Apache problem on today's upgrade

Discussion in 'Installation/Configuration' started by Clouseau, Jan 13, 2015.

  1. Clouseau

    Clouseau Member

    Hello,

    This happened today when I did apt-get update and apt-get upgrade: apache failed to start, and in debug this is written:
    apache2: bad user name ${APACHE_RUN_USER}

    I didn't modify anything in apache.conf or envvars myself...
     
  2. Clouseau

    Clouseau Member

    Hmh, I have added this to apache.conf:
    User www-data
    Group www-data

    And now no error is written anywhere, but apache still fails to start.

    EDIT: okay, don't do this "openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout ispserver.key -out ispserver.csr" in https://www.howtoforge.com/securing...h-a-free-class1-ssl-certificate-from-startssl because it is going to mess with your key... You should build the key in another directory, get the csr, use it on startssl, and when you get your certificate then overwrite it...
     
    Last edited: Jan 13, 2015
  3. Clouseau

    Clouseau Member

    In the tutorial, shouldn't this "cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem " be without the key? You are pushing the private key file into a public pem file... I think only the crt of the server pair certificate + chain certs should be in the final pem, because this way you are publishing the private key...
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The tutorial is correct, I use it regularly.

    No, a .pem file for dovecot, which is created by this command, contains the key followed by the cert, and the command you posted creates this file.
     
  5. Clouseau

    Clouseau Member

    No, I'm right. The key file is a private key and should not be used in:
    ssl_cert = </etc/ssl/certs/somecert.pem -- this is a public key which every client gets.
    Read the beginning of the documentation: http://wiki2.dovecot.org/SSL/DovecotConfiguration
    The correct way would be to use just this "cat ispserver.crt startssl.chain.class1.server.crt > ispserver.pem"

    You should add the chain cert and the public cert in the final pem, but not a key file, and this is not only for dovecot, this is the same for any service that uses ssl...
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The file ispconfig.pem is for pure-ftpd, not dovecot. But nonetheless, like I pointed out above, the guide is working perfectly, you just have to follow it. If you leave out parts like you claimed in #2 in this thread, then it will not work of course.
     
  7. Clouseau

    Clouseau Member

    Yea, ok, that is specific to pure-ftp because it knows how to parse the private key part from the *.pem file. But that should not be used for dovecot/postfix/apache etc., because that way you can retrieve the private key by just issuing this:
    openssl s_client -showcerts -connect mail.doman.tld:995

    If you have that pem key for any of those services, please test and see if it shows in the output...

    Btw. I was in the time frame of waiting for an email from startssl, and while waiting I did an apt-get upgrade so apache went down. After I retrieved the validation email, all is good and my site is using the startssl certificate.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    dovecot knows to separate that as well, see dovecot docs (from your link above: "It's possible to keep the certificate and the key both in the same file"). But the guide doesn't tell you to use the combined cert for dovecot, apache or postfix, so this does not matter for this case anyway.

    We have 3 files:

    ispserver.crt (the cert only)
    ispserver.key (the key only)
    ispserver.pem (key and cert and bundle)
    startssl.chain.class1.server.crt (the bundle cert)

    and now compare the config file snippets from the guide to see which service uses which files. As you can see, the services that you claimed to use the combined file (apache, postfix and dovecot) don't use this file. Please read the guide till the end and read closely which files are used for which service before you complain about non-existing problems.
     
  9. Clouseau

    Clouseau Member

    Ok, I apologise. It's all ok, tested it with openssl. Dovecot, postfix and apache also know how to parse it if there is a private key in the pem file. I never used that in my practice, also we don't use them that way at work. The private key goes in the *.key file, the public and chain go in the public .crt or .pem...
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    The guide does it the same way. But not all services understand separate .key and .crt files. pure-ftpd and courier require a combined file, and therefore the guide creates different options and uses for each service the file it can read.
     
  11. Clouseau

    Clouseau Member

    I know, i.e. that dovecot and postfix don't have a chain certificate option, so you have to join the chain and public crt in one file and use it in ssl_cert = </etc/ssl/certs/dovecot.pem
    Apache on the other side has it, SSLCertificateChainFile.
    Sorry again, I'm a little beefed up with too much information these days so my concentration is not so good...
     
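The thread's real question is which of the three files (ispserver.key, ispserver.crt + startssl.chain.class1.server.crt, and the combined ispserver.pem) may be referenced from which config parameter. The following script is an added example, not code from the thread or the guide: it parses a PEM bundle into its armored blocks, checks that each block decodes to DER, flags key material in a file meant as a public cert+chain bundle (the dovecot/postfix ssl_cert case from post #11), and checks that a combined file for pure-ftpd/courier holds exactly one key plus certificates. The PEM bodies are constructed placeholders (a tiny DER SEQUENCE), not real keys or certificates.

```python
import base64
import re

# One PEM armored block: label, base64 body, matching END line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels that carry private key material.
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] in file order; raise ValueError on truncated or corrupt blocks."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)  # raises on bad base64
        if not der or der[0] != 0x30:  # every key/cert is a DER SEQUENCE
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    if text.count("-----BEGIN ") != len(blocks):  # a cut-off `cat` loses the END line
        raise ValueError("BEGIN line without matching END line (truncated block?)")
    return blocks


def layout(text):
    return [label for label, _ in pem_blocks(text)]


def contains_private_key(text):
    return any(label in PRIVATE_LABELS for label in layout(text))


def check_bundle(text, role):
    """role 'public': cert + chain only (ssl_cert, SSLCertificateFile style parameters).
    role 'combined': exactly one key plus certificates (pure-ftpd, courier)."""
    labels = layout(text)
    keys = [l for l in labels if l in PRIVATE_LABELS]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if role == "public" and keys:
        problems.append("private key present in a public bundle")
    if role == "combined" and len(keys) != 1:
        problems.append(f"expected one private key, found {len(keys)}")
    return problems


# Constructed sample data: base64 of DER bytes 30 03 02 01 01, standing in for real material.
_DER = "MAMCAQE="
KEY = f"-----BEGIN PRIVATE KEY-----\n{_DER}\n-----END PRIVATE KEY-----\n"
CERT = f"-----BEGIN CERTIFICATE-----\n{_DER}\n-----END CERTIFICATE-----\n"
CHAIN = CERT                          # stand-in for startssl.chain.class1.server.crt
ISPSERVER_PEM = KEY + CERT + CHAIN    # result of `cat ispserver.{key,crt} chain > ispserver.pem`
DOVECOT_PEM = CERT + CHAIN            # cert + chain only, as proposed in post #5
```

Run `check_bundle(open(path).read(), "public")` against any file you are about to hand to a cert-only parameter; a non-empty result means the wrong file is being referenced.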