Old 23rd July 2012, 20:32
cbj4074
Senior Member
 
Join Date: Nov 2010
Posts: 386
Apache server does not log errors when there is an SSL configuration problem

I find it extremely troubling that when Apache fails to start due to an SSL-related misconfiguration nothing is logged to that effect.

For example, if a certificate and private key do not match, Apache will fail to start and, from what I can tell, fails to log anything at all.

Maybe there is some alternate log file location of which I'm not aware, but tailing /var/log/apache2/error.log, or the site-specific log at /var/www/example.com/log/error.log, reveals absolutely nothing about the issue's cause.

I realize that ISPConfig employs a mechanism for "rolling back" after misconfiguration problems cause restarting Apache to fail, so my issue is not with ISPConfig, it's with Apache.

How can the world's "most mature", "most advanced" Web server be brought to its knees by an SSL misconfiguration in one site?

I find this to be inexcusable. Even if Apache did log every detail regarding the cause for the failed service start-up, the fact that Apache has no mechanism for handling such a misconfiguration gracefully is appalling.

What about simply ignoring the configuration block in which the problem occurred? (Yes, there could be serious implications for this, security-related and otherwise, which is why any such option would require acknowledgement of the risks before enabling it.) What about binding to port 80 only, instead of both 80 and 443? There are plenty of other actions that could be taken that are preferable to an outright failure to start -- especially in a "shared" environment where any number of sites may be brought down unexpectedly.

To the contrary, Dovecot, for example, failed gracefully in the same instance; it reported a very specific message in its logs and still started up. Because the certificate was malformed, Dovecot dropped its TLS capabilities, but it still started the server and bound to the non-secure port.

The apache2ctl configtest command is completely useless when the required files exist and are not empty. This utility does not check for a match between the private key and the certificate.

Am I missing something? Or is Apache really this incapable?
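A pre-restart check for the certificate/key mismatch the post describes, added here as an example and not part of the original post: it compares the public key embedded in the certificate with the public key derived from the private key, which is exactly the check `apache2ctl configtest` skips, so the mismatch is reported before a restart is attempted. It assumes the `openssl` command-line tool is installed and that the vhost file lists unquoted paths; `cert_key_match`, `vhost_directive` and `check_vhost_config` are names chosen for this example.

```shell
#!/bin/sh
# Added example: pre-restart sanity check for an Apache SSL vhost.
# apache2ctl configtest only verifies that SSLCertificateFile and
# SSLCertificateKeyFile exist; this compares the public key inside the
# certificate with the one derived from the private key and prints a
# diagnostic that Apache itself would not log. Assumes the openssl CLI.

# cert_key_match CERT KEY
# exit status 0 = match, 1 = mismatch, 2 = a file could not be parsed
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    # both commands emit the SubjectPublicKeyInfo in PEM, so a byte-for-byte
    # comparison is sufficient
    [ "$cert_pub" = "$key_pub" ]
}

# vhost_directive FILE DIRECTIVE
# prints the first (unquoted) path given for DIRECTIVE in FILE, or nothing
vhost_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# check_vhost_config FILE
# looks up the certificate/key pair in an Apache vhost file and reports
# whether they belong together; exit status as in cert_key_match
check_vhost_config() {
    cert=$(vhost_directive "$1" SSLCertificateFile)
    key=$(vhost_directive "$1" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "$1: no SSLCertificateFile/SSLCertificateKeyFile pair, nothing to check"
        return 0
    fi
    if cert_key_match "$cert" "$key"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$1: OK, $cert matches $key" ;;
        1) echo "$1: MISMATCH, $cert does not belong to $key; Apache would refuse to start" ;;
        *) echo "$1: cannot parse $cert or $key" ;;
    esac
    return $rc
}

# usage: check_vhost_config /etc/apache2/sites-enabled/example.com.vhost
```

Run it against every enabled vhost before `apache2ctl restart`; a non-zero exit status names the site and the offending pair instead of leaving only a silently failed start.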