Apache2 fails to start

Discussion in 'General' started by DrJohn, Jul 25, 2010.

  1. DrJohn

    DrJohn Member

    I added a new site, installed RoundCube, enabled ssl, and installed the default self-cert. This worked fine but I need a 'real' ssl certificate for webmail access in many situations. Thus, I obtained a GoDaddy cert and installed the certificate via ispconfig's ssl panel. Restarted ispconfig, and that's where the trouble started.

    Note: I updated ispconfig to 2.2.36 between installing the new site plus RoundCube, and adding the new cert.

    Upon restarting ispconfig, Apache2 fails to start. This line is near the end of ispconfig.log:
    Code:
    ...
    24.07.2010 - 15:43:56 => WARN - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 755: WARNING: could not /etc/init.d/apache2 restart &> /dev/null
    ...
    I found (from another thread here) that there were two instances of
    Code:
    Include /etc/apache2/vhosts/Vhosts_ispconfig.conf
    in /etc/apache2/apache2.conf. Removed the second instance, but apache failed to restart. Restored the second instance (near the end) and removed the first, same result.

    I manually restarted apache2:
    Code:
    User@Server:/var/log$ sudo /etc/init.d/apache2 restart
     * Restarting web server apache2                                         [fail] 
    
    No error message to the console. /var/log/apache2/error.log gives no clue. The syslog has no relevant entries either.

    Any help on figuring this out?

    Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please run:

    httpd -t

    and post the output.
     
  3. DrJohn

    DrJohn Member

    It gives this response:
    Code:
    root@m2a74am-vm1:/# httpd -t
    httpd: bad user name ${APACHE_RUN_USER}
    root@m2a74am-vm1:/# 
    
    I had removed the user names created in ispconfig (my previous post) but restoring /home/admispconfig/ispconfig/users and restarting ispconfig makes no difference.
     
  4. DrJohn

    DrJohn Member

    Chasing this down a little bit:

    Code:
    root@m2a74am-vm1:/etc/apache2# cat envvars
    # envvars - default environment variables for apache2ctl
    
    # Since there is no sane way to get the parsed apache2 config in scripts, some
    # settings are defined via environment variables and then used in apache2ctl,
    # /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
    export APACHE_RUN_USER=www-data
    export APACHE_RUN_GROUP=www-data
    export APACHE_PID_FILE=/var/run/apache2.pid
    
    ## The locale used by some modules like mod_dav
    export LANG=C
    ## Uncomment the following line to use the system default locale instead:
    #. /etc/default/locale
    
    export LANG
    root@m2a74am-vm1:/etc/apache2# 
    
    and
    Code:
    root@m2a74am-vm1:/# cat /etc/passwd | grep www-data
    www-data:x:33:33:www-data:/var/www:/bin/sh
    root@m2a74am-vm1:/# 
    
    is 33 a sane id for this user / group?
     
  5. falko

    falko Super Moderator Howtoforge Staff

    Try
    Code:
    ./etc/apache2/envvars && httpd -t
     
  6. DrJohn

    DrJohn Member

    Why the '.' at the front of ./etc/apache2/envvars && httpd -t ?
    First I had to make envvars executable:
    Code:
    root@m2a74am-vm1:/etc/apache2# chmod +x envvars
    root@m2a74am-vm1:/etc/apache2# /etc/apache2/envvars && httpd -t
    httpd: bad user name ${APACHE_RUN_USER}
    root@m2a74am-vm1:/etc/apache2#
    Still the same result, though.
    And:
    Code:
    root@m2a74am-vm1:/etc/apache2# export APACHE_RUN__USER=www-data
    root@m2a74am-vm1:/etc/apache2# echo $APACHE_RUN_USER
    
    root@m2a74am-vm1:/etc/apache2# export APACHE_RUN_USER="www-data"
    root@m2a74am-vm1:/etc/apache2# echo $APACHE_RUN_USER
    www-data
    root@m2a74am-vm1:/etc/apache2# /etc/apache2/envvars && httpd -t
    httpd: bad group name ${APACHE_RUN_GROUP}
    root@m2a74am-vm1:/etc/apache2#
     
  7. falko

    falko Super Moderator Howtoforge Staff

    The correct command is
    Code:
    ./etc/apache2/envvars && httpd -t
    The dot includes the /etc/apache2/envvars file so that the variables in it are available to the httpd command.
     
  8. DrJohn

    DrJohn Member

    OK, but the result is the same:
    Code:
    root@m2a74am-vm1:/# ./etc/apache2/envvars && httpd -t
    httpd: bad user name ${APACHE_RUN_USER}
    root@m2a74am-vm1:/#
    It runs from the root directory, but not in /etc/apache2. Is there really any difference between the above and running the two commands separately, in an interactive session?

    -- John
     
  9. falko

    falko Super Moderator Howtoforge Staff

    Try
    Code:
    . /etc/apache2/envvars && httpd -t
    instead (with a space between . and /etc/apache2/envvars).
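
The difference between running envvars and sourcing it with the dot command, as an added example that is not part of the original thread. The temporary file stands in for /etc/apache2/envvars and the `child_sees` helper stands in for httpd; both are constructed for the demo. With the variable unset, httpd -t is left with the literal ${APACHE_RUN_USER} it reported above.

```shell
#!/bin/sh
# Constructed stand-in for /etc/apache2/envvars (same two exports as in the thread).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/envvars" <<'EOF'
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
EOF

# Stand-in for httpd: a child process that reads the variable from its environment.
child_sees() {
    sh -c 'printf "%s" "${APACHE_RUN_USER:-unset}"'
}

# "/etc/apache2/envvars && httpd -t" (also "./etc/apache2/envvars" typed in /):
# the file runs as a separate process, so its exports end when that process exits.
run_as_program() {
    ( unset APACHE_RUN_USER
      sh "$demo_dir/envvars" && child_sees )
}

# ". /etc/apache2/envvars && httpd -t": the dot command reads the file into
# the current shell, so the exports are inherited by the next command.
source_into_shell() {
    ( unset APACHE_RUN_USER
      . "$demo_dir/envvars" && child_sees )
}

echo "run as program:    APACHE_RUN_USER=$(run_as_program)"
echo "sourced with dot:  APACHE_RUN_USER=$(source_into_shell)"
```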
     
  10. DrJohn

    DrJohn Member

    Code:
    root@m2a74am-vm1:/etc/apache2# . /etc/apache2/envvars && httpd -t
    Syntax OK
    root@m2a74am-vm1:/etc/apache2# echo $APACHE_RUN_USER
    www-data
    root@m2a74am-vm1:/etc/apache2# ../init.d/ispconfig_server restart
    Shutting down ISPConfig system...
    /root/ispconfig/httpd/bin/apachectl stop: httpd (pid 1862?) not running
    ISPConfig system stopped!
    Starting ISPConfig system...
    Apache/1.3.41 mod_ssl/2.8.31 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.
    
    Server www.myserver.com:81 (RSA)
    Enter pass phrase:
    
    Ok: Pass Phrase Dialog successful.
    /root/ispconfig/httpd/bin/apachectl startssl: httpd started
    ISPConfig system is now up and running!
    root@m2a74am-vm1:/etc/apache2# httpd -t
    Syntax OK
    root@m2a74am-vm1:/etc/apache2
    This did not start apache2. Here's ISP Server Status:Services from the Management tab:
    Code:
    Web-Server:  Offline
    FTP-Server: 	Online
    SMTP-Server: 	Online
    POP3-Server: 	Online
    BIND-Server: 	Online
    mySQL-Server: 	Online
    I would like to try deleting the ssl site and restarting, then restoring the site. This might make it impossible to know what's happening now, but I do have daily backups of all the files.
     
  11. falko

    falko Super Moderator Howtoforge Staff

    Does
    Code:
    /etc/init.d/apache2 restart
    give you any errors now?
     
  12. DrJohn

    DrJohn Member

    Yes, the error is unchanged:
    Code:
    root@m2a74am-vm1:/# /etc/init.d/apache2 restart
     * Restarting web server apache2                                         [fail] 
    root@m2a74am-vm1:/# 
    
    There are no relevant apache2 log entries that I can find.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    If there is no error message, then it's most likely an SSL error. Take a look into the error log of the website where you added / changed the ssl certificate.
     
  14. DrJohn

    DrJohn Member

    Yes, that's the problem:
    Code:
    [Thu Jul 29 07:24:18 2010] [error] Unable to configure RSA server private key
    [Thu Jul 29 07:24:18 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    I thought that the key pair was OK. The ispconfig-supplied csr was provided to GoDaddy, they validated the request and my site, and then provided the cert.

    Although I have installed these before it's been a couple of years since. I've obviously done something wrong here. The cert was downloaded for the "Other" type of web server; they sent me a zip file containing gd_bundle.crt and my.domain.com.crt. I read somewhere else in this forum that I should simply copy the simple crt file into the certificate window in ispconfig but apparently that may be incorrect. Should I obtain the Apache-type cert bundle and install the intermediate file as instructed earlier in the above thread?

    Also, I checked the first and last six characters of the cert as shown in ispconfig and as in the received crt file -- they are identical -- so there's little chance that this is the wrong cert, but is it possible that the csr was accidentally regenerated at some point? I'll re-key the cert at GoDaddy later today and see what happens.

    It would be nice to know if either or both of the above procedures ('Other' or 'Apache' cert, without or with the intermediate file and supporting Apache2 directive) are best, required, preferred, or what.

    Thanks!
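
The "key values mismatch" error quoted above is raised when the private key on disk and the public key inside the certificate do not belong together. One way to check which of key, CSR and certificate disagree is to compare the public key each contains, shown here as an added example that is not from the thread or from ISPConfig. The file names, the helper names `pubkey_fp` and `same_key`, and the generated key material are constructed for the demo; it assumes an unencrypted key and the openssl command-line tool.

```shell
#!/bin/sh
# Print the SHA-256 of the DER-encoded public key held in FILE.
# usage: pubkey_fp key|csr|crt FILE
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1          # unreadable file or wrong type
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if both files parse and carry the same public key.
# usage: same_key TYPE1 FILE1 TYPE2 FILE2
same_key() {
    a=$(pubkey_fp "$1" "$2") || return 2
    b=$(pubkey_fp "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

report() {
    if same_key "$@"; then echo "match     $2 <-> $4"
    else echo "MISMATCH  $2 <-> $4"; fi
}

# Constructed test material: a key, its CSR, a certificate issued for that
# CSR (self-signed here), and a second key as if the CSR had been regenerated.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genrsa -out "$work/site.key" 2048 2>/dev/null
openssl req -new -key "$work/site.key" -subj "/CN=webmail.example.test" \
    -out "$work/site.csr" 2>/dev/null
openssl x509 -req -in "$work/site.csr" -signkey "$work/site.key" -days 1 \
    -out "$work/site.crt" 2>/dev/null
openssl genrsa -out "$work/regenerated.key" 2048 2>/dev/null

report key "$work/site.key" csr "$work/site.csr"
report key "$work/site.key" crt "$work/site.crt"
report key "$work/regenerated.key" crt "$work/site.crt"
```

A mismatch between the key and the CSR that was sent to the CA means the key pair was regenerated after the request was made, and the issued certificate can only be used again after a re-key.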
     
  15. DrJohn

    DrJohn Member

    I deleted the certificates and made sure that /var/www/web#/ssl was empty. Then used ispconfig to generate a new csr and used that to rekey the GoDaddy cert. Uploaded the two files from GoDaddy's download: sf_bundle.crt and my.domain.com.crt into the web's ssl folder. Added the intermediate file directive to Apache directives:
    Code:
    SSLCertificateChainFile /var/www/web##/ssl/sf_bundle.crt
    Now, when I restart apache2 I get:
    Code:
    root@m2a74am-vm1:/# /etc/init.d/apache2 restart
     * Restarting web server apache2                                               
     apache2: Syntax error on line 340 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/vhosts/Vhosts_ispconfig.conf: No such file or directory
                                                                             [fail]
    
    and yes, there is no such file, only older versions:
    Code:
    root@m2a74am-vm1:/etc/apache2# ls vhosts
    Vhosts_ispconfig.conf_29-07-10_21-00-25
    Vhosts_ispconfig.conf_29-07-10_21-18-53
    Vhosts_ispconfig.conf_29-07-10_21-18-56
    Vhosts_ispconfig.conf_29-07-10_21-19-11
    root@m2a74am-vm1:/etc/apache2# 
    Since there were definitely no changes from the most recent file, and it contained the correct directives and certificate file names, I copied it to Vhosts_ispconfig.conf. Now Apache2 started successfully.

    Question: where did the Vhosts_ispconfig.conf file go? It apparently was not re-created at a juncture when modifying the site configuration.

    SSL is now up on the webmail site; the other sites are running as well. So, problem solved.

    Diagnosis: The intermediate file is required for the GoDaddy cert.

    The steps I ended up following to get SSL re-keying with GoDaddy to work in this one site (this is not ssl for the ispconfig admin site on :81) were:

    1. Enter the directive
      Code:
      SSLCertificateChainFile /var/www/web13/ssl/sf_bundle.crt
      into the Apache Directives window on the Basis tab.
    2. Note the exact country, region, etc. in the original request.
    3. Delete the existing certificates with the Delete Certificates operation in the ispconfig panel.
    4. Make sure that /var/www/web##/ssl was empty.
    5. Generate a new csr using the same country, region, etc. as the original.
    6. From a terminal, cat and then copy the certificate request, paste it into the re-key window from GoDaddy, and then download the rekeyed certificate files.
    7. Unzip and transfer the new crt files to /var/www/web##/ssl
    8. Restart apache2
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not the correct procedure. Your crt file gets removed or overwritten as you have not used ispconfig to save it and ispconfig might now replace the signed certificate with the self signed one.

    The correct steps are:

    6) Copy the csr from the csr field of the ispconfig web interface to GoDaddy and do not use a terminal for that.
    7) Copy the content of the cert file that you received from GoDaddy into the certificate field in ispconfig, select "save" as action and click on save.
    8) Not necessary.
     
  17. DrJohn

    DrJohn Member

    Thank you Till,

    I had forgotten about that. Ssl is now set up via ispconfig, and it survives a restart, so all is OK.

    Thanks again,

    John
     
