Koozali.org: home of the SME Server

purchased SSL cert, installed it, now web is down

Offline rshiras

« on: December 13, 2009, 08:40:57 PM »
I followed instructions at:
http://wiki.contribs.org/Certificates_Concepts
and I have also tried the methods at:
http://forums.contribs.org/index.php?topic=45081.0
My web pages do not come up.  It looks like httpd is not running:
# ps -A |grep http
 4505 ?        00:00:00 httpd-admin
 4625 ?        00:00:00 httpd-admin
# /etc/rc.d/init.d/httpd start
Starting httpd:                                            [FAILED]
#
Here's some info on my server:
# cat /etc/e-smith-release
SME Server release 7.4
# httpd -v
Server version: Apache/2.0.52
Server built:   Nov 12 2009 06:54:45
What am I missing? 
« Last Edit: December 13, 2009, 08:43:32 PM by rshiras »

Offline Curly

« Reply #1 on: December 13, 2009, 08:44:31 PM »
Check the logs:
/var/log/httpd/error_log, it should contain an error message indicating what's going wrong.

Offline rshiras

« Reply #2 on: December 13, 2009, 09:25:49 PM »
# less /var/log/httpd/error_log
[Sun Dec 13 12:24:32 2009] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

Does this mean that I am getting so many errors that it has filled up my drive with logs?

Offline rshiras

« Reply #3 on: December 13, 2009, 09:27:38 PM »
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_primary-lv_root
                      182G  134G   39G  78% /
/dev/md1               99M   40M   54M  43% /boot
none                 1013M     0 1013M   0% /dev/shm

Offline rshiras

« Reply #4 on: December 13, 2009, 09:31:16 PM »
Do I need something to be in /home/e-smith/ssl.pem for httpd to work?
How do I generate the pem?
I'm just stabbing in the dark as to how to fix this problem at this point.
I'm about to go back to a self-signed key because I am down and this means trouble for me.

Offline rshiras

« Reply #5 on: December 13, 2009, 10:12:29 PM »
Also found this to be of interest:
http://bugs.contribs.org/show_bug.cgi?id=154

But I am still floundering here and desperate for a solution.
I'm thinking I must have done something wrong to generate my cert.
Here are the steps I took:
# openssl genrsa -des3 -out bastion.key 2048
# openssl req -new -key bastion.key -out bastion.csr
Copied contents of bastion.csr to the re-key dialog at godaddy to re-key the cert
Downloaded the resulting crt key from godaddy to my PC
Copied the crt from my PC to /home/e-smith/ssl.crt using WinSCP
# config setprop modSSL crt /home/e-smith/ssl.crt/mydomain.net.crt
where mydomain.net is my domain
# config setprop modSSL key /home/e-smith/ssl.key/mydomain.net.key
where mydomain.net is my domain
# signal-event console-save
# signal-event reboot

There are virtual domains on this SME, and godaddy generated a gd_bundle.crt as well, which I don't know what to do with so I ignored it.

Do I need to edit the httpd.conf file or something?




Offline Stefano

« Reply #6 on: December 13, 2009, 10:14:39 PM »
Quote
# less /var/log/httpd/error_log
[Sun Dec 13 12:24:32 2009] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

Please search the forums and bugzilla, I'm sure you'll find the solution.

Offline janet

« Reply #7 on: December 13, 2009, 11:13:12 PM »
rshiras

Quote
Do I need something to be in /home/e-smith/ssl.pem for httpd to work?
How do I generate the pem ?

As it says in the Certificates Concepts Howto:
After you have deleted the .pem file do:
signal-event post-upgrade
signal-event reboot
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

« Reply #8 on: December 13, 2009, 11:52:13 PM »
rshiras

Quote
No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

Does this mean that I am getting so many errors that it has filled up my drive with logs?

No, it more likely means you have a mismatch between your .crt and .key files.
An advanced forum search on that exact error message should steer you in the right direction. There was also a post some time ago re the correct way to add a  Godaddy certificate so search on Godaddy too.

Offline perelandra

« Reply #9 on: December 14, 2009, 04:00:39 PM »
The problem could arise from a password protected certificate!

To avoid this, generate (re-key) a certificate @ godaddy.com without(!) the "-des3" option. Some might remark that this is a security risk; though, it should work fine, if you are aware of including the gd_bundle they sent you:

See this thread for a working installation http://forums.contribs.org/index.php/topic,39310.msg179993.html#msg179993 and do not forget to

signal-event post-upgrade
signal-event reboot

once you're through.
Greetings, Johannes
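
Added example, not part of any post in this thread: a pre-flight check for the two causes suggested in the replies above, a .crt/.key mismatch and a passphrase-protected key, plus an optional check against the issuer's bundle. The function names and the script name are hypothetical, and the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. File names are the caller's own.

# 0 if the key is passphrase-protected. Traditional PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys use an ENCRYPTED PRIVATE KEY label.
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 0 if the certificate and the unencrypted RSA key share one modulus.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 if the certificate verifies against the issuer's CA bundle file.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight CERT KEY [CA_BUNDLE]
# Returns 0 = ok, 2 = encrypted key, 3 = cert/key mismatch, 4 = chain fails.
preflight() {
    if key_is_encrypted "$2"; then
        echo "FAIL: $2 is passphrase-protected; httpd will prompt for it at start" >&2
        return 2
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 was not issued for the key in $2" >&2
        return 3
    fi
    if [ -n "${3:-}" ] && ! cert_chains_to "$1" "$3"; then
        echo "FAIL: $1 does not verify against $3" >&2
        return 4
    fi
    echo "OK: key is unencrypted and matches the certificate"
}

# Run only when called with arguments, e.g. (paths are placeholders):
#   sh preflight.sh mydomain.net.crt mydomain.net.key gd_bundle.crt
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Running it before the `config setprop modSSL ...` commands catches both conditions while the previous certificate is still in place.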

Offline rshiras

« Reply #10 on: December 14, 2009, 08:31:29 PM »
I know I'm not supposed to edit /etc/httpd/conf/httpd.conf.
What file should I edit to set
SSLCertificateChainFile /home/e-smith/sslgen/gd_bundle.crt
SSLCertificateFile /home/e-smith/sslgen/bastion.mydomain.net.crt
SSLCertificateKeyFile /home/e-smith/sslgen/bastion.mydomain.net.key
Apparently, there is a cron job that overwrites this from a template somewhere and I can't find it.


Offline rshiras

« Reply #11 on: December 15, 2009, 12:36:59 AM »
E-mail is down too.  I can get it locally by turning off SSL, but remote users can't get it via POP and they can't log into webmail.

Offline janet

« Reply #12 on: December 15, 2009, 12:54:37 AM »
rshiras

You MUST copy your certificate files to the server and then issue the required db commands to tell sme about the location and name of your custom certificates, or else the system will regenerate self-signed certificates from the defaults. See the link that perelandra referred you to in the previous post.

Offline rshiras

« Reply #13 on: December 15, 2009, 01:08:22 AM »
From a conversation between Charlie and Gordon,
http://bugs.contribs.org/show_bug.cgi?id=154
<<
I deleted key/crt/pem and regenerated all three, and
all is now fine. I also had to kick the imap service to
copy over the new key, but that's reasonable.

I think we should probably generate all three from the
same template expansion. My guess is we have a timing
issue between the expansions in the code which decides
when the files are out of date.
>>
Has this been done yet?  Does this apply to purchased SSL certs or just self signed certs?
I'm having trouble figuring out where to put things so they are expanded from the templates and so that expanding templates will not wipe out my certs and httpd settings.

Offline rshiras

« Reply #14 on: December 15, 2009, 01:54:25 AM »
Mary,
Oh, do you mean these commands?  I want to be sure.

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt
signal-event console-save
httpd -k graceful
service httpd-admin restart