Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Help troubleshooting Apache config/SSL certificates |
|
| Author |
|
julifos
Joined: 12 Feb 2022
Posts: 3
Location: Spain
|
 Posted: Sat 12 Feb '22 19:05 Post subject: Help troubleshooting Apache config/SSL certificates |
 |
|
Apache 2.4.29, Ubuntu 18.04
Hi!
I'm trying to setup different domains in the same config file and everything works fine till the last domain (called domain3 in this example):
| Code: | NameVirtualHost xxx.xxx.xxx.xxx:80
NameVirtualHost xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/domain1/
ServerName www.domain1.com
...
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
DocumentRoot /var/www/domain1/
ServerName domain1.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www.domain1.com_ssl_certificate.cer
SSLCertificateKeyFile /etc/ssl/private/www.domain1.com_private_key.key
SSLCertificateChainFile /etc/ssl/certs/www.domain1.com_ssl_certificate_INTERMEDIATE.cer
...
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
DocumentRoot /var/www/domain2/
ServerName domain2.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www.domain2.com_ssl_certificate.cer
SSLCertificateKeyFile /etc/ssl/private/www.domain2.com_private_key.key
SSLCertificateChainFile /etc/ssl/certs/www.domain2.com_ssl_certificate_INTERMEDIATE.crt
...
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
DocumentRoot /var/www/domain3/
ServerName domain3.com
#SSLEngine On #uncommenting this line avoids Apache restart
SSLCertificateFile /etc/ssl/certs/www.domain3.com_ssl_certificate.cer
SSLCertificateKeyFile /etc/ssl/private/www.domain3.com_private_key.key
SSLCertificateChainFile /etc/ssl/certs/www.domain3.com_ssl_certificate_INTERMEDIATE.crt
...
</VirtualHost> |
Using this config, both domain1.com and domain2.com works as expected, but visiting "https://domain3.com" will serve to the browser domain1.com's SSL certificate (so, it will refuse the connection via SSL).
Uncommenting the line "SSLEngine On" in domain3's VirtualHost declaration will make Apache fail (can't be started). This is the error:
| Code: | Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details. |
systemctl status brings this info:
| Code: | ● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Sat 2022-02-12 12:43:38 UTC; 15s ago
Process: 6502 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 54717 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Process: 6508 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 6456 (code=exited, status=0/SUCCESS)
Feb 12 12:43:38 localhost systemd[1]: Starting The Apache HTTP Server...
Feb 12 12:43:38 localhost apachectl[6508]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
Feb 12 12:43:38 localhost apachectl[6508]: Action 'start' failed.
Feb 12 12:43:38 localhost apachectl[6508]: The Apache error log may have more information.
Feb 12 12:43:38 localhost systemd[1]: apache2.service: Control process exited, code=exited status=1
Feb 12 12:43:38 localhost systemd[1]: apache2.service: Failed with result 'exit-code'.
Feb 12 12:43:38 localhost systemd[1]: Failed to start The Apache HTTP Server. |
No relevant info is shown in the Apache error log.
As far as I know, both SSL certificates were purchased and installed using the same company and installation process, so not difference should exist (?)
Any hint? What could I do? |
|
| Back to top |
|
mraddi
Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany
|
| Posted: Sat 12 Feb '22 22:18 Post subject: |
|
|
Good evening,
| Quote: | | Using this config, both domain1.com and domain2.com works as expected, but visiting "https://domain3.com" will serve to the browser domain1.com's SSL certificate (so, it will refuse the connection via SSL). |
That is normal - if there is no matching VirtualHost for domain3.com then the first VirtualHost is used.
Would be interesting to see the output of "apachectl -t" and "apachectl -S" if SSLEngine is set to on for domain3.com. |
|
| Back to top |
|
julifos
Joined: 12 Feb 2022
Posts: 3
Location: Spain
|
| Posted: Sat 12 Feb '22 22:36 Post subject: |
|
|
Thanks for your answer.
This is the output without SSLEngine On:
| Code: | AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
Syntax OK
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
VirtualHost configuration:
82.223.3.128:80 is a NameVirtualHost
default server server1.com (/etc/apache2/sites-enabled/000-default.conf:4)
port 80 namevhost server1.com (/etc/apache2/sites-enabled/000-default.conf:4)
82.223.3.128:443 is a NameVirtualHost
default server gestinot.com (/etc/apache2/sites-enabled/000-default.conf:375)
port 443 namevhost server1.com (/etc/apache2/sites-enabled/000-default.conf:375)
port 443 namevhost server2.com (/etc/apache2/sites-enabled/000-default.conf:699)
port 443 namevhost server3.com (/etc/apache2/sites-enabled/000-default.conf:743)
*:* localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1109)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33 |
Some differences in the last part with SSLEngine On:
| Code: | *:* localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1109)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33 |
|
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 312
Location: UK
|
| Posted: Mon 14 Feb '22 18:11 Post subject: |
|
|
Since the virtual host definitions are similar (apart from the certificates of course), it rather suggests your problem lies with the certificate files/chain.
My suggestions for domain3 would be to:
a) Check the ownership and permissions on the certificate files (presuming the key file is read only to the Apache process owner).
b) Temporarily, try using domain2 certificates for domain3, to see if Apache still starts. If so, you know there's a problem with the domain3 certs.
c) Is there a password assigned to the domain3 private key file, preventing Apache from starting? Check the start of the key file for the word encrypted, e.g.
| Code: | $ head -3 private-key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,C0A142839C75245013ABCADBA500BB8E |
If there is a password on the private key then create a new private key file without one.
| Code: | | $ openssl rsa -in old-key.pem -out new-key.pem |
d) Check your certificate and private key match using the openssl modulus command, e.g. compare the hash outputs from:
| Code: | $ openssl x509 –noout –modulus –in site-cert.pem | openssl sha256
$ openssl rsa –noout –modulus –in site-key.pem | openssl sha256 |
e) Enable SSL debug in the configuration, and restart Apache. The error log file should contain helpful information over what the problem is.
| Code: | | LogLevel info ssl:debug |
At this point my guess would be there's a problem with the certificate chain, which you'd need to resolve. There are any number of links on the net showing how to use the openssl verify option to do this, but you'll probably need to split the CA and Intermediate certificates into separate files to check, e.g.
| Code: | | $ openssl verify -CAfile root-ca-cert.pem -untrusted intermediate-cert.pem site-cert.pem |
Let us know how you get on. |
|
| Back to top |
|
julifos
Joined: 12 Feb 2022
Posts: 3
Location: Spain
|
| Posted: Mon 14 Feb '22 22:27 Post subject: |
|
|
Tx!
a) Ownership and permissions are the same both for domain2 and domain3.
b) Yes, using domain2 certificates for domain3 lets Apache start, so some kind of issue exists with the certificates of domain3...
c) No encryption.
d) Match!
e) From different error-log files:
| Code: | [Mon Feb 14 20:15:41.749766 2022] [mpm_prefork:notice] [pid 78150] AH00169: caught SIGTERM, shutting down
[Mon Feb 14 20:15:41.824469 2022] [ssl:info] [pid 78687] AH01887: Init: Initializing (virtual) servers for SSL
AH00016: Configuration Failed
[Mon Feb 14 20:15:41.825313 2022] [ssl:emerg] [pid 78687] AH02565: Certificate and private key domain3:443:0 from /etc/ssl/certs/domain3_ssl_certificate.cer and /etc/ssl/private/domain3_private_key.key do not match |
Now I don't know where I got (or how I created) the private key 
I purchased the certificate and I can donwload both the certificate and the intermediate. How can I obtain a working private key??? (and how I was able to install it properly for the two previous domains...) |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 312
Location: UK
|
| Posted: Mon 14 Feb '22 23:08 Post subject: |
|
|
I'm somewhat confused, since if the modulus for the key and certificate match, they should be ok. You should be able to check the modulus for the corresponding CSR, which should also be the same (use "openssl req –noout –modulus ...")
Are the domain3 files all clean, PEM layout, no missing final EOL character, no mixed LF / CRLF problems?
Key problem aside though, I'd still verify the CA, Intermediate and site cert files, to make sure the certificate chain is valid, and confirm your CA hasn't provided an incorrect/expired Intermediate.
You can't re-create a key for existing certificates. If things really are still broken, you'll have to speak nicely to your CA and see if you can start again with a new key file and CSR. |
|
| Back to top |
|
|
|
|
|
|
