HTTPD won't start after Amazon Linux Update


#1

I recently did security updates and I can’t seem to launch HTTPD services after these updates were completed:

I get this error in the log:
[Sat May 19 01:16:24.719582 2018] [ssl:emerg] [pid 3262] AH02572: Failed to configure at least one certificate a$
[Sat May 19 01:16:24.719635 2018] [ssl:emerg] [pid 3262] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_$
[Sat May 19 01:16:24.719640 2018] [ssl:emerg] [pid 3262] AH02311: Fatal error initialising mod_ssl, exiting. See$
AH00016: Configuration Failed

Everything worked fine included auto renews prior to updating. I am just not sure where to start to fix the issue. For the time being I have rolled by the server to a state before the updates. I am testing on another server.

These are the updates that ran:

Installing:

httpd24 x86_64 2.4.33-2.78.amzn1 amzn-updates 1.5 M
httpd24-tools x86_64 2.4.33-2.78.amzn1 amzn-updates 96 k

mod24_ssl x86_64 1:2.4.33-2.78.amzn1 amzn-updates 124 k

openssl x86_64 1:1.0.2k-12.109.amzn1 amzn-updates 1.8 M
openssl-devel x86_64 1:1.0.2k-12.109.amzn1 amzn-updates 1.6 M


#2

Several things were updated that might come into play…
My money is on the mod24_ssl update.

Maybe you can try installing them one at a time until it breaks?


#3

It looks like these errors are truncated. Can you post the full lines?

From previous experience working with EL distros, it is possible that the package upgrades may have overwritten your conf files back to the package defaults. I don’t really remember what the exact behavior is but it’s bitten me before.

Can you check:

apachectl -t
grep -REi "(sslcertificatefile|sslcertificatekeyfile)" /etc/httpd

#4

I am currently going through them one by one. So far the httpd24 broke it.


#5

@_az makes a lot of sense.
Backup all your conf files then restore them after the update.


#6

mod24_ssl
httpd24

Both kill it.


#7

hmm…
There may be more to it that just conf file restores.
But have you tried that yet?


#8

Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile


#9

Does that file ("/etc/httpd/conf.d/ssl.conf") remain that way after the updates?


#10

Yes, from what I can see that file stays exactly the same.


#11

Or does this yield more results after the update?
grep -REi “(sslcertificatefile|sslcertificatekeyfile)” /etc/httpd


#12

Should I run all of the updates, then compare the ssl.conf file?

httpd24
mod24_ssl
openssl


#13

After all updates:

[root@ip-172-31-34-93 ec2-user]# grep -REi “(sslcertificatefile|sslcertificatekeyfile)” /etc/httpd
Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf.rpmnew:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf.rpmnew:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf.rpmnew:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf.rpmnew:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile


#14

Try moving that new file out.


#15

just delete it? or move it from the DIR


#16

It should be safe to delete.


#17

ok, moved:

Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile

Error from log:

[Sat May 19 02:42:53.482749 2018] [ssl:emerg] [pid 8508] AH02572: Failed to configure at least one certificate and key for blog.ohanacruises.com:80
[Sat May 19 02:42:53.482804 2018] [ssl:emerg] [pid 8508] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sat May 19 02:42:53.482809 2018] [ssl:emerg] [pid 8508] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/error_log for more information
AH00016: Configuration Failed


#18

Show:
ls -l /etc/letsencrypt/live/blog.ohanacruises.com/
ls -l /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem


#19

lrwxrwxrwx 1 root root 45 Mar 4 18:00 cert.pem -> …/…/archive/blog.ohanacruises.com/cert3.pem
lrwxrwxrwx 1 root root 46 Mar 4 18:00 chain.pem -> …/…/archive/blog.ohanacruises.com/chain3.pem
lrwxrwxrwx 1 root root 50 Mar 4 18:00 fullchain.pem -> …/…/archive/blog.ohanacruises.com/fullchain3.pem
lrwxrwxrwx 1 root root 48 Mar 4 18:00 privkey.pem -> …/…/archive/blog.ohanacruises.com/privkey3.pem
-rw-r–r-- 1 root root 543 Oct 28 2017 README


#20

lrwxrwxrwx 1 root root 48 Mar 4 18:00 /etc/letsencrypt/live/blog.ohanacruises.com/privkey.pem -> …/…/archive/blog.ohanacruises.com/privkey3.pem