HTTPD won't start after Amazon Linux Update

jeffreylazo · May 19, 2018, 1:25am

I recently did security updates and I can’t seem to launch HTTPD services after these updates were completed:

I get this error in the log:
[Sat May 19 01:16:24.719582 2018] [ssl:emerg] [pid 3262] AH02572: Failed to configure at least one certificate a$
[Sat May 19 01:16:24.719635 2018] [ssl:emerg] [pid 3262] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_$
[Sat May 19 01:16:24.719640 2018] [ssl:emerg] [pid 3262] AH02311: Fatal error initialising mod_ssl, exiting. See$
AH00016: Configuration Failed

Everything worked fine included auto renews prior to updating. I am just not sure where to start to fix the issue. For the time being I have rolled by the server to a state before the updates. I am testing on another server.

These are the updates that ran:

Installing:

httpd24 x86_64 2.4.33-2.78.amzn1 amzn-updates 1.5 M
httpd24-tools x86_64 2.4.33-2.78.amzn1 amzn-updates 96 k

mod24_ssl x86_64 1:2.4.33-2.78.amzn1 amzn-updates 124 k

openssl x86_64 1:1.0.2k-12.109.amzn1 amzn-updates 1.8 M
openssl-devel x86_64 1:1.0.2k-12.109.amzn1 amzn-updates 1.6 M

rg305 · May 19, 2018, 1:33am

Several things were updated that might come into play...
My money is on the mod24_ssl update.

Maybe you can try installing them one at a time until it breaks?

_az · May 19, 2018, 1:39am

It looks like these errors are truncated. Can you post the full lines?

From previous experience working with EL distros, it is possible that the package upgrades may have overwritten your conf files back to the package defaults. I don't really remember what the exact behavior is but it's bitten me before.

Can you check:

apachectl -t
grep -REi "(sslcertificatefile|sslcertificatekeyfile)" /etc/httpd

jeffreylazo · May 19, 2018, 1:55am

I am currently going through them one by one. So far the httpd24 broke it.

rg305 · May 19, 2018, 1:57am

@_az makes a lot of sense.
Backup all your conf files then restore them after the update.

jeffreylazo · May 19, 2018, 2:01am

mod24_ssl
httpd24

Both kill it.

rg305 · May 19, 2018, 2:19am

hmm…
There may be more to it that just conf file restores.
But have you tried that yet?

jeffreylazo · May 19, 2018, 2:24am

Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile

rg305 · May 19, 2018, 2:26am

Does that file ("/etc/httpd/conf.d/ssl.conf") remain that way after the updates?

jeffreylazo · May 19, 2018, 2:27am

Yes, from what I can see that file stays exactly the same.

rg305 · May 19, 2018, 2:29am

Or does this yield more results after the update?
grep -REi “(sslcertificatefile|sslcertificatekeyfile)” /etc/httpd

jeffreylazo · May 19, 2018, 2:30am

Should I run all of the updates, then compare the ssl.conf file?

httpd24
mod24_ssl
openssl

jeffreylazo · May 19, 2018, 2:40am

After all updates:

[root@ip-172-31-34-93 ec2-user]# grep -REi "(sslcertificatefile|sslcertificatekeyfile)" /etc/httpd
Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf.rpmnew:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf.rpmnew:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf.rpmnew:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf.rpmnew:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile

rg305 · May 19, 2018, 2:41am

Try moving that new file out.

jeffreylazo · May 19, 2018, 2:42am

just delete it? or move it from the DIR

rg305 · May 19, 2018, 2:42am

It should be safe to delete.

jeffreylazo · May 19, 2018, 2:45am

ok, moved:

Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile

Error from log:

[Sat May 19 02:42:53.482749 2018] [ssl:emerg] [pid 8508] AH02572: Failed to configure at least one certificate and key for blog.ohanacruises.com:80
[Sat May 19 02:42:53.482804 2018] [ssl:emerg] [pid 8508] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sat May 19 02:42:53.482809 2018] [ssl:emerg] [pid 8508] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/error_log for more information
AH00016: Configuration Failed

rg305 · May 19, 2018, 2:46am

Show:
ls -l /etc/letsencrypt/live/blog.ohanacruises.com/
ls -l /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem

jeffreylazo · May 19, 2018, 2:46am

lrwxrwxrwx 1 root root 45 Mar 4 18:00 cert.pem -> ../../archive/blog.ohanacruises.com/cert3.pem
lrwxrwxrwx 1 root root 46 Mar 4 18:00 chain.pem -> ../../archive/blog.ohanacruises.com/chain3.pem
lrwxrwxrwx 1 root root 50 Mar 4 18:00 fullchain.pem -> ../../archive/blog.ohanacruises.com/fullchain3.pem
lrwxrwxrwx 1 root root 48 Mar 4 18:00 privkey.pem -> ../../archive/blog.ohanacruises.com/privkey3.pem
-rw-r--r-- 1 root root 543 Oct 28 2017 README

jeffreylazo · May 19, 2018, 2:47am

lrwxrwxrwx 1 root root 48 Mar 4 18:00 /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem -> ../../archive/blog.ohanacruises.com/privkey3.pem