Linux – Internal Server Error 500 Apache 2.4 with LDAP authentication on CentOs 7

apache-2.4ldaplinux

I have a centos 7 server with apache 2.4.6 and enabled mod_ldap and mod_authnz_ldap modules. After entering username and password I get Internal server 500 error and not showing any error logs in error.log file.
Here is the configuration file

    <VirtualHost *:443>
    ServerName mypage.local
    ServerAlias www.mypage.local
    DocumentRoot /var/www/html/mycompany
    SSLEngine on
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/server.key
    ErrorLog /var/log/httpd/error.log
    </VirtualHost>

    <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteCond %{HTTPS} !on
     RewriteRule .* https://%{HTTP_HOST}/%{REQUEST_URI} [R=301,L,QSA]
     </IfModule>
     <Location />

     SSLRequireSSL
     #LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/server.crt
     #LDAPTrustedMode TLS
     AuthType Basic
     AuthName "Akhil"
     AuthBasicProvider ldap
     #LDAPVerifyServerCert  off
     AuthLDAPBindDN "cn=read-only,dc=example,dc=com"
     AuthLDAPBindPassword "password"
     AuthLDAPURL "ldap://xxxxxxx.com:389/ou=xxxxx,dc=example,dc=com?sAMAccountName?sub?(ObjectClass=*)"
     #AuthUserFile /var/www/html/mycompany/htpasswd
     Require valid-user
     </Location>

The authentication works perfectly with htpasswd and got internal server error with AuthBasicProvider as ldap.
I've also attached the error log.. Used self signed certificate for https….

[Sat Jan 07 16:08:23.216525 2017] [ssl:warn] [pid 3815] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:08:23.274161 2017] [ssl:warn] [pid 3815] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:27:15.571289 2017] [ssl:warn] [pid 3982] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:27:15.627542 2017] [ssl:warn] [pid 3982] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:28:40.799204 2017] [ssl:warn] [pid 4017] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:28:40.854610 2017] [ssl:warn] [pid 4017] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name

Best Answer

Can you try the following three changes?

SSLRequireSSL removed
valid-user changed to ldap-user
START_TLS re-enforced (see AuthLDAPURL)

, require

# the following two directives have to be OUTSIDE vhost
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/server.crt
LDAPTrustedMode TLS
<VirtualHost *:443>
[...]
<Location />
 AuthType Basic
 AuthName "Akhil"
 AuthBasicProvider ldap
 AuthLDAPBindDN "cn=read-only,dc=example,dc=com"
 AuthLDAPBindPassword "password"
 # note TLS added at the end of this line
 AuthLDAPURL "ldap://xxxxxxx.com:389/ou=xxxxx,dc=example,dc=com?sAMAccountName?sub?(ObjectClass=*)" TLS
 #AuthUserFile /var/www/html/mycompany/htpasswd
 Require ldap-user
</Location>

Related Solutions

Linux – Apache server keeps crashing regularly

I'm not saying this is what's happening but based on my own experience as a CentOS admin, it's most likely runaway apache/php processes taking down the server. I've seen this numerous times on CentOS 5. It's frustrating because there's usually not a trace of what happened in the log files. The machine just grinds to a halt due to physical memory and swap being sucked up by apache/php processes. You would think linux memory management or some daemon would jump in and say "hey stop" but it doesn't. It'll let apache grind your system to a halt.

Having said that, to see what's happening you'll need something that can monitor and log resource usage. I like to use a program called atop. Atop is a lot like the top program but it also takes a snapshot of resource usage at defined intervals. It's pretty simple to install.

wget http://www.atcomputing.nl/Tools/atop/packages/atop-1.23.tar.gz 
tar -zxvf atop-1.23.tar.gz
cd atop-1.23 && make install

Open /etc/atop/atop.daily with a text editor and change INTERVAL=600 to INTERVAL=60

Run the command /etc/atop/atop.daily from a command prompt to start it. Wait a few minutes and run atop -r /var/log/atop/atop_20091118 with the correct date of course.

Hit the t key to go forward in time and T to go back. Next time your server crashes do this and check the MEM free and SWP free lines. If you have memory problems these will be in red. Also look for numerous httpd lines under CMD. If apache/php is your problem there'll be a bunch of them.

If this is the case, I recommend looking at you're MaxClients setting in httpd.conf. If set too high, apache will gladly eat all of your memory causing your machine to crash. Apache/php can easily eat 40-50MB/process. If you multiply 40mb x MaxClients you'll get a rough idea of how much memory apache can potentially use. MaxClients usually defaults to 150 on CentOS so apache can potentially use 6GB of memory by default. This doesn't include memory your system needs for itself and other processes to run. Try setting it to a more realistic value based on the amount of memory you have like 40 if you have 2G of memory and see if that helps. Also if you have KeepAlive On, set KeepAliveTimeout to a low number like 2 or 3.

In my opinion CentOS's apache/php compilation is a real pos that should never have seen the light of day. It's buggy and crash prone. If you run a serious site, I highly recommend compiling your own version of apache/php or even using one of the newer high performance webservers like lighttpd or nginx with fgci php.

Ubuntu – Server certificate does NOT include an ID which matches the server name

If the certificate is valid for specifically only *.dashboard.example.com, it's not valid for dashboard.example.com (the latter does not match the wildcard).

ServerName is used to specify the canonical name (one single name) for the site.
Additional names and wildcards only go into ServerAlias.

Setting eg ServerName foo.dashboard.example.com should work (in combination with the ServerAlias you have).

Regarding the mentioned issues with the certificate chain, these do not appear to be related to the actual question.
I would suggest ensuring that all required intermediate certificates are correctly bundled.

As you noted SSLCertificateChainFile is obsolete, you do not need to use it, you can just put all the certificates in SSLCertificateFile.

The Qualy's SSL Labs test can be used for seeing if any intermediate certs are missing or if there are other issues.

Best Answer

Related Solutions

Linux – Apache server keeps crashing regularly

Ubuntu – Server certificate does NOT include an ID which matches the server name

Related Topic