Koozali.org: home of the SME Server

no access to server-manager and apache

Offline portedaix

« on: September 03, 2010, 04:43:11 PM »
Hello,

I tried to issue a custom certificate, following this howto.
"http://wiki.contribs.org/Certificates_signed_by_own_CA".

After that, I changed my servername, using the "configure this server" from the admin prompt.
The result was that all https connections were not working anymore (server-manager and dolibarr). The error message = connection failed (same message when accessed directly from the server command line, then admin login). Connection to http://myservername was OK.
By checking my logs, I found out this message in httpd error_log :
"[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed"
and of course "df" shows me plenty of space on my hard disks.

I found out with "http://forums.contribs.org/index.php/topic,33171.0.html" a supposed solution. I applied it, and there is no error message appearing in the logs anymore, but there is still no access to https://, and now normal apache server is not responding anymore, http://myservername, or http://192.168.100.1.

I checked with "sv status /service/..." that both httpd-e-smith and httpd-admin are running.

You can imagine that any help would be much appreciated. That's my production server of course...
Thanks. Olivier

Offline byte

« Reply #1 on: September 03, 2010, 05:04:08 PM »
What version of SME Server are you using ?

Check your:

/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpd/admin_error_log
/var/log/httpd/admin_access_log

for any errors/warnings, also (if you haven't already) restart your services by:

sv t /service/httpd-e-smith
sv t /service/httpd-admin

Do they restart OK ?
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline portedaix

« Reply #2 on: September 03, 2010, 06:40:40 PM »
Thanks for your quick answer.

I just pinpointed a strange behaviour, which might be the cause of the problem. Please see end of this post.

My version is 7.5.1. Sorry I did not mention it.
Logs are :
  • access_log -> empty
  • error_log -> "[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
    Configuration Failed
  • [Fri Sep 03 17:16:23 2010] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
    Configuration Failed
    [Fri Sep 03 17:18:56 2010] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
    [Fri Sep 03 17:18:57 2010] [notice] Digest: generating secret for digest authentication ...
    [Fri Sep 03 17:18:57 2010] [notice] Digest: done
    [Fri Sep 03 17:19:00 2010] [notice] Apache configured -- resuming normal operations
  • admin_access_log -> empty

both httpd-e-smith and httpd-admin restart OK and run OK.

STRANGE BEHAVIOUR :
I tried as well to follow the FAQ "I can't access the server-manager", which was pointing to this certificate problem.
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Server-Manager
after regenerating the certificate files with "signal-event domain-modify" I have two key files coming : mycompany.mycompany.fr.key and mycompany.mycompany.net.key. I configured the server with "mycompany.net" as the primary domain name, previously it was "mycompany.fr". And the servername is "mycompany".  No *.crt nor *.pem file. Which is not normal I believe. It looks like two primary domain names are coexisting ?? How to correct that and is there a way to regenerate those *.crt and *.pem files ?

Thanks


Offline portedaix

« Reply #3 on: September 03, 2010, 07:26:03 PM »
Sorry, only one *.key file is there. There was a remanent display from winscp. I managed to create now a new crt file with expand-template /home/e-smith/ssl.key/key. But still not good.
 

Offline byte

« Reply #4 on: September 03, 2010, 07:34:56 PM »
Please show the result of:

ls -lt /home/e-smith/ssl*/*

?

Can you also tell us exactly what steps you have done (copy and paste them from putty)

Offline byte

« Reply #5 on: September 03, 2010, 07:37:16 PM »
I managed to create now a new crt file with expand-template /home/e-smith/ssl.key/key. But still not good.

How exactly did you manage to create a new one...more information please so we can see exactly what steps you're taking.

Offline portedaix

« Reply #6 on: September 03, 2010, 08:24:21 PM »
Hello,

1)Output from putty is :
[root@energie ~]# ls -lt /home/e-smith/ssl*/*
-rw-r--r--  1 root root 1680 sep  3 19:53 /home/e-smith/ssl.crt/energie.energie.net.crt
-rw-r--r--  1 root root 1676 sep  3 19:37 /home/e-smith/ssl.key/energie.energie.net.key

2)crt file
I generate it by running "expand-template /home/e-smith/ssl.crt/crt"
Otherwise, if I delete all key and crt files and then run "signal-event domain-modify", only the key file is generated, not the crt file. There is no pem file anymore, I moved the old one; no new one is generated.

3)what I did first was
"http://wiki.contribs.org/Certificates_signed_by_own_CA"
I followed it step by step. I do not have a trace of it in putty anymore.
I made a mistake. For what is called "FQHN" I entered www.energie.net
but then, when I changed the servername by running as "admin" the server configuration, I entered energie.net, without the "www".
After that, https was dead.

4)what I did second was to follow
"http://forums.contribs.org/index.php/topic,33171.0.html"
and run the script included
Then http://192.168.100.1 was dead

Thanks

Offline byte

« Reply #7 on: September 03, 2010, 08:31:34 PM »
2)crt file
I generate it by running "expand-template /home/e-smith/ssl.crt/crt"
Otherwise, if I delete all key and crt files and then run "signal-event domain-modify", only the key file is generated, not the crt file. There is no pem file anymore, I moved the old one; no new one is generated.

Did you also reboot ?

signal-event reboot

So to get back in sync you need to regenerate them all:

 rm /home/e-smith/ssl.key/domain.com.key
 rm /home/e-smith/ssl.pem/domain.com.pem
 rm /home/e-smith/ssl.crt/domain.com.crt
 signal-event domain-modify
 signal-event reboot

(of course you have one or two already missing, so skip until you have completed)

Offline portedaix

« Reply #8 on: September 03, 2010, 09:24:32 PM »
Hello,

I did it previously. Unfortunately it did not help. And as I mentioned, only the key file is regenerated.

I am just checking now my hosts.allow. I guess it should not have changed, but just to make sure. I do not see any authorisation for httpd. Normal ? This is how it looks

afpd: 127.0.0.1 192.168.30.0/255.255.255.0
papd: 127.0.0.1 192.168.30.0/255.255.255.0
# 'oidentd' is disabled in the configuration database
# LDAP servers
slapd: 127.0.0.1 192.168.30.0/255.255.255.0
pop3s: 127.0.0.1 192.168.30.0/255.255.255.0
pptpd: ALL
qmail-popup: 127.0.0.1 192.168.30.0/255.255.255.0
sshd: 127.0.0.1 192.168.30.0/255.255.255.0

Offline janet

« Reply #9 on: September 03, 2010, 10:01:52 PM »
portedaix

You should also remove the database entries you created in the Certificate Howto as these are no longer applicable when you reset the server to defaults.

config show modSSL
config delprop modSSL crt
config delprop modSSL key
config show modSSL
signal-event console-save
signal-event reboot

Then do the following to ensure all old files are removed and new files are regenerated (answer y when requested to accept the file deletions one at a time)
rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot

For some more background information and understanding read this
http://wiki.contribs.org/Certificates_Concepts
« Last Edit: September 03, 2010, 10:27:39 PM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

« Reply #10 on: September 04, 2010, 03:22:06 AM »
portedaix

babelfish gives me this, can you explain further

HTTP request failed with error SSL: certificate subject name 'www.mymeter.org' does not match target host name 'energie.net' (51) for URL: https://energie.net/
We're sorry we've encountered an error with your request.

Offline portedaix

« Reply #11 on: September 05, 2010, 11:07:04 AM »
Hello,

Everything is functioning now. It is nice to receive valuable help from this forum. Thanks a lot.

I believe the main point was issuing "config delprop modSSL crt".
"config show modSSL" was showing a crt file /home/e-smith/ssl.crt/energie.net.crt whereas the working one is /home/e-smith/ssl.crt/energie.energie.net.crt. Please note I changed my company name when I copied/pasted (too) quickly the putty output on Friday. Sorry to have misled you. Now "config show modSSL" is not showing any reference to a crt file anymore.

I guess my mistakes were the following :
  • I created a mismatch between keys/certificate FQHN+CN and the one in sme-server. Hence, the connection could not be established.
  • I changed my sme FQHN after issuing a custom certificate, which does not seem to be the correct order. After all the information I read, I believe now I should have done it the other way round, so the new private key is generated before the custom certificate. Obvious isn't it ? I found some good readings, mainly http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html and http://www.modssl.org/docs/2.8/ssl_intro.html.
  • Last but not least : testing process. I have been "playing" with linux and sme for years, but now it is for real, I use it for the company I just settled. This certificate issuing process was beyond my knowledge. Not to take any risks anymore, ideally, I would like to have a clone server, a test server, where I could make all the tests I want, and I still need some more. So my production server is not affected by any wrong move. I must have an old spare i486 somewhere. I did not investigate this clone server idea yet. If you have any suggestion, I would appreciate it.

Thanks
Olivier
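
The mismatch described in the post above (a certificate issued for one name, a server configured for another, and a key that no longer belongs to the certificate) can be checked with openssl before Apache is restarted. This is an added example, not part of the original thread or of SME Server's own tooling; the function names, the example.test host names and the throwaway self-signed pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example: key / certificate / host name consistency check.
# Compares the subject CN, as in the error quoted in this thread
# (current TLS clients check subjectAltName entries as well).

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if consistent, 1 if a file is missing, 2 if the key does not
# belong to the certificate, 3 if the CN differs from the expected name.
check_pair() {
    key=$1 crt=$2 fqdn=$3
    for f in "$key" "$crt"; do
        [ -r "$f" ] || { echo "missing: $f"; return 1; }
    done
    # An RSA private key and its certificate share the same modulus.
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cm=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    [ -n "$km" ] && [ "$km" = "$cm" ] || { echo "key/cert mismatch"; return 2; }
    cn=$(cert_cn "$crt")
    [ "$cn" = "$fqdn" ] || { echo "CN '$cn' != host '$fqdn'"; return 3; }
    echo "ok: $crt matches $key and $fqdn"
}

# Constructed sample data: throwaway self-signed RSA pair for a given CN.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/a" www.example.test
    make_sample "$d/b" www.example.test
    check_pair "$d/a.key" "$d/a.crt" www.example.test    # consistent
    check_pair "$d/a.key" "$d/a.crt" example.test        # name mismatch
    check_pair "$d/b.key" "$d/a.crt" www.example.test    # wrong key
    check_pair "$d/a.key" "$d/none.crt" www.example.test # file missing
    rm -rf "$d"
}
demo
```

On the server in this thread the arguments would be the files under /home/e-smith/ssl.key and /home/e-smith/ssl.crt and the configured host name.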

Offline janet

« Reply #12 on: October 26, 2010, 12:39:25 AM »
portedaix

If your production server uses software RAID1 with 2 drives (and this concept is a good reason why to use RAID1), you can remove one of the production drives and swap it for a blank identical drive (ie have a 3rd spare HDD). Then put the removed drive into the other test server. The server will automatically start up in degraded software RAID mode using a single drive (fully functional too), then login as admin and run Configure this server to setup the different NICs and other LAN IP settings.

Then you can safely do testing on the test server that is actually configured identically to your production server. Test and prove any changes you want to make before deploying the same changes to the production server.
Before using that drive again in the production server, ie next time you want to swap a drive "out of" and "into" the production server to get the current configuration to test on, you must delete the partition information using the dd command, eg on the test server do
dd if=/dev/zero of=/dev/sdx bs=512 count=1
where sdx is your drive location eg most likely sda on a single drive SATA system
You MUST reboot so that the empty partition table gets read correctly.

Alternatively use a boot floppy/USB/CD with delpart.exe on it (or a similar freely downloadable utility).
Then that "blanked" drive can be swapped back into the production server to rebuild the array.

Another way to create an almost identical server is to do a backup to USB on the production server and then restore that to a test server with a cleanly installed OS. The result will be an identically configured server without the installed contribs.
See this Howto
http://wiki.contribs.org/Backup_server_config
for various alternative methods to doing a full backup and restore, eg you might want to exclude the ibay data & email data if there is a lot of that.
« Last Edit: October 26, 2010, 01:00:32 AM by mary »