.b3_4 QCA OpenSLL plugin

These are not really relevant...
 

> httpd.conf Syntax is reported as OK
> 
> dns1# httpd -t
> 
> Syntax OK
> 
> 
> 
> dns1# hostname
> 
> dns1.vizion2000.net
> 
> dns1#

Is dns1 a hint on the role of that machine?
If so, why are you running an httpd with Subversion on a DNS server?!
 

> httpd-error.log file entries after trying to start the server:
> 
> dns1# /usr/local/sbin/apachectl -e debug -k start
> 
> test_2011_01_01_12
> 
> [Sat Jan 01 15:08:56 2011] [info] Init: Initialized OpenSSL library
> 
> [Sat Jan 01 15:08:56 2011] [info] Init: Seeding PRNG with 0 bytes of
> entropy

This sounds bad. Do you have a /dev/urandom or any other PRNG on your
system? Do you have something configured in httpd.conf...?


> [Sat Jan 01 15:08:56 2011] [info] Init: Generating temporary RSA
> private keys (512/1024 bits)
> 
> [Sat Jan 01 15:08:56 2011] [info] Init: Generating temporary DH
> parameters (512/1024 bits)
> 
> [Sat Jan 01 15:08:56 2011] [warn] Init: Session Cache is not
> configured [hint: SSLSessionCache]
> 
> [Sat Jan 01 15:08:56 2011] [info] Init: Initializing (virtual) servers
> for SSL
> 
> [Sat Jan 01 15:08:56 2011] [info] mod_ssl/2.2.17 compiled against
> Server: Apache/2.2.17, Library: OpenSSL/1.0.0c
> 
> [Sat Jan 01 15:08:56 2011] [info] mod_unique_id: using ip addr
> 62.49.197.50

<SNIP>

> LoadModule dav_svn_module libexec/apache22/mod_dav_svn.so
> LoadModule authz_svn_module libexec/apache22/mod_authz_svn.so


Why are you loading every single module in existence?
See: http://httpd.apache.org/docs/trunk/mod/
for a reference of which modules you need and which you can skip.

See: http://blag.esotericsystems.at/2010/04/simple-small-secure/
for a minimal config that works.
 
> User www
> 
> Group www
> 
> </IfModule>
> 
> 
> 
> ServerAdmin david@vizion2000.net
> 
> 
> 
> ServerName dns1.vizion2000.net
> 
> 
> 
> DocumentRoot "/usr_www/virtualwebs/vizion2000.net"
> 
> 
> 
> 
> 
> <Location /iinissvn>
> 
> DAV svn
> 
> SVNPath /usr_www/virtualwebs/vizion2000.net/iinis_svn
> 
> SVNListParentPath on
> 
> # Access control Policy
> 
> AuthzSVNAccessFile /usr/local/etc/apache22/Authz_iinis_svn
> 
> 
> 
> # try anonymous access first, resort to authentication
> 
> # if necessary
> 
> 
> 
> Require valid-user
> 
> AuthType Basic
> 
> AuthName "iinis svn repository"
> 
> AuthUserFile /usr/local/etc/apache22/svn-auth-iinis
> 
> 
> 
> </Location>
> 
> CustomLog /usr/local/etc/apache22/svn_dev_logfile "%t %u
> %{SVN-ACTION}e" env=SVN-ACTION
> 
> 
> 
> 
> 
> <Directory />
> 
> AllowOverride None
> 
> Order deny,allow
> 
> Deny from all
> 
> </Directory>
> 
> 
> 
> 
> 
> <Directory "/usr_www/virtualwebs/vizion2000.net">
> 
> 
> 
> Options All Indexes FollowSymLinks
> 
> DirectoryIndex index.php index.html
> 
> Options ExecCGI FollowSymLinks
> 
> 
> 
> AllowOverride None
> 
> 
> 
> Order allow,deny
> 
> Allow from all
> 
> 
> 
> </Directory>
> 
> 
> 
> Alias /doc /usr_www/virtualwebs/vizion2000.net/doc
> 
> <Directory "/usr_www/virtualwebs/vizion2000.net/doc">
> 
> Options Indexes FollowSymLinks
> 
> AllowOverride None
> 
> Order allow,deny
> 
> allow from all
> 
> </Directory>
> 
> <Directory "/usr_www/virtualwebs/icons">
> 
> Options FollowSymLinks ExecCGI
> 
> AllowOverride None
> 
> Order allow,deny
> 
> Allow from all
> 
> </Directory>
> 
> <IfModule dir_module>
> 
> DirectoryIndex index.php index.html
> 
> </IfModule>
> 
> 
> 
> 
> 
> <FilesMatch "^\.ht">
> 
> Order allow,deny
> 
> Deny from all
> 
> Satisfy All
> 
> </FilesMatch>
> 
> 
> 
> ErrorLog /var/log/httpd-error.log
> 
> 
> 
> 
> 
> LogLevel debug
> 
> 
> 
> <IfModule log_config_module>
> 
> #
> 
> # The following directives define some format nicknames for use with
> 
> # a CustomLog directive (see below).
> 
> #
> 
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
> 
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> 
> 
> 
> <IfModule logio_module>
> 
> # You need to enable mod_logio.c to use %I and %O
> 
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" %I %O" combinedio
> 
> </IfModule>
> 
> 
> 
> CustomLog /var/log/httpd-access.log combined
> 
> </IfModule>
> 
> 
> 
> <IfModule alias_module>
> 
> #
> 
> ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"
> 
> 
> 
> 
> 
> </IfModule>
> 
> 
> 
> <IfModule cgid_module>
> 
> #
> 
> # ScriptSock: On threaded servers, designate the path to the UNIX
> 
> # socket used to communicate with the CGI daemon of mod_cgid.
> 
> #
> 
> #Scriptsock /var/run/cgisock
> 
> </IfModule>
> 
> 
> 
> #
> 
> # "/usr/local/www/apache22/cgi-bin" should be changed to whatever your
> ScriptAliased
> 
> # CGI directory exists, if you have that configured.
> 
> #
> 
> <Directory "/usr/local/www/apache22/cgi-bin">
> 
> AllowOverride None
> 
> Options None
> 
> Order allow,deny
> 
> Allow from all
> 
> </Directory>
> 
> 
> 
> #
> 
> DefaultType text/plain
> 
> 
> 
> <IfModule mime_module>
> 
> #
> 
> # TypesConfig points to the file containing the list of mappings from
> 
> # filename extension to MIME-type.
> 
> #
> 
> TypesConfig etc/apache22/mime.types
> 
> 
> 
> 
> 
> AddType application/x-compress .Z
> 
> AddType application/x-gzip .gz .tgz
> 
> AddType application/x-httpd-php .php
> 
> AddType application/x-httpd-php-source .phps
> 
> 
> 
> AddHandler cgi-script .cgi
> 
> AddHandler python_module .py
> 
> 
> 
> </IfModule>
> 
> 
> 
> 
> 
> 
> 
> Include etc/apache22/Includes/*.conf
> 
> #Include etc/apache22/extra/httpd-ssl.conf

Okay..
I don't see a single line in your config that is SSL related.


> Photographic Artist
> 
> Permanent Installations & Design
> 
> Creative Imagery and Advanced Digital Techniques
> 
> High Dynamic Range Photography & Official Portraiture
> 
> Combined darkroom & digital creations
> 
> & Systems Administrator for the vizion2000.net network

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
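
The checks raised in the reply above (SSL directives in the main config, the PRNG seeding line, the OpenSSL version mod_ssl reports, the number of loaded modules) can be scripted. This is an added example, not part of the original thread; the sample config and log are constructed from lines quoted in the message, and the function names `audit_conf` and `audit_log` are hypothetical.

```python
import re

# Constructed sample input, abridged from the config and log quoted in the thread.
SAMPLE_CONF = """\
LoadModule dav_svn_module libexec/apache22/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache22/mod_authz_svn.so
LogLevel debug
Include etc/apache22/Includes/*.conf
#Include etc/apache22/extra/httpd-ssl.conf
"""
SAMPLE_LOG = """\
[Sat Jan 01 15:08:56 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Sat Jan 01 15:08:56 2011] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Jan 01 15:08:56 2011] [info] mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, Library: OpenSSL/1.0.0c
"""

def audit_conf(text):
    """List active SSL* directives, loaded modules, and active/commented-out Includes."""
    out = {"ssl_directives": [], "modules": [], "includes": [], "disabled_includes": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\s*Include\s+(\S+)", line, re.I)
        if m:  # a commented-out Include, such as the httpd-ssl.conf line in the thread
            out["disabled_includes"].append(m.group(1))
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "loadmodule" and len(parts) > 1:
            out["modules"].append(parts[1])
        elif name == "include" and len(parts) > 1:
            out["includes"].append(parts[1])  # must be audited too: SSL config may live there
        elif name.startswith("ssl"):  # e.g. SSLEngine, SSLRandomSeed, SSLSessionCache
            out["ssl_directives"].append(parts[0])
    return out

def audit_log(text):
    """Extract the PRNG seed size and the OpenSSL version mod_ssl was compiled against."""
    seed = re.search(r"Seeding PRNG with (\d+) bytes of entropy", text)
    lib = re.search(r"mod_ssl/\S+ compiled against Server: \S+, Library: OpenSSL/(\S+)", text)
    return {"seed_bytes": int(seed.group(1)) if seed else None,
            "openssl": lib.group(1) if lib else None,
            "no_session_cache": "Session Cache is not configured" in text}

if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
    print(audit_log(SAMPLE_LOG))
```

An empty `ssl_directives` list next to a wildcard `Include` means any SSL configuration lives in the included files, so those need the same pass.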

