Apache2 doesn't see my SSL certificate[SOLVED]

[Havin_it]

Hi all,

I recently upgraded Apache to 2.2.12, and something's gone terribly wrong it seems. After a reboot, I noticed apache2 had not started, and on restarting it I got no error message, the initscript exited "OK", but httpd was not running. I then found the following in the logfile /var/log/apache2/error_log

[boerKrelis]

From which version did you upgrade? 2.0.x ?

[Havin_it]

No, I upgrade regularly so it would have been the last 2.2.x version.

[boerKrelis]

Could it be that some ssl-enabled vhost (maybe another .conf) is being loaded before your 00_default_ssl_vhost.conf, thereby missing your certfile directive?
Does

[Havin_it]

The higher LogLevel doesn't seem to give me much more to chew on. Here it is in full:

[cach0rr0]

as root

[Havin_it]

Thanks, will give that a try. Is there anything particular I need to put in sudoers?

[Havin_it]

OK, I ran the command as suggested - there are a number of errors about being unable to open log files, I expect this is because I need to add something to sudoers?

In the output I get these are the only references to the cert and key files:

[cach0rr0]

possible to dump the full strace output into pastebin or similar so we can have a look?

[Havin_it]

Will do. Will have to sanitise a few lines first, though...

[Havin_it]

OK, pasted here:

http://pastebin.com/m662edc8e

The command issued was like this:

[cach0rr0]

sorry to waste your time, that strace proved fruitless =/

I'm wondering something - something you said turned on a light bulb in my brain; might it be possible to define an FQDN in /etc/hosts and regen the cert with a Common Name matching the FQDN?

Doesn't have to be a resolvable fqdn, but one that allows the cert common name to match the hostname.

[Havin_it]

Well... If it's only for test purposes fair enough, but if this proves to be the basis of a solution it might prove a new problem, because I have a number of vhosts identified both by subdomains of my dyndns.org hostname and by one-part local hostnames. I made the certificate with a commonName that matches the FQDN, so none of the subdomains match it. I haven't a clue about how to provide multiple certificates as I've only ever used the apache script for that purpose, but this has never been a problem because the Internet-facing vhosts are only for my use (so certificate errors in the browser are not a concern).

Anyway I'll give it a whirl and see what happens. Is there a CLI tool for reading a certificate's details?

[haven]

I had the same issue after upgrading from www-servers/apache-2.2.11-r2 to www-servers/apache-2.2.12.

I downgraded to ww-servers/apache-2.2.11-r3 and that fixed the issue. Not had time to look further but I was also getting the error:

[Havin_it]

I got it sorted!

First I took chach0rr0's suggestion and made sure that my certificate matched one of the FQDNs defined in the hosts file. I also took the steps of commenting-out the other vhost I have, and the ServerAlias lines in the main vhost, in 00_default_ssl_vhost.conf to eliminate confusion. This worked.

I then re-enabled the various ServerAlias lines in the main vhost definition. It still worked.

I then uncommented the second vhost definition. It stopped working.

What occurred to me was that the second vhost definition was copied from 00_default_vhost.conf and as such didn't contain any of the SSL-specific directives. This never posed a problem before, though on reflection I can't say whether I've ever accessed that other vhost from the WAN using SSL :/

So, I simply copied all the SSL directives from the main vhost to the other. Again, it works!

Well, make of that what you will. Seems obvious in hindsight, but I'm very grateful to you for steering me in the right direction to prod at the right things to solve it. Ta! =)