
Having an SSL certificate problem

Status
Not open for further replies.

rlttharp

Technical User
Oct 21, 2008
13
Hello All,

New to the forum and very new to Linux and Apache. I have a Fedora Core 6 server with Apache and mod_ssl. I have had it up and running for a year. I was using a Go Daddy certificate for some e-commerce that is hosted on the server at the URL. Well, it came due. I created a new CSR, did the procedure and placed the cert, the intermediate bundle and the key in the proper location, "getting it from the ssl-config". When I restart the server the HTTPD fails to start? When I place the old files back in place it starts fine? Followed the same procedure that worked the first time and yet I have failure. Any suggestions as to where to look for some clues would be greatly appreciated!
Rich
 
Anything in the error logs? This is usually a mismatch in the keys or it's waiting for a passphrase.
 
Error logs, btw, are located in one of two places. If you use the generic Apache install provided with FC, they'll be located in /etc/httpd/logs. If you inherited the server, the log location may have been changed to /var/log/httpd.
 
Well, I went into the error logs and have these errors from 4 different log files:

"WARNING"] [hostname "www.petestown.com"] [uri "/admin/whos_online.php?info=flsudfscbspovnlvrjgu4nb624&zenAdminID=r4eg92p99spiq3q1lhot87m2o7"] [unique_id "-7juyUz1XqkAAD@jYLUAAAAI"]
[Thu Oct 23 14:52:56 2008] [notice] caught SIGTERM, shutting down

[Thu Oct 23 14:34:34 2008] [error] [client 76.245.94.173] ModSecurity: Warning. Operator EQ match: 0. [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"] [hostname "www.petestown.com"] [uri "/admin/index.php?zenAdminID=r4eg92p99spiq3q1lhot87m2o7"] [unique_id "wPwTwkz1XqkAAEaQoZwAAAAS"]

76.245.94.173 - - [23/Oct/2008:14:52:04 -0500] "GET /admin/whos_online.php?info=flsudfscbspovnlvrjgu4nb624&zenAdminID=r4eg92p99spiq3q1lhot87m2o7 HTTP/1.1" 200 5214 " "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"

--f356c176-H--
Message: Could not set variable "resource.alerted_960903_compression" as the collection does not exist.
Message: Warning. Operator EQ match: 0. [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]
Apache-Handler: php5-script
Stopwatch: 1224791524175561 104342 (1006 3217 103692)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--f356c176-Z--

These are the things it gives me! Not that I understand them.
 
I assume the SIGTERM is the shutdown, but I don't see a startup (and the others seem to be generated from accesses)

When you simply start/stop your correct config, do you see
the apache startup in your error log?

Does the https site have a separate error log, and is the SSLEngineLog configured? The engine log is where an SSL problem would be reported.

Do you see port 443 bound (using netstat -an) for the IP of your https site?
 
Oh, perhaps it is logging in /var/log/messages or daemon.log or something? Do an ls -lt after starting it up to see if it wrote to a log in that directory.
 
Well, I went through and made sure all the logs are pointing to /var/logs/httpd. Then I put the new certificate along with its bundle and the key in the proper places and did a restart! It failed again as usual. This was after talking to Go Daddy and asking them how it should be keyed! I also looked at it in the KDE software that allows you to look at certs, and both the cert and bundle came up fine! They looked just how they were supposed to? Your thoughts?

This log is the httpd error

[Fri Oct 24 16:43:51 2008] [error] [client 38.99.44.105] ModSecurity: Warning. Operator EQ match: 0.
[id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]
[hostname "www.petestown.com"] [uri "/index.php?main_page=product_info&products_id=182"]
[unique_id "rU-VAkz1XqkAAEt7F2sAAAAA"]
[Fri Oct 24 16:43:56 2008] [notice] caught SIGTERM, shutting down
[Fri Oct 24 16:47:45 2008] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Fri Oct 24 16:47:45 2008] [notice] SELinux policy enabled; httpd running as context
system_u:system_r:httpd_t:s0
[Fri Oct 24 16:47:45 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 24 16:47:46 2008] [notice] ModSecurity for Apache 2.1.3 configured - Apache/2.2.6 (Fedora)
[Fri Oct 24 16:47:47 2008] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 24 16:47:47 2008] [notice] Digest: done
[Fri Oct 24 16:47:50 2008] [notice] mod_python: Creating 4 session mutexes based on 199 max
processes and 0 max threads.
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
[Fri Oct 24 16:47:50 2008] [notice] Apache/2.2.6 (Unix) DAV/2 mod_auth_kerb/5.3 mod_auth_pgsql/
2.0.3 mod_ssl/2.2.6 OpenSSL/0.9.8b Apache/2.2.0 (Fedora) mod_mono/1.2.1 mod_nss/2.2.6
NSS/3.11.7.1 PHP/5.1.6 mod_python/3.2.8 Python/2.4.4 SVN/1.4.3 mod_apreq2-20051231/2.6.1
mod_perl/2.0.2 Perl/v5.8.8 configured -- resuming normal operations
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
[Fri Oct 24 16:49:11 2008] [notice] caught SIGTERM, shutting down
[Fri Oct 24 16:51:38 2008] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Fri Oct 24 16:51:38 2008] [notice] SELinux policy enabled; httpd running as context
system_u:system_r:httpd_t:s0
[Fri Oct 24 16:51:38 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 24 16:51:39 2008] [notice] ModSecurity for Apache 2.1.3 configured - Apache/2.2.6 (Fedora)
[Fri Oct 24 16:51:40 2008] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 24 16:51:40 2008] [notice] Digest: done
[Fri Oct 24 16:51:44 2008] [notice] mod_python: Creating 4 session mutexes based on 199 max
processes and 0 max threads.
[Fri Oct 24 16:51:45 2008] [notice] Apache/2.2.6 (Unix) DAV/2 mod_auth_kerb/5.3 mod_auth_pgsql/
2.0.3 mod_ssl/2.2.6 OpenSSL/0.9.8b Apache/2.2.0 (Fedora) mod_mono/1.2.1 mod_nss/2.2.6
NSS/3.11.7.1 PHP/5.1.6 mod_python/3.2.8 Python/2.4.4 SVN/1.4.3 mod_apreq2-20051231/2.6.1
mod_perl/2.0.2 Perl/v5.8.8 configured -- resuming normal operations
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied
/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: exec: /usr/bin/mono: cannot execute: Permission
denied

The next message was from webmin!

Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 113 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/ does not exist
or is empty
[FAILED]
 
From the above, it would seem you have a number of errors to investigate:

/usr/lib64/pkgconfig/../../bin/mod-mono-server: line 2: /usr/bin/mono: Permission denied

The above indicates that when mod-mono-server attempts to start the mono executable, it gets a permission-denied condition. Verify that the user ID Apache is started as has the correct permissions. They should be set to rwxr-xr-x. Verify this by doing:

ls -al /usr/bin/mono

And the other error is the:

SSLCertificateFile: file '/etc/pki/tls/certs/ does not exist

The biggest concern right now is that the SSLCertificateFile either is not in the correct directory or is empty. This would prevent Apache from starting.
 
Yes, I did an ls -al /usr/bin/mono and got this!

-rwxr-xr-x 1 root root 1875216 Nov 7 2007 /usr/bin/mono

As for the other, the path and file are correct, and viewing the certificate in the KDE software shows a valid certificate!
 
Well, both the old and the new reside in the same place! And as stated, when the old one is started with the httpd it starts fine and the server is running; it's just that you have an expired certificate when you go to make a purchase. So it would make sense that it is a readable path if one is working! Would you agree?
 
Did you check the mode of the file?

I looked at the mod_ssl.c code briefly; the "exists" checks are well before anything that would check the cert. It checks that the file exists, is non-zero and is a "regular" file.
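The checks suggested across these replies (a key/cert mismatch or a passphrase prompt, the mode of the file, and mod_ssl's own exists/non-empty/regular-file test) collected into one preflight script, as an added example that is not part of the thread or of Apache. It also classifies the file's encoding, because a DER certificate or a PKCS#7 bundle opens fine in a GUI certificate viewer but is not what SSLCertificateFile accepts; the thread never establishes what was wrong with the CA-issued file, so treat that as one thing to rule out, not the diagnosis. The paths, the "apache" user name, and the sample files that demo() builds are assumptions, not anything from the original posts.

```python
"""Preflight for an Apache mod_ssl certificate file, run before restarting httpd.
Added example for this thread, not code from the posts or from Apache. Paths, the
"apache" user and the files demo() writes are assumptions / constructed samples.
Usage: python3 ssl_preflight.py /etc/pki/tls/certs/site.crt /etc/pki/tls/private/site.key
"""
import base64, grp, os, pwd, re, shutil, stat, subprocess, sys, tempfile

# One PEM block: "-----BEGIN LABEL-----", base64 body, "-----END LABEL-----".
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(data):
    """(label, decoded DER) for every PEM block; DER is None if the base64 is corrupt."""
    out = []
    for label, body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(body)
        except ValueError:
            der = None
        out.append((label.decode("ascii"), der))
    return out


def detect_format(data):
    """SSLCertificateFile wants a PEM X.509 cert; DER or a PKCS#7 bundle is rejected."""
    if not data:
        return "empty"
    labels = {label for label, _ in pem_blocks(data)}
    if "PKCS7" in labels:
        return "pkcs7-pem"
    if "CERTIFICATE" in labels:
        return "pem"
    if labels:
        return "pem-without-certificate"  # e.g. the key file was named by mistake
    return "der" if data[:1] == b"\x30" else "unknown"


def readable_by(st, user):
    """May `user` read a file with these stat bits? None if the user is unknown here.
    httpd reads the cert while still root, so this matters mostly after the User drop."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return None
    if pw.pw_uid == 0:
        return True
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_cert_file(path, user="apache"):
    """mod_ssl's startup test (exists, regular, non-empty) plus mode and encoding checks.
    Returns a list of problem strings; an empty list means the file passes."""
    if not os.path.exists(path):
        return ["does not exist (check the exact path and filename in ssl.conf)"]
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["is not a regular file"]
    if st.st_size == 0:
        return ["is empty"]
    problems = []
    if readable_by(st, user) is False:
        problems.append(f"is not readable by {user} (mode {stat.filemode(st.st_mode)})")
    with open(path, "rb") as f:
        data = f.read()
    fmt = detect_format(data)
    if fmt != "pem":
        problems.append(f"is {fmt}, not a PEM certificate; convert with "
                        "'openssl x509 -inform DER -in f -out f.pem' or "
                        "'openssl pkcs7 -print_certs -in f -out f.pem' (-inform DER for a binary .p7b)")
    elif any(der is None or der[:1] != b"\x30"
             for label, der in pem_blocks(data) if label == "CERTIFICATE"):
        problems.append("has a CERTIFICATE block that is not valid base64 of a DER SEQUENCE")
    return problems


def key_needs_passphrase(data):
    """An encrypted key makes httpd stop and wait for a passphrase at startup."""
    return b"ENCRYPTED" in data


def key_matches_cert(cert_path, key_path):
    """Compare RSA moduli via the openssl CLI: True/False, or None if openssl is absent or
    a file cannot be parsed. A cert issued against a different CSR than this key fails here."""
    if shutil.which("openssl") is None:
        return None

    def modulus(*args):
        r = subprocess.run(["openssl", *args, "-noout", "-modulus"],
                           stdin=subprocess.DEVNULL, capture_output=True)
        return r.stdout.strip() if r.returncode == 0 else None

    cert, key = modulus("x509", "-in", cert_path), modulus("rsa", "-in", key_path)
    return None if cert is None or key is None else cert == key


def demo():
    """Constructed sample files (not real certificates) that exercise each branch."""
    samples = {
        "good.crt": b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
        "bundle.p7b": b"-----BEGIN PKCS7-----\nMAMCAQE=\n-----END PKCS7-----\n",
        "cert.der": b"\x30\x03\x02\x01\x01",
        "empty.crt": b"",
    }
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        me = "root"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
            results[name] = check_cert_file(os.path.join(d, name), me)
        results["missing.crt"] = check_cert_file(os.path.join(d, "missing.crt"), me)
    return results


if __name__ == "__main__":
    cert_path, key_path = sys.argv[1], sys.argv[2]
    for p in check_cert_file(cert_path):
        print(f"{cert_path} {p}")
    with open(key_path, "rb") as f:
        if key_needs_passphrase(f.read()):
            print(f"{key_path} is encrypted: httpd will prompt for a passphrase at startup")
    print("key matches certificate:", key_matches_cert(cert_path, key_path))
```

Run it before `apachectl configtest` or the restart. If SELinux is enforcing (the log pasted above says it is, with httpd in httpd_t), also compare `ls -Z` on the old and new files: a file copied into /etc/pki/tls/certs with the wrong context is refused by policy even though the process is root when it reads the certificate, which none of the mode checks above would catch.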
 
OK, you lost me there. What do you mean by "checking the mode"? REMEMBER, I am a real novice at this LOL
 
At a loss here, unless Apache was set up chrooted in some fashion.

Try a dummy cert, see if it comes up.
 
Yeah, I have been very busy all day. I am going to create a self-signed cert and try it out! I think it's how it's keyed, and the fact that we did not document it and should have! Apache Apache or Redhat Apache or Other Apache. You have to select the server type and platform. I think something has gone bad here. It really bothers me that Go Daddy does not know what it should be for Fedora, Apache, mod_ssl LOL. I will do that cert this evening and see what happens. I will post that tomorrow for the educational benefit of this all!
 
Yeah, I am really confused.

You can even try to point it to a file that doesn't exist, or a file that you know exists (it doesn't need to be a crt; I just want to see the error or lack thereof). I don't know why you can see the file but Apache can't. (Since the other crt is in the same dir, it can't be pathing, as you stated.)
 
Well, I am doing nothing more than going back and forth: old works, new does not. NOW I even generated my own, stuck it in there, and it works fine LOL. So THEIR old one works, MY new one works, THEIR NEW one does not work. It's not the configuration path or anything other than their file! PERIOD lol. I just sent a long nasty message to them. Go check the cert now: the one that is running is my self-signed one and the system works with it.
 