Apache down every week (caught SIGTERM)

Discussion in 'Server Operation' started by jarkand, Aug 21, 2006.

  1. jarkand

    jarkand New Member

    Hey guys,

    this is my first post here, so don't push to hard on me, ok :)

    I've been looking around for some time to find any helpful topics on the web but wasn't lucky so far. Let's try it this way.

    My system is a Debian 3.1 version (Postfix, Apache2 (Apache/2.0.54 mod_ssl/2.0.54), MySql and Proftp, also).

    And here's my problem (and I think it's not related to system only):
    Every Sunday my Apache goes down so I sat down and checked the logs. The only thing I found, is an entry in /var/log/apache2/error.log which says:
    Code:
    [Sun Aug 06 06:25:02 2006] [notice] caught SIGTERM, shutting down
    
    Well, every Sunday means that it has something to do with the crons running on my system. So I checked the weekly cron in /etc/cron.weekly and found the standard files which are:
    But wasn't lucky here, too.

    After checking the /etc/logrotate.d/apache2 I found this:
    Code:
    /var/log/apache2/*.log {
    	weekly
    	missingok
    	rotate 52
    	compress
    	delaycompress
    	notifempty
    	create 640 root adm
    	sharedscripts
    	postrotate
    		if [ -f /var/run/apache2.pid ]; then
    			/etc/init.d/apache2 restart > /dev/null
    		fi
    	endscript
    }
    
    Here you can see that the Apache is restarted but for some reason it fails. OK, more digging and after one week I found this in the apache error log:
    Code:
    [Sun Aug 13 06:25:01 2006] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
    [Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
    [Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    [Sun Aug 13 06:25:01 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib 
    
    As far as I understand the cron is restarting the apache but apache waits for the SSL private key password but there's no one who types it in - right? So it sends the SIGTERM signal and that's it: no Website online :rolleyes:

    Now my question: am I right? Is this the problem and if so how do I make sure that when apache is restarting, the password is submitted automatically?

    Any hints are greatly appreciated. Thanks,
    Mik
     
  2. jarkand

    jarkand New Member

    OK, I found one solution but I'm not very happy with it because it reduces the cert security level.

    To get rid of the pass phrase request, simply create a new key without the -des3 (or what ever you've chosen) option.

    Here's a very short (I'm sure you'll find these information 1 billion times on the net much better described than here) how to Apache-SSL / Apache ModSSL key and CSR Generation without pass phrase instructions:

    1. Generate the private key
    Code:
    openssl genrsa –out yourdomain.com.key 1024
    2. Generate the CSR
    Code:
    openssl req –new –key yourdomain.com.key –out yourdomain.com.csr
    3. Request the CRT from a CA Unit or create your own one.

    4. Edit Apache's conf and restart.

    Apache will never again ask you to enter the pass for your privat key and you don't have to worry about cron jobs that require to restart Apache.

    Ohh, btw, any commends STILL appreciated...
    Mik
     
  3. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I guess when you created the certificates for Apache, you chose to encrypt the private key with a pass phrase (as shown here for ISPConfig's Apache: http://www.ispconfig.org/manual_installation.htm ). If you do this, then Apache always needs human intervention (someone who types in the pass phrase) to start/restart. Therefore you should choose not to encrypt the private key.
     
  4. drks

    drks New Member HowtoForge Supporter

    There is no need to regenerate a key/csr/certificate. If you know the SSL Passphrase, you can simply remove it:

    http://www.5dollarwhitebox.org/wiki..._Certificates#Remove_Passphrase_From_Key_File


    Code:
    # cp www.domain.com.key www.domain.com.key.passphrase
    
    # openssl rsa -in www.domain.com.key.passphrase -out www.domain.com.key
    read RSA key
    
    Enter PEM pass phrase: <need to know passphrase to remove it>
    writing RSA key
    
     
  5. salehqt

    salehqt New Member

    Same problem, different cause

    I have same problem with Ubuntu Server 8.04. every package is in its default version. The fact is that I haven't enabled SSL at all. so the problem can't be caused by SSL or something.
    I checked configuration and found out that logrotate is killing my apache. but there are no error messages in the log only one line: caught SIGTERM, shutting down.
    I tried "apache2ctl configtest" and it says I have no problem with my config file.

    PS: I tried once to install cpanel but I didn't complete the installation procedure, cpanel is not working now, but its files are in my /usr/local/cpanel.
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  7. gotting

    gotting New Member

    Similar problem Apache dies

    I have a similar problem.

    It appears that my apache instance dies. Most often on sundays. Not every sunday but at least every second or third. I'm running isp config on Ubuntu 6.06. It might have somthing to do with this bug
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/174805

    However, I haven't managed to fund out if it's also present in Dapper. But it seems that Apache does not restart properly after log rotation.

    The beginning of my error.log after rotation

    Code:
    [Sun Jul 06 06:25:41 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec2)
    [Sun Jul 06 06:25:41 2008] [warn] module proxy_http_module is already loaded, skipping
    [Sun Jul 06 06:25:41 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
    [Sun Jul 06 11:48:21 2008] [notice] caught SIGTERM, shutting down
    [Sun Jul 06 11:48:23 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec2)
    [Sun Jul 06 11:48:23 2008] [warn] module proxy_http_module is already loaded, skipping
    [Sun Jul 06 11:48:23 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
    [Sun Jul 06 12:16:22 2008] [notice] caught SIGTERM, shutting down
    [Sun Jul 06 12:16:23 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec2)
    [Sun Jul 06 12:16:23 2008] [warn] module proxy_http_module is already loaded, skipping
    [Sun Jul 06 12:16:24 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
    [Sun Jul 06 12:39:21 2008] [notice] Graceful restart requested, doing restart
    [Sun Jul 06 12:39:21 2008] [warn] module proxy_http_module is already loaded, skipping
    [Sun Jul 06 12:39:22 2008] [notice] Apache/2.0.55 (Ubuntu) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a configured -- resuming normal operations
    [Sun Jul 06 12:39:22 2008] [warn] long lost child came home! (pid 21639)
    [Sun Jul 06 12:42:17 2008] [notice] caught SIGTERM, shutting down
    Can someone explain what the 4 first lines mean? I'm also concerned about
    Code:
    [warn] module proxy_http_module is already loaded, skipping
    because I can't figure out why proxy_http_module seems to be loaded twice.

    /Johan
     

Share This Page