Apache2 won’t start when mod_ssl is loaded

apache-2.2

I reissued the SSL certificates for my website today, but now apache2 will not start up anymore. All I get from service apache2 start is this:

[....] Starting web server: apache2[Sat Apr 12 13:52:51 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
Action 'start' failed.
The Apache error log may have more information.
 failed!

(The warning shouldn't be there as apache2 is loading VirtualHost *:80 sites?)

There are only normal operations before this log. Line 2 is the original restart, line 3 is starting without loading mod_ssl and line 4 is trying to restart with mod_ssl again.

chmod: changing permissions of `/home/servers/MTA/newserver/mods/deathmatch/resources/[maps]/maps/DM-OS-TheNicO-SML-II/meta.xml': Operation not permitted
[Sat Apr 12 13:31:38 2014] [notice] caught SIGTERM, shutting down
[Sat Apr 12 13:51:08 2014] [notice] Apache/2.2.22 (Debian) PHP/5.5.11-1~dotdeb.1 configured -- resuming normal operations
[Sat Apr 12 13:51:51 2014] [notice] caught SIGTERM, shutting down

With LogLevel debug I get the following lines when trying to start apache:

[Sat Apr 12 14:36:13 2014] [info] Init: Seeding PRNG with 656 bytes of entropy
[Sat Apr 12 14:36:13 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Apr 12 14:36:13 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Apr 12 14:36:13 2014] [info] Init: Initializing (virtual) servers for SSL

I checked that the SSLCertificateKeyFile and SSLCertificateFile match and the key is for the certificate. I'm using Debian Wheezy with OpenSSL.

Site-logs all show this:

[Sat Apr 12 17:04:22 2014] [info] Loading certificate & private key of SSL-aware server
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Sat Apr 12 17:04:22 2014] [info] Configuring server for SSL protocol
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_init.c(469): Creating new SSL context (protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2)
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_init.c(705): Configuring permitted SSL ciphers [HIGH:MEDIUM:!aNULL:!MD5]
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_init.c(789): Configuring server certificate chain (4 CA certificates)
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_init.c(836): Configuring RSA server certificate
[Sat Apr 12 17:04:22 2014] [debug] ssl_engine_init.c(875): Configuring RSA server private key

Apache2 definitely knows about the sites (apache2ctl -t -D DUMP_VHOSTS):

[Sat Apr 12 17:21:02 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server twisted.twisted-gamers.net (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost twisted.twisted-gamers.net (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost dev.twisted-gamers.net (/etc/apache2/sites-enabled/dev.twisted-gamers.net:1)
         port 80 namevhost editor.twisted-gamers.net (/etc/apache2/sites-enabled/editor.twisted-gamers.net:1)
         port 80 namevhost forum.twisted-gamers.net (/etc/apache2/sites-enabled/forum.twisted-gamers.net:1)
         port 80 namevhost i.3ventic.eu (/etc/apache2/sites-enabled/i.3ventic.eu:1)
         port 80 namevhost minecraft.twisted-gamers.net (/etc/apache2/sites-enabled/minecraft.twisted-gamers.net:1)
         port 80 namevhost nyans.twisted-gamers.net (/etc/apache2/sites-enabled/nyans.twisted-gamers.net:1)
         port 80 namevhost www.twisted-gamers.net (/etc/apache2/sites-enabled/twisted-gamers.net:1)
         port 80 namevhost www.wiki.twisted-gamers.net (/etc/apache2/sites-enabled/wiki.twisted-gamers.net:1)
*:443                  is a NameVirtualHost
         default server dev.twisted-gamers.net (/etc/apache2/sites-enabled/dev.twisted-gamers.net:22)
         port 443 namevhost dev.twisted-gamers.net (/etc/apache2/sites-enabled/dev.twisted-gamers.net:22)
         port 443 namevhost editor.twisted-gamers.net (/etc/apache2/sites-enabled/editor.twisted-gamers.net:21)
         port 443 namevhost forum.twisted-gamers.net (/etc/apache2/sites-enabled/forum.twisted-gamers.net:21)
         port 443 namevhost i.3ventic.eu (/etc/apache2/sites-enabled/i.3ventic.eu:16)
         port 443 namevhost www.twisted-gamers.net (/etc/apache2/sites-enabled/twisted-gamers.net:21)
Syntax OK

How can I get apache2 running with SSL again?

Best Answer

If you have configured a VirtualHost, and Apache is giving you a warning that there are no VirtualHosts configured, the problem is with your VirtualHosts config, not your SSL certs.

I'd check you VirtualHosts config for syntax errors that may have occurred while you were updating it to take account of your new certificate.

Related Solutions

Apache Named VirtualHosts with wildcards

Update: * is valid syntax but not necessary. You can find out more here.

This will work though.

<VirtualHost *:80>
   ServerName example.com
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>

The first directive will match everything that is not explicitly defined elsewhere.

Linux – Apache2 quietly breaking, won’t make apache2.pid

Hmm, I am pretty suspicious of the config file

/etc/apache2/vhosts.d/30_subversion_ssl_vhost.conf

When you remove the '-D SSL' you will cause all parts of the configuration files that are enclosed in ... to be skipped. The default SSL vhost file on my Gentoo box is wrapped in that tag so I wonder if, by removing the '-D SSL', you are preventing the config in 30_subversion_ssl_vhost.conf from being run at all and if that is what is allowing Apache to start.

If you temporarily remove the file 30_subversion_ssl_vhost.conf from /etc/apache2/vhosts.d does Apache run? Are there any other SSL related vhost.conf files in vhosts.d? My reasonably fresh/unused Apache install's vhosts.d directory looks like this:

# pwd && ls
/etc/apache2/vhosts.d
00_default_ssl_vhost.conf  00_default_vhost.conf  default_vhost.include

edit 1:

So much for that theory :) I am now wondering if the problem is with the Apache SSL setup itself. I apologize if I am covering ground you have already checked but I am wondering if you could do the following to help verify your Apache install.

On my Apache install with working SSL the use flags are as follows:

# emerge -av apache

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] www-servers/apache-2.2.11-r2 [2.2.11] USE="ssl -debug -doc -ldap (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -auth_digest -authn_dbd -cern_meta -charset_lite -dbd -dumpio -ident -imagemap -log_forensic -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_ftp -proxy_http -substitute -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 64 kB

In particular do you have the 'ssl' USE flag set?

Also, could you use equery to verify the integrity of your apache2 install? If you do not have the equery command you can install it by running 'emerge -av gentoolkit'. The following command should verify the integrity of your apache install:

equery check apache

On my server the above command gives the following output:

[ Checking www-servers/apache-2.2.11 ]
!!! /etc/apache2/vhosts.d/00_default_ssl_vhost.conf has wrong mtime (is 1256620928, should be 1246793824)
!!! /etc/apache2/modules.d/00_default_settings.conf has wrong mtime (is 1246796304, should be 1246793824)
!!! /etc/conf.d/apache2 has incorrect md5sum
 * 429 out of 432 files good

edit 2:

Well the install looks good to me, so much for theory 2. I am wondering if we can coax Apache into giving some more information on startup. In /etc/conf.d/apache2 if you change your APACHE2_OPTS line from:

APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

APACHE2_OPTS="-X -e debug -D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

and then start Apache (/etc/init.d/apache2 start) the daemon should stay in the foreground (the -X flag) and output debuging messages as it starts (the -e debug option). Maybe this will give a clue as to why it is dying on startup.

Best Answer

Related Solutions

Apache Named VirtualHosts with wildcards

Linux – Apache2 quietly breaking, won’t make apache2.pid

Related Topic