Apache won't start when https/TLS is activated although it runs fine with only http. I made the changes previously suggested but now httpd just doesn't start.

The error from systemctl is:

-----
Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
-----

and a more useful error from the Apache error log is:

-----
[Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure permitted SSL ciphers
[Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error: error:0A0000B9:SSL routines::no cipher match
[Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
-----

I **think** this may be due to the fact that the default installation of Rocky has a lot of http config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite line.

ssl.conf (default install) has this:

#SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this configuration file.

Also included in the concatenation is the custom one for this server:

# SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
SSLCipherSuite TLSv1.3

The first line is copied from the old (current production) server and leads to a failure to start error in the syntax immediately but best practice suggests that the second line is what I want anyway. Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3 so not available to delete. The docs indicate that SSLCipherSuite is a per directory parameter and no conflict should be caused by it appearing in two different files.

So, I have two immediate questions:

1. I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64. Is this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?

2. Is there something that someone knows of by way of documentation that I haven't found yet?

Thanks for any assistance.

John
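
Added example, not part of the original message: the directive as posted beside the two-argument form that mod_ssl documents for TLSv1.3 suites. The suite list and the TLSv1.3-only SSLProtocol line are illustrative assumptions, not settings taken from the poster's server.

```apache
# mod_ssl syntax (httpd 2.4.36+ built against OpenSSL 1.1.1+):
#   SSLCipherSuite [protocol] cipher-spec
# protocol is "SSL" (the default: everything up to TLSv1.2) or "TLSv1.3".
# The directive takes one or two arguments, so the cipher-spec must be a
# single colon-separated token with no whitespace.

# As posted. With one argument, "TLSv1.3" is read as the cipher-spec for
# TLSv1.2 and below. OpenSSL has no cipher keyword of that name, the list
# comes out empty, and mod_ssl stops with AH01898 / "no cipher match".
#SSLCipherSuite TLSv1.3

# Two-argument form: protocol selector first, then TLSv1.3 suite names.
# (Illustrative choice of suites.)
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# One-argument form for TLSv1.2 and below, as shipped in the stock ssl.conf.
# PROFILE=SYSTEM is resolved by the distribution's system-wide crypto
# policy (see crypto-policies(7)), not by httpd itself.
SSLCipherSuite PROFILE=SYSTEM

# Protocol versions are restricted by SSLProtocol, not by SSLCipherSuite.
# (Assumption: the intent is TLSv1.3 only.)
SSLProtocol -all +TLSv1.3
```

The TLSv1.3 suites the installed OpenSSL build offers can be listed with `openssl ciphers -v -s -tls1_3`.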