Re: Apache won't start, strace output enclosed

SSLCACertificateFile is only for client certificate authentication. Are you trying to use that?
If not, removing that line should solve that particular error.

If you do want to use client certificate auth, then there is probably some other problem with your certificate.

- Y


On Fri, Jan 17, 2014 at 3:22 AM, David Benfell <dbenfell@xxxxxxxxx> wrote:

On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote:
> ----- Original Message -----
> Hi all,
>
> Ack!
>
> This is apache 2.2.25 compiled from source but on a CentOS 6.5
> system. Notably, I included all modules in the build.
>
>> You might want to start to build with a minimal set of modules,
>> to exclude any of them from being the cause. Why did you compile
>> with all modules to start with?
>
This is a build that *was* working. I've been using it--I see (see
below) since December.
>
> I was trying to add a subdomain, ran into memory allocation
> problems and so tweaked the settings accordingly. Here are the
> current settings and I have no idea how sensible they are:
>
> <IfModule prefork.c>
> StartServers       4
> MinSpareServers    4
> MaxSpareServers   64
> ServerLimit       512
> MaxClients        512
> MaxRequestsPerChild  512
> </IfModule>
> <IfModule worker.c>
> StartServers         4
> MaxClients         512
> MinSpareThreads     32
> MaxSpareThreads     64
> ThreadsPerChild     16
> MaxRequestsPerChild  0
> </IfModule>
>
>> This depends on which MPM you are currently running, see your
>> httpd -V output for this information. Obviously the specific
>> settings will be different in each use case, depending on load
>> and resources available.
>
This returns:

Server version: Apache/2.2.25 (Unix)
Server built:   Dec  2 2013 08:47:03
Server's Module Magic Number: 20051115:33
Server loaded:  APR 1.4.8, APR-Util 1.5.2
Compiled using: APR 1.4.8, APR-Util 1.5.2
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

So I can ditch the worker section?

>
>> The last write call shows that it's logging an error to the
>> errorlog, are you sure you have looked at the right errorlog?
>> You might want to try to 'strace -s 4096 ...' so the entire
>> message is captured in the trace.
>
Thanks for the strace trick:
                              = 0
munmap(0x7fbfdc208000, 4096)            = 0
write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n", 98) = 98
exit_group(1)                           = ?

I gather this is an SSL problem. Here is the section of that
configuration that is changed. It is a new certificate (that includes
the new subdomain):

        Include /etc/httpd/conf/sites-available/all-ssl-common
        SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt
        SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key
        SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem
        SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem

These files all exist. all-ssl-common is unchanged. It contains:

        SSLEngine on

        SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
        SSLHonorCipherOrder on
        SSLCompression Off
        #SSLCipherSuite RC4-SHA:HIGH:!ADH
        SSLInsecureRenegotiation off
        SSLOptions StdEnvVars

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks!
--
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the
attachment
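
The two cases in the reply at the top of this message (client authentication not wanted, or wanted but the CA file is bad), as an added example that is not part of the original thread. It loads the file through OpenSSL via Python's `ssl` module, on the assumption that a file rejected here is one mod_ssl would also reject; `SAMPLE_VHOST`, the function names and the outcome strings are made up for this sketch, and only the directive and path come from the thread.

```python
import re
import ssl

# Constructed vhost fragment; the directive and path are the ones quoted in the thread.
SAMPLE_VHOST = """
    SSLEngine on
    SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem
"""

_DIRECTIVE = re.compile(
    r"^[ \t]*(SSLCACertificateFile|SSLVerifyClient)[ \t]+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_client_auth(conf_text):
    """Return (ca_file, verify_client) found in a config fragment."""
    seen = {name.lower(): value.strip('"')
            for name, value in _DIRECTIVE.findall(conf_text)}
    return (seen.get("sslcacertificatefile"),
            seen.get("sslverifyclient", "none").lower())


def ca_file_loads(path):
    """Load path as a CA bundle through OpenSSL; return (ok, reason)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as exc:   # readable, but no usable PEM certificate inside
        return False, "not a usable CA bundle: %s" % exc
    except OSError as exc:        # missing file, wrong permissions, ...
        return False, "cannot read file: %s" % exc
    return True, "loaded"


def diagnose(conf_text):
    """Map a config fragment to one of the outcomes named in the reply."""
    ca_file, verify = parse_client_auth(conf_text)
    if ca_file is None:
        return "no-ca-directive"
    ok, _reason = ca_file_loads(ca_file)
    if ok:
        return "ca-file-ok"
    # The directive alone makes startup depend on the file loading.
    return "remove-directive" if verify == "none" else "fix-ca-file"


if __name__ == "__main__":
    print(diagnose(SAMPLE_VHOST))
```

Run it as the user httpd starts as, so permission problems show up the same way. `SSLVerifyClient` set in an included file or a `<Directory>` block is not seen by this fragment parser.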

