On 11.04.2014 14:27, Jeff Trawick wrote:
> Is it just this and the SSLPassPhraseDialog exec command-line parameter
> change? I dunno.
>
> ---------- Forwarded message ----------
> From: Jesse Defer <[email protected]>
> Date: Thu, Apr 10, 2014 at 4:34 PM
> Subject: [users@httpd] 2.4.9 expecting DH PARAMETERS
> To: "[email protected]" <[email protected]>
>
> When upgrading from 2.4.7 to 2.4.9 we found that the server complained
> about missing DH PARAMETERS in our certificate and would not start. Adding
> dhparams to it fixed it. After some troubleshooting we found that only
> systems that did not have SSLCertificateChainFile directives with the
> intermediate certificate exhibited this problem. Combining the server and
> intermediate certificates into the SSLCertificateFile also required adding
> dhparams.
>
> Errors:
>
> [Thu Apr 10 13:03:32.999467 2014] [ssl:emerg] [pid 27709] AH02562: Failed
> to configure certificate xxx:443:0 (with chain), check
> /usr/local/apache2/conf/xxx.crt
> [Thu Apr 10 13:03:32.999486 2014] [ssl:emerg] [pid 27709] SSL Library
> Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting:
> DH PARAMETERS) -- Bad file contents or format - or even just a forgotten
> SSLCertificateKeyFile?
> AH00016: Configuration Failed

The "Expecting: DH PARAMETERS" error is probably a red herring - it's most
likely a leftover in the OpenSSL error stack after the configuration of
another certificate (we try to load DH parameters at the end of
ssl_init_server_certs, which in turn is called from ssl_init_server_ctx).

Jesse, do you have multiple SSLCertificateFile directives, perhaps on both
the global and VirtualHost level? And looking at
/usr/local/apache2/conf/xxx.crt file, what are its contents when running
into the above error? Can you provide the output from
"egrep 'BEGIN|END' /usr/local/apache2/conf/xxx.crt"?

Kaspar
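
A stricter form of the `egrep 'BEGIN|END'` check requested above, as an added example that is not part of the original message or of httpd: it lists each PEM block in a file's text and reports boundary lines that are unpaired or do not start in the first column. The function names and the sample input are constructed for illustration.

```python
import re

# PEM encapsulation boundary, e.g. "-----BEGIN CERTIFICATE-----"
_BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----\s*$")

# Constructed sample: second certificate's BEGIN line has a leading space.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

def pem_inventory(text):
    """Return (blocks, problems); blocks are (label, first_line, last_line)."""
    blocks, problems, open_block = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _BOUNDARY.match(line)
        if not m:
            # Looks like a boundary but is not one a strict parser accepts.
            if "-----BEGIN" in line or "-----END" in line:
                problems.append(f"line {lineno}: malformed boundary line")
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_block:
                problems.append(f"line {lineno}: BEGIN {label} inside open {open_block[0]}")
            open_block = (label, lineno)
        else:
            if open_block and open_block[0] == label:
                blocks.append((label, open_block[1], lineno))
            else:
                problems.append(f"line {lineno}: END {label} without matching BEGIN")
            open_block = None
    if open_block:
        problems.append(f"line {open_block[1]}: BEGIN {open_block[0]} never closed")
    return blocks, problems

def summarize(text):
    """Condense the inventory into the facts relevant to this thread."""
    blocks, problems = pem_inventory(text)
    labels = [label for label, _, _ in blocks]
    return {"certificates": labels.count("CERTIFICATE"),
            "has_dh_params": "DH PARAMETERS" in labels,
            "has_private_key": any(l.endswith("PRIVATE KEY") for l in labels),
            "problems": problems}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```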
