Today I came across a very annoying problem which seemed so simple yet I was looking way too far to see the solution right in front of me.
I was setting up a new virtual host on an Apache 2.4 webserver (running on Ubuntu 14.04). Besides the normal http vhost, I also added a second virtual host for SSL with the following SSL configuration:
<VirtualHost *:443>
ServerName my.example.com
DocumentRoot /srv/www/example
<Directory /srv/www/example>
Require all granted
Options +FollowSymLinks
AllowOverride All
</Directory>
# Logging
ErrorLog /var/log/apache2/example.error.log
CustomLog /var/log/apache2/example.access.log combined
<IfModule mod_ssl.c>
# SSL
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl.crt/mycert.crt"
SSLCertificateKeyFile "/etc/apache2/ssl.key/mycert.key"
SSLCACertificateFile "/etc/apache2/ssl.crt/mycert.ca.crt"
</IfModule>
</VirtualHost>
I then realized that this was the first SSL config on this Apache webserver, so I still had to enable the ssl module. And this is where the problems started.
# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
# service apache2 restart
* Restarting web server apache2
Action 'start' failed.
The Apache error log may have more information.
I checked the error log and found the following information:
[Wed Sep 14 08:29:27.585173 2016] [ssl:emerg] [pid 28482] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Wed Sep 14 08:29:27.585183 2016] [ssl:emerg] [pid 28482] AH02312: Fatal error initialising mod_ssl, exiting.
I immediately disabled the ssl module again and started to scratch my head. I did A LOT of Apache SSL configurations over the past 10 years, yet I've never seen this one before. I googled and there are a lot of different solutions - yet all point out that there must be a problem in the SSL configuration. I triple-checked my ssl config, even copy-pasted a working SSL config from another Apache webserver. No success.
I then modified ports.conf to make sure the listener port 443 is also enabled for mod_ssl.c. Turned out it was already enabled for ssl_module, which got me confused because, if I remember correctly, this was called mod_ssl in Apache 2.2.
So no results from ports.conf, the default seems to be correct already. Talking of default, I checked out the default vhosts and indeed, the default-ssl.conf was not enabled. I checked that file out but didn't see anything which would explain why THIS would make it work compared to my vhost config but I enabled it anyway:
/etc/apache2/sites-enabled # ln -s ../sites-available/default-ssl.conf 001-default-ssl.conf
# apache2ctl configtest
Syntax OK
# service apache2 restart
* Restarting web server apache2
I enabled the ssl module again, restarted Apache and here we go again:
# service apache2 restart
* Restarting web server apache2
Action 'start' failed.
The Apache error log may have more information.
WTF?! This is the point where I asked myself what exactly am I missing. I must be missing something obvious, yet I wasn't able to see it. Even when I set Apache's logging to trace2, there was not really any helpful hint in the error logs:
[Wed Sep 14 08:37:29.170593 2016] [ssl:trace2] [pid 29664] ssl_engine_rand.c(124): Init: Seeding PRNG with 656 bytes of entropy
[Wed Sep 14 08:37:29.170663 2016] [ssl:info] [pid 29664] AH02200: Loading certificate & private key of SSL-aware server 'webserver.example.com:443'
[Wed Sep 14 08:37:29.170667 2016] [ssl:emerg] [pid 29664] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Wed Sep 14 08:37:29.170671 2016] [ssl:emerg] [pid 29664] AH02312: Fatal error initialising mod_ssl, exiting.
Eventually I came across yet another serverfault question which basically mentions the same ssl problem. Although I couldn't find a solution there, I picked up a hint, to verify all existing (other) virtual hosts with apache2ctl:
# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 somethingelse.example.com (/etc/apache2/sites-enabled/somethingelse.example.com.conf:1)
*:80 is a NameVirtualHost
default server webserver.example.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost webserver.example.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost www.example.com (/etc/apache2/sites-enabled/example.com.conf:1)
alias test.example.com
[...]
And there we had it. In the very first line an SSL listener on port 443 for somethingelse.example.com was defined.
I checked this virtual host configuration and it looked like this:
# cat /etc/apache2/sites-enabled/somethingelse.example.com.conf
<VirtualHost *:443>
ServerName somethingelse.example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
</VirtualHost>
[...]
I immediately saw that this is not at all a correct ssl configuration. I removed that whole section after confirmation from my colleague that he was working on it but it's not needed anymore (because it didn't work, duh) and tried again:
# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
# service apache2 restart
* Restarting web server apache2
Yes! Now it worked.
Conclusion: The error message "AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)" indeed tells you there is something wrong in your SSL configuration but unfortunately doesn't point you to the very file which is causing the error. Dig (or better grep in this case) through all config files to find the bad one.
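As an added example (not part of the original post), the shell function below does the "grep through all config files" step: it lists every :443 virtual host block that contains no SSLCertificateFile directive, which is the condition that caused AH02240 here. The function name is hypothetical, and it assumes the Debian/Ubuntu layout (*.conf files under /etc/apache2/sites-enabled); it does not follow Include directives or consider certificates configured outside the vhost block.

```shell
#!/bin/sh
# Added example: report <VirtualHost ...:443> blocks without SSLCertificateFile.
# Output format: file:line-of-opening-tag ServerName

find_certless_ssl_vhosts() {
    # $1: directory with the enabled vhost files (assumed default below)
    dir=${1:-/etc/apache2/sites-enabled}
    # -L follows the symlinks that a2ensite creates in sites-enabled
    find -L "$dir" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # Opening tag of a vhost bound to port 443 (directive names are case-insensitive)
            tolower($0) ~ /^[ \t]*<virtualhost[ \t].*:443[ \t>]/ {
                in_vh = 1; start = NR; cert = 0; name = "(no ServerName)"; next
            }
            # Inside the block: remember the name, note any certificate directive.
            # Commented-out lines do not count because their first field is "#".
            in_vh && tolower($1) == "servername"         { name = $2 }
            in_vh && tolower($1) == "sslcertificatefile" { cert = 1 }
            # Closing tag: report the block if no certificate was seen
            in_vh && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
                if (!cert) printf "%s:%d %s\n", file, start, name
                in_vh = 0
            }
        ' "$f"
    done
}

# Run against a directory given on the command line, e.g.
#   sh check_vhosts.sh /etc/apache2/sites-enabled
if [ -n "${1:-}" ]; then
    find_certless_ssl_vhosts "$1"
fi
```

Any line it prints is a candidate for the vhost that stops mod_ssl from initialising; compare the result with the output of apache2ctl -t -D DUMP_VHOSTS.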