Apache server does not log errors when there is an SSL configuration problem

Discussion in 'Server Operation' started by cbj4074, Jul 23, 2012.

  cbj4074 (Member)

    I find it extremely troubling that when Apache fails to start due to an SSL-related misconfiguration nothing is logged to that effect.

    For example, if a certificate and private key do not match, Apache will fail to start and, from what I can tell, fails to log anything at all.

    Maybe there is some alternate log file location of which I'm not aware, but tailing /var/log/apache2/error.log, or the site-specific log at /var/www/example.com/log/error.log, reveals absolutely nothing about the issue's cause.

    I realize that ISPConfig employs a mechanism for "rolling-back" after misconfiguration problems cause restarting Apache to fail, so my issue is not with ISPConfig, it's with Apache.

    How can the world's "most mature", "most advanced" Web-server be brought to its knees due to an SSL misconfiguration with one site?

    I find this to be inexcusable. Even if Apache did log every detail regarding the cause for the failed service start-up, the fact that Apache has no mechanism for handling such a misconfiguration gracefully is appalling.

    What about simply ignoring the configuration block in which the problem occurred? (Yes, there could be serious implications for this, security-related and otherwise, which is why any such option would require acknowledgement of any risks before enabling.) What about binding to port 80 only, instead of both 80 and 443? There are plenty of other actions that could be taken that are preferable over an outright failure to start -- especially in a "shared" environment where any number of sites may be brought down unexpectedly.

    To the contrary, Dovecot, for example, failed gracefully in the same instance; it reported a very specific message in its logs and still started up. Due to the fact that the certificate was malformed, Dovecot dropped its TLS capabilities, but it still started the server and bound to the non-secure port.

    The apache2ctl configtest command is completely useless when the required files exist and are not empty. This utility does not check for a match between the private key and the certificate.

    Am I missing something? Or is Apache really this incapable?
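The certificate/key mismatch check that the post says configtest lacks, as an added example; this is not code from the original post, from Apache or from ISPConfig. It assumes the openssl command-line tool is installed, and the vhost file, server names and paths it uses are constructed for illustration:

```shell
#!/bin/sh
# Added example, not part of the original post or of Apache/ISPConfig:
# verify that each SSLCertificateFile in an Apache vhost config actually
# matches its SSLCertificateKeyFile before the server is restarted.
# Assumes the openssl CLI is on PATH; all paths below are hypothetical.

# keypair_matches CERT KEY
# 0 = the public key inside CERT equals the one derived from KEY,
# 1 = mismatch, 2 = one of the files is missing or unparseable.
# Both sides are compared as SubjectPublicKeyInfo PEM, so RSA and EC
# keys are handled alike; if CERT holds a chain, x509 reads the leaf.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_vhost_config FILE
# Scans the directives in FILE; at each </VirtualHost> the collected
# cert/key pair is checked and reported. Returns 0 when every pair
# matches (or no pair is configured), 1 if any pair mismatches or
# cannot be read. Commented-out directives are ignored because their
# first field is "#" or "#SSL...", not the bare directive name.
check_vhost_config() {
    status=0 cert='' key=''
    while IFS= read -r line || [ -n "$line" ]; do
        directive=$(printf '%s\n' "$line" | awk '{print $1}')
        value=$(printf '%s\n' "$line" | awk '{print $2}')
        value=${value#\"}; value=${value%\"}     # tolerate quoted paths
        case "$directive" in
            SSLCertificateFile)    cert=$value ;;
            SSLCertificateKeyFile) key=$value ;;
            '</VirtualHost>')
                if [ -n "$cert" ] && [ -n "$key" ]; then
                    if keypair_matches "$cert" "$key"; then
                        echo "OK       $cert <-> $key"
                    else
                        echo "MISMATCH $cert <-> $key"   # also covers rc=2
                        status=1
                    fi
                fi
                cert='' key='' ;;
        esac
    done < "$1"
    return "$status"
}

# demo: constructed input only. Two throw-away self-signed pairs and a
# vhost file in which the second vhost is wired to the wrong key.
demo() {
    d=$(mktemp -d)
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null
    done
    cat > "$d/sites.conf" <<EOF
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
    SSLCertificateFile    $d/a.crt
    SSLCertificateKeyFile $d/a.key
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLCertificateFile    $d/b.crt
    SSLCertificateKeyFile $d/a.key
</VirtualHost>
EOF
    check_vhost_config "$d/sites.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --demo) demo ;;
    '')     ;;                      # no argument: only define the functions
    *)      check_vhost_config "$1" ;;
esac
```

Run it as `sh check-ssl-pairs.sh /etc/apache2/sites-enabled/example.com.vhost` (script name and path hypothetical) from whatever wrapper restarts Apache, and refuse the restart on a non-zero exit; `--demo` shows the MISMATCH path without touching a real server. The comparison uses the whole public key rather than the RSA modulus so the same check works for EC certificates, and a missing or unreadable file is treated as a failure rather than a pass, since an absent key would bring the server down just as surely as a wrong one.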
