httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Lindner <mailingli...@xgm.de>
Subject Re: [users@httpd] Make Apache react more graceful to SSL errors
Date Sun, 01 May 2016 13:36:26 GMT
Hello,

Am Sonntag, 1. Mai 2016, 14:28:42 CEST schrieb Dr James Smith:
> Agree with Michael,
> 
> My start/stop scripts all now do a configtest before trying to
> stop/start apache - this way I never have no service if something goes
> wrong!

What is deem problematic with this approach, is that I do a configuration 
change and after putting the change into place I see that it fails by using 
configtest. Then I need to do a rollback of my configuration. I'm having very 
simple script to build my config, right now there is no backup or alike before 
the configuration.

But is seems there is no other possibility and I need to implement some kind 
of rollback.

Florian

> I do have a forcestop which will stop an apache if the config is wrong -
> as a last resort!
> 
> James
> 
> On 01/05/2016 14:27, Michael A. Peters wrote:
> > On 05/01/2016 06:19 AM, Florian Lindner wrote:
> >> Hello,
> >> 
> >> in my server configuration users can place their own SSL certificate in
> >> predefined directories. A daily cron script detects them, updates the
> >> apache
> >> config and restarts the server.
> >> 
> >> However, if there is a problem with the certificate or key file, the
> >> apache
> >> refused to work altogether.
> >> 
> >> Is it possible to make apache disable only the problematic vhost
> >> instead of
> >> refusing to start?
> > 
> > What you probably need to do is validate the certificates before
> > updating the apache configuration file. The TLS library (e.g. openssl)
> > probably can do that, though I'm not familiar with the specific
> > argument you would need.
> > 
> > Apache also has a check that can test whether or not apache will
> > successfully start, that you can run before restarting the server.
> > 
> > apachectl configtest
> > 
> > I believe is the command.
> > 
> > I'm not sure it tests all the TLS certs but if it doesn't, it is a bug
> > in my mind.
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message