Apache won't start when https/TLS is activated although it runs fine with only http. I made the
changes previously suggested but now httpd just doesn't start. The error from systemctl is:
-----
Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
-----
and a more useful error from the Apache error log is:
-----
[Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd
running as context system_u:system_r:httpd_t:s0
[Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism
enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure
permitted SSL ciphers
[Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error:
error:0A0000B9:SSL routines::no cipher match
[Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error
initialising mod_ssl, exiting.
AH00016: Configuration Failed
----
I **think** this may be due to the fact that the default installation of Rocky has a lot of http
config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite
line. ssl.conf (default install) has this:
#SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this
configuratiion file.
Also included in the concatenation is the custom one for this server:
# SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
SSLCipherSuite TLSv1.3
The first line is copied from the old (current production) server and leads to a failure to start
error in the syntax immediately but best practice suggests that the second line is what I want
anyway. Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3 so not available
to delete.
The docs indicate that SSLCipherSuite is a per directory parameter and no conflict should be caused
by it appearing in two different files.
So, I have two immediate questions:
1. I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64. Is
this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
2. Is there something that someone knows of by way of documentation that I haven't found yet?
Thanks for any assistance.
John
======
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|