[olug] Apache will no longer run in Red Hat after a reboot

Damian Harouff cekkent at gmail.com
Tue Jan 27 14:26:14 CST 2015


If this is stock RHEL-provided Apache, SSL should already be compiled in,
which can be confirmed with:

root@svr [~]# httpd -t -D DUMP_MODULES | grep ssl
 ssl_module (static)
root@svr [~]#

Otherwise you'll have to compile it in or load the module.

Once you get over that hurdle, getting SSL going should be as easy as
specifying an additional VirtualHost directive on port 443 inside the
site's configuration:

<VirtualHost 192.168.1.1:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/ssl/star.example.com.crt
        SSLCertificateKeyFile   /etc/ssl/star.example.com.key

        ServerName      "two.example.com"
        DocumentRoot    "/var/www/html/two"

        CustomLog       "/var/log/httpd/two-access.log" combined
        ErrorLog        "/var/log/httpd/two-error.log"

        <Directory /var/www/html>
                AllowOverride none

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>



On Tue, Jan 27, 2015 at 2:16 PM, T. J. Brumfield <enderandrew at gmail.com>
wrote:

> Yeah, that's what I tried. httpd.conf is inheriting any *.conf file in
> /etc/httpd/conf.d so I just renamed nss.conf to nss.conf.bak (since
> nss.conf was the file actually loading mod_nss) and when I did that, Apache
> would start, but SSL wasn't working.
>
> On Tue, Jan 27, 2015 at 2:14 PM, Damian Harouff <cekkent at gmail.com> wrote:
>
> > I hate to be "that guy", but: is he even using mod_nss? Red Hat tends to
> > enable a lot of things arbitrarily. I know that NSS is more "open", but
> > mod_ssl might get him back online sooner.
> >
> > On Tue, Jan 27, 2015 at 2:11 PM, T. J. Brumfield <enderandrew at gmail.com>
> > wrote:
> >
> > > I'll try 644. Every article I saw on this said it must be a permission
> > > issue accessing the *.db files in /etc/httpd/alias but the permissions
> > > appear to be set correctly.
> > >
> > > On Tue, Jan 27, 2015 at 2:05 PM, Lou Duchez <lou at paprikash.com> wrote:
> > >
> > > > https://www.centos.org/forums/viewtopic.php?t=5818
> > > >
> > > > The fix seems to be:
> > > >
> > > > cd /etc/httpd
> > > > chmod -R +r alias
> > > >
> > > > I don't think that 640 is right; I think you're looking for 644.
> > > >
> > > > >> I got a call from a friend whose business depends on an Apache web
> > > > >> server, but he doesn't know much about Linux. He is running Red Hat
> > > > >> inside of a Windows Hyper-V VM. He bounced the Windows box for
> > > > >> patching, which in turn rebooted his VM. He doesn't remember the last
> > > > >> time he installed updates in Red Hat, but he does it from time to time.
> > > >>
> > > >> /var/log/httpd/error_log is just full of this:
> > > >>
> > > > >> [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> > > >> [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
> > > >>
> > > > >> I've never used NSS personally. I Googled for the error and literally
> > > > >> every hit I found was a permissions issue, that the apache wasn't
> > > > >> running under the right group or that group couldn't access the files
> > > > >> under /etc/httpd/alias.
> > > >>
> > > > >> The problem is that doesn't appear to be the problem with my buddy.
> > > > >> Every httpd process is running under apache:apache and all the *.db
> > > > >> files in /etc/httpd/alias are 640 and owned by the apache group,
> > > > >> exactly how they should be.
> > > >>
> > > >> My buddy's business is down until we can resolve this.
> > > >>
> > > > >> Any suggestions from someone more familiar with Red Hat/Fedora/CentOS
> > > > >> and NSS?
> > > >>
> > > >> -- T. J. Brumfield
> > > >> "I'm questioning my education
> > > >> Rewind and what does it show?
> > > >> Could be, the truth it becomes you
> > > >> I'm a seed, wondering why it grows"
> > > >> -- Pearl Jam, Education
> > > >> _______________________________________________
> > > >> OLUG mailing list
> > > >> OLUG at olug.org
> > > >> https://lists.olug.org/mailman/listinfo/olug
> > > >>
> > > >
> > > > _______________________________________________
> > > > OLUG mailing list
> > > > OLUG at olug.org
> > > > https://lists.olug.org/mailman/listinfo/olug
> > > >
> > >
> > >
> > >
> > > --
> > > "I'm questioning my education
> > > Rewind and what does it show?
> > > Could be, the truth it becomes you
> > > I'm a seed, wondering why it grows"
> > > -- Pearl Jam, Education
> > > _______________________________________________
> > > OLUG mailing list
> > > OLUG at olug.org
> > > https://lists.olug.org/mailman/listinfo/olug
> > >
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > https://lists.olug.org/mailman/listinfo/olug
> >
>
>
>
> --
> "I'm questioning my education
> Rewind and what does it show?
> Could be, the truth it becomes you
> I'm a seed, wondering why it grows"
> -- Pearl Jam, Education
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
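
The SSLCipherSuite value in the VirtualHost at the top of this message starts from ALL and only excludes ADH and EXPORT56, so SSLv2, 40-bit export, LOW and RC4 suites stay enabled. The following is an added example, not part of the original thread: a shell function that models the `!`, `-` and `+` operators of an OpenSSL cipher string and reports which weak classes survive. The function names and the choice of weak classes (SSLv2, EXP, LOW, RC4) are assumptions of this example.

```shell
#!/bin/sh
# Added example: simplified, order-aware model of OpenSSL cipher-string
# operators for auditing an Apache SSLCipherSuite value. Only ALL and
# explicitly named classes are modelled (DEFAULT and others are ignored).
WEAK="SSLv2 EXP LOW RC4"

add() {  # enable weak class $1 unless it was '!'-excluded or is already set
    case " $WEAK " in *" $1 "*) ;; *) return 0 ;; esac
    case "$killed$enabled" in *" $1 "*) return 0 ;; esac
    enabled="$enabled$1 "
}

# audit_ciphers STRING: print the weak classes the string leaves enabled.
audit_ciphers() {
    enabled=" " killed=" "
    set -f; old_ifs=$IFS; IFS=':, '
    for tok in $1; do
        case $tok in
            '!'*|-*)
                name=${tok#?}
                case $name in
                    EXPORT) name=EXP ;;
                    *+*) continue ;;  # '!A+B' drops only the A-and-B subset
                esac
                case $enabled in *" $name "*)
                    enabled="${enabled%% $name *} ${enabled#* $name }" ;;
                esac
                # '!' is permanent; '-' can be undone by a later token
                case $tok in '!'*) killed="$killed$name " ;; esac ;;
            +*) ;;  # '+X' only moves ciphers already listed to the end
            *)
                IFS=+  # bare 'A+B' means ciphers that are both A and B
                for part in $tok; do
                    case $part in
                        ALL) for c in SSLv2 EXP LOW RC4; do add "$c"; done ;;
                        EXPORT|EXPORT40|EXPORT56) add EXP ;;
                        *) add "$part" ;;
                    esac
                done
                IFS=':, ' ;;
        esac
    done
    IFS=$old_ifs; set +f
    echo $enabled
}

# Cipher string from the VirtualHost posted in the message above.
audit_ciphers 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
```

An empty result means none of the modelled weak classes remain; `openssl ciphers -v` with the same string lists the exact suites the installed OpenSSL build would negotiate.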

