ShaneMeluck
Joined: 23 Nov 2006 Posts: 2 Location: Vernon, British Columbia
Posted: Thu 23 Nov '06 21:48 Post subject: Apache Service Won't Start after openSSL setup
Hello Everyone,
I am new to Apache and SSL (and Subversion). I managed to get the Apache 2.0.59 and the Subversion 1.4.2 working together (on Windows Server 2003 with IIS) utilizing the AuthType Basic and was quite happy with how it was working.
What I need now though is Windows Authentication so I followed the various steps posted on the internet regarding how to set up Apache with openSSL. I used the openssl-0.9.8d (copied the file as needed). I modified the httpd.conf by adding the mod_auth_sspi to the end of the load modules section and moved the mod_auth after that as many sites suggested:
...
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule auth_module modules/mod_auth.so
#end of Load Modules
then added the following to the end of the file
...
<Location /svn>
SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domain name>
SSPIOfferBasic On
DAV svn
SVNListParentPath on
SVNParentPath C:\svnroot
AuthType SSPI
AuthName "Subversion repositories"
#AuthUserFile passwd
#AuthzSVNAccessFile svnaccessfile
Require valid-user
</Location>
When I attempt to start the Apache service I get the following service error:
The Apache2 service terminated with service-specific error 1 (0x1)
There is no information in the Apache error log regarding this. No entry at all in fact.
So I am stumped as I can't seem to find any information on what the error was so it makes it difficult to troubleshoot. Has anyone had a similar experience who could shed some light on what is happening or point me in a direction to troubleshoot?
Much appreciated.
Shane

ShaneMeluck
Joined: 23 Nov 2006 Posts: 2 Location: Vernon, British Columbia
Posted: Thu 23 Nov '06 23:17 Post subject: Found the Problem
Hello everyone. Thanks for looking at the post.
I found the problem. Seems the IT department decided to change the DC for this machine without telling me. Once I changed that, the service started no problem.
Cheers.

CameronY
Joined: 16 Nov 2006 Posts: 13 Location: Brisbane, Australia
Posted: Fri 24 Nov '06 16:31 Post subject:
I too got this error this afternoon, attempting to install Apache 2.2.3/OpenSSL 0.9.8d/mod_ssl 2.2.3 using the ZIP (Win32) via the download page.
Being very new to all this stuff has now got me on a bit of an edge.
Uninstalled Apache 2.0.59 (MSI install) prior, then installed VC++ 2005 and the ZIP. Updated httpd.conf/httpd-ssl.conf/httpd-vhosts.conf, I did reconfigure the httpd.conf to find the ssl & vhosts conf's in the ~/conf/ directory. Performed a 'httpd -t' and came back "Syntax OK".
The only thing that I've done outside the norm is the installation directory ("C:\Program Files\Apache Group\Apache2.2.3"). When I installed the app I did 'httpd -k install -n "Apache2.2.3" ', then 'httpd -k start -n "Apache2.2.3" '.
In the System Event "The Apache2.2.3 service terminated with service-specific error 1 (0x1)."
I do get the following message while trying to find answers...
Code:
C:\Program Files\Apache Group\Apache2.2.3\bin>sc query Apache2.2.3
SERVICE_NAME: Apache2.2.3
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 1066 (0x42a)
SERVICE_EXIT_CODE : 1 (0x1)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
I'm absolutely stumped?
Are there any suggestions for a resolution or details as to the cause?
Cheers,
Cameron Young

tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Fri 24 Nov '06 17:15 Post subject:
CameronY,
Try starting Apache with:
Quote:
httpd -n "Apache2.2.3" -w -e debug -k start
This should display more detailed messages while Apache starts up.
FYI - the extra switches mean:
-w keep console window open on error (so you can inspect it)
-e debug show debug-level messages
Another thing you might try is starting Apache as a console application rather than as a Windows Service.
To do this, omit the -k start switch.
When Apache is running as a console application, you must type Ctrl-C in the console window to shut it down.
-tom-

CameronY
Joined: 16 Nov 2006 Posts: 13 Location: Brisbane, Australia
Posted: Fri 24 Nov '06 17:29 Post subject:
Many thanks tdonovan for the response.
Below was the resulting output. What exactly should I be trying to identify?
Code:
C:\Program Files\Apache Group\Apache2.2.3\bin>httpd -n "Apache2.2.3" -k install
Installing the Apache2.2.3 service
The Apache2.2.3 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.
C:\Program Files\Apache Group\Apache2.2.3\bin>httpd -n "Apache2.2.3" -w -e debug -k start
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module actions_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module alias_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module asis_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module auth_basic_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authn_default_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authn_file_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_default_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_groupfile_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_host_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module authz_user_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module autoindex_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module cgi_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module deflate_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module dir_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module env_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module imagemap_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module include_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module isapi_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module log_config_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module mime_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_connect_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_http_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module proxy_ftp_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module negotiation_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module rewrite_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module setenvif_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module userdir_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module vhost_alias_module
[Sat Nov 25 01:24:02 2006] [debug] mod_so.c(246): loaded module ssl_module
Still no success

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Fri 24 Nov '06 17:39 Post subject:
Is there a firewall? (including the Windows firewall!!!)
What happens when you try httpd -w -e debug? Any error in error.log? Any error in the Windows event log?

CameronY
Joined: 16 Nov 2006 Posts: 13 Location: Brisbane, Australia
Posted: Fri 24 Nov '06 17:47 Post subject:
Thanks again for the quick reply ...
Same output to the console.
Still nothing in the error.log.
No Windows Firewall on the server.
Gotta get some sleep ..... ZZzzzzz

tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Fri 24 Nov '06 20:14 Post subject:
It looks like it is indeed SSL which is causing your problems, since it only gets this far at startup.
Some suggestions:
1. Check your .conf files. extra\httpd-ssl.conf should contain these directives for Windows (along with many others):
Quote:
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLMutex default
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
where conf/server.crt and conf/server.key point to wherever you put your server's certificate and key files.
2. Check that the OpenSSL version 0.9.8d shareable libraries in your Apache \bin directory are the ones actually being used (the timestamps are US EDT timezone):
ssleay32.dll 09/28/2006 08:52p 196,608
libeay32.dll 09/28/2006 08:51p 1,028,096
An incorrect version of these libraries in your System32 directory could get loaded instead of the correct ones and cause problems.
3. In [Control Panel] [Administrative tools] [Services], open the [Properties] for your Apache service, click on the [Log On] tab, and enable "Allow service to interact with desktop". This may enable a dialog for your password if your key file was created to require one.
Hope this helps!
-tom-

CameronY
Joined: 16 Nov 2006 Posts: 13 Location: Brisbane, Australia
Posted: Sat 25 Nov '06 15:58 Post subject:
Thanks for the reply tdonovan.
In my httpd.conf I have the following...
Code:
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
Include conf/httpd-vhosts.conf
....
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
Include conf/httpd-ssl.conf
Just to keep the config files together. Also the last lines are ...
Code:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
In my httpd-ssl.conf I have the following...
Code:
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Group/Apache2.2.3/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "C:/Program Files/Apache Group/Apache2.2.3/logs/error.log"
TransferLog "C:/Program Files/Apache Group/Apache2.2.3/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Program Files/Apache Group/Apache2.2.3/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "C:/Program Files/Apache Group/Apache2.2.3/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
In my httpd-vhosts.conf I have the following (edited)...
Code:
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
####SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
NameVirtualHost 202.x.x.x:80
NameVirtualHost 202.x.x.x:443
#qa.sitename.com.au
<VirtualHost 202.x.x.x:80>
ServerAdmin webmaster@sitename.com.au
# DocumentRoot /dummy
ServerName qa.sitename.com.au
ErrorLog logs/qa.sitename.com.au/error.log
CustomLog logs/qa.sitename.com.au/access.log combined env=!image
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]
</VirtualHost>
#qa.sitename.com.au
<VirtualHost 202.x.x.x:443>
ServerAdmin webmaster@sitename.com.au
# DocumentRoot /dummy
ServerName qa.sitename.com.au
ErrorLog logs/qa.sitename.com.au/error.log
CustomLog logs/qa.sitename.com.au/access.log combined env=!image
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/qa.sitename.com.au.cert
SSLCertificateKeyFile conf/ssl/qa.sitename.com.au.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "c:/apache/cgi">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
ProxyPass / http://10.x.x.x:8008/
ProxyPassReverse / http://10.x.x.x:8008/
</VirtualHost>
The DLLs in the ~\bin\ directory are the correct files, and I have additionally copied them into the ~\system32\ directory for no reason other than I could.
The SSLCertificateFile and SSLCertificateKeyFile are not present in the httpd-ssl.conf as they are only referenced in the httpd-vhosts.conf. Is this a misinterpretation of how it should be?
I ask, as in our other installation Apache2.0.54, the ~\ssl.conf file has the following...
Code:
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
Yet neither file nor the ~\ssl.key\ directory exists. And no errors are reported in any of the error.log(s) relating to either. So I excluded them from the httpd-ssl.conf file.
Cheers & advanced thanks,
Cameron

tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Sat 25 Nov '06 18:53 Post subject:
re: "The SSLCertificateFile and SSLCertificateKeyFile are not present in the httpd-ssl.conf"
In general, you cannot use named virtual hosts (NameVirtualHost) with SSL.
This is because the sequence of events is:
1. A secure SSL connection is established from the browser to the server by IP address.
2. Establishing this connection uses the key and cert files.
3. The HTTP request headers arrive, encrypted via SSL.
4. These headers include the Host header.
5. The Host header is then used to select the appropriate virtual host by its ServerName.
Since it is impossible to know which host name will be in the Host header before establishing the secure connection,
the encryption key and cert must be located by Apache before the SSL connection is established.
This is true for all versions of Apache (...and for all other web servers...),
so it is a puzzle how Apache 2.0.54 ever worked for you if you relied on NameVirtualHost to select your key and cert!
Perhaps your virtual hosts were selected by IP address rather than by name with Apache 2.0.54?
This could work, since - unlike the Host header - the IP address and port number are known at the point the connection is established.
You would use <VirtualHost> without any <NameVirtualHost> directives to do this.
Check out the docs for <VirtualHost> and <NameVirtualHost> and Name-based Virtual Host Support. Admittedly, these docs can be a bit confusing.
It still isn't clear why this makes your Apache startup fail to report useful error messages, so it probably isn't your whole problem.
I suggest you diagnose this by starting with a simpler setup, with a single host and everything in httpd.conf and httpd-ssl.conf, just to get it working.
Then re-introduce any other virtual hosts (if you need them), your proxy to 10.x.x.x:8008, etc. one-by-one to see which causes the problem.
-tom-

CameronY
Joined: 16 Nov 2006 Posts: 13 Location: Brisbane, Australia
Posted: Sun 26 Nov '06 2:53 Post subject:
Cheers for the reply Tom.
I'll read up on the links you provided to see what and in which direction I shall take this.
We listen to traffic only from a LoadBalanced IP (202.x.x.x) ports 80 & 443. And the web servers are clustered. The server I'm currently trying to install is out of the cluster. Not that it should make much difference with the issue I'm working through.
You'll need to excuse me, my networking knowledge is pretty basic.

CameronY
Joined: 16 Nov 2006 Posts: 13 Location: Brisbane, Australia
Posted: Mon 27 Nov '06 3:57 Post subject: Issue Resolved...
Just an FYI about my success (joy!)
After reading the links you provided, I updated the httpd-ssl.conf's SSLCertificateFile and SSLCertificateKeyFile references to point to the same cert/key files used for the primary website of that declared as ServerName in httpd.conf.
Once that was done, attempted the install, then started Apache successfully. Did a test to the primary website (locally) as a http:// entry and it resolved to the https:// entry as expected.
Afterwards, created a shortcut for the ApacheMonitor.exe and bounced the box, all looking good.
Many thanks for your time, comments and patience Tom.
Still unable to see why our preexisting 2.0.54 version works without entries for SSLCertificateFile and SSLCertificateKeyFile references, but it won't be that way for too much longer.
Cheers,
Cameron Young
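
An added example, not written by anyone in this thread and not part of Apache: a small Python check for the condition that turned out to be the cause here, a <VirtualHost> with SSLEngine on and no SSLCertificateFile in scope. The sample text is constructed from the configuration quoted above, the function name is hypothetical, and it assumes all Include files have already been concatenated into one string.

```python
import re

# Constructed sample modelled on the configuration quoted in this thread:
# the _default_:443 host turns SSL on but names no certificate.
SAMPLE = """
SSLPassPhraseDialog builtin
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
<VirtualHost 202.x.x.x:80>
ServerName qa.sitename.com.au
</VirtualHost>
<VirtualHost 202.x.x.x:443>
SSLEngine on
SSLCertificateFile conf/ssl/qa.sitename.com.au.cert
SSLCertificateKeyFile conf/ssl/qa.sitename.com.au.key
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)

def ssl_hosts_without_cert(conf_text):
    """Hypothetical helper: list SSL-enabled vhosts with no SSLCertificateFile."""
    main, vhosts, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = {}
            vhosts.append((opened.group(1).strip(), current))
        elif CLOSE.match(line):
            current = None
        else:
            parts = line.split(None, 1)
            scope = main if current is None else current
            scope[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    missing = []
    for addr, directives in vhosts:
        # Directives set in the main server config are inherited by each vhost.
        merged = {**main, **directives}
        if merged.get("sslengine", "").lower() == "on" and "sslcertificatefile" not in merged:
            missing.append(addr)
    return missing


print(ssl_hosts_without_cert(SAMPLE))
```

Running a check like this alongside 'httpd -t' catches the case where the syntax test passes but an SSL host has no certificate to load at startup.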