Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: rshiras on December 13, 2009, 08:40:57 PM
-
I followed instructions at:
http://wiki.contribs.org/Certificates_Concepts
and I have also tried the methods at:
http://forums.contribs.org/index.php?topic=45081.0
My web pages do not come up. It looks like httpd is not running:
# ps -A |grep http
4505 ? 00:00:00 httpd-admin
4625 ? 00:00:00 httpd-admin
# /etc/rc.d/init.d/httpd start
Starting httpd: [FAILED]
#
Here's some info on my server:
# cat /etc/e-smith-release
SME Server release 7.4
# httpd -v
Server version: Apache/2.0.52
Server built: Nov 12 2009 06:54:45
# ps -A
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 migration/0
3 ? 00:00:00 ksoftirqd/0
4 ? 00:00:00 migration/1
5 ? 00:00:00 ksoftirqd/1
6 ? 00:00:00 events/0
7 ? 00:00:00 events/1
8 ? 00:00:00 khelper
9 ? 00:00:00 kthread
10 ? 00:00:00 kacpid
31 ? 00:00:00 kblockd/0
32 ? 00:00:00 kblockd/1
33 ? 00:00:00 khubd
50 ? 00:00:00 pdflush
51 ? 00:00:00 pdflush
52 ? 00:00:00 kswapd0
53 ? 00:00:00 aio/0
54 ? 00:00:00 aio/1
200 ? 00:00:00 kseriod
454 ? 00:00:00 md1_raid1
456 ? 00:00:00 md2_raid1
461 ? 00:00:01 kjournald
1045 ? 00:00:00 kauditd
1150 ? 00:00:00 udevd
2046 ? 00:00:00 ata/0
2047 ? 00:00:00 ata/1
2048 ? 00:00:00 ata_aux
2051 ? 00:00:00 scsi_eh_0
2052 ? 00:00:00 scsi_eh_1
2411 ? 00:00:00 scsi_eh_2
2412 ? 00:00:00 usb-storage
2602 ? 00:00:00 kjournald
2881 tty2 00:00:00 mingetty
2887 tty3 00:00:00 mingetty
2894 ? 00:00:00 runsvdir
3201 ? 00:00:00 runsv
3202 ? 00:00:00 runsv
3215 ? 00:00:00 runsv
3229 ? 00:00:00 runsv
3230 ? 00:00:00 runsv
3231 ? 00:00:00 runsv
3232 ? 00:00:00 runsv
3233 ? 00:00:00 runsv
3234 ? 00:00:00 runsv
3235 ? 00:00:00 runsv
3236 ? 00:00:00 runsv
3237 ? 00:00:00 runsv
3238 ? 00:00:00 runsv
3239 ? 00:00:00 runsv
3240 ? 00:00:00 runsv
3241 ? 00:00:00 runsv
3242 ? 00:00:00 runsv
3243 ? 00:00:00 runsv
3244 ? 00:00:00 runsv
3245 ? 00:00:00 runsv
3246 ? 00:00:00 runsv
3247 ? 00:00:00 runsv
3248 ? 00:00:00 runsv
3249 ? 00:00:00 runsv
3250 ? 00:00:00 runsv
3251 ? 00:00:00 runsv
3252 ? 00:00:00 runsv
3253 ? 00:00:00 runsv
3254 ? 00:00:00 runsv
3255 ? 00:00:00 runsv
3256 ? 00:00:00 runsv
3257 ? 00:00:00 runsv
3258 ? 00:00:00 runsv
3259 ? 00:00:00 runsv
3260 ? 00:00:00 runsv
3261 ? 00:00:00 multilog
3262 ? 00:00:00 multilog
3263 ? 00:00:00 multilog
3264 ? 00:00:00 multilog
3265 ? 00:00:00 multilog
3266 ? 00:00:00 multilog
3267 ? 00:00:00 multilog
3268 ? 00:00:00 multilog
3269 ? 00:00:00 multilog
3270 ? 00:00:00 multilog
3271 ? 00:00:00 multilog
3272 ? 00:00:00 multilog
3273 ? 00:00:00 multilog
3274 ? 00:00:00 multilog
3276 ? 00:00:00 multilog
3277 ? 00:00:00 ulogd
3278 ? 00:00:00 multilog
3279 ? 00:00:00 multilog
3280 ? 00:00:00 smtp-auth-proxy
3281 ? 00:00:00 multilog
3282 ? 00:00:00 multilog
3283 ? 00:00:00 multilog
3284 ? 00:00:00 multilog
3285 ? 00:00:00 multilog
3286 ? 00:00:00 multilog
3287 ? 00:00:00 multilog
3288 ? 00:00:00 multilog
3289 ? 00:00:00 multilog
3290 ? 00:00:00 cvm-unix
3291 ? 00:00:00 multilog
3292 ? 00:00:00 multilog
3293 ? 00:00:00 multilog
3294 ? 00:00:00 multilog
3295 ? 00:00:00 multilog
3296 ? 00:00:00 multilog
3374 ? 00:00:00 syslogd
3378 ? 00:00:00 klogd
3424 ? 00:00:00 mdadm
3455 ? 00:00:00 oidentd
4016 ? 00:00:00 run.static
4046 ? 00:00:00 irqbalance
4078 ? 00:00:00 crond
4101 ? 00:00:00 acpid
4129 ? 00:00:00 mysqld
4138 ? 00:00:00 dnscache
4165 ? 00:00:00 tcpsvd
4173 ? 00:00:00 tcpsvd
4205 ? 00:00:00 tcpsvd
4217 ? 00:00:00 tcpsvd
4226 ? 00:00:00 dnscache
4245 ? 00:00:00 tinydns
4255 ? 00:00:00 lpd
4275 ? 00:00:00 dhcpd
4302 ? 00:00:14 clamd
4321 ? 00:00:00 freshclam
4347 ? 00:00:00 slapd
4360 ? 00:00:00 ntpd
4412 ? 00:00:00 qmail-send
4419 ? 00:00:00 lpd
4463 ? 00:00:00 tcpsvd
4474 ? 00:00:00 qmail-lspawn
4475 ? 00:00:00 qmail-rspawn
4476 ? 00:00:00 qmail-clean
4477 ? 00:00:00 tcpsvd
4487 ? 00:00:00 sshd
4505 ? 00:00:00 httpd-admin
4516 ? 00:00:00 qpsmtpd-forkser
4584 ? 00:00:05 spamd
4603 ? 00:00:01 squid
4625 ? 00:00:00 httpd-admin
4644 ? 00:00:00 nmbd
4646 ? 00:00:00 atalkd
4664 ? 00:00:00 smbd
4735 ? 00:00:00 dbus-daemon-1
4753 ? 00:00:00 unlinkd
4760 ? 00:00:00 smbd
4761 ? 00:00:00 sme7admind
4790 ? 00:00:01 hald
4856 ? 00:00:05 java
5303 ? 00:00:04 spamd
5304 ? 00:00:00 spamd
5435 ? 00:00:00 papd
5442 ? 00:00:00 cnid_metad
5446 ? 00:00:00 afpd
5753 tty1 00:00:00 mingetty
7327 ? 00:00:00 sshd
7348 pts/0 00:00:00 bash
12153 ? 00:00:00 smbd
13545 pts/0 00:00:00 ps
#
What am I missing?
-
Check the logs:
/var/log/httpd/error_log, it should contain an error message indicating what's going wrong.
-
# less /var/log/httpd/error_log
[Sun Dec 13 12:24:32 2009] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed
Does this mean that I am getting so many errors that it has filled up my drive with logs?
-
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_primary-lv_root
182G 134G 39G 78% /
/dev/md1 99M 40M 54M 43% /boot
none 1013M 0 1013M 0% /dev/shm
-
Do I need something to be in /home/e-smith/ssl.pem for httpd to work?
How do I generate the pem?
I'm just stabbing in the dark as to how to fix this problem at this point.
I'm about to go back to a self-signed key because I am down and this means trouble for me.
-
Also found this to be of interest:
http://bugs.contribs.org/show_bug.cgi?id=154
But I am still floundering here and desperate for a solution.
I'm thinking I must have done something wrong to generate my cert.
Here are the steps I took:
# openssl genrsa -des3 -out bastion.key 2048
# openssl req -new -key bastion.key -out bastion.csr
Copied contents of bastion.csr to the re-key dialog at godaddy to re-key the cert
Downloaded the resulting crt key from godaddy to my PC
Copied the crt from my PC to /home/e-smith/ssl.crt using WinSCP
# config setprop modSSL crt /home/e-smith/ssl.crt/mydomain.net.crt
where mydomain.net is my domain
# config setprop modSSL key /home/e-smith/ssl.key/mydomain.net.key
where mydomain.net is my domain
# signal-event console-save
# signal-event reboot
There are virtual domains on this SME, and godaddy generated a gd_bundle.crt as well, which I don't know what to do with so I ignored it.
Do I need to edit the httpd.conf file or something?
-
# less /var/log/httpd/error_log
[Sun Dec 13 12:24:32 2009] [crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed
Please search the forums and bugzilla, I'm sure you'll find the solution.
-
rshiras
Do I need something to be in /home/e-smith/ssl.pem for httpd to work?
How do I generate the pem ?
As it says in the Certificates Concepts Howto:
After you have deleted the .pem file do:
signal-event post-upgrade
signal-event reboot
-
rshiras
No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed
Does this mean that I am getting so many errors that it has filled up my drive with logs?
No, it more likely means you have a mismatch between your .crt and .key files.
An advanced forum search on that exact error message should steer you in the right direction. There was also a post some time ago re the correct way to add a Godaddy certificate so search on Godaddy too.
-
The problem could arise from a password protected certificate!
To avoid this, generate (re-key) a certificate @ godaddy.com without(!) the "-des3" option. Some might remark that this is a security risk; though, it should work fine, if you are aware of including the gd_bundle they sent you:
See this thread for a working installation http://forums.contribs.org/index.php/topic,39310.msg179993.html#msg179993 and do not forget to
signal-event post-upgrade
signal-event reboot
once you're through.
-
I know I'm not supposed to edit /etc/httpd/conf/httpd.conf.
What file should I edit to set
SSLCertificateChainFile /home/e-smith/sslgen/gd_bundle.crt
SSLCertificateFile /home/e-smith/sslgen/bastion.mydomain.net.crt
SSLCertificateKeyFile /home/e-smith/sslgen/bastion.mydomain.net.key
Apparently, there is a cron job that overwrites this from a template somewhere and I can't find it.
-
E-mail is down too. I can get it locally by turning off SSL, but remote users can't get it via POP and they can't log into webmail.
-
rshiras
You MUST copy your certificates files to the server and then issue the required db commands to tell sme about the location and name of your custom certificates or else the system will regenerate self signed certificates from the defaults. See the link that perelandra referred you to in the previous post.
-
From a conversation between Charlie and Gordon,
http://bugs.contribs.org/show_bug.cgi?id=154
<<
I deleted key/crt/pem and regenerated all three, and
all is now fine. I also had to kick the imap service to
copy over the new key, but that's reasonable.
I think we should probably generate all three from the
same template expansion. My guess is we have a timing
issue between the expansions in the code which decides
when the files are out of date.
>>
Has this been done yet? Does this apply to purchased SSL certs or just self signed certs?
I'm having trouble figuring out where to put things so they are expanded from the templates and so that expanding templates will not wipe out my certs and httpd settings.
-
Mary,
Oh, do you mean these commands? I want to be sure.
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt
signal-event console-save
httpd -k graceful
service httpd-admin restart
-
Has this been done yet?
Yes (the bug has been resolved, verified, then closed, as you can see)
Does this apply to purchased SSL certs or just self signed certs?
Just to self-signed certs.
-
rshiras
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt
Yes they are the db commands in the link referred to, but follow them with
signal-event post-upgrade
signal-event reboot
You would copy the Godaddy issued certificate files to the locations specified first, replacing {domain} with the name of your domain that matches the certificate file.
-
Here is a rough draft of a how-to on entering a UCC SSL certificate into SME 7.4. I am quite sure I have too many steps here so I implore the experts to help me to turn this into a slimmed down how-to.
Run these commands (do not use the des3 parameter suggested by GoDaddy):
openssl genrsa -out yourdomain.key 2048
openssl req -new -key yourdomain.key -out yourdomain.csr
copy contents of yourdomain.csr to the re-key dialog at godaddy to re-key the cert
Download the ssl zip file from godaddy to your PC
Make a folder /home/e-smith/signedssl
copy the zip file from your pc to /home/e-smith/signedssl
unzip it with these commands:
cd /home/e-smith/signedssl
unzip yourdomain.zip
make a backup copy of these files:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/httpd.conf
Un-comment and edit these lines:
SSLCertificateFile /etc/httpd/conf/signedssl/yourdomain.crt
SSLCertificateKeyFile /etc/httpd/conf/signedssl/yourdomain.key
SSLCertificateChainFile /etc/httpd/conf/signedssl/gd_bundle.crt
Run these commands:
config setprop modSSL CommonName yourdomain
config setprop modSSL crt /home/e-smith/signedssl/yourdomain.crt
config setprop modSSL key /home/e-smith/signedssl/yourdomain.key
config setprop modSSL CertificateChainFile /home/e-smith/signedssl/gd_bundle.crt
expand-template /etc/httpd/conf/httpd.conf
signal-event console-save
httpd -k graceful
service httpd-admin restart
signal-event post-upgrade
signal-event reboot
Run these checks:
db configuration show modSSL
grep Certificate /etc/httpd/conf.d/ssl.conf /etc/httpd/conf/httpd.conf |grep -v \#
/etc/init.d/httpd status
Generate a PEM:
cd /home/e-smith/signedssl
openssl x509 -in yourdomain.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out yourdomain.pem -outform PEM
rm input.der
Copy your crt and pem files to your primary ibay html folder to make them available to users.
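Mary's diagnosis earlier in the thread (a .crt/.key mismatch rather than a full disk) and the "Run these checks" section of the how-to above both come down to verifying the certificate set before SME's templates hand it to Apache. The script below is an added example, not part of the thread or of SME Server's own tooling: it takes the certificate, key and optional GoDaddy bundle paths as arguments (the /home/e-smith/signedssl paths are the how-to's placeholders, not paths the script assumes) and checks that the key is not passphrase-protected (the -des3 problem raised above), that the key's public half matches the certificate, that the certificate has not expired, and that it chains to the supplied bundle. It only needs the openssl binary.

```shell
#!/bin/sh
# Added example, not from the forum thread. Verifies a custom certificate set
# before pointing the modSSL db properties at it.
# Usage: check_cert_set /path/to/domain.crt /path/to/domain.key [/path/to/gd_bundle.crt]
# Returns 0 when every check passes, 1 on a failed check, 2 on a missing file.

key_is_encrypted() {
    # Passphrase-protected PEM keys carry ENCRYPTED in their header
    # ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
    grep -q 'ENCRYPTED' "$1"
}

cert_key_match() {
    # Compare the public key embedded in the certificate with the one
    # derived from the private key; a digest of each is enough to compare.
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl rsa -in "$2" -pubout -passin pass: 2>/dev/null | openssl dgst -sha256)
    [ -n "$crt_pub" ] && [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

check_cert_set() {
    crt=$1; key=$2; chain=$3
    status=0
    for f in "$crt" "$key" ${chain:+"$chain"}; do
        [ -r "$f" ] || { echo "MISSING: $f"; return 2; }
    done

    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; httpd cannot load it unattended at boot"
        status=1
    else
        echo "ok: key is not passphrase-protected"
    fi

    if cert_key_match "$crt" "$key"; then
        echo "ok: certificate and key share the same public key"
    else
        echo "FAIL: certificate and key do not match (re-key with the key that made the CSR)"
        status=1
    fi

    # -checkend 0 succeeds only if the certificate is still valid right now.
    if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok: certificate has not expired"
    else
        echo "FAIL: certificate is expired or unreadable"
        status=1
    fi

    if [ -n "$chain" ]; then
        if openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1; then
            echo "ok: certificate chains to $chain"
        else
            echo "FAIL: certificate does not verify against $chain (wrong or missing bundle)"
            status=1
        fi
    fi
    return $status
}

# Run directly: ./check_cert_set.sh domain.crt domain.key [gd_bundle.crt]
if [ "$#" -ge 2 ]; then
    check_cert_set "$@"
fi
```

Run it against the files before issuing the config setprop commands; a FAIL on the match or chain line is what an Apache startup failure after a re-key usually looks like from the file side, and the encrypted-key check catches the -des3 case the thread warns about before the reboot does.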
-
Here is a rough draft of a how-to on entering a UCC SSL certificate into SME 7.4. I am quite sure I have too many steps here so I implore the experts to help me to turn this into a slimmed down how-to.
If you want to play that game, the wiki is the place to do it.
make a backup copy of these files:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/httpd.conf
Un-comment and edit these lines:
SSLCertificateFile /etc/httpd/conf/signedssl/yourdomain.crt
SSLCertificateKeyFile /etc/httpd/conf/signedssl/yourdomain.key
SSLCertificateChainFile /etc/httpd/conf/signedssl/gd_bundle.crt
Above is definitely wrong advice. I'd advise you to read the developers guide and other documentation, and understand the templating system.
Was this not clear enough for you?
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
-
Sorry Charlie.
I knew that would get your attention.
I put these lines in because they are suggested on the GoDaddy help page for installing certs. I wanted to make a point of this.
So obviously we want to take out the line to edit httpd.conf.
What about /etc/httpd/conf.d/ssl.conf? Is that also not needed? The DO NOT MODIFY warning is not at the top of this file, and I wanted to be sure to include everything that might be needed.
I'm glad you jumped in here, because I have seen by your many great posts that you really know SME.
Is there anything else that should be added or deleted to make this how-to valuable to others?
I would like to handle this without a lot of back and forth, and avoid flaming and RTFM.
I will place my final draft in the wiki as you suggest.
-
I will place my final draft in the wiki as you suggest.
Wiki is the place for the first draft.
Over and out.