I have the same problem on my server. I'm running mod_ssl-2.3.5-1.3.6.
(Additionally, mod_ssl-2.1.6-1.3.3 appears to have the same problem.) Whenever
I give the server a graceful restart request and have added a new certificate
or key the restart bombs with the "Ops, no RSA or DSA server certificate
found?!" error message from pkg.sslmod/ssl_engine_init.c function
ssl_init_GetCertAndKey() about line 550.

Here's what I think the problem is. The code in ssl_init_GetCertAndKey() just
grabs the certificate and key from the mc->tPrivateKey table. The only place
which adds to the mc->tPrivateKey table is the ssl_pphrase_Handle() function in
pkg.sslmod/ssl_engine_pphrase.c. And the only time ssl_pphrase_Handle() is
called is at the first initialization in ssl_init_Module() from
pkg.sslmod/ssl_engine_init.c. Therefore, when we do a graceful restart and add
new certificate and key files, they are not added to the mc->tPrivateKey table.
So, when ssl_init_GetCertAndKey() goes looking for the certificate/key it
bombs.

The solution would be to check for any new certificate and key files to be read
on the module initializations caused by graceful restarts. Of course, the
passphrase prompt would have to be disabled for this read, but that's not
really a problem.

The below problem report cites a setup with multiple VirtualHosts which are all
sharing the same key and certificate directives from the main server. So, one
might think that having read the key and certificate files once, there would be
no need to re-read them for new VirtualHosts. However, the mc->tPrivateKey
table is keyed by the name of the VirtualHost, not the certificate/key
filename, so the certificate can't be found.

I'll have some time to hack this on the fourth, so I'll attack it then.
Perhaps I can save you some time, Ralf, and get a fix working then. This bug
report is already a month old, so I don't think anyone is in a big rush.

 - David Harris
   Principal Engineer, DRH Internet Services
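To make the analysis in the reply above concrete, here is a constructed C model (added here, not mod_ssl's own code) of a key table keyed by VirtualHost name: the original-style lookup fails for a vhost renamed before a graceful restart, while a restart-time lookup reuses the entry already loaded from the same key file. The table name, function names and host names are illustrative assumptions, not identifiers from mod_ssl.

```c
#include <string.h>
/* Constructed model, not mod_ssl's code: keys cached in a table keyed by
 * VirtualHost name and filled only on the first initialisation, so a vhost
 * renamed before a graceful restart is not found even though it shares
 * the same key file (all.key) with every other vhost. */
#define MAX_ENTRIES 16

struct key_entry {
    const char *vhost;   /* table key: server name, e.g. "dom1.domain:443" */
    const char *keyfile; /* SSLCertificateKeyFile the key was read from */
};
static struct key_entry tPrivateKey[MAX_ENTRIES];
static int nentries;

/* First start (the role ssl_pphrase_Handle() plays): one entry per vhost.
 * Returns the number of entries loaded. */
int first_init(const char *vhosts[], int n, const char *keyfile) {
    nentries = 0;
    for (int i = 0; i < n && nentries < MAX_ENTRIES; i++) {
        tPrivateKey[nentries].vhost = vhosts[i];
        tPrivateKey[nentries].keyfile = keyfile;
        nentries++;
    }
    return nentries;
}

/* Original lookup: exact match on vhost name, else 0 (the logged error). */
int find_by_vhost(const char *vhost) {
    for (int i = 0; i < nentries; i++)
        if (strcmp(tPrivateKey[i].vhost, vhost) == 0)
            return 1;
    return 0;
}

/* Graceful-restart lookup in the spirit of the reply: a new vhost name whose
 * key file is already loaded reuses that entry; a genuinely new file returns
 * -1, i.e. a re-read with the passphrase prompt disabled would be needed. */
int find_on_graceful_restart(const char *vhost, const char *keyfile) {
    if (find_by_vhost(vhost))
        return 1;
    for (int i = 0; i < nentries && nentries < MAX_ENTRIES; i++) {
        if (strcmp(tPrivateKey[i].keyfile, keyfile) == 0) {
            tPrivateKey[nentries].vhost = vhost;
            tPrivateKey[nentries].keyfile = keyfile;
            nentries++;
            return 1;
        }
    }
    return -1;
}
```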


-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of [EMAIL PROTECTED]
Sent:   Monday, May 31, 1999 11:15 AM
To:     [EMAIL PROTECTED]
Cc:     [EMAIL PROTECTED]
Subject:        [BugDB] graceful restart and changing virtualhost domain (PR#183)

Full_Name: V. Burwitz
Version: 2.2.8
OS: Linux
Submission from: webcache1.hrz.tu-darmstadt.de (130.83.244.129)


I am running a machine with a lot of Virtual Hosts (150+),
every domain is using the same certificate (*.domain).
All the Virtual Hosts are running on subdomains (dom1.domain,
dom2.domain, ...).
When changing the domain name of one Virtual Host and restarting
Apache gracefully after the change it crashes with
the following error:

[Mon May 31 15:03:45 1999] [error] mod_ssl: Init: (test.thedomain.de:443) Ops,
can't find server certificate?!


In my httpd.conf file I have the following global configurations:

Listen <the IP>:80
Listen <the IP>:443
SSLCertificateFile    /usr/local/apache_1.3.6/etc/ssl.crt/all.crt
SSLCertificateKeyFile /usr/local/apache_1.3.6/etc/ssl.key/all.key
SSLPassPhraseDialog   exec:/usr/local/apache_1.3.6/etc/ssl.key/all-ssl-pass-phrase
SSLMutex    file:/usr/local/apache_1.3.6/var/run/ssl_mutex
SSLLog      /serv/data/http/apache_1.3.6/logs/ssl_engine_log
SSLLogLevel info


And for every Virtual Host I turn SSLEngine on.
Everything works fine when I stop Apache and start it after that
(sometimes I have to start Apache twice; the first time I get a
pid-file-related error message, but everything is ok with ALL the
pid-file settings).
/etc/rc.d/init.d/apache stop
/etc/rc.d/init.d/apache start

Doing the following from a script (running under root)
fails from time to time:
/etc/rc.d/init.d/apache stop;/etc/rc.d/init.d/apache stop

even

/etc/rc.d/init.d/apache stop;sleep 5;/etc/rc.d/init.d/apache start

hangs.

Doing graceful (the preferred thing) is also a problem.


I already asked this Question some time ago, I was told
that the problems would probably disappear with version 2.2.6 and
above (I am now using 2.2.8 with Apache 1.3.6) but the
problems are still present.


I know this is a very complex situation, especially because in the
first situation one easily thinks it's a configuration problem.
But everything works fine; just doing a restart or a stop/start
sequence creates a problem, and I have already compiled and configured
dozens of Apaches on all kinds of platforms.
Without mod_ssl the graceful restart is no problem.

Help is needed very urgently. Has anyone an idea, or is there a
bugfix?


V. Burwitz


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
