startssl at boot time

2004-04-03 Thread RYAN vAN GINNEKEN
I use FreeBSD 4.9-STABLE and Apache 2.0.0.49 with mod_ssl. When I type
startssl everything seems to work, i.e. my non-SSL sites and my SSL site.
However, on reboot my SSL site does not come up until I run apachectl
stop and then apachectl startssl. How do I make Apache start the SSL
stuff at boot time? Thank you in advance.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


apachectl startssl at boot time ?

2005-03-03 Thread David Larkin
Hi,

I can start apache with SSL ok from the command line

> apachectl startssl

I've now put the following into /etc/rc.conf hoping that it will start at boot
time.

apache_enable="YES"
apache_flags="startssl"

This starts Apache at boot time, but not with SSL.

Any ideas where I'm going wrong?

It seems like startssl is being passed as an argument to httpd rather than
apachectl.

David


Re: startssl at boot time

2004-04-04 Thread Matthew Seaman
On Sat, Apr 03, 2004 at 02:53:15PM -0700, RYAN vAN GINNEKEN wrote:
> I use FreeBSD 4.9-STABLE and Apache 2.0.0.49 with mod_ssl. When I type
> startssl everything seems to work, i.e. my non-SSL sites and my SSL site.
> However, on reboot my SSL site does not come up until I run apachectl
> stop and then apachectl startssl. How do I make Apache start the SSL
> stuff at boot time? Thank you in advance.

Apply this patch to /usr/local/etc/rc.d/apache2.sh:

% diff -u apache2.sh.orig apache2.sh 
--- apache2.sh.orig Sun Apr  4 12:20:39 2004
+++ apache2.sh  Sun Apr  4 12:20:54 2004
@@ -3,7 +3,7 @@
 
 case "$1" in
 start)
-   [ "ssl" = "ssl" -a -f "$PREFIX/etc/apache2/ssl.crt/server.crt" ] && SSL=ssl
+   SSL=ssl
[ -x ${PREFIX}/sbin/apachectl ] && ${PREFIX}/sbin/apachectl start${SSL} > 
/dev/null && echo -n ' apache2'
;;
 stop)
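Review bot: dropping the '-f "$PREFIX/etc/apache2/ssl.crt/server.crt"' test from the start) branch means a host without that certificate now runs 'apachectl startssl' unconditionally, and because the following line sends apachectl's output to /dev/null the resulting failure at boot is silent. Keep the file test (the '"ssl" = "ssl"' half is a tautology and can go) and report the fallback on the console, e.g. '[ -f "$PREFIX/etc/apache2/ssl.crt/server.crt" ] && SSL=ssl || echo "apache2: server.crt not found, starting without SSL" >&2', so a missing or misplaced certificate shows up at boot instead of as an SSL site that never comes up.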


which just stops the port trying to be clever about autodetecting if
SSL support is needed, and starts Apache up with startssl every time.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: startssl at boot time

2004-04-05 Thread RYAN vAN GINNEKEN
Patch? Guess I am new to patches; in fact this is my first one. Usually I
just install the port as is and hope that all the patches are added.
I have compiled a few packages from source but would rather not.

Oh, I think I get it. It looks like mergemaster: the + gets added and the -
gets removed, right? I will do it manually. Will that work? NOPE.

Please explain how applying the patch works, as I tried to manually edit
the config file and Apache did not start at all. Thank you in advance.
Below is a copy of the edited apache2.sh file.

#!/bin/sh
PREFIX=/usr/local
case "$1" in
start)
   SSL=ssl
   [ -x ${PREFIX}/sbin/apachectl ] && ${PREFIX}/sbin/apachectl 
start${SSL} > /dev
   ;;
stop)
   [ -r /var/run/httpd.pid ] && ${PREFIX}/sbin/apachectl stop > 
/dev/null && echo
   ;;
*)
   echo "Usage: `basename $0` {start|stop}" >&2
   ;;
esac

exit 0







Re: startssl at boot time

2004-04-06 Thread Matthew Seaman
On Tue, Apr 06, 2004 at 12:04:58AM -0600, RYAN vAN GINNEKEN wrote:

> Patch? Guess I am new to patches; in fact this is my first one. Usually I
> just install the port as is and hope that all the patches are added.
> I have compiled a few packages from source but would rather not.
> 
> Oh, I think I get it. It looks like mergemaster: the + gets added and the -
> gets removed, right? I will do it manually. Will that work? NOPE.
> 
> Please explain how applying the patch works, as I tried to manually edit
> the config file and Apache did not start at all. Thank you in advance.
> Below is a copy of the edited apache2.sh file.
> 
> #!/bin/sh
> PREFIX=/usr/local
> 
> case "$1" in
> start)
>SSL=ssl
>[ -x ${PREFIX}/sbin/apachectl ] && ${PREFIX}/sbin/apachectl 
> start${SSL} > /dev
>;;
> stop)
>[ -r /var/run/httpd.pid ] && ${PREFIX}/sbin/apachectl stop > 
> /dev/null && echo
>;;
> *)
>echo "Usage: `basename $0` {start|stop}" >&2
>;;
> esac
> 
> exit 0

Yes -- that's right.  However, for future reference, use the patch(1)
program which can automate all that stuff for you.

All you should need to do is save the message into a file, and then:

# cd /usr/local/etc/rc.d
# patch < /tmp/saved-message

You don't even need to edit the saved message to extract the patch
text: the patch(1) program deals with all that automatically.

And you're right -- this is exactly what mergemaster(1) uses.  The
patch is produced by the diff(1) program, which is why they are
occasionally known as 'diffs'.  Note that diff(1) can produce patches
in three different formats, but for historical reasons the default
format is not the 'unidiff' format that basically everyone uses: you
have to type 'diff -u' to get that.

Cheers,

Matthew




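As an added example of what Matthew describes above (not code from the thread or from the FreeBSD port): the script below builds a unified diff the way 'diff -u' does and applies it the way patch(1) does, including the context check that makes patch refuse a hunk that no longer matches, and the fact that text around the hunks, such as the body of a saved mail message, is simply ignored. The ORIGINAL text is a constructed stand-in assembled from the lines visible in the patch, not a real apache2.sh from a port.

```python
"""Added example: produce a unified diff with difflib and apply it with a
small hunk applier, mirroring 'diff -u' and patch(1) on a constructed
copy of the apache2.sh fragment from the thread."""
import difflib
import re

# Constructed stand-in for /usr/local/etc/rc.d/apache2.sh before the change.
ORIGINAL = """\
#!/bin/sh
PREFIX=/usr/local

case "$1" in
start)
   [ "ssl" = "ssl" -a -f "$PREFIX/etc/apache2/ssl.crt/server.crt" ] && SSL=ssl
   [ -x ${PREFIX}/sbin/apachectl ] && ${PREFIX}/sbin/apachectl start${SSL} > /dev/null && echo -n ' apache2'
   ;;
stop)
   [ -r /var/run/httpd.pid ] && ${PREFIX}/sbin/apachectl stop > /dev/null && echo -n ' apache2'
   ;;
esac
exit 0
"""

# The edited version: certificate autodetection replaced by an unconditional SSL=ssl.
MODIFIED = ORIGINAL.replace(
    '   [ "ssl" = "ssl" -a -f "$PREFIX/etc/apache2/ssl.crt/server.crt" ] && SSL=ssl\n',
    "   SSL=ssl\n", 1)


def make_unidiff(old, new, name="apache2.sh"):
    """Unified diff (what 'diff -u old new' prints) with three context lines."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile=name + ".orig", tofile=name))


HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def apply_unidiff(text, diff):
    """Apply a single-file unified diff to text and return the patched text.

    As patch(1) does, every ' ' and '-' line is checked against the source
    before it is consumed, so a hunk that no longer matches raises instead of
    silently producing a broken file. Everything outside the @@ hunks (the
    ---/+++ header, or the mail text around a patch) is ignored, which is why
    patch(1) can be fed a saved message directly.
    """
    src = text.splitlines(keepends=True)
    out = []
    pos = 0                      # next source line not yet copied to out
    lines = diff.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        i += 1
        if not m:
            continue
        start = max(int(m.group(1)) - 1, 0)    # 0-based first old line of the hunk
        old_left = int(m.group(2) or 1)        # ",N" is omitted when N == 1
        new_left = int(m.group(4) or 1)
        if start < pos:
            raise ValueError("overlapping or unordered hunk")
        out.extend(src[pos:start])             # untouched lines before the hunk
        pos = start
        while old_left > 0 or new_left > 0:
            if i >= len(lines):
                raise ValueError("truncated hunk")
            tag, body = lines[i][:1], lines[i][1:]
            i += 1
            if tag == "\\":                    # "\ No newline at end of file"
                continue
            if tag not in (" ", "-", "+"):
                raise ValueError("malformed hunk line: %r" % lines[i - 1])
            if tag in (" ", "-"):              # old line: must match the source
                if pos >= len(src) or src[pos] != body:
                    raise ValueError("hunk does not apply at line %d" % (pos + 1))
                pos += 1
                old_left -= 1
            if tag in (" ", "+"):              # new line: goes into the output
                out.append(body)
                new_left -= 1
    out.extend(src[pos:])
    return "".join(out)


if __name__ == "__main__":
    patch = make_unidiff(ORIGINAL, MODIFIED)
    print(patch)
    assert apply_unidiff(ORIGINAL, patch) == MODIFIED
    print("patch applies cleanly")
```

The context check is the part worth noticing: hand-editing, as Ryan did, skips it, which is how a mistyped line can leave a script that runs but does something different from the patch.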

Re: startssl at boot time

2004-04-07 Thread RYAN vAN GINNEKEN
Is this right??? The reason I ask is because Apache does not start on a
reboot, no SSL or even regular Apache. Here is the log output of an
apache stop then apache start using the script listed below. When I use
apache start only regular Apache starts, so I then have to issue the
apache startssl command.

[Wed Apr 07 13:20:01 2004] [info] removed PID file /var/run/httpd.pid (pid=3196)
[Wed Apr 07 13:20:01 2004] [notice] caught SIGTERM, shutting down
[Wed Apr 07 13:20:07 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Wed Apr 07 13:20:08 2004] [info] Init: Initializing OpenSSL library
[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Apr 07 13:20:08 2004] [info] Init: Generating temporary RSA private keys (512/102
[Wed Apr 07 13:20:08 2004] [info] Init: Generating temporary DH parameters (512/1024 b
[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured [hint: SSLSess
[Wed Apr 07 13:20:08 2004] [info] Init: Initializing (virtual) servers for SSL
[Wed Apr 07 13:20:08 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, Li
[Wed Apr 07 13:20:09 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Wed Apr 07 13:20:10 2004] [info] Init: Initializing OpenSSL library
[Wed Apr 07 13:20:10 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Apr 07 13:20:10 2004] [info] Init: Generating temporary RSA private keys (512/102
[Wed Apr 07 13:20:12 2004] [info] Init: Generating temporary DH parameters (512/1024 b
[Wed Apr 07 13:20:12 2004] [info] Init: Initializing (virtual) servers for SSL
[Wed Apr 07 13:20:12 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, Li
[Wed Apr 07 13:20:13 2004] [notice] Apache/2.0.49 (Unix) PHP/4.3.5 mod_ssl/2.0.49 Open
[Wed Apr 07 13:20:13 2004] [info] Server built: Mar 30 2004 04:02:47
[Wed Apr 07 13:20:13 2004] [debug] prefork.c(955): AcceptMutex: flock (default: flock)

Seems to initialize SSL, but my SSL page still does not work; however my
regular page does work. Here is a printout of the log file when I do
an apachectl stop and apachectl startssl. When I use startssl
everything works great, including my SSL page.

[Wed Apr 07 13:23:21 2004] [info] removed PID file /var/run/httpd.pid (pid=3227)
[Wed Apr 07 13:23:21 2004] [notice] caught SIGTERM, shutting down
[Wed Apr 07 13:23:26 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Wed Apr 07 13:23:27 2004] [info] Init: Initializing OpenSSL library
[Wed Apr 07 13:23:27 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Apr 07 13:23:27 2004] [info] Init: Generating temporary RSA private keys (512/102
[Wed Apr 07 13:23:29 2004] [info] Init: Generating temporary DH parameters (512/1024 b
[Wed Apr 07 13:23:29 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Wed Apr 07 13:23:29 2004] [info] Init: Initializing (virtual) servers for SSL
[Wed Apr 07 13:23:29 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, Li
[Wed Apr 07 13:23:30 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Wed Apr 07 13:23:31 2004] [info] Init: Initializing OpenSSL library
[Wed Apr 07 13:23:31 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Apr 07 13:23:31 2004] [info] Init: Generating temporary RSA private keys (512/102
[Wed Apr 07 13:23:31 2004] [info] Init: Generating temporary DH parameters (512/1024 b
[Wed Apr 07 13:23:31 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Wed Apr 07 13:23:31 2004] [info] Init: Initializing (virtual) servers for SSL
[Wed Apr 07 13:23:31 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, Li
[Wed Apr 07 13:23:31 2004] [notice] Apache/2.0.49 (Unix) PHP/4.3.5 mod_ssl/2.0.49 Open
[Wed Apr 07 13:23:31 2004] [info] Server built: Mar 30 2004 04:02:47
[Wed Apr 07 13:23:31 2004] [debug] prefork.c(955): AcceptMutex: flock (default: flock)

Here are the differences in the logs. I did this manually; will have to
spend some time using the diff command, as it could work for comparing
log entries too, right? So it must have something to do with the entropy
and the session cache, I guess.

[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured [hint: SSLSess

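Ryan compared the two startup logs by eye. As an added example (not from the thread), the script below does that comparison mechanically: it strips the timestamp and masks the pid from each Apache 2.0 error_log line so that only real message differences survive, then reports what appears in one run but not the other. The sample lines are the ones posted above for 'apachectl start' and 'apachectl startssl', re-joined where the mail wrapped them and still truncated where the original was.

```python
"""Added example: normalise two Apache error_log excerpts and report the
messages present in only one of them, plus the PRNG seed size mod_ssl
reported. Sample lines are copied from the logs posted in the thread."""
import re
from collections import Counter

LOG_START = """\
[Wed Apr 07 13:20:01 2004] [info] removed PID file /var/run/httpd.pid (pid=3196)
[Wed Apr 07 13:20:07 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Wed Apr 07 13:20:08 2004] [info] Init: Initializing OpenSSL library
[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured [hint: SSLSess
[Wed Apr 07 13:20:08 2004] [info] Init: Initializing (virtual) servers for SSL
[Wed Apr 07 13:20:13 2004] [notice] Apache/2.0.49 (Unix) PHP/4.3.5 mod_ssl/2.0.49 Open
"""

LOG_STARTSSL = """\
[Wed Apr 07 13:23:21 2004] [info] removed PID file /var/run/httpd.pid (pid=3227)
[Wed Apr 07 13:23:26 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Wed Apr 07 13:23:27 2004] [info] Init: Initializing OpenSSL library
[Wed Apr 07 13:23:27 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Apr 07 13:23:29 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Wed Apr 07 13:23:29 2004] [info] Init: Initializing (virtual) servers for SSL
[Wed Apr 07 13:23:31 2004] [notice] Apache/2.0.49 (Unix) PHP/4.3.5 mod_ssl/2.0.49 Open
"""

# Apache 2.0 error_log format: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
PID_RE = re.compile(r"pid=\d+")


def normalise(log):
    """Counter of (level, message) with the timestamp dropped and pids masked."""
    seen = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # not an error_log line (wrapped fragment etc.)
        msg = PID_RE.sub("pid=N", m.group("msg")).rstrip()
        seen[(m.group("level"), msg)] += 1
    return seen


def compare_logs(a, b):
    """Return (only_in_a, only_in_b) as sorted 'level: message' strings."""
    ca, cb = normalise(a), normalise(b)
    only_a = sorted("%s: %s" % k for k in ca.keys() - cb.keys())
    only_b = sorted("%s: %s" % k for k in cb.keys() - ca.keys())
    return only_a, only_b


def prng_entropy_bytes(log):
    """Bytes mod_ssl says it seeded the PRNG with, or None if not logged."""
    m = re.search(r"Seeding PRNG with (\d+) bytes of entropy", log)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    only_start, only_startssl = compare_logs(LOG_START, LOG_STARTSSL)
    print("only with 'apachectl start':")
    for line in only_start:
        print("  -", line)
    print("only with 'apachectl startssl':")
    for line in only_startssl:
        print("  +", line)
    print("PRNG seed bytes: start=%s startssl=%s"
          % (prng_entropy_bytes(LOG_START), prng_entropy_bytes(LOG_STARTSSL)))
```

Because the pid is masked, the "removed PID file" line no longer shows up as a difference, and the two lines Ryan picked out by hand are exactly what remains.
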
Re: startssl at boot time

2004-04-07 Thread Matthew Seaman
On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:

> Seems to initialize SSL, but my SSL page still does not work; however my
> regular page does work. Here is a printout of the log file when I do
> an apachectl stop and apachectl startssl. When I use startssl
> everything works great, including my SSL page.

> [Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
> [Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured [hint: SSLSess

The fact that you can do an apachectl startssl and have everything
work as desired means that you're 99.99% of the way to getting it all
to work.  The modification to the apache2.sh script I sent you last
time should force that script to always run 'apachectl startssl'
itself, so that shouldn't be the problem.

Hmmm... I think that perhaps the problem arises from when the
apache2.sh script is run.  I'm guessing that the 'Seeding PRNG' line
is significant -- it apparently means that there is no random data yet
available from /dev/random at the point when apache is started up in
the boot sequence.  As you're running 4.9, that can be cured by
telling the system to use some appropriate IRQs as sources of
randomness.  First run:

% vmstat -i

and look for the IRQs where there are a lot of interrupts generated.
Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
regular intervals, which is worse than useless as a source of
randomness.  I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
the keyboard), irq11 (mux -- multiplex: but this is network activity
mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
work well for me, but you will have to choose 2 or 3 or 4 suitable
IRQs on your own system to harvest for randomness.

Then add them to /etc/rc.conf

rand_irqs="1 11 12 15"

Then reboot.  (See rndcontrol(8) for more details)

With luck, and a following wind, there will be sufficient system
activity during startup that there will be sufficient random data
available to prime the PRNG used by OpenSSL, which should let apache
start up automatically.

Cheers,

Matthew





Re: startssl at boot time

2004-04-08 Thread RYAN vAN GINNEKEN
THANKS, but I already have that line in my rc.conf file, and the log
entries that I have submitted to this list are not from a reboot but
rather apachectl stop and start or startssl.  So when I run a startssl I
get the randomness I need; however when I just use apachectl start, which
is 99.9% the same command, it does not.  Honestly I am stumped; hope you
have some more wisdom to share.  There is also the line about the SSL cache;
I have done some googling but have not been able to come up with anything
that helps.



Re: startssl at boot time

2004-04-08 Thread Matthew Seaman
On Wed, Apr 07, 2004 at 04:58:24PM -0600, RYAN vAN GINNEKEN wrote:
> THANKS, but I already have that line in my rc.conf file, and the log
> entries that I have submitted to this list are not from a reboot but
> rather apachectl stop and start or startssl.  So when I run a startssl I
> get the randomness I need; however when I just use apachectl start, which
> is 99.9% the same command, it does not.  Honestly I am stumped; hope you
> have some more wisdom to share.  There is also the line about the SSL cache;
> I have done some googling but have not been able to come up with anything
> that helps.

That's most odd.  As you say, the apache2.sh script essentially just
runs 'apachectl start' for you.  Or, at least, that's what it's meant
to do.  There must be something different about what it is doing.
Hmmm... Can you show us the output from:

# sh -x /usr/local/etc/rc.d/apache2.sh start

(make sure apache is not running before you type that)

Cheers,

Matthew





Re: startssl at boot time

2004-04-08 Thread Eric Penfold
(side note, I'm a lurker, not a subscriber, so this response will probably 
break threading. If anyone has suggestions on how best to reply, without 
needing to subscribe and be swamped by email, I'd be grateful).

I'm slightly confused as to what your actual problem is, as the logs you've 
posted make sense to me with regard to how you generated them. Referring 
back to your post (http://docs.freebsd.org/cgi/mid.cgi?4074751E.2070607):

RYAN vAN GINNEKEN wrote:

>This is right ??? the reason i ask is because apache does not start on a
>reboot no ssl or even regular apache.
You then go on to show the log output from doing "apachectl start" vs 
"apachectl startssl". Note that the difference between these is very subtle, 
and not simply an issue of whether SSL is initialised or not.

Specifically, all that additionally happens with "startssl" is that the "SSL" 
flag is defined, such that <IfDefine SSL> blocks will be evaluated. Note that 
with the default ssl.conf, this is where SSLSessionCache and SSLRandomSeed 
are defined (among other things).

So, this explains why you see:

>here is the log output of an
>apache stop then apache start using the script listed below when i use
>apache start only regular apache starts so i then have to issue the
>apache startssl command.
>[... snip ...]
>[Wed Apr 07 13:20:08 2004] [info] Init: Initializing OpenSSL library
>[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
>[... snip ...]
>[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
>[hint: SSLSess
As you say, you have to use startssl.

The likely cause, as Matthew suggested, is lack of randomness.

However, it would help, if you were to post log output from apache starting 
up *after a reboot*, rather than from manual startssl/stop, since this is 
where (as far as I can understand) the problem lies.

Cheers,

Eric.


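Eric's point above is that startssl does nothing more than define SSL, so the only thing that changes is which <IfDefine> blocks httpd evaluates. As an added example (not code from the thread, from Apache or from the FreeBSD port), the script below evaluates <IfDefine> containers the way httpd does for a given set of -D names and reports what is missing when the SSL block is skipped. The configuration in it is constructed to mirror the layout Eric describes, with the SSL listener, SSLRandomSeed and SSLSessionCache inside <IfDefine SSL>; the module and certificate paths in it are illustrative, not taken from the posts.

```python
"""Added example: evaluate Apache <IfDefine> blocks for a given set of -D
names, showing what 'apachectl startssl' (SSL defined) enables compared
with plain 'start' (nothing defined). The config text is constructed."""
import re

# Constructed httpd.conf fragment; paths are illustrative.
HTTPD_CONF = """\
Listen 80
LoadModule ssl_module libexec/apache2/mod_ssl.so
<IfDefine SSL>
    Listen 443
    SSLRandomSeed startup file:/dev/random 512
    SSLRandomSeed connect builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    <VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
    </VirtualHost>
</IfDefine>
<IfDefine !SSL>
    # nothing listens on 443 when SSL is not defined
</IfDefine>
"""

OPEN_RE = re.compile(r"^<IfDefine\s+(!?)(\S+?)\s*>$", re.I)
CLOSE_RE = re.compile(r"^</IfDefine>$", re.I)


def active_directives(conf, defines):
    """Lines httpd would act on when started with the given -D names.

    Only <IfDefine> containers are evaluated; other containers such as
    <VirtualHost> pass through as ordinary lines. Nested blocks are tracked
    with a stack whose top says whether the current block is enabled."""
    defines = set(defines)
    stack = []
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            negate, name = m.group(1) == "!", m.group(2)
            satisfied = (name in defines) != negate      # <IfDefine !X> inverts
            parent_on = stack[-1] if stack else True
            stack.append(parent_on and satisfied)
            continue
        if CLOSE_RE.match(line):
            if not stack:
                raise ValueError("</IfDefine> without matching <IfDefine>")
            stack.pop()
            continue
        if not stack or stack[-1]:
            out.append(line)
    if stack:
        raise ValueError("unclosed <IfDefine>")
    return out


def ssl_startup_issues(directives):
    """The three things the posted 'apachectl start' log and symptoms point
    at when the SSL block is skipped: no seed source (the 0-byte seeding),
    no session cache (the warning), and no listener on 443 for the SSL site."""
    names = {d.split()[0].lower() for d in directives}
    issues = []
    if "sslrandomseed" not in names:
        issues.append("no SSLRandomSeed active: PRNG seeded with 0 bytes")
    if "sslsessioncache" not in names:
        issues.append("no SSLSessionCache active: 'Session Cache is not configured'")
    if not any(d.lower().startswith("listen 443") for d in directives):
        issues.append("nothing listening on 443")
    return issues


if __name__ == "__main__":
    for label, defs in (("apachectl start", []), ("apachectl startssl", ["SSL"])):
        active = active_directives(HTTPD_CONF, defs)
        print("%s (-D %s): %d directives, issues: %s"
              % (label, defs or "none", len(active), ssl_startup_issues(active) or "none"))
```

Note that mod_ssl is still loaded in both cases, which is why the plain 'start' log above still shows "Initializing OpenSSL library" even though no SSL site comes up.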

Re: startssl at boot time

2004-04-08 Thread Joshua Lokken
* Eric Penfold <[EMAIL PROTECTED]> [2004-04-08 04:50]:
> 
> (side note, I'm a lurker, not a subscriber, so this response will probably 
> break threading. If anyone has suggestions on how best to reply, without 
> needing to subscribe and be swamped by email, I'd be grateful).
 
You could subscribe to the list and choose to have it delivered to you
daily as a digest; then you'd have all of the list posts, and only
receive one mail (or so) per day. 

-- 
Joshua

Without followers, evil cannot spread.
-- Spock, "And The Children Shall Lead", stardate 5029.5


Re: startssl at boot time

2004-04-08 Thread Dirk-Willem van Gulik
The trouble you are having is not with the SSLCache (which you should
enable regardless, but for different reasons). If you already do rand_irqs
in your rc.conf and you save/load the entropy over boot time, then that is
about the best you can do in assuring there is 'real' entropy in /dev/random
short of getting into special kernels and/or hardware.

So the next step is to read the comments in the section 'Pseudo Random
Number Generator' and the mod_ssl manual and decide if in -your- case you
can get away with less randomness.  In some specific cases you can.

What is puzzling is that, assuming that the log file you are showing us
is complete, you are -not- getting the fatal

	error "Failed to generate temporary 512 bit RSA private key".

So it may be worth switching logging to 'debug' level and double-checking
that something else (e.g. DNS timeout, lack of a ca-bundle/chain) is not
biting you. There is a very complete FAQ on SSL and Apache in the Apache
bundle.

Dw



Re: startssl at boot time

2004-04-08 Thread RYAN vAN GINNEKEN
Here is the output of my

sh -x /usr/local/etc/rc.d/apache2.sh start

+ PREFIX=/usr/local
+ SSL=ssl
+ [ -x /usr/local/sbin/apachectl ]
+ /usr/local/sbin/apachectl startssl
+ echo -n  apache2
apache2+ exit 0
Here is the log of what happens when I reboot using this apache2.sh script:

#!/bin/sh
PREFIX=/usr/local
case "$1" in
start)
   SSL=ssl
   [ -x ${PREFIX}/sbin/apachectl ] && ${PREFIX}/sbin/apachectl start${SSL} > /de
   ;;
stop)
   [ -r /var/run/httpd.pid ] && ${PREFIX}/sbin/apachectl stop > /dev/null && ech
   ;;
*)
   echo "Usage: `basename $0` {start|stop}" >&2
   ;;
esac
exit 0



[Thu Apr 08 17:55:16 2004] [info] removed PID file /var/run/httpd.pid (pid=3243)
[Thu Apr 08 17:55:16 2004] [notice] caught SIGTERM, shutting down
[Thu Apr 08 17:55:24 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Thu Apr 08 17:55:25 2004] [info] Init: Initializing OpenSSL library
[Thu Apr 08 17:55:25 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Apr 08 17:55:25 2004] [info] Init: Generating temporary RSA private keys (512/10
[Thu Apr 08 17:55:27 2004] [info] Init: Generating temporary DH parameters (512/1024
[Thu Apr 08 17:55:27 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Thu Apr 08 17:55:27 2004] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 08 17:55:27 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, L
[Thu Apr 08 17:55:27 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Thu Apr 08 17:55:28 2004] [info] Init: Initializing OpenSSL library
[Thu Apr 08 17:55:28 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Apr 08 17:55:28 2004] [info] Init: Generating temporary RSA private keys (512/10
[Thu Apr 08 17:55:28 2004] [info] Init: Generating temporary DH parameters (512/1024
[Thu Apr 08 17:55:28 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Thu Apr 08 17:55:28 2004] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 08 17:55:28 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, L
[Thu Apr 08 17:55:28 2004] [notice] Apache/2.0.49 (Unix) PHP/4.3.5 mod_ssl/2.0.49 Ope
[Thu Apr 08 17:55:28 2004] [info] Server built: Mar 30 2004 04:02:47
[Thu Apr 08 17:55:28 2004] [debug] prefork.c(955): AcceptMutex: flock (default: flock
[Thu Apr 08 17:56:03 2004] [info] removed PID file /var/run/httpd.pid (pid=5919)
[Thu Apr 08 17:56:03 2004] [notice] caught SIGTERM, shutting down
[Thu Apr 08 17:56:30 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Thu Apr 08 17:56:31 2004] [info] Init: Initializing OpenSSL library
[Thu Apr 08 17:56:31 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Apr 08 17:56:31 2004] [info] Init: Generating temporary RSA private keys (512/10
[Thu Apr 08 17:56:32 2004] [info] Init: Generating temporary DH parameters (512/1024
[Thu Apr 08 17:56:32 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Thu Apr 08 17:56:32 2004] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 08 17:56:32 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, L
[Thu Apr 08 17:56:32 2004] [info] mod_unique_id: using ip addr 192.168.0.202
[Thu Apr 08 17:56:33 2004] [info] Init: Initializing OpenSSL library
[Thu Apr 08 17:56:33 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Apr 08 17:56:33 2004] [info] Init: Generating temporary RSA private keys (512/10
[Thu Apr 08 17:56:33 2004] [info] Init: Generating temporary DH parameters (512/1024
[Thu Apr 08 17:56:33 2004] [debug] ssl_scache_dbm.c(403): Inter-Process Session Cache
[Thu Apr 08 17:56:33 2004] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 08 17:56:33 2004] [info] Server: Apache/2.0.49, Interface: mod_ssl/2.0.49, L
[Thu Apr 08 17:56:33 2004] [notice] Apache/2.0.49 (Unix) PHP/4.3.5 mod_ssl/2.0.49 Ope
[Thu Apr 08 17:56:33 2004] [info] Server built: Mar 30 2004 04:02:47
[Thu Apr 08 17:56:33 2004] [debug] prefork.c(955): AcceptMutex: flock (default: flock
[Thu Apr 08 18:00:20 2004] [info] removed PID file /var/run/httpd.pid
(pid=5942)
[Thu Apr 08 18:00:20 2004] [notice] caught SIGTERM, shutting down

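The patched apache2.sh above hard-codes SSL=ssl, which throws away the port's original test that server.crt exists before choosing startssl: with a missing certificate, httpd -DSSL simply fails at boot and there is no web server at all. The functions below are an added illustration, not the FreeBSD port's script and not code from this thread. They keep that existence test, additionally refuse a private key that group or world can read, and report the reason on stderr. The default certificate and key paths are assumptions modelled on the port's ssl.crt/ssl.key directory layout.

```shell
#!/bin/sh
# Added example, not the FreeBSD port's apache2.sh: decide between
# "apachectl start" and "apachectl startssl" from the state of the SSL
# material instead of hard-coding SSL=ssl.
# The default paths are assumptions modelled on the Apache 2.0 port layout.
CERT_DEFAULT=/usr/local/etc/apache2/ssl.crt/server.crt
KEY_DEFAULT=/usr/local/etc/apache2/ssl.key/server.key

# ssl_material_ok CERT KEY
# Succeeds only when the certificate exists, the key is readable, and the
# key's mode gives group and others no access at all (0400, 0600, 0700).
ssl_material_ok() {
    cert=$1; key=$2
    [ -f "$cert" ] || { echo "ssl: missing certificate $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "ssl: missing or unreadable key $key" >&2; return 1; }
    # GNU stat first, BSD stat (FreeBSD) as the fallback; both print the
    # permission bits in octal, e.g. 600.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        *[4-7]00) return 0 ;;
        *) echo "ssl: key $key is mode $mode; expected an owner-only mode such as 0600" >&2
           return 1 ;;
    esac
}

# apache_start_subcommand [CERT] [KEY]
# Echoes "startssl" when the SSL material passes, "start" otherwise, so a
# broken key at boot still yields a plaintext httpd plus a reason on stderr.
apache_start_subcommand() {
    if ssl_material_ok "${1:-$CERT_DEFAULT}" "${2:-$KEY_DEFAULT}"; then
        echo startssl
    else
        echo start
    fi
}

# Use inside an rc script (the apachectl path is the port's usual one):
#   sub=$(apache_start_subcommand)
#   /usr/local/sbin/apachectl "$sub"
```

Falling back to plain HTTP mirrors what the port's original test did, but it is a silent downgrade; if you would rather have no listener than an unencrypted one, make apache_start_subcommand return 1 in the else branch and let the rc script stop there.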
Re: apachectl startssl at boot time ?

2005-03-03 Thread Ean Kingston

> Hi,
>
> I can start apache with SSL ok from the command line
>
>> apachectl startssl
>
> I've now put the following into /etc/rc.conf hoping that it will start at
> boot time.
>
> apache_enable="YES"
> apache_flags="startssl"

Try

apache_flags="-DSSL"

instead.

> This starts Apache on boot time but not with SSL
>
> It seems like startssl is being passed as an argument to httpd rather than
> apachectl.

You are right, the startup scripts call httpd directly. If you look at the
apachectl script you will see that the 'startssl' command does the
following:

startssl|sslstart|start-SSL)
    if [ $RUNNING -eq 1 ]; then
        echo "$0 $ARG: httpd (pid $PID) already running"
        continue
    fi
    if $HTTPD -DSSL; then
        echo "$0 $ARG: httpd started"

So, if you do what I said above, your web server will start up with ssl
support.

-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
   URL: http://www.hedron.org/



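Ean's point is that apachectl startssl is nothing more than httpd -DSSL, and -DSSL only has an effect because the stock httpd.conf wraps the SSL parts in <IfDefine SSL> ... </IfDefine>. The sh function below is an added example, not code from this thread or from Apache: it evaluates IfDefine blocks the way httpd does, so you can print the effective directives with and without the define and see what apache_flags="-DSSL" actually switches on. It goes a little beyond the thread by also handling nested and negated (<IfDefine !NAME>) blocks. The configuration it is run against comes from sample_conf, a constructed fragment in the shape of the Apache 2.0 default file, not anyone's real httpd.conf; it only understands IfDefine, not IfModule or other containers.

```shell
#!/bin/sh
# Added example, not part of the thread: show what "httpd -DSSL" changes.
# -DSSL makes <IfDefine SSL> blocks active and <IfDefine !SSL> blocks
# inactive; nothing else. active_directives evaluates those blocks.

# active_directives CONF [DEFINE ...]
# Prints the non-comment directives of CONF that are active under DEFINEs.
active_directives() {
    conf=$1; shift
    defines=" $* "          # padded so " SSL " matches exactly, not "SSLX"
    depth=0                 # current <IfDefine> nesting depth
    off=0                   # depth at which an inactive block began; 0 = none
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
        case "$line" in
            ''|'#'*) continue ;;
            '<IfDefine '*'>')
                depth=$((depth + 1))
                name=${line#'<IfDefine '}; name=${name%'>'}
                [ "$off" -ne 0 ] && continue       # already inside an inactive block
                case "$name" in
                    '!'*) case "$defines" in *" ${name#!} "*) off=$depth ;; esac ;;
                    *)    case "$defines" in *" $name "*) ;; *) off=$depth ;; esac ;;
                esac
                ;;
            '</IfDefine>')
                [ "$off" -eq "$depth" ] && off=0   # leaving the block that turned output off
                depth=$((depth - 1))
                ;;
            *)
                [ "$off" -eq 0 ] && printf '%s\n' "$line"
                ;;
        esac
    done < "$conf"
    return 0
}

# sample_conf: a constructed httpd.conf fragment in the shape of the Apache 2.0
# default configuration (not a real file from any host).
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real httpd.conf
Listen 80
<IfDefine SSL>
    Listen 443
    Include conf/ssl.conf
    <IfDefine !NOCACHE>
        SSLSessionCache dbm:/var/run/ssl_scache
    </IfDefine>
</IfDefine>
<IfDefine !SSL>
    LogLevel info
</IfDefine>
ServerName www.example.com
EOF
}

# Usage against a real file, e.g. to diff the two boot-time outcomes:
#   active_directives /usr/local/etc/apache2/httpd.conf      > plain.txt
#   active_directives /usr/local/etc/apache2/httpd.conf SSL  > ssl.txt
#   diff plain.txt ssl.txt
```

Running the diff shown in the comment against the real httpd.conf is the quickest way to confirm that Listen 443 and the ssl.conf include are only present when the define is passed, which is exactly the difference between apache_flags="startssl" (ignored by httpd) and apache_flags="-DSSL".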

Re: apachectl startssl at boot time ?

2005-03-03 Thread David Larkin
On Thu, 3 Mar 2005 11:48:24 -0500 (EST)
"Ean Kingston" <[EMAIL PROTECTED]> wrote:

> 
> > Hi,
> >
> > I can start apache with SSL ok from the command line
> >
> >> apachectl startssl
> >
> > I've now put the following into /etc/rc.conf hoping that it will start at
> > boot time.
> >
> > apache_enable="YES"
> > apache_flags="startssl"
> 
> Try
> 
> apache_flags="-DSSL"


Works a treat, thanks ;-)

> 
> instead.
> 
> > This starts Apache on boot time but not with SSL
> >
> > It seems like startssl is being passed as an argument to httpd rather than
> > apachectl.
> 
> You are right, the startup scripts call httpd directly. If you look at the
> apachectl script you will see that the 'startssl' command does the
> following:
> 
> startssl|sslstart|start-SSL)
>     if [ $RUNNING -eq 1 ]; then
>         echo "$0 $ARG: httpd (pid $PID) already running"
>         continue
>     fi
>     if $HTTPD -DSSL; then
>         echo "$0 $ARG: httpd started"
> 
> So, if you do what I said above, your web server will start up with ssl
> support.
> 
> -- 
> Ean Kingston
> E-Mail: ean_AT_hedron_DOT_org
>  PGP KeyID: 1024D/CBC5D6BB
>URL: http://www.hedron.org/
> 
> 


Re: apachectl startssl at boot time ?

2005-03-03 Thread Jonathan Chen
On Thu, Mar 03, 2005 at 05:58:42PM +, David Larkin wrote:
> Hi,
> 
> I can start apache with SSL ok from the command line
> 
> > apachectl startssl
> 
> I've now put the following into /etc/rc.conf hoping that it will start at 
> boot time.
> 
> apache_enable="YES"
> apache_flags="startssl"
> 
> This starts Apache on boot time but not with SSL
> 
> Any ideas where I'm going wrong ?

Have a look in /usr/local/etc/rc.d/apache.sh for hints on the possible
stuff you can put into /etc/rc.conf. To start SSL, you need to put the
following line into rc.conf:

apache2ssl_enable="YES"

Cheers.
-- 
Jonathan Chen <[EMAIL PROTECTED]>
--
The Internet: an empirical test of the idea that a million monkeys
banging on a million keyboards can produce Shakespeare


How best to reply to list (Was Re: startssl at boot time)

2004-04-08 Thread Eric Penfold
Joshua Lokken wrote:

> * Eric Penfold <[EMAIL PROTECTED]> [2004-04-08 04:50]:
>
>> (side note, I'm a lurker, not a subscriber, so this response will
>> probably break threading. If anyone has suggestions on how best to reply,
>> without needing to subscribe and be swamped by email, I'd be grateful).
>
>
>
> You could subscribe to the list and choose to have it delivered to you
> daily as a digest; then you'd have all of the list posts, and only
> receive one mail (or so) per day.

Yes, I'm aware of that possibility, but it doesn't help with the fundamental 
problem of being able to reply to specific posts (without breaking threading 
etc).

Cheers,

Eric.



Re: How best to reply to list (Was Re: startssl at boot time)

2004-04-08 Thread Erik Trulsson
On Thu, Apr 08, 2004 at 06:45:23PM +0100, Eric Penfold wrote:
> Joshua Lokken wrote:
> 
> > * Eric Penfold <[EMAIL PROTECTED]> [2004-04-08 04:50]:
> >
> >> (side note, I'm a lurker, not a subscriber, so this response will 
> probably break threading. If anyone has suggestions on how best to reply, 
> without needing to subscribe and be swamped by email, I'd be grateful).
> >
> >
> >
> > You could subscribe to the list and choose to have it delivered to you
> > daily as a digest; then you'd have all of the list posts, and only
> > receive one mail (or so) per day.
> 
> Yes, I'm aware of that possibility, but it doesn't help with the fundamental 
> problem of being able to reply to specific posts (without breaking 
> threading etc).

Once or twice when I have wanted to reply to a mail on a list that I am
not subscribed to, I have downloaded the raw e-mail in question from the
list-archives, placed it in my mailbox and then replied to it just as
if I had received it normally.
It is a bit of work, but it works fine.


-- 

Erik Trulsson
[EMAIL PROTECTED]