Re: [users@httpd] Apache won't start, strace output enclosed
SSLCACertificateFile is only for client certificate authentication. Are you trying to use that? If not, removing that line should solve that particular error. If you do want to use client certificate auth, then there is probably some other problem with your certificate. - Y On Fri, Jan 17, 2014 at 3:22 AM, David Benfell wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote: > > - Original Message - Hi all, > > > > Ack! > > > > This is apache 2.2.25 compiled from source but on a CentOS 6.5 > > system. Notably, I included all modules in the build. > > > >> You might want to start to build with a minimal set of modules, > >> to exclude any of them from being the cause. Why did you compile > >> with all modules to start with? > > > This is a build that *was* working. I've been using it--I see (see > below) since December. > > > > I was trying to add a subdomain, ran into memory allocation > > problems and so tweaked the settings accordingly. Here are the > > current settings and I have no idea how sensible they are: > > > > StartServers 4 MinSpareServers4 > > MaxSpareServers 64 ServerLimit 512 MaxClients512 > > MaxRequestsPerChild 512 > > StartServers 4 MaxClients 512 MinSpareThreads 32 > > MaxSpareThreads 64 ThreadsPerChild 16 MaxRequestsPerChild > > 0 > > > >> This depends on which MPM you are currently running, see your > >> httpd -V output for this information. Obviously the specific > >> settings will be different in each usecase, depending on load > >> and resources available. > > > This returns: > > Server version: Apache/2.2.25 (Unix) > Server built: Dec 2 2013 08:47:03 > Server's Module Magic Number: 20051115:33 > Server loaded: APR 1.4.8, APR-Util 1.5.2 > Compiled using: APR 1.4.8, APR-Util 1.5.2 > Architecture: 64-bit > Server MPM: Prefork > threaded: no > forked: yes (variable process count) > Server compiled with > -D APACHE_MPM_DIR="server/mpm/prefork" > -D APR_HAS_SENDFILE > -D APR_HAS_MMAP > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > -D APR_USE_SYSVSEM_SERIALIZE > -D APR_USE_PTHREAD_SERIALIZE > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > -D APR_HAS_OTHER_CHILD > -D AP_HAVE_RELIABLE_PIPED_LOGS > -D DYNAMIC_MODULE_LIMIT=128 > -D HTTPD_ROOT="/usr/local/apache2" > -D SUEXEC_BIN="/usr/local/apache2/bin/suexec" > -D DEFAULT_PIDLOG="logs/httpd.pid" > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > -D DEFAULT_LOCKFILE="logs/accept.lock" > -D DEFAULT_ERRORLOG="logs/error_log" > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > So I can ditch the worker section? > > > > >> The last write call shows that its logging an error to the > >> errorlog, are you sure you have looked at the right errorlog? > >> You might want to try to 'strace -s 4096 ...' so the entire > >> message is captured in the trace. > > > Thanks for the strace trick: > = 0 > munmap(0x7fbfdc208000, 4096)= 0 > write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure > verify locations for client authentication\n", 98) = 98 > exit_group(1) = ? > > I gather this is an SSL problem. Here is the section of that > configuration that is changed. It is a new certificate (that includes > the new subdomain): > > Include /etc/httpd/conf/sites-available/all-ssl-common > SSLCertificateFile > /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt > SSLCertificateKeyFile > /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key > SSLCertificateChainFile > /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem > SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem > > These files all exist. all-ssl-common is unchanged. It contains: > > SSLEngine on > > SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2 > SSLCipherSuite > ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; > SSLHonorCipherOrder on > SSLCompression Off > #SSLCipherSuite RC4-SHA:HIGH:!ADH > SSLInsecureRenegotiation off > SSLOptions StdEnvVars > > BrowserMatch "MSIE [2-6]" \ > nokeepalive ssl-unclean-shutdown \ > downgrade-1.0 force-response-1.0 > BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown > > Thanks! > - -- > David Benfell > see https://parts-unknown.org/node/2 if you don't understand the > attachment > > - -- > David Benfell > see https://parts-unknown.org/node/2 if you don't understand the > attachment > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.1.0-ecc (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCgAGBQJS2OhYAAoJEKrN0Ha7pkCOK1QP/RdU5wyvOeyjOzhDWUoMvnZP > VrDdNQuMViND5h85q6emi2EfjRjpogWyzXSSA9KL0vagXHen3HWppqUMzkZTv6xf > t1ZnAFGoe+a4YRUNX/f7VaQzBgAnnFea
Re: [users@httpd] Apache won't start, strace output enclosed
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote: > - Original Message - Hi all, > > Ack! > > This is apache 2.2.25 compiled from source but on a CentOS 6.5 > system. Notably, I included all modules in the build. > >> You might want to start to build with a minimal set of modules, >> to exclude any of them from being the cause. Why did you compile >> with all modules to start with? > This is a build that *was* working. I've been using it--I see (see below) since December. > > I was trying to add a subdomain, ran into memory allocation > problems and so tweaked the settings accordingly. Here are the > current settings and I have no idea how sensible they are: > > StartServers 4 MinSpareServers4 > MaxSpareServers 64 ServerLimit 512 MaxClients512 > MaxRequestsPerChild 512 > StartServers 4 MaxClients 512 MinSpareThreads 32 > MaxSpareThreads 64 ThreadsPerChild 16 MaxRequestsPerChild > 0 > >> This depends on which MPM you are currently running, see your >> httpd -V output for this information. Obviously the specific >> settings will be different in each usecase, depending on load >> and resources available. > This returns: Server version: Apache/2.2.25 (Unix) Server built: Dec 2 2013 08:47:03 Server's Module Magic Number: 20051115:33 Server loaded: APR 1.4.8, APR-Util 1.5.2 Compiled using: APR 1.4.8, APR-Util 1.5.2 Architecture: 64-bit Server MPM: Prefork threaded: no forked: yes (variable process count) Server compiled with -D APACHE_MPM_DIR="server/mpm/prefork" -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=128 -D HTTPD_ROOT="/usr/local/apache2" -D SUEXEC_BIN="/usr/local/apache2/bin/suexec" -D DEFAULT_PIDLOG="logs/httpd.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_LOCKFILE="logs/accept.lock" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="conf/mime.types" -D SERVER_CONFIG_FILE="conf/httpd.conf" So I can ditch the worker section? > >> The last write call shows that its logging an error to the >> errorlog, are you sure you have looked at the right errorlog? >> You might want to try to 'strace -s 4096 ...' so the entire >> message is captured in the trace. > Thanks for the strace trick: = 0 munmap(0x7fbfdc208000, 4096)= 0 write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n", 98) = 98 exit_group(1) = ? I gather this is an SSL problem. Here is the section of that configuration that is changed. It is a new certificate (that includes the new subdomain): Include /etc/httpd/conf/sites-available/all-ssl-common SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem These files all exist. all-ssl-common is unchanged. It contains: SSLEngine on SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2 SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; SSLHonorCipherOrder on SSLCompression Off #SSLCipherSuite RC4-SHA:HIGH:!ADH SSLInsecureRenegotiation off SSLOptions StdEnvVars BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown Thanks! - -- David Benfell see https://parts-unknown.org/node/2 if you don't understand the attachment - -- David Benfell see https://parts-unknown.org/node/2 if you don't understand the attachment -BEGIN PGP SIGNATURE- Version: GnuPG v2.1.0-ecc (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJS2OhYAAoJEKrN0Ha7pkCOK1QP/RdU5wyvOeyjOzhDWUoMvnZP VrDdNQuMViND5h85q6emi2EfjRjpogWyzXSSA9KL0vagXHen3HWppqUMzkZTv6xf t1ZnAFGoe+a4YRUNX/f7VaQzBgAnnFeazKnsqfTy8l55yk1G/y4DzlW1Q2MPKG10 vzTz0s/dtUWmB1+DVeCDMypymp22Ttekn0v+XhtB28a8Us8hOCSWsOEmzR48PAad OucOYHZm/NY/kvjVu/y5dLnxEX2XRWpqQ/gjownFOpeQInSIXZS/LnGdpJgjFlYW Cu2mV8op1trrvbz2XtHMDARIfnIeUrxV76lUqbxMraSyA4jTrD/8jr+oNqvypKEE Oh2sRW7sbWPXBgsNbaa4UTugrLyF7xtlWctLw/ll3e328iJXX40/v6/B7jTNoGJS cwelFYEiONFZEsWq09+Iny+sQA/sEWvT1SkTDEsdQ389pqQQt8jjXCIfwSs0n3Us IkFyXuXhvOJf5T3BnOuALrol006VZL/3VLka8VXudJFuBeAfCAG/2Pxuq6KKThBE qgEvGthK/48eTxGEFaRJHdiqCeeNVGrv4c483QfbVwVjDsPLXpI6gXKq+2qyOrks oNKJiMmleFwl+P9BdtfS6cwDIaIwsUvLZm7kKxqsdz15BjPlcP6NRaSIr+uXTJik IM
Re: [users@httpd] Apache won't start, strace output enclosed
- Original Message - > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Hi all, > > Ack! > > This is apache 2.2.25 compiled from source but on a CentOS 6.5 system. > Notably, I included all modules in the build. You might want to start to build with a minimal set of modules, to exclude any of them from being the cause. Why did you compile with all modules to start with? > > I was trying to add a subdomain, ran into memory allocation problems > and so tweaked the settings accordingly. Here are the current settings > and I have no idea how sensible they are: > > > StartServers 4 > MinSpareServers4 > MaxSpareServers 64 > ServerLimit 512 > MaxClients512 > MaxRequestsPerChild 512 > > > StartServers 4 > MaxClients 512 > MinSpareThreads 32 > MaxSpareThreads 64 > ThreadsPerChild 16 > MaxRequestsPerChild 0 > This depends on which MPM you are currently running, see your httpd -V output for this information. Obviously the specific settings will be different in each usecase, depending on load and resources available. > > Now it won't start at all and writes nothing to the error log. So I > managed to get strace going on it. These are the last few lines of the > output: > > open("/etc/localtime", O_RDONLY)= 82 > fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0 > fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0x7fce20292000 > read(82, > "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., > 4096) = 2819 > lseek(82, -1802, SEEK_CUR) = 1017 > read(82, > "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., > 4096) = 1802 > close(82) = 0 > munmap(0x7fce20292000, 4096)= 0 > write(43, "[Thu Jan 16 19:49:38 2014] [erro"..., 98) = 98 > exit_group(1) The last write call shows that its logging an error to the errorlog, are you sure you have looked at the right errorlog? You might want to try to 'strace -s 4096 ...' so the entire message is captured in the trace. > > As you might imagine, I'm in a bit of a panic. What's going wrong? > > Thanks! > - -- > David Benfell > see https://parts-unknown.org/node/2 if you don't understand the > attachment > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.1.0-ecc (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCgAGBQJS2K3RAAoJEKrN0Ha7pkCOWP8P/23HK4h3KQ0ERVn5LN8l85t+ > c+ZbjWsc3G+5LsU8sRhgx6724ZFi4Mo3v2pq1UAXpeGToa0QqUfteXFtepLz5X++ > 0gJUy84gphrz3P5XZEHO51l1tH4RhBovVOUoWpQiZMRG06UapuLqHqmM33RB275+ > IMKfem8KukTOaUCr5ByKxWSNi3aA/2P5wP21ah9t7LMCvp668PKFyMUI8nbq1nyQ > ZM2sFfulEjHel+6KpmrxEZ/QaMK4ElGCnmhNExz1sRicYaLNrk/kgOZBEAqI7esV > EHe8L3KO7IqRrCgCUEC4ovFYh+THnrlGvNZU3seQNKzocQ64bR+zRViHNaR0jzXr > GZKIAyKhaEutpPqjvcfTYtF/HRsIS3FkOlXPKPq0xonyJtQ0SWPsR6e74Lj3x2aq > OqD2FdnCEqy8+GlQ1nh1kOaI14N6b5uzRWacNNDmwRYD0Dr8V1Du+F/LF33mpH9p > 3WkiKtXJ7bvSxAtdA1+DJc+DaQnMOjpoAdzMX0VQCdkJURdvNcCVmIkj6LO6z1Qy > oNf9pg0b6oLN6BDJuBM7AKneT61K5EwBmcHVW5Jq+jSBJHGbzumWPy7OUyzedfNM > DPl7ZoxrFY9CH+piRMTXSh9se0uBIunJFc3hHBIxFv3HeKBj7AEXwA387PPuMDOh > 97UgbIOS5IdZ4OppgXue > =NgHk > -END PGP SIGNATURE- > > > - > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org With kind regards, Mathijs Schmittmann - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Apache won't start, strace output enclosed
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi all, Ack! This is apache 2.2.25 compiled from source but on a CentOS 6.5 system. Notably, I included all modules in the build. I was trying to add a subdomain, ran into memory allocation problems and so tweaked the settings accordingly. Here are the current settings and I have no idea how sensible they are: StartServers 4 MinSpareServers4 MaxSpareServers 64 ServerLimit 512 MaxClients512 MaxRequestsPerChild 512 StartServers 4 MaxClients 512 MinSpareThreads 32 MaxSpareThreads 64 ThreadsPerChild 16 MaxRequestsPerChild 0 Now it won't start at all and writes nothing to the error log. So I managed to get strace going on it. These are the last few lines of the output: open("/etc/localtime", O_RDONLY)= 82 fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0 fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fce20292000 read(82, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819 lseek(82, -1802, SEEK_CUR) = 1017 read(82, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802 close(82) = 0 munmap(0x7fce20292000, 4096)= 0 write(43, "[Thu Jan 16 19:49:38 2014] [erro"..., 98) = 98 exit_group(1) As you might imagine, I'm in a bit of a panic. What's going wrong? Thanks! - -- David Benfell see https://parts-unknown.org/node/2 if you don't understand the attachment -BEGIN PGP SIGNATURE- Version: GnuPG v2.1.0-ecc (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJS2K3RAAoJEKrN0Ha7pkCOWP8P/23HK4h3KQ0ERVn5LN8l85t+ c+ZbjWsc3G+5LsU8sRhgx6724ZFi4Mo3v2pq1UAXpeGToa0QqUfteXFtepLz5X++ 0gJUy84gphrz3P5XZEHO51l1tH4RhBovVOUoWpQiZMRG06UapuLqHqmM33RB275+ IMKfem8KukTOaUCr5ByKxWSNi3aA/2P5wP21ah9t7LMCvp668PKFyMUI8nbq1nyQ ZM2sFfulEjHel+6KpmrxEZ/QaMK4ElGCnmhNExz1sRicYaLNrk/kgOZBEAqI7esV EHe8L3KO7IqRrCgCUEC4ovFYh+THnrlGvNZU3seQNKzocQ64bR+zRViHNaR0jzXr GZKIAyKhaEutpPqjvcfTYtF/HRsIS3FkOlXPKPq0xonyJtQ0SWPsR6e74Lj3x2aq OqD2FdnCEqy8+GlQ1nh1kOaI14N6b5uzRWacNNDmwRYD0Dr8V1Du+F/LF33mpH9p 3WkiKtXJ7bvSxAtdA1+DJc+DaQnMOjpoAdzMX0VQCdkJURdvNcCVmIkj6LO6z1Qy oNf9pg0b6oLN6BDJuBM7AKneT61K5EwBmcHVW5Jq+jSBJHGbzumWPy7OUyzedfNM DPl7ZoxrFY9CH+piRMTXSh9se0uBIunJFc3hHBIxFv3HeKBj7AEXwA387PPuMDOh 97UgbIOS5IdZ4OppgXue =NgHk -END PGP SIGNATURE- <> - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org