View previous topic :: View next topic |
Author |
Message |
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Tue Oct 15, 2024 7:03 pm Post subject: apache2 failing with AH00016: Configuration Failed? [SOLVED] |
|
|
HELP!! I just did an update and apache is failing to start and getting is just getting this in it's error_log: Code: | AH00016: Configuration Failed |
The update didn't involve apache2 at all, nor PHP. The ONLY thing I can think of is that it did update openssl-3.0.14 to openssl-3.3.2.
Other than that I've got nothing. Any ideas?
Thanks!
Tom
Last edited by tld on Tue Oct 15, 2024 10:42 pm; edited 1 time in total |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Tue Oct 15, 2024 7:37 pm Post subject: |
|
|
WOW I am really really desperate here. I decided to try to recompile apache and that didn't help.
I have to think it's somehow related to that openssl, but HOW would that break the apache2 configuration?? Nothing even changed in there.
To make matters worse, I wanted to try downgrading dev-libs/openssl and is will NOT let me and somehow I'm missing why!!?? I added this:
Code: | grep dev-libs/openssl /etc/portage/package.mask
>dev-libs/openssl-3.0.14 |
And that 3.0.14 IS available yet I'm getting this?: Code: | emerge -auv dev-libs/openssl
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 19.29 s (backtrack: 0/20).
Total: 0 packages, Size of downloads: 0 KiB
!!! The following installed packages are masked:
- dev-libs/openssl-3.3.2::gentoo (masked by: package.mask)
/etc/portage/package.mask:
# IMPORTANT! Seeing if this fixes apache start failure with AH00016: Configuration Failed
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.
* dev-libs/openssl
Would you like to add these packages to your world favorites? [Yes/No] |
Why won't that downgrade??!! WHAT on earth am I missing with this!!? I feel like I'm loosing my mind.
EDIT: OK...I figured out that in order to downgrade openssl I have to downgrade curl as well. Trying that now.
Tom |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22581
|
Posted: Tue Oct 15, 2024 7:51 pm Post subject: |
|
|
If I remember correctly, the apache startup pre-checks the configuration file. If that checker were broken, you might get this error, even when the file is well-formed.
If you want to run an older openssl, ask for it: emerge --ask --oneshot --verbose '=dev-libs/openssl-3.0.14'.
Beyond that, you have not given us anything with which to work. |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Tue Oct 15, 2024 8:09 pm Post subject: |
|
|
Thanks Hu. I'm downgrading openssl now (which required also downgrading curl) and that will take a while. Hopefully that'll do it. If not I'll post everything that was in this update just to see if anything else there may have caused this.
Will post when that's done. I had no issues with these similar upgrades on this AMD machine. This failure is on my x86 mythtv backend.
Tom |
|
Back to top |
|
|
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1898
|
Posted: Tue Oct 15, 2024 8:14 pm Post subject: |
|
|
Quick online searches suggest checking other logs, often ssl_error_log, as well for a contributing factor. Often a bad/outdated certificate or key. |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Tue Oct 15, 2024 9:15 pm Post subject: |
|
|
Thanks grknight! First of all it clearly WAS being caused by the openssl upgrade as downgrading it got apache to start.
And as to your suggestion, I think I found the issue: Code: | cat /var/log/apache2/ssl_error_log
[Tue Oct 15 14:40:01.711698 2024] [ssl:emerg] [pid 2087:tid 2087] AH02562: Failed to configure certificate localhost:443:0 (with chain), check /etc/ssl/apache2/server.crt
[Tue Oct 15 14:40:01.711923 2024] [ssl:emerg] [pid 2087:tid 2087] SSL Library Error: error:0A00018F:SSL routines::ee key too small |
That's clearly because of the default self-signed certificate...specifically the one here: Code: | ls -l /etc/ssl/apache2
total 16
-r--r--r-- 1 root root 1038 Nov 15 2009 server.crt
-r--r--r-- 1 root root 749 Nov 15 2009 server.csr
-r-------- 1 root root 887 Nov 15 2009 server.key
-r-------- 1 root root 1926 Nov 15 2009 server.pem |
So I assume I have to re-generate that server.crt(?). Anyone familiar with how to do that offhand?
Thanks a million for the help! Wow that was tough.
Tom |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Tue Oct 15, 2024 9:40 pm Post subject: |
|
|
Wow. Any help with generating that God-awful self-signed cert would be greatly appreciated.
I'd forgotten how cryptic that mess is...have read about it and hoped I'd never have to do it. Now I remember why. Just horrible.
EDIT: OK. I was able to do that. After saving the old ones elsewhere, inside of /etc/ssl/apache2 I did this: Code: | sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./server.key -out ./server.crt |
That seems to have worked and I was able to restart apache. Upgrading back to the newer openssl now.
Tom |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Tue Oct 15, 2024 10:42 pm Post subject: |
|
|
OK....yup. With the new key I was able to upgrade openssl again and apache starts just fine. Thanks everyone for the help!!
Rom |
|
Back to top |
|
|
gjaekel n00b
Joined: 24 Nov 2022 Posts: 2
|
Posted: Fri Nov 01, 2024 12:38 pm Post subject: |
|
|
Thank you for solving this; I also just stepped into this issue while updating.
It happens on a bunch of quite older self-signed certifcates for different internal vhosts. It was difficult to discover, because it wan't logged in the main error log but in the vhosts error log file. And at first i had no clue what happens.
I found the unusable certificates with something like
Code: |
openssl x509 -in cert.pem -text -noout | grep 'Public-Key:.*1024'
|
|
|
Back to top |
|
|
|