Gentoo Forums
apache2 failing with AH00016: Configuration Failed? [SOLVED]

tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Tue Oct 15, 2024 7:03 pm    Post subject: apache2 failing with AH00016: Configuration Failed? [SOLVED]

HELP!! I just did an update and apache is failing to start and is just getting this in its error_log:
Code:
AH00016: Configuration Failed

The update didn't involve apache2 at all, nor PHP. The ONLY thing I can think of is that it did update openssl-3.0.14 to openssl-3.3.2.

Other than that I've got nothing. Any ideas?

Thanks!
Tom


Last edited by tld on Tue Oct 15, 2024 10:42 pm; edited 1 time in total

tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Tue Oct 15, 2024 7:37 pm

WOW I am really really desperate here. I decided to try to recompile apache and that didn't help.

I have to think it's somehow related to that openssl, but HOW would that break the apache2 configuration?? Nothing even changed in there.

To make matters worse, I wanted to try downgrading dev-libs/openssl and it will NOT let me and somehow I'm missing why!!?? I added this:
Code:
grep dev-libs/openssl /etc/portage/package.mask
>dev-libs/openssl-3.0.14

And that 3.0.14 IS available yet I'm getting this?:
Code:
emerge -auv dev-libs/openssl

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 19.29 s (backtrack: 0/20).


Total: 0 packages, Size of downloads: 0 KiB

!!! The following installed packages are masked:
- dev-libs/openssl-3.3.2::gentoo (masked by: package.mask)
/etc/portage/package.mask:
# IMPORTANT! Seeing if this fixes apache start failure with AH00016: Configuration Failed

For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.



 * dev-libs/openssl

Would you like to add these packages to your world favorites? [Yes/No]


Why won't that downgrade??!! WHAT on earth am I missing with this!!? I feel like I'm losing my mind.

EDIT: OK...I figured out that in order to downgrade openssl I have to downgrade curl as well. Trying that now.

Tom

Hu
Administrator

Joined: 06 Mar 2007
Posts: 22581

Posted: Tue Oct 15, 2024 7:51 pm

If I remember correctly, the apache startup pre-checks the configuration file. If that checker were broken, you might get this error, even when the file is well-formed.

If you want to run an older openssl, ask for it: emerge --ask --oneshot --verbose '=dev-libs/openssl-3.0.14'.

Beyond that, you have not given us anything with which to work.

tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Tue Oct 15, 2024 8:09 pm

Thanks Hu. I'm downgrading openssl now (which required also downgrading curl) and that will take a while. Hopefully that'll do it. If not I'll post everything that was in this update just to see if anything else there may have caused this.

Will post when that's done. I had no issues with these similar upgrades on this AMD machine. This failure is on my x86 mythtv backend.

Tom

grknight
Retired Dev

Joined: 20 Feb 2015
Posts: 1898

Posted: Tue Oct 15, 2024 8:14 pm

Quick online searches suggest checking other logs, often ssl_error_log, as well for a contributing factor. Often a bad/outdated certificate or key.

tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Tue Oct 15, 2024 9:15 pm

Thanks grknight! First of all it clearly WAS being caused by the openssl upgrade as downgrading it got apache to start.

And as to your suggestion, I think I found the issue:
Code:
cat /var/log/apache2/ssl_error_log
[Tue Oct 15 14:40:01.711698 2024] [ssl:emerg] [pid 2087:tid 2087] AH02562: Failed to configure certificate localhost:443:0 (with chain), check /etc/ssl/apache2/server.crt
[Tue Oct 15 14:40:01.711923 2024] [ssl:emerg] [pid 2087:tid 2087] SSL Library Error: error:0A00018F:SSL routines::ee key too small


That's clearly because of the default self-signed certificate...specifically the one here:
Code:
ls -l /etc/ssl/apache2
total 16
-r--r--r-- 1 root root 1038 Nov 15  2009 server.crt
-r--r--r-- 1 root root  749 Nov 15  2009 server.csr
-r-------- 1 root root  887 Nov 15  2009 server.key
-r-------- 1 root root 1926 Nov 15  2009 server.pem


So I assume I have to re-generate that server.crt(?). Anyone familiar with how to do that offhand?

Thanks a million for the help! Wow that was tough.

Tom

tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Tue Oct 15, 2024 9:40 pm

Wow. Any help with generating that God-awful self-signed cert would be greatly appreciated.

I'd forgotten how cryptic that mess is...have read about it and hoped I'd never have to do it. Now I remember why. Just horrible.

EDIT: OK. I was able to do that. After saving the old ones elsewhere, inside of /etc/ssl/apache2 I did this:
Code:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./server.key -out ./server.crt


That seems to have worked and I was able to restart apache. Upgrading back to the newer openssl now.

Tom

tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Tue Oct 15, 2024 10:42 pm

OK....yup. With the new key I was able to upgrade openssl again and apache starts just fine. Thanks everyone for the help!!

Tom

gjaekel
n00b

Joined: 24 Nov 2022
Posts: 2

Posted: Fri Nov 01, 2024 12:38 pm

Thank you for solving this; I also just stepped into this issue while updating.

It happens on a bunch of quite old self-signed certificates for different internal vhosts. It was difficult to discover, because it wasn't logged in the main error log but in the vhosts error log file. And at first I had no clue what was happening.

I found the unusable certificates with something like
Code:

openssl x509 -in cert.pem -text -noout | grep 'Public-Key:.*1024'
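
A broader version of the check in the post above, as an added example that is not part of the thread: it walks a certificate directory and reports every certificate whose key falls below OpenSSL security level 2 (RSA/DSA under 2048 bits, EC under 224 bits), which became the default TLS security level in OpenSSL 3.2 and is why the 1024-bit key worked under 3.0.14 but was rejected with "ee key too small" under 3.3.2. The function names `key_info` and `weak_certs` are hypothetical, and the script assumes PEM certificates in files ending in `.crt` or `.pem`.

```shell
#!/bin/sh
# Added example (not from the thread): report certificates whose public key
# is below OpenSSL security level 2. key_info and weak_certs are
# hypothetical helper names.

# key_info FILE -> prints "<algorithm> <bits>" for a PEM certificate,
# or nothing if FILE holds no certificate (for example a bare key file).
key_info() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ {
            bits = $0
            sub(/.*\(/, "", bits)    # drop everything up to "("
            sub(/ bit.*/, "", bits)  # drop " bit)" and the rest
            print alg, bits
            exit
        }'
}

# weak_certs DIR [MIN_BITS] -> one line "<file> <algorithm> <bits>" per
# certificate under DIR with an RSA/DSA key below MIN_BITS (default 2048)
# or an EC key below 224 bits.
weak_certs() {
    dir=$1
    min_bits=${2:-2048}
    find "$dir" -type f \( -name '*.crt' -o -name '*.pem' \) | sort |
    while IFS= read -r f; do
        info=$(key_info "$f")
        if [ -z "$info" ]; then continue; fi
        alg=${info% *}
        bits=${info#* }
        limit=0
        case $alg in
            rsaEncryption|dsaEncryption) limit=$min_bits ;;
            id-ecPublicKey) limit=224 ;;
        esac
        if [ "$bits" -lt "$limit" ]; then
            echo "$f $alg $bits"
        fi
    done
}

# Stand-alone use: sh weak_certs.sh /etc/ssl/apache2
if [ "$#" -gt 0 ]; then
    weak_certs "$@"
fi
```

Running it over every vhost certificate directory before the openssl upgrade lists the certificates that need regenerating, and running it again after regenerating `server.crt` confirms the new key size.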