Certbot - Custom MPM Stanza in Apache Configs on RHEL7 Means Certbot Apache Plugin Isn't Working

waynel · May 22, 2017, 9:59am

Hello world !!!

Maybe I am too dumb, but I cannot get this thing to work on a RHEL7 server.
It uses httpd with the connected diretory structure which is different from apache2.
When I try sudo certbot --apache --apache-server-root /etc/httpd/conf --apache-vhost-root /etc/httpd/conf -vv --apache-le-vhost-ext ''
I get

Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded

Manually running apachectl configtest gives me Syntax OK

I think I need to use the --apache-enmod switch, but there is not equivalent to RHEL´s httpd.

Is there any solution for this ?

TIA

wayne

ahaw021 · May 22, 2017, 12:15pm

Hi @waynel

I would suggest writing your own script and using HOOKs to complete the challenges (instead of the Apache Plugin).

Andrei

waynel · May 22, 2017, 12:18pm

Maybe some more information my help :

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/XYZ.com/fullchain.pem. Your cert will expire on 2017-08-20. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew"
Deploying Certificate to VirtualHost /etc/httpd/conf/XYZ.com.conf
Apache version is 2.4.6
Creating backup of /etc/httpd/conf/httpd.conf
Creating backup of /etc/httpd/conf/XYZ.com.conf
Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 399, in deploy_certificate
self.installer.restart()
File "/usr/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1657, in restart
self.config_test()
File "/usr/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1680, in config_test
raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

Calling registered functions
Rolling back to previous server configuration...
Reporting to user: We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==0.12.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 896, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 613, in run
_install_cert(config, le_client, domains, new_lineage)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 478, in _install_cert
path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 399, in deploy_certificate
self.installer.restart()
File "/usr/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1657, in restart
self.config_test()
File "/usr/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1680, in config_test
raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

IMPORTANT NOTES:

We were unable to install your certificate, however, we
successfully restored your server to its prior configuration.

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/XYZ.com/fullchain.pem. Your cert will
expire on 2017-08-20. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew all of your
certificates, run "certbot renew"

This is what I get after selecting the domain to update.

waynel · May 22, 2017, 12:21pm

Hi Andrei,

I do not know exactly how to do that, but I will
take a look.

Thank you.

ahaw021 · May 22, 2017, 12:33pm

Hi @waynel

This is what I expect is happening

your apache configuration file needs an extra stanza for MPM configurations (reading on the redhat documentation https://access.redhat.com/solutions/94773)

When certbot builds it’s apahce configuration file (pointing to the new certificates) it doesn’t include the MPM configs

This means apache can’t be started and certbot rolls back to a previously good state (your original config)

There are 2 ways I can think of fixing this

A) Update your existing Apache configuration file to point to the certificates in the etc/letesecypt/live folder and use the webroot plugin: https://certbot.eff.org/docs/using.html#webroot
B) Create a custom hook that manages the configuration for you

Overall I think using webroot plugin with apache is the path of less resistance

@schoen @sahsanu @mnordhoff - your linux and apache are bettern than mine - any other suggestions?

Andrei

sahsanu · May 22, 2017, 1:11pm

@waynel and @ahaw021, I’ve just installed a fresh RHEL 7.3 to test this issue:

I’ve apache (httpd) from the DVD (I’ve no subscription to RH repos).

yum install httpd

I’ve enabled httpd and started it.

systemctl enable httpd
systemctl start httpd

I’ve created a conf file inside /etc/httpd/conf.d/

cat /etc/httpd/conf.d/test.conf
<VirtualHost *:80>
  ServerAdmin webmaster@27a.net
  DocumentRoot /tmp
  ServerName test.example.com
  ErrorLog /tmp/test.example.com.error.log
  CustomLog /tmp/test.example.com.access.log combined
  <Directory "/tmp">
    Options Indexes Includes FollowSymLinks ExecCGI
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Reload httpd.

systemctl reload httpd

Just in case this is useful to you, this is my apache version:

apachectl -V
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built:   Aug  3 2016 08:33:27
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

I don’t know where you get the certbot package but I like the certbot-auto so I installed it.

mkdir /root/certbot
cd /root/certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --apache
[Here it will install several packages and their dependencies]
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: test.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

So, I don’t need to use any other option to specify the apache root server… if your virtualhost conf is in /etc/httpd/conf instead of /etc/httpd/conf.d you need to provide the option --apache-vhost-root /etc/httpd/conf.

Just in case there is some issue with sudo, I tested it too giving the right perms to /root/certbot dir and /root/certbot/certbot-auto executable and launched the command with another user and sudo.

sudo /root/certbot/certbot-auto --apache

and it worked without issues.

My advice, try the last certbot-auto version.

Cheers,
sahsanu

waynel · May 22, 2017, 1:55pm

Hi sahsanu,

just did what you described, but it still does not work :

./certbot-auto certonly --apache  --apache-vhost-root /etc/httpd/conf/ --apache-server-root /etc/httpd/conf/
Requesting root privileges to run certbot...
  /home/r00t/.local/share/letsencrypt/bin/letsencrypt certonly --apache --apache-vhost-root /etc/httpd/conf/ --apache-server-root /etc/httpd/conf/
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: XYZ.com
2: www.XYZ.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.XYZ.com.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.XYZ.com
Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

Cleaning up challenges
Error while running apachectl graceful.

Job for httpd.service invalid.

Encountered exception during recovery
Error while running apachectl graceful.

Job for httpd.service invalid.
Traceback (most recent call last):
  File "/home/r00t/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/home/r00t/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/home/r00t/.local/share/letsencrypt/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1908, in cleanup
    self.restart()
  File "/home/r00t/.local/share/letsencrypt/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1797, in restart
    self._reload()
  File "/home/r00t/.local/share/letsencrypt/lib/python2.7/site-packages/certbot_apache/configurator.py", line 1808, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apachectl graceful.

Job for httpd.service invalid.

Error while running apachectl configtest.

AH00534: httpd: Configuration error: No MPM loaded.

When I look at httpd -V, it looks like MPM is loaded, and now there are new messages
Error while running apachectl graceful.
Job for httpd.service invalid.

httpd -V
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Mar 8 2017 05:09:47
Server’s Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with…
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
-D DEFAULT_SCOREBOARD=“logs/apache_runtime_status”
-D DEFAULT_ERRORLOG=“logs/error_log”
-D AP_TYPES_CONFIG_FILE=“conf/mime.types”
-D SERVER_CONFIG_FILE=“conf/httpd.conf”

sahsanu · May 22, 2017, 2:20pm

@waynel, could you please show me the output of these commands?:

grep -Ei '^Include' /etc/httpd/conf/httpd.conf

grep -Ei '^[a-z]' /etc/httpd/conf.modules.d/00-mpm.conf

grep -Ei '^[a-z]' /etc/httpd/conf.modules.d/00-ssl.conf

waynel · May 22, 2017, 2:39pm

Include conf.modules.d/*.conf
Include conf.d/*.conf

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

LoadModule ssl_module modules/mod_ssl.so

a-z ↩︎
a-z ↩︎

sahsanu · May 22, 2017, 2:44pm

@waynel, finally I was able to reproduce the error AH00534: httpd: Configuration error: No MPM loaded. The reason is because your have left your virtualhost conf inside /etc/httpd/conf/ instead of /etc/httpd/conf.d/ so the virtual host conf is loaded BEFORE the modules and it needs to be loaded AFTER the modules.

To solve the problem, move you virtualhost conf files from conf to conf.d, reload your apache and it will work, you don’t need to specify the other apache options for certbot-auto, just this command:

./certbot-auto --apache

Good luck,
sahsanu

waynel · May 22, 2017, 3:28pm

Looks much better now.
Thank you sahsanu

system · June 21, 2017, 3:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.