SSL Error Causes Apache to Not Start

Discussion in 'Server Operation' started by buddyrigotti, Nov 1, 2018.

  1. buddyrigotti

    buddyrigotti New Member

    None of the websites on my ISPConfig 3 / Debian 8 / Apache web server are loading. Earlier today, I tried to generate an SSL for the ISPConfig 3 interface, but that didn't work, and I think my issue has something to do with that. Here's the output I get when running service apache2 status:
    Code:
    Oct 31 18:53:55 server.servername.net apache2[2717]: Starting web server: apache2AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
    Oct 31 18:53:55 server.servername.net apache2[2717]: Action 'start' failed.
    Oct 31 18:53:55 server.servername.net apache2[2717]: The Apache error log may have more information.
    Oct 31 18:53:55 server.servername.net apache2[2717]: .
    Oct 31 18:53:55 server.servername.net systemd[1]: Started LSB: Apache2 web server.
    My Apache error log looks like this:
    Code:
    [Wed Oct 31 18:46:48.705899 2018] [ssl:emerg] [pid 1094] AH02572: Failed to configure at least one certificate and key for server.servername.net:443
    [Wed Oct 31 18:46:48.705976 2018] [ssl:emerg] [pid 1094] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Oct 31 18:46:48.706006 2018] [ssl:emerg] [pid 1094] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Oct 31 18:46:48.706020 2018] [ssl:emerg] [pid 1094] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    [Wed Oct 31 18:46:48.706025 2018] [ssl:emerg] [pid 1094] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed
    Any help would be greatly appreciated. Thanks!
     
  2. ahrasis

    ahrasis Well-Known Member

    As stated by the error log, you do not have your SSL certs properly configured. Are you using Let's Encrypt or other SSL certs? Do go to /usr/local/ispconfig/interface/ssl and check whether you have proper SSL certs, then open your ispconfig.vhost and check whether they are properly assigned in it.
     
  3. buddyrigotti

    buddyrigotti New Member

    Thank you for the help. I am using self-signed certificates and yes, the ispconfig.vhost file points to the correct certificate and key in the location you described. Originally, all was working fine (for years) until I tried to create a Let's Encrypt SSL for ISPConfig to use, rather than the self-signed certificate I've been using (the browser errors are annoying). I followed this tutorial (https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/) to try to make the LE SSL work, but I never was able to get it to work, but I did not have any Apache issues. All was still working as it was.
    Here's the interesting thing: the Apache error above refers to dal01.domainname.net, which is the FQDN my VPS provider uses, but when we installed ISPConfig years ago, we used server1.domainname.net. So I'm not sure why an SSL would have ever been generated for dal01.domainname.net.
    In following the tutorial above, I did create server1.domainname.net as a website inside ISPConfig, but it did not immediately break my server. My server broke somewhat randomly, about an hour or two after I had made these changes. The server broke about a minute after I disabled an older website (that was created years ago). Very strange!
    One more thing: I can get Apache to start only if I use the command
    Code:
    a2dismod ssl
    to temporarily disable ssl. Then, the sites on my server that do not use SSL load fine, but none of my SSL sites load, including my ISPConfig 3 Control Panel.
     
  4. ahrasis

    ahrasis Well-Known Member

    What is the output of "ls -lat /usr/local/ispconfig/interface/ssl"?

    Ubuntu 18.04 "hostname -f" depends on what you prescribed in /etc/hosts; make sure it is correct in there and that running that command results in your right hostname FQDN being displayed before you attempt that tutorial.

    Many failed to set their server hostname properly, making following the tutorial or using its LE4ISPC script useless, since they both depend on the proper setup of the server hostname FQDN.

    So get that right first and then go through the tutorial or its LE4ISPC script one by one. The LE4ISPC script can be run without following the tutorial but learning via the tutorial is better.
     
  5. buddyrigotti

    buddyrigotti New Member

    Code:
    total 28
    -rwxr-x--- 1 root      root        45 Oct 31 18:53 empty.dir
    drwxr-s--- 2 root      root      4096 Oct 31 18:52 .
    -rwxr-x--- 1 root      root      3243 Oct 31 18:52 ispserver.key
    -rwxr-x--- 1 root      root      2208 Oct 31 18:52 ispserver.crt
    -rwxr-x--- 1 root      root      1870 Oct 31 18:52 ispserver.csr
    -rwxr-x--- 1 root      root      3311 Oct 31 18:51 ispserver.key.secure
    drwxr-s--- 9 ispconfig ispconfig 4096 Nov 22  2016 ..
    Running hostname -f reveals the hostname given by my VPS, dal01.domainname.net, not the actual server name I used to set up ISPConfig (server1.domainname.net).
     
  6. ahrasis

    ahrasis Well-Known Member

  7. buddyrigotti

    buddyrigotti New Member

    Thanks so much for the assistance. I got this (mostly) fixed by editing the ssl.conf file and pointing the cert paths in that file to the new server1.domainname.net ssl cert/key.
    So now all my sites are working properly via https...however...
    Now my ISPConfig control panel still does not load. Will making the suggested edit above to my /etc/hosts file fix this? And will it mess up the sites that are now working? Thanks in advance.
     

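A pre-flight check for the kind of failure discussed in this thread, added here as an example and not posted by any participant: before re-enabling mod_ssl, confirm that every SSLCertificateFile and SSLCertificateKeyFile path in a config file exists and starts with the expected PEM header. The function names (`pem_has_header`, `check_vhost_certs`, `make_sample`) and the sample files are constructed for illustration.

```shell
# Added example; function names and sample data are constructed for illustration.
# pem_has_header FILE KIND: true if FILE is readable and has a cert/key PEM start line.
pem_has_header() {
    case "$2" in
        cert) pattern='^-----BEGIN CERTIFICATE-----' ;;
        key)  pattern='^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' ;;
        *)    return 2 ;;
    esac
    [ -r "$1" ] && grep -Eq -e "$pattern" "$1"
}

# check_vhost_certs CONF: print "FAIL <kind> <path>" for each active
# SSLCertificateFile / SSLCertificateKeyFile target that is missing or lacks
# the expected header; return 1 if any failed. Paths with spaces are not handled.
check_vhost_certs() {
    [ -r "$1" ] || { echo "FAIL conf $1"; return 1; }
    failures=$(
        awk '{ gsub(/"/, "", $2) }
             tolower($1) == "sslcertificatefile"    { print "cert", $2 }
             tolower($1) == "sslcertificatekeyfile" { print "key", $2 }' "$1" |
        while read -r kind path; do
            pem_has_header "$path" "$kind" || echo "FAIL $kind $path"
        done
    )
    [ -z "$failures" ] && return 0
    echo "$failures"
    return 1
}

# make_sample: constructed PEM-shaped files (no real key material) plus two
# vhost files; bad.vhost points SSLCertificateKeyFile at the CSR.
make_sample() {
    d=$(mktemp -d) || return 1
    for f in "crt:CERTIFICATE" "csr:CERTIFICATE REQUEST" "key:RSA PRIVATE KEY"; do
        t=${f#*:}
        printf '%s\n' "-----BEGIN $t-----" AAAA "-----END $t-----" > "$d/ispserver.${f%%:*}"
    done
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$d/ispserver.crt" "$d/ispserver.key" > "$d/good.vhost"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile "%s"\n' \
        "$d/ispserver.crt" "$d/ispserver.csr" > "$d/bad.vhost"
    echo "$d"
}

sample=$(make_sample)
for v in good bad; do
    if check_vhost_certs "$sample/$v.vhost"; then echo "$v.vhost: headers OK"; fi
done
rm -rf "$sample"
```

On the server in this thread the function would be pointed at /etc/apache2/sites-enabled/000-ispconfig.conf. A clean result only means the referenced files look like PEM of the right type, not that the key matches the certificate.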