I've just tried to start working with letsencrypt certificates on my Apache.

  1. Added the line letsencrypt=1 to my /usr/local/directadmin/conf/directadmin.conf
  2. Edited the line enable_ssl_sni=1 in my /usr/local/directadmin/conf/directadmin.conf
  3. Then:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
./build rewrite_confs

And I get this result, with an error:

Checking to ensure /etc/httpd/conf/ssl.crt/server.ca is set.
Using 193.107.90.129 for your server IP
Installation of ModSecurity Rule Set has been finished.
Restarting apache.
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

I have:

CentOS Linux release 7.7.1908 (Core)

Server version: Apache/2.4.25 (Unix)

OpenSSL 1.0.2k-fips

systemctl status httpd.service says

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-04-05 23:23:06 CEST; 2s ago
  Process: 24927 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 24926 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 24926 (code=exited, status=1/FAILURE)

Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: Starting The Apache HTTP Server...
Apr 05 23:23:06 vps.kustransport.kylos.net.pl httpd[24926]: AH00526: Syntax error on line 243 of /etc/httpd/conf/extra/httpd-ssl.conf:
Apr 05 23:23:06 vps.kustransport.kylos.net.pl httpd[24926]: Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 05 23:23:06 vps.kustransport.kylos.net.pl kill[24927]: kill: cannot find process ""
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: Failed to start The Apache HTTP Server.
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: Unit httpd.service entered failed state.
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service failed.

And journalctl -xe is pretty much the same, except for the last two lines:

-- Unit httpd.service has begun starting up.
Apr 05 23:24:06 vps.kustransport.kylos.net.pl httpd[25033]: AH00526: Syntax error on line 243 of /etc/httpd/conf/extra/httpd-ssl.conf:
Apr 05 23:24:06 vps.kustransport.kylos.net.pl httpd[25033]: Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Apr 05 23:24:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 05 23:24:06 vps.kustransport.kylos.net.pl kill[25034]: kill: cannot find process ""
Apr 05 23:24:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 05 23:24:06 vps.kustransport.kylos.net.pl systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed

The last two lines:

Apr 05 23:24:09 vps.kustransport.kylos.net.pl kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:52:54:00:22:de:69:08:00 SRC=193.107.89.52 DST=255.255.255.255 LEN=68 TOS=0x00 PRE
Apr 05 23:24:13 vps.kustransport.kylos.net.pl kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3c:af:2d:c5:00:d0:04:94:38:00:08:00 SRC=185.175.93.105 DST=193.107.90.129 LEN=40 TOS=0x00 PRE

The "bad" line in /etc/httpd/conf/extra/httpd-ssl.conf looks fine; it is:

SSLOpenSSLConfCmd DHParameters "/etc/httpd/conf/ssl.crt/dhparams.pem"

I've also found that in /etc/httpd/conf/extra/httpd-ssl.conf I have:

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "/var/www/html"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

And when I set ServerName to my domain, it changes back to what's above every time I do "./build update". However, when I change it manually and restart, the problem is the same.

Additionally, tail /var/log/httpd/error_log:

[Mon Apr 06 00:55:02.001888 2020] [ssl:warn] [pid 25965:tid 139892334979200] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Apr 06 00:55:02.002157 2020] [suexec:notice] [pid 25965:tid 139892334979200] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 00:55:02.002177 2020] [core:emerg] [pid 25965:tid 139892334979200] (28)No space left on device: AH00023: Couldn't create the rewrite-map mutex
AH00016: Configuration Failed
elon

  • The `SSLOpenSSLConfCmd` directive is available since [Apache 2.4.8](https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslopensslconfcmd). You probably don't have **mod_ssl** enabled and Apache2 stops on the first directive it does not understand. – Piotr P. Karwasz Apr 05 '20 at 22:31
  • After "httpd -t -D DUMP_MODULES | grep ssl" I get "ssl_module (static)" so I assume mod_ssl is there. How to check if it is enabled and how to enable it? – elon Apr 05 '20 at 22:50
  • You should tell how you installed apache httpd. Apparently it's not the one provided by CentOS7 (which is version 2.4.6). scl (centos-release-scl) provides an updated version of apache (you don't have this one either). – A.B Apr 06 '20 at 01:27
  • Did you notice that there is a `no space left` message left, right after suexec in the Apache error log? – Gerrit Apr 08 '20 at 10:48
  • Actually no. But df -h says that all is zero used but /dev/vda1, which is 93%. Could it be possible? – elon Apr 08 '20 at 23:01
  • Seems like a lack of IPC resources. Maybe try things on this page: https://support.plesk.com/hc/en-us/articles/213368389-Unable-to-start-Apache-28-No-space-left-on-device-AH00023-Couldn-t-create-the-mutex – Gerrit Apr 09 '20 at 14:29
  • As @Piotr P. Karwasz wrote, the `SSLOpenSSLConfCmd` directive is not supported on the httpd version that you have. So you can upgrade httpd to version 2.4.8 or later, or exclude that parameter from the configuration and place the DH parameters into the certificate file, `cat dhparams.pem >> certfile.pem`, as explained in this post [link](https://serverfault.com/questions/698093/invalid-command-sslopensslconfcmd-perhaps-misspelled-or-defined-by-a-module-n). – dexter Apr 14 '20 at 13:50
  • @dexter the OP uses version 2.4.25, we are just unsure about the compilation options (cf. A.B.'s comment). – Piotr P. Karwasz Apr 14 '20 at 13:57
  • Ok, have you tried the other option from my comment? Have you tried to put the DH parameters into the .pem file instead of the apache conf? – dexter Apr 14 '20 at 14:41
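The three checks the comments point at (whether this httpd is new enough for SSLOpenSSLConfCmd, whether ssl_module is actually loaded, and whether the "No space left on device" mutex error comes from exhausted SysV semaphores), as an added example that is not part of the original thread. It assumes the httpd binary is /usr/sbin/httpd as in the systemd unit above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): the three checks the comments point at,
# written over captured text so they can be tested offline, plus a live wrapper.
# Assumes the httpd binary is /usr/sbin/httpd, the path in the systemd unit above.
# version_ge A B: exit 0 when dotted version A >= B (each component compared as a number)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# supports_ssl_conf_cmd LINE: LINE is the "Server version:" line of `httpd -v`;
# the mod_ssl docs list SSLOpenSSLConfCmd as available from httpd 2.4.8
supports_ssl_conf_cmd() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] && version_ge "$ver" 2.4.8
}

# ssl_module_loaded DUMP: DUMP is the output of `httpd -t -D DUMP_MODULES`
ssl_module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^ *ssl_module \((static|shared)\)'
}

# sem_arrays_used IPCS OWNER: SysV semaphore arrays owned by OWNER in `ipcs -s`
# output (owner is the third column); each httpd mutex can take one array
sem_arrays_used() {
    printf '%s\n' "$1" | awk -v o="$2" '$3 == o { n++ } END { print n + 0 }'
}

# sem_limit SEM: SEM is the content of /proc/sys/kernel/sem; its fourth field
# (SEMMNI) caps the arrays system-wide, and hitting it gives "No space left on device"
sem_limit() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# diagnose_live: run the checks against this host (interactive use, not tested)
diagnose_live() {
    supports_ssl_conf_cmd "$(/usr/sbin/httpd -v | head -n 1)" \
        && echo "httpd >= 2.4.8: yes" || echo "httpd >= 2.4.8: no"
    ssl_module_loaded "$(/usr/sbin/httpd -t -D DUMP_MODULES 2>&1)" \
        && echo "ssl_module: loaded" || echo "ssl_module: not loaded"
    used=$(sem_arrays_used "$(ipcs -s)" apache)
    limit=$(sem_limit "$(cat /proc/sys/kernel/sem)")
    echo "semaphore arrays owned by apache: $used of $limit (SEMMNI)"
}
```

If the first two checks pass and httpd still rejects the directive, the remaining condition in the mod_ssl documentation (OpenSSL 1.0.2 or later) applies to the OpenSSL that mod_ssl was compiled against, not only the one installed on the box. When the semaphore count reaches SEMMNI, raise it through sysctl kernel.sem or remove arrays left behind by dead httpd processes before restarting.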

1 Answer

The parameter as described in the mod_ssl documentation seems to be supported in your httpd server's version and the SSL version:

Description:    Configure OpenSSL parameters through its SSL_CONF API
Syntax: SSLOpenSSLConfCmd command-name command-value
Context:    server config, virtual host
Status: Extension
Module: mod_ssl
Compatibility:  Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later

Ensure that mod_ssl is enabled by issuing:

a2enmod ssl

If the previous command gives an error, install the httpd ssl module:

yum install mod_ssl
AtomiX84
  • I believe a2enmod is a Debian command. But I did "rpm -qa | grep mod_ssl" and got nothing. So I believe it's not there. However, when running yum install mod_ssl I get "No package mod_ssl available.". Is there any open online repo with mod_ssl for my CentOS (centos-release-7-7.1908.0.el7.centos.x86_64)? – elon Apr 19 '20 at 22:24
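The workaround from dexter's comment above, as an added example that is not part of the thread or of the answer: append the DH parameters to the certificate file exactly once (mod_ssl picks up custom DH parameters placed after the certificate in the first SSLCertificateFile) and comment out the SSLOpenSSLConfCmd line so httpd no longer trips over it. File paths are passed as arguments; the function names and the .bak backup naming are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): the workaround from dexter's comment, made
# safe to re-run. mod_ssl reads custom DH parameters appended after the
# certificate in the first SSLCertificateFile, so SSLOpenSSLConfCmd is not needed.
# File paths are arguments; the thread's files live under /etc/httpd/conf/ssl.crt/.

DH_BEGIN='-----BEGIN DH PARAMETERS-----'
DH_END='-----END DH PARAMETERS-----'

# dh_block_count FILE: number of DH PARAMETERS blocks in FILE (0 when none)
dh_block_count() {
    grep -c "^$DH_BEGIN" "$1" || true
}

# append_dhparams CERT DHFILE: copy the DH block from DHFILE to the end of CERT
# exactly once; CERT is backed up first and left untouched on any failure
append_dhparams() {
    cert=$1; dhfile=$2
    if [ "$(dh_block_count "$dhfile")" -lt 1 ]; then
        echo "no DH PARAMETERS block in $dhfile" >&2; return 2
    fi
    # idempotent: a second run must not append a duplicate block
    if [ "$(dh_block_count "$cert")" -ge 1 ]; then
        return 0
    fi
    cp -p "$cert" "$cert.bak" || return 1
    # copy only the PEM block, never comments or stray text from the DH file
    sed -n "/^$DH_BEGIN/,/^$DH_END/p" "$dhfile" >> "$cert"
}

# conf_cmd_active CONF: exit 0 when CONF still has an active SSLOpenSSLConfCmd line
conf_cmd_active() {
    grep -q '^[[:space:]]*SSLOpenSSLConfCmd' "$1"
}

# disable_conf_cmd CONF: comment out every SSLOpenSSLConfCmd line in CONF
disable_conf_cmd() {
    cp -p "$1" "$1.bak" || return 1
    # rewriting through the shell keeps CONF's owner and mode
    sed 's/^\([[:space:]]*\)SSLOpenSSLConfCmd/\1#SSLOpenSSLConfCmd/' "$1.bak" > "$1"
}
```

Since ./build rewrite_confs regenerates httpd-ssl.conf, as the question notes, the directive change has to be made in the template custombuild generates the file from, or it is lost on the next rewrite.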