Topic: Apache Service Won't Start after openSSL setup
Author
ShaneMeluck



Joined: 23 Nov 2006
Posts: 2
Location: Vernon, British Columbia

Posted: Thu 23 Nov '06 21:48    Post subject: Apache Service Won't Start after openSSL setup

Hello Everyone,

I am new to Apache and SSL (and Subversion). I managed to get the Apache 2.0.59 and the Subversion 1.4.2 working together (on Windows Server 2003 with IIS) utilizing the AuthType Basic and was quite happy with how it was working.

What I need now though is Windows Authentication so I followed the various steps posted on the internet regarding how to set up Apache with openSSL. I used the openssl-0.9.8d (copied the file as needed). I modified the httpd.conf by adding the mod_auth_sspi to the end of the load modules section and moved the mod_auth after that as many sites suggested:

...
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule auth_module modules/mod_auth.so
#end of Load Modules

then added the following to the end of the file
...
<Location /svn>
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domain name>
SSPIOfferBasic On

DAV svn
SVNListParentPath on
SVNParentPath C:\svnroot
AuthType SSPI
AuthName "Subversion repositories"
#AuthUserFile passwd
#AuthzSVNAccessFile svnaccessfile
Require valid-user
</Location>

When I attempt to start the Apache service I get the following service error:

The Apache2 service terminated with service-specific error 1 (0x1)

There is no information in the Apache error log regarding this. No entry at all in fact.

So I am stumped as I can't seem to find any information on what the error was so it makes it difficult to troubleshoot. Has anyone had a similar experience who could shed some light on what is happening or point me in a direction to troubleshoot?

Much appreciated.

Shane
Back to top
ShaneMeluck



Joined: 23 Nov 2006
Posts: 2
Location: Vernon, British Columbia

Posted: Thu 23 Nov '06 23:17    Post subject: Found the Problem

Hello everyone. Thanks for looking at the post.

I found the problem. Seems the IT department decided to change the DC for this machine without telling me. Once I changed that, the service started no problem.

Cheers.
Back to top
CameronY



Joined: 16 Nov 2006
Posts: 13
Location: Brisbane, Australia

Posted: Fri 24 Nov '06 16:31

I too got this error this afternoon, attempting to install Apache 2.2.3/OpenSSL 0.9.8d/mod_ssl 2.2.3 using the ZIP (Win32) via the download page.

Being very new to all this stuff has now got me on a bit of an edge.

Uninstalled Apache 2.0.59 (MSI install) prior, then installed VC++ 2005 and the ZIP. Updated httpd.conf/httpd-ssl.conf/httpd-vhosts.conf, I did reconfigure the httpd.conf to find the ssl & vhosts conf's in the ~/conf/ directory. Performed a 'httpd -t' and came back "Syntax OK".

The only things that I've done outside the norm is the installation directory ("C:\Program Files\Apache Group\Apache2.2.3"). When I installed the app I did 'httpd -k install -n "Apache2.2.3" ', then 'httpd -k start -n "Apache2.2.3" '.

In the System Event "The Apache2.2.3 service terminated with service-specific error 1 (0x1)."

I do get the following message while trying to find answers...
Code:
C:\Program Files\Apache Group\Apache2.2.3\bin>sc query Apache2.2.3

SERVICE_NAME: Apache2.2.3
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
        WIN32_EXIT_CODE    : 1066  (0x42a)
        SERVICE_EXIT_CODE  : 1  (0x1)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

I'm absolutely stumped?

Are there any suggestions for a resolution or details as to the cause?

Cheers,
Cameron Young
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

Posted: Fri 24 Nov '06 17:15

CameronY,

Try starting Apache with:
Quote:
httpd -n "Apache2.2.3" -w -e debug -k start

This should display more detailed messages while Apache starts up.

FYI - the extra switches mean:
    -w keep console window open on error (so you can inspect it)

    -e debug show debug-level messages

Another thing you might try is starting Apache as a console application rather than as a Windows Service.
To do this, omit the -k start switch.
When Apache is running as a console application, you must type Ctrl-C in the console window to shut it down.

-tom-
Back to top
CameronY



Joined: 16 Nov 2006
Posts: 13
Location: Brisbane, Australia

Posted: Fri 24 Nov '06 17:29

Many thanks tdonovan for the response.

Below was the resulting output. What exactly should I be trying to identify?
Code:
C:\Program Files\Apache Group\Apache2.2.3\bin>httpd -n "Apache2.2.3" -k install
Installing the Apache2.2.3 service
The Apache2.2.3 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.

C:\Program Files\Apache Group\Apache2.2.3\bin>httpd -n "Apache2.2.3" -w -e debug -k start
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module actions_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module alias_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module asis_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module auth_basic_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authn_default_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authn_file_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_default_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_groupfile_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_host_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_user_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module autoindex_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module cgi_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module deflate_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module dir_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module env_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module imagemap_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module include_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module isapi_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module log_config_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module mime_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_connect_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_http_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_ftp_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module negotiation_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module rewrite_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module setenvif_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module userdir_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module vhost_alias_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module ssl_module

Still no success :(
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7306
Location: Germany, Next to Hamburg

Posted: Fri 24 Nov '06 17:39

Is there a firewall? (including the Windows firewall!!!)

What happens when you try httpd -w -e debug? Any error in error.log? Any error in the Windows event log?
Back to top
CameronY



Joined: 16 Nov 2006
Posts: 13
Location: Brisbane, Australia

Posted: Fri 24 Nov '06 17:47

Thanks again for the quick reply ...

Same output to the console.

Still nothing in the error.log.

No Windows Firewall on the server.

Gotta get some sleep ..... ZZzzzzz
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

Posted: Fri 24 Nov '06 20:14

It looks like it is indeed SSL which is causing your problems, since it only gets this far at startup.

Some suggestions:

1. Check your .conf files.
    extra\httpd-ssl.conf should contain these directives for Windows (along with many others):
    Quote:
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:logs/ssl_scache(512000)
    SSLMutex default
    SSLCertificateFile conf/server.crt
    SSLCertificateKeyFile conf/server.key
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    where conf/server.crt and conf/server.key point to wherever you put your server's certificate and key files.

2. Check that the OpenSSL version 0.9.8d shareable libraries in your Apache \bin directory are the ones actually being used (the timestamps are US EDT timezone):
    ssleay32.dll 09/28/2006 08:52p 196,608
    libeay32.dll 09/28/2006 08:51p 1,028,096

    An incorrect version of these libraries in your System32 directory could get loaded instead of the correct ones and cause problems.

3. In [Control Panel] [Administrative tools] [Services], open the [Properties] for your Apache service, click on the [Log On] tab, and enable "Allow service to interact with desktop".
    This may enable a dialog for your password if your key file was created to require one.

Hope this helps!
-tom-
Back to top
CameronY



Joined: 16 Nov 2006
Posts: 13
Location: Brisbane, Australia

Posted: Sat 25 Nov '06 15:58

Thanks for the reply tdonovan.

In my httpd.conf I have the following...
Code:
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
Include conf/httpd-vhosts.conf
....
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
Include conf/httpd-ssl.conf

Just to keep the config files together. Also the last lines are ...
Code:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

In my httpd-ssl.conf I have the following...
Code:
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

#SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Group/Apache2.2.3/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "C:/Program Files/Apache Group/Apache2.2.3/logs/error.log"
TransferLog "C:/Program Files/Apache Group/Apache2.2.3/logs/access.log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Program Files/Apache Group/Apache2.2.3/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "C:/Program Files/Apache Group/Apache2.2.3/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

In my httpd-vhosts.conf I have the following (edited)...
Code:
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog     builtin
SSLSessionCache         shmcb:logs/ssl_scache(512000)
####SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex       default

NameVirtualHost 202.x.x.x:80
NameVirtualHost 202.x.x.x:443

#qa.sitename.com.au
<VirtualHost 202.x.x.x:80>
    ServerAdmin webmaster@sitename.com.au
#    DocumentRoot /dummy
    ServerName qa.sitename.com.au
    ErrorLog logs/qa.sitename.com.au/error.log
    CustomLog logs/qa.sitename.com.au/access.log combined env=!image


    RewriteEngine On
    RewriteCond          %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]
</VirtualHost>

#qa.sitename.com.au
<VirtualHost 202.x.x.x:443>
    ServerAdmin webmaster@sitename.com.au
#    DocumentRoot /dummy
    ServerName qa.sitename.com.au
    ErrorLog logs/qa.sitename.com.au/error.log
    CustomLog logs/qa.sitename.com.au/access.log combined env=!image

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl/qa.sitename.com.au.cert
    SSLCertificateKeyFile conf/ssl/qa.sitename.com.au.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "c:/apache/cgi">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    ProxyPass / http://10.x.x.x:8008/
    ProxyPassReverse / http://10.x.x.x:8008/

</VirtualHost>

The dll's in the ~\bin\ directory are the correct files and have additionally copied them into the ~\system32\ directory for no reason other than I could.

The SSLCertificateFile and SSLCertificateKeyFile are not present in the httpd-ssl.conf as they are only referenced in the httpd-vhosts.conf. Is this a misinterpretation of how it should be?

I ask, as in our other installation Apache2.0.54, the ~\ssl.conf file has the following...
Code:
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key

Yet neither file nor the ~\ssl.key\ directory exists. And no errors are reported in any of the error.log(s) relating to either. So I excluded them from the httpd-ssl.conf file.

Cheers & advanced thanks,
Cameron
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

Posted: Sat 25 Nov '06 18:53

re: "The SSLCertificateFile and SSLCertificateKeyFile are not present in the httpd-ssl.conf"

In general, you cannot use named virtual hosts (NameVirtualHost) with SSL.
This is because the sequence of events is:
    1. A secure SSL connection is established from the browser to the server by IP address.
       Establishing this connection uses the key and cert files.

    2. The HTTP request headers arrive, encrypted via SSL.
       These headers include the Host header.

    3. The Host header is then used to select the appropriate virtual host by its ServerName.
Since it is impossible to know which host name will be in the Host header before establishing the secure connection,
the encryption key and cert must be located by Apache before the SSL connection is established.

This is true for all versions of Apache (...and for all other web servers...),
so it is a puzzle how Apache 2.0.54 ever worked for you if you relied on NameVirtualHost to select your key and cert!

Perhaps your virtual hosts were selected by IP address rather than by name with Apache 2.0.54?
This could work, since - unlike the Host header - the IP address and port number are known at the point the connection is established.
You would use <VirtualHost> without any <NameVirtualHost> directives to do this.

Check out the docs for <VirtualHost> and <NameVirtualHost> and Name-based Virtual Host Support. Admittedly, these docs can be a bit confusing.

It still isn't clear why this makes your Apache startup fail to report useful error messages, so it probably isn't your whole problem.

I suggest you diagnose this by starting with a simpler setup; with a single host and everything in httpd.conf and httpd-ssl.conf just to get it working.
Then re-introduce any other virtual hosts (if you need them), your proxy to 10.x.x.x:8008, etc. one-by-one to see which causes the problem.

-tom-
Back to top
CameronY



Joined: 16 Nov 2006
Posts: 13
Location: Brisbane, Australia

Posted: Sun 26 Nov '06 2:53

Cheers for the reply Tom.

I'll read up on the links you provided to see what and in which direction I shall take this.

We listen to traffic only from a LoadBalanced IP (202.x.x.x) ports 80 & 443. And the web servers are clustered. The server I'm currently trying to install is out of the cluster. Not that it should make much difference with the issue I'm working through.

You'll need to excuse me, my networking knowledge is pretty basic.
Back to top
CameronY



Joined: 16 Nov 2006
Posts: 13
Location: Brisbane, Australia

Posted: Mon 27 Nov '06 3:57    Post subject: Issue Resolved...

Just an FYI about my success (joy!) :D

After reading the links you provided, I updated the httpd-ssl.conf's SSLCertificateFile and SSLCertificateKeyFile references to point to the same cert/key files used for the primary website of that declared as ServerName in httpd.conf.

Once that was done, attempted the install, then started Apache successfully. Did a test to the primary website (locally) as a http:// entry and it resolved to the https:// entry as expected.
Afterwards, created a shortcut for the ApacheMonitor.exe and bounced the box, all looking good.

Many thanks for your time, comments and patience Tom.

Still unable to see why our preexisting 2.0.54 versions work without entries for SSLCertificateFile and SSLCertificateKeyFile references, but it won't be that way for too much longer.

Cheers,
Cameron Young
Back to top
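
A check for the condition that resolved this thread, an SSL-enabled <VirtualHost> with no SSLCertificateFile or SSLCertificateKeyFile in scope, written as an added example (not code from any poster or from the Apache project). The function name and the sample config, condensed from the fragments posted above, are constructed for illustration.

```python
import re

# Constructed sample, condensed from the httpd-ssl.conf and httpd-vhosts.conf
# fragments posted in the thread (addresses and host names as masked there).
SAMPLE_CONF = """
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
<VirtualHost 202.x.x.x:80>
    RewriteEngine On
</VirtualHost>
<VirtualHost 202.x.x.x:443>
    SSLEngine on
    SSLCertificateFile conf/ssl/qa.sitename.com.au.cert
    SSLCertificateKeyFile conf/ssl/qa.sitename.com.au.key
</VirtualHost>
"""

# The key may also be stored inside the certificate file, so a missing
# SSLCertificateKeyFile is a prompt to look, not always a startup failure.
CHECKED = ("SSLCertificateFile", "SSLCertificateKeyFile")


def ssl_vhosts_missing_cert(conf_text):
    """Return [(vhost address, [missing directives])] for SSL-enabled vhosts.
    Model: a directive set at server scope (outside any <VirtualHost>) applies
    to every vhost that does not set its own. Include files must already be
    concatenated into conf_text; nested sections count toward their vhost.
    """
    server, vhosts, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {}
            vhosts.append((opened.group(1).strip(), current))
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        elif not line.startswith("<"):
            name, *rest = line.split(None, 1)
            (server if current is None else current)[name.lower()] = rest[0] if rest else ""
    findings = []
    for address, own in vhosts:
        effective = {**server, **own}
        missing = [d for d in CHECKED if d.lower() not in effective]
        if effective.get("sslengine", "").lower() == "on" and missing:
            findings.append((address, missing))
    return findings


if __name__ == "__main__":
    for address, missing in ssl_vhosts_missing_cert(SAMPLE_CONF):
        print(f"<VirtualHost {address}>: SSLEngine on, but no {', '.join(missing)}")
```

On the sample, only the `_default_:443` host from httpd-ssl.conf is reported; adding the two directives at server scope or inside that host clears the finding.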