Bug#541607: apache2: fails to start because of SSL configuration changes
Thanks for the info.

On Saturday 05 September 2009, Julian Mehnle wrote:
> /etc/apache2/apache2.conf:NameVirtualHost *:80
> /etc/apache2/apache2.conf:NameVirtualHost *:443
> /etc/apache2/sites-enabled/00default:<VirtualHost *:80>
> /etc/apache2/sites-enabled/00default:SSLEngine off
> /etc/apache2/sites-enabled/00default:</VirtualHost>
> /etc/apache2/sites-enabled/00default:<VirtualHost *:443>
> /etc/apache2/sites-enabled/00default:SSLEngine on
> /etc/apache2/sites-enabled/00default:SSLCertificateFile /etc/ssl/certs/www.cer.pem
> /etc/apache2/sites-enabled/00default:SSLCertificateKeyFile /etc/ssl/private/www.cer+key.pem
> /etc/apache2/sites-enabled/00default:</VirtualHost>
> ...
> /etc/apache2/sites-enabled/SITE01.A:<VirtualHost *:80 *:443>
> /etc/apache2/sites-enabled/SITE01.A:</VirtualHost>

That's a rather interesting abuse of the apache configuration. I would not have thought that it worked, but I immediately see how it is useful. But I am pretty sure it only worked by accident.

You are relying on the fact that a virtual host inherits the SSL* settings from its corresponding default virtual host. There is nothing in the documentation that this is an intended behaviour. Virtual hosts should only inherit from the main server configuration. Now, since there is proper support for ssl name based virtual hosts since 2.2.12, this broke.

The fix would be to use something like this:

Put the contents of SITE01.A without the VirtualHost lines into some file outside of sites-enabled. Then in sites-enabled/SITE01.A, put something like:

    <VirtualHost *:80>
        Include /etc/apache2/sites-includes/SITE01.A
    </VirtualHost>
    <VirtualHost *:443>
        Include /etc/apache2/sites-includes/SITE01.A
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/www.cer.pem
        SSLCertificateKeyFile /etc/ssl/private/www.cer+key.pem
    </VirtualHost>

You will also need to add the SSL* directives to the other *:443 virtual hosts.

Can you try that?

Cheers,
Stefan
Bug#541607: apache2: fails to start because of SSL configuration changes
On Friday 04 September 2009, Stefan Fritsch wrote:
> egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' /etc/apache2/*conf* /etc/apache2/*enabled

One configuration where I see this error is with:

    NameVirtualHost *:443

and several *:443 virtual hosts, where one of them has sslengine on but is missing the sslcertificatefile/sslcertificatekeyfile. The grep above can help find such virtual hosts. Does this help for you?

BTW, for those needing to downgrade, I put old i386 builds at:

http://people.debian.org/~sf/2.2.11-6/

That version lacks some DoS security fixes, though.
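The check described in the message above and in Stefan's reply at the top of the thread (every *:443 virtual host needs its own SSLEngine on and SSLCertificateFile), written out as an added Python example that is not part of the thread or of the Debian package. The function names and the sample configuration are constructed for illustration, and the script assumes TLS virtual hosts are the ones listening on :443, as in the configuration posted here.

```python
import re

# Constructed sample modelled on the layout in this thread; not a real site's config.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.cer.pem
</VirtualHost>
<VirtualHost *:80 *:443>
    ServerName site01a.example
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
"""

OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]*)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
DIRECTIVE = re.compile(r"^\s*(SSLEngine|SSLCertificateFile)\s+(\S+)", re.I)

def check(addrs, seen):
    """Problems for one block. Assumes TLS addresses end in ':443'; key file not checked."""
    tls = [a for a in addrs if a.endswith(":443")]
    engine_on = seen.get("sslengine", "").lower() == "on"
    problems = []
    if tls and len(tls) != len(addrs):
        problems.append("mixes :443 with other addresses")
    if tls and not engine_on:
        problems.append("no SSLEngine on")
    if (tls or engine_on) and "sslcertificatefile" not in seen:
        problems.append("no SSLCertificateFile")
    return problems

def audit_vhosts(text):
    """Return [(line_number, addresses, problems)] for blocks with findings."""
    findings, block = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        opened, directive = OPEN.match(line), DIRECTIVE.match(line)
        if opened:
            block = (lineno, opened.group(1).split(), {})
        elif block and directive:
            block[2][directive.group(1).lower()] = directive.group(2)
        elif block and CLOSE.match(line):
            problems = check(block[1], block[2])
            if problems:
                findings.append((block[0], block[1], problems))
            block = None
    return findings
```

Commented-out lines are skipped because the patterns only match directives at the start of a line, and directives pulled in through Include are not followed, so included files need to be audited separately.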
Bug#541607: apache2: fails to start because of SSL configuration changes
Stefan Fritsch wrote:
> I can't reproduce that problem. Can one of you please provide some more detailed information about his configuration? The output of
>
> egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' /etc/apache2/*conf* /etc/apache2/*enabled
>
> would be nice.

I cannot disclose the set of web sites I'm hosting, so I have to mask some of the information, but I think the following should give you an idea of my configuration:

$ egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' /etc/apache2/*conf* /etc/apache2/*enabled
/etc/apache2/apache2.conf:NameVirtualHost *:80
/etc/apache2/apache2.conf:NameVirtualHost *:443
/etc/apache2/sites-enabled/00default:<VirtualHost *:80>
/etc/apache2/sites-enabled/00default:SSLEngine off
/etc/apache2/sites-enabled/00default:</VirtualHost>
/etc/apache2/sites-enabled/00default:<VirtualHost *:443>
/etc/apache2/sites-enabled/00default:SSLEngine on
/etc/apache2/sites-enabled/00default:SSLCertificateFile /etc/ssl/certs/www.cer.pem
/etc/apache2/sites-enabled/00default:SSLCertificateKeyFile /etc/ssl/private/www.cer+key.pem
/etc/apache2/sites-enabled/00default:</VirtualHost>
/etc/apache2/sites-enabled/SITE01:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE01:</VirtualHost>
/etc/apache2/sites-enabled/SITE01:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE01:</VirtualHost>
/etc/apache2/sites-enabled/SITE01:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE01:</VirtualHost>
/etc/apache2/sites-enabled/SITE01:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE01:</VirtualHost>
/etc/apache2/sites-enabled/SITE01.A:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE01.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE01.B:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE01.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE01.C:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE01.C:</VirtualHost>
/etc/apache2/sites-enabled/SITE01.D:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE01.D:</VirtualHost>
/etc/apache2/sites-enabled/SITE01.E:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE01.E:</VirtualHost>
/etc/apache2/sites-enabled/SITE02:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE02:</VirtualHost>
/etc/apache2/sites-enabled/SITE02:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE02:</VirtualHost>
/etc/apache2/sites-enabled/SITE02.A:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE02.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE02.B:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE02.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE02.B:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE02.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE02.C:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE02.C:</VirtualHost>
/etc/apache2/sites-enabled/SITE03:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE03:</VirtualHost>
/etc/apache2/sites-enabled/SITE03:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE03:</VirtualHost>
/etc/apache2/sites-enabled/SITE03.A:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE03.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE04:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE04:</VirtualHost>
/etc/apache2/sites-enabled/SITE04.A:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE04.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE04.B:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE04.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE04.C:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE04.C:</VirtualHost>
/etc/apache2/sites-enabled/SITE05:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05:</VirtualHost>
/etc/apache2/sites-enabled/SITE05:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE05:</VirtualHost>
/etc/apache2/sites-enabled/SITE05.A:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE05.A:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE05.B:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE05.B:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE05.C:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05.C:</VirtualHost>
/etc/apache2/sites-enabled/SITE05.C:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE05.C:</VirtualHost>
/etc/apache2/sites-enabled/SITE06:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE06:</VirtualHost>
/etc/apache2/sites-enabled/SITE06:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE06:</VirtualHost>
/etc/apache2/sites-enabled/SITE06.A:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE06.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE07:<VirtualHost *:80>
/etc/apache2/sites-enabled/SITE07:</VirtualHost>
/etc/apache2/sites-enabled/SITE07:<VirtualHost *:443>
/etc/apache2/sites-enabled/SITE07:</VirtualHost>
/etc/apache2/sites-enabled/SITE07.A:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE07.A:</VirtualHost>
/etc/apache2/sites-enabled/SITE07.B:<VirtualHost *:80 *:443>
/etc/apache2/sites-enabled/SITE07.B:</VirtualHost>
/etc/apache2/sites-enabled/SITE07.C:<VirtualHost *:80>
Bug#541607: apache2: fails to start because of SSL configuration changes
Hi,

On Friday 14 August 2009, Marc Dequènes (Duck) wrote:
> I just upgraded from 2.2.11-6 to 2.2.12-1, and my server failed to start with the following error:
> [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

I can't reproduce that problem. Can one of you please provide some more detailed information about his configuration? The output of

egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' /etc/apache2/*conf* /etc/apache2/*enabled

would be nice.

Cheers,
Stefan
Bug#541607: apache2: fails to start because of SSL configuration changes
I, too, can confirm this for 2.2.12-1. I wasted two hours trying to figure out if there was *some* way to adjust my configuration to make it work, to no avail. After all, I was forced to downgrade to 2.2.11, which I was using before. Luckily I still had the packages in my cache, or I would have been doomed, as snapshot.debian.net seems to carry only rather old versions of apache2 (2.2.8 or something).

Surprisingly, this issue seems to be unknown upstream, so I'm not sure if this actually occurs in upstream or is rather caused by one of the Debian specific patches in this package.
Bug#541607: apache2: fails to start because of SSL configuration changes
Hi,

Same problem here. I managed to get rid of it by declaring SSLCertificateFile and SSLCertificateKeyFile only once (I put it in ssl.conf) and having only SSLEngine on in all SSL vhosts configurations.

Looks like apache is more strict on configuration files now. So, it may not be a bug but it's really disturbing to have a working configuration failing that way after an upgrade.
Bug#541607: apache2: fails to start because of SSL configuration changes
Package: apache2
Version: 2.2.12-1
Severity: grave
Justification: apache2 with a (quite common) SSL configuration won't work

Coin,

I just upgraded from 2.2.11-6 to 2.2.12-1, and my server failed to start with the following error:

[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

This configuration is working (unchanged) since months without any problem, and all the SSL-aware vhosts have proper SSLCertificateFile-and-friends parameters. My SSL certificate is not expired and openssl verify is perfectly happy with it. There is no indication in NEWS.Debian of any important configuration change.

I tried to add SSL parameters from a working SSL vhost at the global configuration level, and the error disappeared, but the server still fails to start. Without any other error message, I then don't know what to do next to please this new version.

I reverted to 2.2.11-6 for the time being.

--
Marc Dequènes (Duck)