AH00534: httpd: Configuration error: No MPM loaded

Hi All,

Have a nice day!

My domain is: av.gds.vn

I ran this command: certbot renew and certbot --apache -d av.gds.vn

It shows the following error:
Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

Please help me to check it :)

Thanks and best regards,

Trinh Minh Duc

Please show the output of:
apachectl -S

1 Like

Hi rg305,
Thanks for your help.
I ran "apachectl -S" but it doesn't show any results :(

1 Like

Try it with sudo:
sudo apachectl -S

Something has changed since your last cert issuance (on Sept 16).

  1. HTTP port 80 is now closed and that is required for HTTP authenticated renewals.
  2. Your current cert also contains the "www" name.

1 Like

I'm preeeetty sure (99 % sure) that a "No MPM loaded" error doesn't have anything to do with Let's Encrypt.

2 Likes

Hi rg305,

The result doesn't show anything with "sudo apachectl -S"

I still renew certificate normally since September 16.

  1. Port 80 is still open.
    [root@av ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
    Warning: ALREADY_ENABLED: 80:tcp
    success

Hi Osiris,

Thanks for your help.

Do you know the cause? :(

curl -v http://av.gds.vn/
*   Trying 113.52.35.27...
* TCP_NODELAY set
* connect to 113.52.35.27 port 80 failed: Connection refused
* Failed to connect to av.gds.vn port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to av.gds.vn port 80: Connection refused

Is there another firewall in front of your server?

1 Like

Please show all outputs:
sudo apachectl -S
find / -name apachectl
which apache2
apache2 -version

1 Like

I suspect this is a CentOS 7 or RHEL server, so this might work instead:

httpd -S

Does the file /etc/httpd/conf.modules.d/00-mpm.conf exist?

Is one of the LoadModule lines in it uncommented?

2 Likes
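The check asked for above (is exactly one `LoadModule mpm_*` line left uncommented?), as an added shell example that is not part of any poster's reply or of the Apache or Certbot projects. The function name `mpm_status` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# mpm_status [FILE...]: report which MPM modules are activated by uncommented
# LoadModule lines in the given Apache config files (stdin if none are given).
#   none               no active MPM line
#   ok:<module>        exactly one, the state the 00-mpm.conf comment asks for
#   conflict:<a>,<b>   more than one active MPM line
mpm_status() {
    awk '
        /^[ \t]*#/ { next }                        # commented-out line
        # Directive names are case-insensitive and may be indented.
        tolower($1) == "loadmodule" && $2 ~ /^mpm_[a-z]+_module$/ && !seen[$2]++ {
            list = (n++ ? list "," : "") $2
        }
        END {
            if (n == 0)      print "none"
            else if (n == 1) print "ok:" list
            else             print "conflict:" list
        }
    ' "$@"
}

# Constructed sample: every MPM line commented out, which leaves an httpd
# built with loadable MPMs without any MPM at startup.
MPM_SAMPLE_NONE='# Select the MPM module which should be used
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_event_module modules/mod_mpm_event.so'

printf '%s\n' "$MPM_SAMPLE_NONE" | mpm_status
```

Run it as `mpm_status /etc/httpd/conf.modules.d/*.conf`. It only inspects the files it is given; a separately installed httpd reads its own configuration tree, and `httpd -V` on that binary prints the HTTPD_ROOT and SERVER_CONFIG_FILE it was built with.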

Hi rg305, _az

In fact my server uses 2 versions of apache:

  1. Apache service I installed.
  2. My software has its own httpd (apache) service.
    I deleted the apache1 in recent installation.
    So the certbot standard renewal procedure may not work.

[root@av ~]# vi /etc/httpd/conf.modules.d/00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so

The MPM message is not the problem that is breaking your renewal.
Apache was running on port 443 only.
[now both 80 and 443 are not responding]

curl -v http://av.gds.vn/
*   Trying 113.52.35.27...
* TCP_NODELAY set
* connect to 113.52.35.27 port 80 failed: Connection refused
* Failed to connect to av.gds.vn port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to av.gds.vn port 80: Connection refused

curl -v https://av.gds.vn/
*   Trying 113.52.35.27...
* TCP_NODELAY set
* connect to 113.52.35.27 port 443 failed: Connection refused
* Failed to connect to av.gds.vn port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to av.gds.vn port 443: Connection refused

The problem is with your new configuration, which you haven't been able to show (yet).

1 Like

Yes, this is probably the issue.

Certbot's --apache plugin is designed only to work with the standard Apache installation that comes with your Linux distribution.

If you are using an externally built/installed Apache deployment, then you won't be able to use it.

Instead, you will need to use certbot certonly --webroot and then manually configure the resulting certificate in your custom Apache installation.

This looks fine to me, but that's assuming that you're using the standard Apache server, rather than your custom one.

2 Likes

Hi rg305,

Port 80 and port 443 are still open.

[root@av ~]# iptables-save | grep 443
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
[root@av ~]# iptables-save | grep 80
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

Despite that iptables output, it can't be reached "CONNECTIONS REFUSED":

curl -v http://av.gds.vn/
*   Trying 113.52.35.27...
* TCP_NODELAY set
* connect to 113.52.35.27 port 80 failed: Connection refused
* Failed to connect to av.gds.vn port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to av.gds.vn port 80: Connection refused

curl -v https://av.gds.vn/
*   Trying 113.52.35.27...
* TCP_NODELAY set
* connect to 113.52.35.27 port 443 failed: Connection refused
* Failed to connect to av.gds.vn port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to av.gds.vn port 443: Connection refused

Please show the output from:
curl -4 ifconfig.co

1 Like
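An ACCEPT rule only lets packets reach the host; "Connection refused" is what a client sees when the host then answers with a TCP reset, typically because no socket is listening on that address and port. The following added shell example (not from any poster in this thread) classifies `ss -ltn` output for a given IP and port; the function name `classify_listener` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# classify_listener IP PORT: reads `ss -ltn` output on stdin and reports whether
# a TCP listener would answer on IP:PORT.
#   listening            a socket is bound to the wildcard address or to IP itself
#   bound-elsewhere:A..  the port is bound, but only on other addresses (e.g. loopback)
#   no-listener          nothing is bound to the port; the kernel answers with RST,
#                        which the client reports as "Connection refused"
classify_listener() {
    awk -v ip="$1" -v port="$2" '
        $1 != "LISTEN" { next }                  # skips the header line too
        {
            n = split($4, part, ":")             # port follows the last colon
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            # Wildcard forms printed by different ss versions. Assumption: the
            # IPv6 wildcard also accepts IPv4 (Linux default, bindv6only=0).
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == ip) {
                hit = 1
            } else {
                other = other "," addr
            }
        }
        END {
            if (hit) print "listening"
            else if (other != "") print "bound-elsewhere:" substr(other, 2)
            else print "no-listener"
        }
    '
}

# Constructed sample of `ss -ltn` output: sshd and a loopback-only mail daemon,
# but no web server on 80 or 443.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      100    127.0.0.1:25        *:*
LISTEN 0      128    :::22               :::*'

printf '%s\n' "$SS_SAMPLE" | classify_listener 113.52.35.27 80
```

On the server itself, run `ss -ltn | classify_listener 113.52.35.27 443`. A result of `no-listener` points at the web server not running or not bound to that port, rather than at the firewall rule.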
[root@av ~]# curl -4 ifconfig.co
113.52.35.27

OK that's a good start.
Your external IP matches the DNS resolved IP.

Now show us the real IPs used:
ifconfig | grep -Ei 'add|inet'

1 Like

[root@av ~]# ifconfig | grep -Ei 'add|inet'
        inet 113.52.35.27  netmask 255.255.255.0  broadcast 113.52.35.255
        inet6 fe80::1cd1:bb08:1a13:27a3  prefixlen 64  scopeid 0x20<link>
        inet 192.168.242.53  netmask 255.255.255.0  broadcast 192.168.242.255
        inet6 fe80::250:56ff:fe8e:f845  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>

OK this is also good news.

Now we need to see:

apachectl -S
    or
httpd -S

[whichever is used by your new Apache software]

1 Like