Author |
|
rks4sm
Joined: 28 Nov 2013 Posts: 17 Location: New Delhi
|
Posted: Wed 25 Jun '14 17:19 Post subject: updating apache from 2.4.6 to 2.4.9 breaks the openSSL |
|
|
Hi,
Last week I updated Apache from version 2.4.6 to 2.4.9 on a Win 2008, 64-bit server.
There was no OpenSSL and the update was successful.
Later I did the update in QA with OpenSSL
and again the update was successfully completed. Apache services were running fine and everything looked nice.
When I did the same update in PRD, where OpenSSL is also there, it failed to start the service.
Steps to update Apache from 2.4.6 to 2.4.9
----------------------------------------------
1> Stop the Apache services
2> Take a backup by copying the original Apache installation directory and renaming it (e.g. I:\Program Files (x86)\Apache Software Foundation\Apache2.2 to Apache2.2_old)
3> Unzip the latest binaries to the temp directory
4> Copy the following, apache\bin and apache\modules, to the Apache installation directory (I:\Program Files (x86)\Apache Software Foundation\Apache2.2)
5> Start the Apache service
----------------------------------------------------
QA and PRD both have OpenSSL enabled, but it was PRD where we got the issue, and the Apache services couldn't be started.
We have had to revert the change.
Find the error log in the Apache directory
--------------------------
[Tue Jun 24 21:12:12.665632 2014] [ssl:emerg] [pid 3336:tid 320] AH02561: Failed to configure certificate
RGWEB58V.brotherdc.eu:443:0, check G:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/server.crt
[Tue Jun 24 21:12:12.665632 2014] [ssl:emerg] [pid 3336:tid 320] SSL Library Error: error:0906D06C:PEM
routines:PEM_read_bio:no start line (Expecting: CERTIFICATE) -- Bad file contents or format - or even just a
forgotten SSLCertificateKeyFile?
[Tue Jun 24 21:12:12.665632 2014] [ssl:emerg] [pid 3336:tid 320] SSL Library Error: error:140AD009:SSL
routines:SSL_CTX_use_certificate_file:PEM lib
---------------------------------------
I read somewhere that there is a bug in 2.4.9, as this version breaks OpenSSL.
I also read on this forum that someone resolved the issue by changing the server certificate from DER to PEM.
Can you please help to resolve this issue?
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Wed 25 Jun '14 22:40 Post subject: |
|
|
Is it a typo, or why is the installation path I:\Program Files (x86)\Apache Software Foundation\Apache2.2... and your certificate path G:\Program Files (x86)\Apache Software Foundation\Apache2.2...?
Please check the paths!
|
rks4sm
Joined: 28 Nov 2013 Posts: 17 Location: New Delhi
|
Posted: Thu 26 Jun '14 11:59 Post subject: |
|
|
No, that is just because I and G are drives from two different systems.
That is perfectly fine.
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Sun 29 Jun '14 10:21 Post subject: |
|
|
Is your Apache installation in your production environment a copy of your QA system? If not, try that and check the paths.
Greets
JR
|
rks4sm
Joined: 28 Nov 2013 Posts: 17 Location: New Delhi
|
Posted: Wed 02 Jul '14 22:21 Post subject: |
|
|
Hi,
No, there are no path issues for the two different systems.
I just replaced bin and modules from the latest binaries in the Apache directory (G:\Program Files (x86)\Apache Software Foundation\Apache2.2) and restarted the Apache service.
But I couldn't start the Apache service.
|
timo
Joined: 03 Jun 2012 Posts: 45 Location: FI, EU
|
Posted: Thu 03 Jul '14 5:24 Post subject: |
|
|
Is SSLCertificateFile PEM-coded?
|
rks4sm
Joined: 28 Nov 2013 Posts: 17 Location: New Delhi
|
Posted: Thu 03 Jul '14 11:29 Post subject: |
|
|
Hi,
No, it's DER coded.
I tried to convert DER to PEM, but that did not work either.
See the error I saw during the issue:
----------------------------------------
[Wed Jul 02 21:14:21.509234 2014] [ssl:warn] [pid 2428:tid 320] AH01909: RSA certificate configured for abc.xyz.eu:443 does NOT include an ID which matches the server name
[Wed Jul 02 21:14:21.899237 2014] [ssl:warn] [pid 2428:tid 320] AH01909: RSA certificate configured for abc.xyz.eu:443 does NOT include an ID which matches the server name
--------------------------------------------
Is this warning trivial or related to my issue?
Thanks,
Rakesh
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
|