HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


jarkand 21st August 2006 15:08

Apache down every week (caught SIGTERM)
 
Hey guys,

this is my first post here, so don't push too hard on me, ok :)

I've been looking around for some time to find any helpful topics on the web but wasn't lucky so far. Let's try it this way.

My system is a Debian 3.1 version (Postfix, Apache2 (Apache/2.0.54 mod_ssl/2.0.54), MySql and Proftp, also).

And here's my problem (and I think it's not related to system only):
Every Sunday my Apache goes down so I sat down and checked the logs. The only thing I found is an entry in /var/log/apache2/error.log which says:
Code:

[Sun Aug 06 06:25:02 2006] [notice] caught SIGTERM, shutting down

Well, every Sunday means that it has something to do with the crons running on my system. So I checked the weekly cron in /etc/cron.weekly and found the standard files which are:
Quote:

man-db
ntp-server
sysklogd

But wasn't lucky here, too.

After checking the /etc/logrotate.d/apache2 I found this:
Code:

/var/log/apache2/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                if [ -f /var/run/apache2.pid ]; then
                        /etc/init.d/apache2 restart > /dev/null
                fi
        endscript
}

Here you can see that the Apache is restarted but for some reason it fails. OK, more digging and after one week I found this in the apache error log:
Code:

[Sun Aug 13 06:25:01 2006] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

As far as I understand the cron is restarting the apache but apache waits for the SSL private key password but there's no one who types it in - right? So it sends the SIGTERM signal and that's it: no Website online :rolleyes:

Now my question: am I right? Is this the problem and if so how do I make sure that when apache is restarting, the password is submitted automatically?

Any hints are greatly appreciated. Thanks,
Mik

jarkand 21st August 2006 18:44

OK, I found one solution but I'm not very happy with it because it reduces the cert security level.

To get rid of the pass phrase request, simply create a new key without the -des3 (or whatever you've chosen) option.

Here's a very short (I'm sure you'll find this information 1 billion times on the net much better described than here) how-to: Apache-SSL / Apache ModSSL key and CSR generation without pass phrase instructions:

1. Generate the private key
Code:

openssl genrsa -out yourdomain.com.key 1024

Quote:

instead of: openssl genrsa -des3 -out yourdomain.com.key 1024

2. Generate the CSR
Code:

openssl req -new -key yourdomain.com.key -out yourdomain.com.csr

3. Request the CRT from a CA Unit or create your own one.

4. Edit Apache's conf and restart.

Apache will never again ask you to enter the pass for your private key and you don't have to worry about cron jobs that need to restart Apache.

Quote:

WARNING: Use this way only if you absolutely trust the server, and you make sure the permissions are carefully set!

Ohh, btw, any comments STILL appreciated...
Mik

falko 22nd August 2006 13:38

I guess when you created the certificates for Apache, you chose to encrypt the private key with a pass phrase (as shown here for ISPConfig's Apache: http://www.ispconfig.org/manual_installation.htm ). If you do this, then Apache always needs human intervention (someone who types in the pass phrase) to start/restart. Therefore you should choose not to encrypt the private key.

drks 23rd August 2006 11:29

There is no need to regenerate a key/csr/certificate. If you know the SSL Passphrase, you can simply remove it:

http://www.5dollarwhitebox.org/wiki/..._From_Key_File


Code:

# cp www.domain.com.key www.domain.com.key.passphrase

# openssl rsa -in www.domain.com.key.passphrase -out www.domain.com.key
read RSA key

Enter PEM pass phrase: <need to know passphrase to remove it>
writing RSA key
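
Both fixes above leave the private key unencrypted on disk, which is why the warning about permissions matters. The following check is an added example, not code from any poster in this thread: it reports whether a PEM key file still carries a pass phrase and, if not, whether group and others are locked out. The function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit an Apache private key file.

# Return 0 if the PEM key is pass-phrase protected.
# Traditional keys (openssl genrsa -des3) carry a "Proc-Type: 4,ENCRYPTED"
# header; PKCS#8 keys use a "BEGIN ENCRYPTED PRIVATE KEY" marker.
key_is_encrypted() {
    grep -Eq -e '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Return 0 if group and others have no access at all (0600/0400 style).
key_perms_tight() {
    # Characters 5-10 of "ls -ld" output are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print a one-word verdict for a key file.
audit_key() {
    if key_is_encrypted "$1"; then
        echo "encrypted"             # Apache will prompt on every (re)start
    elif key_perms_tight "$1"; then
        echo "plaintext-restricted"  # unattended restart works, owner-only
    else
        echo "plaintext-exposed"     # unencrypted and readable beyond owner
    fi
}

# Constructed sample files with dummy bodies (not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/with-passphrase.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/no-passphrase.key"
chmod 644 "$demo_dir/no-passphrase.key"

for f in "$demo_dir"/*.key; do
    printf '%s: %s\n' "${f##*/}" "$(audit_key "$f")"
done
```

A key reported as plaintext-exposed should be tightened with chmod before Apache is restarted.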


salehqt 12th July 2008 07:15

Same problem, different cause
 
I have the same problem with Ubuntu Server 8.04. Every package is in its default version. The fact is that I haven't enabled SSL at all, so the problem can't be caused by SSL or something.
I checked the configuration and found out that logrotate is killing my Apache, but there are no error messages in the log, only one line: caught SIGTERM, shutting down.
I tried "apache2ctl configtest" and it says I have no problem with my config file.

PS: I tried once to install cpanel but I didn't complete the installation procedure, cpanel is not working now, but its files are in my /usr/local/cpanel.

falko 13th July 2008 12:57

Maybe monit is a solution for you - it starts Apache automatically if it is not running: http://www.howtoforge.com/server_mon...it_debian_etch

gotting 15th July 2008 01:59

Similar problem Apache dies
 
I have a similar problem.

It appears that my Apache instance dies. Most often on Sundays. Not every Sunday but at least every second or third. I'm running ISPConfig on Ubuntu 6.06. It might have something to do with this bug
https://bugs.launchpad.net/ubuntu/+s...e2/+bug/174805

However, I haven't managed to find out if it's also present in Dapper. But it seems that Apache does not restart properly after log rotation.

The beginning of my error.log after rotation

Code:

[Sun Jul 06 06:25:41 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec2)
[Sun Jul 06 06:25:41 2008] [warn] module proxy_http_module is already loaded, skipping
[Sun Jul 06 06:25:41 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
[Sun Jul 06 11:48:21 2008] [notice] caught SIGTERM, shutting down
[Sun Jul 06 11:48:23 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec2)
[Sun Jul 06 11:48:23 2008] [warn] module proxy_http_module is already loaded, skipping
[Sun Jul 06 11:48:23 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
[Sun Jul 06 12:16:22 2008] [notice] caught SIGTERM, shutting down
[Sun Jul 06 12:16:23 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec2)
[Sun Jul 06 12:16:23 2008] [warn] module proxy_http_module is already loaded, skipping
[Sun Jul 06 12:16:24 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
[Sun Jul 06 12:39:21 2008] [notice] Graceful restart requested, doing restart
[Sun Jul 06 12:39:21 2008] [warn] module proxy_http_module is already loaded, skipping
[Sun Jul 06 12:39:22 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
[Sun Jul 06 12:39:22 2008] [warn] long lost child came home! (pid 21639)
[Sun Jul 06 12:42:17 2008] [notice] caught SIGTERM, shutting down

Can someone explain what the first 4 lines mean? I'm also concerned about
Code:

[warn] module proxy_http_module is already loaded, skipping

because I can't figure out why proxy_http_module seems to be loaded twice.

/Johan
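
The logs quoted in this thread show two patterns: a "caught SIGTERM" followed seconds later by "resuming normal operations" (a restart that worked), and a "caught SIGTERM" with nothing after it (an outage). The script below is an added example, not code from any poster: it scans an Apache 2.0-style error.log and lists each stop that was not followed by a start-up within an assumed threshold of 60 seconds, together with the first [error] line logged after the stop. The function name, threshold and sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: list Apache stops that were not followed
# by a start-up within MAX_GAP seconds (Apache 2.0-style error.log lines).
MAX_GAP=${MAX_GAP:-60}

# Prints one "<stop timestamp>|<first error after the stop>" line per outage.
unrecovered_stops() {
    awk -v max="$MAX_GAP" '
        # "[Sun Aug 06 06:25:02 2006] ..." -> day key and seconds since midnight
        function stamp(line,    f, t) {
            split(substr(line, 2, index(line, "]") - 2), f, " ")
            split(f[4], t, ":")
            day = f[2] " " f[3] " " f[5]
            sec = t[1] * 3600 + t[2] * 60 + t[3]
        }
        function report() { print stop_ts "|" cause; pending = 0 }
        /caught SIGTERM, shutting down/ {
            if (pending) report()          # stopped again without a start
            stamp($0); stop_day = day; stop_sec = sec
            stop_ts = substr($0, 2, index($0, "]") - 2)
            pending = 1; cause = "no error logged"
            next
        }
        pending && /\] \[error\] / && cause == "no error logged" {
            cause = substr($0, index($0, "[error] ") + 8)
        }
        pending && /resuming normal operations/ {
            stamp($0)
            # Another day, or more than max seconds later: count as an outage.
            # (A restart that straddles midnight is therefore over-reported.)
            if (day != stop_day || sec - stop_sec > max) report()
            pending = 0
        }
        END { if (pending) report() }
    ' "$1"
}

# Constructed sample log in the format quoted in this thread.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[Sun Aug 06 06:25:02 2006] [notice] caught SIGTERM, shutting down
[Sun Aug 06 06:25:03 2006] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Sun Aug 06 09:40:10 2006] [notice] Apache/2.0.54 configured -- resuming normal operations
[Sun Aug 13 06:25:02 2006] [notice] caught SIGTERM, shutting down
[Sun Aug 13 06:25:04 2006] [notice] Apache/2.0.54 configured -- resuming normal operations
[Sun Aug 20 06:25:02 2006] [notice] caught SIGTERM, shutting down
EOF
unrecovered_stops "$sample_log"
```

Run from cron shortly after the weekly logrotate job, the output separates a stop with a logged cause (the pass phrase case) from a stop with no error at all.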


All times are GMT +2.