HTTPD won't start after Amazon Linux Update

That says port 80 !?!?!?!

Why does a port 80 virtual host have SSL enabled? :confused:

I have a port 80 entry in the virtual hosts of httpd.conf; removing that now.

Ok, I removed that port 80 reference, but it still seems to be reporting the same error in the log. I do have 4 other virtual hosts that are on port 80, with no SSL set up or required.

Starting httpd: AH00526: Syntax error on line 103 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem’ does not exist or is empty

I can’t seem to find where there is still a reference to blog.ohanacruises.com:80

Where else should I look other than the httpd.conf file?

You can run this to get a list of virtual hosts and where they're located:

apachectl -S

Nonetheless, the real error appears to have been revealed:

What's this show?

ls -laH /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem

*:80 is a NameVirtualHost
default server thelazofamily.com (/etc/httpd/conf/httpd.conf:354)
port 80 namevhost thelazofamily.com (/etc/httpd/conf/httpd.conf:354)
port 80 namevhost randyandjoaniehurst.com (/etc/httpd/conf/httpd.conf:362)
port 80 namevhost photos.thelazofamily.com (/etc/httpd/conf/httpd.conf:370)
*:443 is a NameVirtualHost
default server ip-172-31-34-93.ec2.internal (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost ip-172-31-34-93.ec2.internal (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost blog.ohanacruises.com (/etc/httpd/conf/httpd.conf:378)

-rw-r--r-- 1 root root 3461 Mar 4 18:00 /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem

I don’t know how that error could be happening; the certificate file clearly exists. Do you have SELinux enabled?

sestatus
grep letsencrypt /var/log/audit/audit.log

SELinux status: disabled
[root@ip-172-31-34-93 conf]# grep letsencrypt /var/log/audit/audit.log
type=USER_CMD msg=audit(1526690066.987:119): pid=3263 uid=0 auid=500 ses=1 msg='cwd="/etc/letsencrypt/live/blog.ohanacruises.com" cmd=79756D20757064617465 terminal=pts/0 res=success'
type=USER_CMD msg=audit(1526690126.399:130): pid=3280 uid=0 auid=500 ses=1 msg='cwd="/etc/letsencrypt/live/blog.ohanacruises.com" cmd="upgrade" terminal=pts/0 res=failed'
type=USER_CMD msg=audit(1526693594.824:370): pid=3511 uid=0 auid=500 ses=1 msg='cwd="/etc/letsencrypt/live/blog.ohanacruises.com" cmd=79756D20757064617465 terminal=pts/0 res=success'
type=USER_CMD msg=audit(1526694442.986:432): pid=5201 uid=0 auid=500 ses=1 msg='cwd="/etc/letsencrypt/live/blog.ohanacruises.com" cmd="reboot" terminal=pts/0 res=success'
[root@ip-172-31-34-93 conf]#

Very strange: now when I revert to a snapshot from BEFORE the updates, I am getting the same error. Could something be wrong with the certificate?

Starting httpd: AH00526: Syntax error on line 103 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem’ does not exist or is empty

You can check if the certificate file is valid with:

openssl x509 -in /etc/letsencrypt/live/blog.ohanacruises.com/fullchain.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:50:79:b7:e7:c5:22:de:9f:45:d9:75:6e:f9:6d:07:3f:9c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 4 17:00:14 2018 GMT
            Not After : Jun 2 17:00:14 2018 GMT
        Subject: CN=blog.ohanacruises.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                97:8F:67:70:3A:A1:B0:39:09:DF:52:78:D9:24:F1:B4:5F:E2:94:A2
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:blog.ohanacruises.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    Signature Algorithm: sha256WithRSAEncryption

Looks valid from what I can see.

It might be good to check

  • are you running the web server inside a container or jail?
  • are you running the web server as a user that can’t read that file?
  • are you using a security system like SELinux that sometimes controls which processes can read or access particular files?
  • is there any hidden character in the web server configuration that means that the configuration doesn’t point at the exact file that you expect?
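As an added example that is not part of the thread, the following POSIX shell function runs the checks in this list against every SSLCertificateFile-style directive of a config file: it flags hidden characters in the directive, a path that does not resolve (including a dangling /etc/letsencrypt/live symlink), an empty file, and a file the web-server user cannot read. The `apache` user name and the `su -s /bin/sh` readability probe are assumptions.

```shell
# Added example (not from the thread): audit the SSLCertificate*File directives
# of an Apache config for the causes of "file does not exist or is empty" listed
# above: an unresolvable path (e.g. a dangling /etc/letsencrypt/live symlink), an
# empty file, a file the web-server user cannot read, or hidden characters.
# Usage: check_cert_paths CONFIG_FILE [HTTPD_USER]   (HTTPD_USER defaults to apache)

# Readability as the web-server user when we are root and that user exists (-s: the
# apache login shell is usually nologin); otherwise approximate with the current user.
can_read_as() {
    if [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1; then
        su -s /bin/sh "$1" -c "test -r '$2'"
    else
        [ -r "$2" ]
    fi
}

check_cert_paths() {
    conf=$1 httpd_user=${2:-apache} problems=0
    # read splits each line into directive, path and anything trailing.
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile) ;;
            *) continue ;;      # blank lines, comments, other directives
        esac
        # 1. Hidden characters: anything outside printable ASCII (a CR left by a
        #    Windows editor, a non-breaking space, ...) silently changes the path.
        if [ -n "$(printf '%s' "$directive$path$rest" | LC_ALL=C tr -d '[:print:]')" ]; then
            printf 'HIDDEN-CHARS: %s\n' "$(printf '%s %s %s' "$directive" "$path" "$rest" | LC_ALL=C tr -c '[:print:]' '?')"
            problems=$((problems + 1)); continue
        fi
        path=${path#\"}; path=${path%\"}    # strip surrounding double quotes
        # 2. Existence: -e follows symlinks, so a certbot live/ link whose
        #    archive/ target is gone is reported as a dangling symlink.
        if [ ! -e "$path" ]; then
            if [ -L "$path" ]; then
                printf 'MISSING: %s -> %s (dangling symlink)\n' "$path" "$(readlink "$path")"
            else
                printf 'MISSING: %s\n' "$path"
            fi; problems=$((problems + 1))
        elif [ ! -s "$path" ]; then          # 3. zero-length file
            printf 'EMPTY: %s\n' "$path"; problems=$((problems + 1))
        elif ! can_read_as "$httpd_user" "$path"; then   # 4. permissions
            printf 'UNREADABLE by %s: %s\n' "$httpd_user" "$path"; problems=$((problems + 1))
        else
            printf 'OK: %s\n' "$path"
        fi
    done < "$conf"
    return "$problems"     # number of bad directives; 0 means all checks passed
}
```

Run it as `check_cert_paths /etc/httpd/conf.d/ssl.conf apache` (and again against httpd.conf) to cover every file `apachectl -S` lists; a non-zero return value is the count of directives that would make httpd refuse to start.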
