# Enabling SSL Kills Apache



## Omega_Shadow (Aug 2, 2004)

I am back. Don't run away just yet, I think this one will be easy for you guys.

My Current Apache Configuration is spread out into three .conf files.

- httpd.conf: Basic Configuration
- httpd-vhosts.conf: Virtual Hosts Configuration and Site Specific Setup
- httpd-ssl.conf: Setup of SSL

Apache is currently running EXACTLY like I want it to with the exception of no SSL. All the Virtual Hosts are working like they should, and Apache serves files without errors.

However, the moment I uncomment the line

```
Include etc/apache22/extra/httpd-ssl.conf
```
and attempt to restart Apache, **** hits the proverbial fan.

Apache SAYS it starts but a quick status check shows it does not. Also, my Apache Log shows this error:

```
[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
```
Now, I can find the code it is talking about in the httpd-ssl.conf file, but I have no idea how to edit it so that it works. Can anyone lend me a hand?


----------



## MMJ (Oct 15, 2006)

Can you post the current config for SSLSessionCache?


----------



## Omega_Shadow (Aug 2, 2004)

Better yet, I will post the entire ssl-conf file.


----------



## MMJ (Oct 15, 2006)

Try this (from the txt file):

```
SSLSessionCache dbm:/var/run/ssl_scache
```


----------



## tomdkat (May 6, 2006)

Hey Omega!  As always, have you read the SSLSessionCache doc? 

It looks like "shmcb" isn't a valid option. Try "dbm:", as MMJ suggested, or "shm" or one of the others documented in the SSLSessionCache directive doc.

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

same error as before


----------



## tomdkat (May 6, 2006)

What you posted above is a warning, not an error. So, once again please post the error_log so we can see the errors being generated when Apache tries to start with SSL configured. Also, please post the updated httpd-ssl.conf file so we can see the current configuration. 

EDIT: This is at the top of httpd-ssl.conf:



> #
> # This is the Apache server configuration file providing SSL support.
> # It contains the configuration directives to instruct the server how to
> # serve pages over an https connection. For detailing information about these
> ...


 

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

Oh hey Tomdcat!
I have not read it yet due to the fact I didn't know it existed.
But I got your link loaded up and am reading through it now.



tomdkat said:


> Hey Omega!  As always, have you read the SSLSessionCache doc?
> 
> It looks like "shmcb" isn't a valid option. Try "dbm:", as MMJ suggested, or "shm" or one of the others documented in the SSLSessionCache directive doc.
> 
> Peace...


----------



## tomdkat (May 6, 2006)

In that case, here is the Apache 2.2 online doc. 

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

Alrighty. Here is the error log (truncated for easy reading)

```
[Fri Dec 21 15:15:46 2007] [notice] child pid 61159 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:47 2007] [notice] child pid 61160 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:48 2007] [notice] child pid 61161 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:49 2007] [notice] child pid 61162 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:50 2007] [notice] child pid 61163 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:51 2007] [notice] child pid 61164 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:52 2007] [notice] child pid 61165 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:53 2007] [notice] child pid 61166 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:54 2007] [notice] child pid 61167 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:55 2007] [notice] child pid 61169 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:56 2007] [notice] child pid 61168 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:57 2007] [notice] child pid 58234 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:58 2007] [notice] child pid 58313 exit signal Segmentation fault (11)
[Fri Dec 21 15:15:59 2007] [notice] child pid 61107 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:00 2007] [notice] child pid 58312 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:01 2007] [notice] child pid 58238 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:02 2007] [notice] child pid 61108 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:03 2007] [notice] child pid 61109 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:04 2007] [notice] child pid 58236 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:05 2007] [notice] child pid 61112 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:06 2007] [notice] child pid 61111 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:07 2007] [notice] child pid 61113 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:08 2007] [notice] child pid 58398 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:09 2007] [notice] child pid 58235 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:10 2007] [notice] child pid 61114 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:11 2007] [notice] child pid 61116 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:12 2007] [notice] child pid 61117 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:13 2007] [notice] child pid 61119 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:14 2007] [notice] child pid 61118 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:15 2007] [notice] child pid 61121 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:16 2007] [notice] child pid 61120 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:17 2007] [notice] child pid 61122 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:18 2007] [notice] child pid 61123 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:19 2007] [notice] child pid 61125 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:20 2007] [notice] child pid 61124 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:21 2007] [notice] child pid 61128 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:22 2007] [notice] child pid 61127 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:23 2007] [notice] child pid 61126 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:24 2007] [notice] child pid 61129 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:25 2007] [notice] child pid 61131 exit signal Segmentation fault (11)
[Fri Dec 21 15:16:26 2007] [notice] child pid 61133 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:24 2007] [notice] child pid 61180 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:25 2007] [notice] child pid 61181 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:26 2007] [notice] child pid 61182 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:27 2007] [notice] child pid 61183 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:28 2007] [notice] child pid 61184 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:29 2007] [notice] child pid 61110 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:30 2007] [notice] child pid 58396 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:31 2007] [notice] child pid 61132 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:32 2007] [notice] child pid 61136 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:33 2007] [notice] child pid 58311 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:34 2007] [notice] child pid 61171 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:35 2007] [notice] child pid 61172 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:36 2007] [notice] child pid 61135 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:37 2007] [notice] child pid 61130 exit signal Segmentation fault (11)
[Fri Dec 21 15:17:48 2007] [notice] child pid 58397 exit signal Segmentation fault (11)
[Fri Dec 21 15:50:48 2007] [error] [client 65.55.210.23] File does not exist: /www/chaos/robots.txt
[Fri Dec 21 16:45:57 2007] [notice] child pid 61134 exit signal Segmentation fault (11)
[Fri Dec 21 16:45:58 2007] [notice] child pid 61178 exit signal Segmentation fault (11)
[Fri Dec 21 16:46:07 2007] [error] [client 81.52.143.15] File does not exist: /www/chaos/robots.txt
[Fri Dec 21 16:46:33 2007] [notice] child pid 61367 exit signal Segmentation fault (11)
[Fri Dec 21 19:49:42 2007] [notice] caught SIGTERM, shutting down
[Fri Dec 21 19:50:29 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Dec 21 19:50:30 2007] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 21 19:50:30 2007] [notice] Digest: done
[Fri Dec 21 19:50:31 2007] [notice] Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4 with Suhosin-Patch configured -- resuming normal operations
```
I have attached the httpd conf file. I am still going through the Apache 2.2 Bible and adding comments to it as I go, so please ignore the mess of comment lines.

BTW, do you recommend the Apache Server 2.2 Bible, or was getting it a waste?


----------



## tomdkat (May 6, 2006)

I'm not familiar with Apache Server 2.2 Bible so I can't comment on whether it's good or not. 

So, the error_log you posted above corresponds with the httpd.txt file you just posted? If so, it looks like Apache should be up and running despite the warning message being logged.

So, enable httpd-ssl.conf in httpd.txt, restart Apache, and post the error_log after this Apache start so we can see the SSL oriented errors which prevent the server from starting. 

Peace...


----------



## MMJ (Oct 15, 2006)

I'll quietly step out.


----------



## tomdkat (May 6, 2006)

MMJ said:


> I'll quietly step out.


Why? I was _just_ about to post another Tectite FormMail recommendation since they've added another 5,000 lines of code to their script to support adding a CC: to their e-mail messages.  

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

Uh, that was from the trial start with the SSL uncommented.


----------



## tomdkat (May 6, 2006)

So, with the SSL stuff enabled the server successfully started? The error log doesn't indicate any kind of crash. What am I missing here????? Does a "ps ax | grep httpd" or an "/usr/local/apache22/bin/apachectl status" not indicate the server is up and running?

Unless you've done something with Apache since posting the error log, it looks like the server should be ready to rock. 

Peace...


----------



## tomdkat (May 6, 2006)

Ok, I just found this tidbit of information. In your httpd.txt file, you have an "ifmodule ssl_module" block:


```
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
```
Try commenting that out and moving it somewhere in httpd-ssl.conf and see if that warning goes away. *Before* doing that, we need to find out if your server is actually crashing when that warning message is logged.

Peace....


----------



## Omega_Shadow (Aug 2, 2004)

oh sorry. Here is how I know the server is not starting when I enable the SSL config

This is a status from BEFORE I uncomment the ssl config

```
[[email protected] ~]# /usr/local/etc/rc.d/apache22 status
apache22 is running as pid 61813.
[[email protected] ~]#
```
Now, I am going to uncomment that line in httpd.conf and try to restart apache


```
[[email protected] ~]# /usr/local/etc/rc.d/apache22 configtest
Performing sanity check on apache22 configuration:
Syntax OK
[[email protected] ~]# /usr/local/etc/rc.d/apache22 stop
Stopping apache22.
Waiting for PIDS: 62192.
[[email protected] ~]# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
[[email protected] ~]# /usr/local/etc/rc.d/apache22 status
apache22 is not running.
[[email protected] ~]#
```


----------



## tomdkat (May 6, 2006)

Ok, do this:

```
# /usr/local/etc/rc.d/apache22 stop
# ps ax | grep httpd
(make sure there are no httpd processes running)
# /usr/local/etc/rc.d/apache22 start
# ps ax | grep httpd
(make sure there ARE httpd processes running)
# tail /path/to/apache/error_log
```

Post the output here.

Thanks!

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

```
[[email protected] ~]# /usr/local/etc/rc.d/apache22 stop
Stopping apache22.
Waiting for PIDS: 62343.
[[email protected] ~]# ps ax | grep httpd
[[email protected] ~]# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
[[email protected] ~]# ps ax | grep httpd
62397  ??  Ss     0:00.69 /usr/local/sbin/httpd -DSSL -DNOHTTPACCEPT
62398  ??  S      0:00.00 /usr/local/sbin/httpd -DSSL -DNOHTTPACCEPT
62399  ??  S      0:00.00 /usr/local/sbin/httpd -DSSL -DNOHTTPACCEPT
62400  ??  S      0:00.00 /usr/local/sbin/httpd -DSSL -DNOHTTPACCEPT
62401  ??  S      0:00.00 /usr/local/sbin/httpd -DSSL -DNOHTTPACCEPT
62402  ??  S      0:00.00 /usr/local/sbin/httpd -DSSL -DNOHTTPACCEPT
[[email protected] ~]# tail /www/logs/apache_err_theta.log
[Fri Dec 21 22:04:36 2007] [notice] caught SIGTERM, shutting down
[Fri Dec 21 22:05:17 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Dec 21 22:05:18 2007] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 21 22:05:18 2007] [notice] Digest: done
[Fri Dec 21 22:05:19 2007] [notice] Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4 with Suhosin-Patch configured -- resuming normal operations
[Fri Dec 21 22:11:39 2007] [notice] caught SIGTERM, shutting down
[Fri Dec 21 22:11:59 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Dec 21 22:12:00 2007] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 21 22:12:00 2007] [notice] Digest: done
[Fri Dec 21 22:12:01 2007] [notice] Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4 with Suhosin-Patch configured -- resuming normal operations
[[email protected] ~]#
```


----------



## tomdkat (May 6, 2006)

Perfect! Now, run:

```
# /usr/local/etc/rc.d/apache22 status
```

and post the output here. 

Thanks!

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

It is important to note that the above output was WITHOUT uncommenting the SSL config line. I have completed the instructions again with the line uncommented and posted it below, along with the status of apache


```
[[email protected] ~]# /usr/local/etc/rc.d/apache22 stop
Stopping apache22.
Waiting for PIDS: 62397.
[[email protected] ~]# ps ax | grep httpd
[[email protected] ~]# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
[[email protected] ~]# ps ax | grep httpd
[[email protected] ~]# tail /www/logs/apache_err_theta.log
[Fri Dec 21 22:05:17 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Dec 21 22:05:18 2007] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 21 22:05:18 2007] [notice] Digest: done
[Fri Dec 21 22:05:19 2007] [notice] Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4 with Suhosin-Patch configured -- resuming normal operations
[Fri Dec 21 22:11:39 2007] [notice] caught SIGTERM, shutting down
[Fri Dec 21 22:11:59 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Dec 21 22:12:00 2007] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 21 22:12:00 2007] [notice] Digest: done
[Fri Dec 21 22:12:01 2007] [notice] Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4 with Suhosin-Patch configured -- resuming normal operations
[Fri Dec 21 22:21:14 2007] [notice] caught SIGTERM, shutting down
[[email protected] ~]# /usr/local/etc/rc.d/apache22 status
apache22 is not running.
```


----------



## tomdkat (May 6, 2006)

Omega_Shadow said:


> It is important to note that the above output was WITHOUT uncommenting the SSL config line. I have completed the instructions again with the line uncommented and posted it below, along with the status of apache


Where?

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

Look above. I accidentally pressed post before I pasted the output to the post.


tomdkat said:


> Where?
> 
> Peace...


----------



## tomdkat (May 6, 2006)

Omega_Shadow said:


> Look above. I accidentally pressed post before I pasted the output to the post.


Ok, here is the important line in the error log:

```
[Fri Dec 21 22:21:14 2007] [notice] caught SIGTERM, shutting down
```

This means Apache shut down since it was basically instructed to do so.

Ok, what is the current SSLSessionCache setting? What happens if you change it to "none", per the Apache doc? What happens if you comment out the SSLSessionCache setting? What happens if you try what is described here?

Lastly, set the LogLevel setting to "debug" and leave the SSL stuff enabled and hopefully we'll get more details in what is going on.

I'm off to play a card game and will check in with you later. If possible, post the output from error_log after starting the server with SSL enabled and the LogLevel set to "debug". Then, I'll pore over it and see what is lurking (hopefully).

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

Alright. Will do that first thing in the morning. My boss just told me to keep the server up for right now.


----------



## tomdkat (May 6, 2006)

Ok, that's cool. I thought you were NOT using the production server for this. If possible, make a copy of httpd.txt and change the default port for the main server to be 8042 or some other port. Turn OFF SSL in the production server and use the test server for debugging the SSL stuff. That way, you can bounce Apache all day long without impacting the production server.

My card game is now over. 

Have a good night and I'll check in on this thread sometime tomorrow.

Peace...


----------



## MMJ (Oct 15, 2006)

tomdkat said:


> Why? I was _just_ about to post another Tectite FormMail recommendation since they've added another 5,000 lines of code to their script to support adding a CC: to their e-mail messages.
> 
> Peace...


good one.  :up:


----------



## Omega_Shadow (Aug 2, 2004)

This is going to have to wait. My Terminal Computer at work that I do all the server work on just did its best impression of a car meeting a tree at 225 miles an hour.

Windows, for lack of better words, is ****ed. I need to reinstall the OS. I will be back at the beginning of the new year with a shiny new install of XP-Pro, ready to tackle this again.

Thanx for your help gentlemen. Happy New Year and Game On Winter-Een-Mas


----------



## tomdkat (May 6, 2006)

Sounds good! 

Peace...


----------



## Omega_Shadow (Aug 2, 2004)

I got a Shiny New OS (PCLinuxOS! Me So Happy!) and ready to rock and roll! (btw, that's on my Term PC, not the server)

Now, I have tried your suggestions and nothing worked. By following your example, I have done a bit of footwork of my own. I found where OpenSSL was placing its own log and opened that up. BINGO.

Found a very interesting block of errors/warns/debugs that repeats itself over and over corresponding with the times I try to start the server with SSL

```
[Wed Jan 02 23:17:37 2008] [info] Loading certificate & private key of SSL-aware server
[Wed Jan 02 23:17:37 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Wed Jan 02 23:17:37 2008] [info] Configuring server for SSL protocol
[Wed Jan 02 23:17:37 2008] [debug] ssl_engine_init.c(384): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Jan 02 23:17:37 2008] [debug] ssl_engine_init.c(580): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Wed Jan 02 23:17:37 2008] [debug] ssl_engine_init.c(708): Configuring RSA server certificate
[Wed Jan 02 23:17:37 2008] [warn] RSA server certificate CommonName (CN) `www.owwpaintball.com' does NOT match server name!?
[Wed Jan 02 23:17:37 2008] [debug] ssl_engine_init.c(747): Configuring RSA server private key
[Wed Jan 02 23:17:37 2008] [error] Unable to configure RSA server private key
[Wed Jan 02 23:17:37 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
```


----------



## tomdkat (May 6, 2006)

Excellent detective work!!! Unfortunately, I'm not an SSL guy but maybe if you post a message on an OpenSSL mailing list or forum, you can find out how to correct that.

Peace...


----------

