Re: [users@httpd] Apache won't start, strace output enclosed

2014-01-17 Thread Yehuda Katz
SSLCACertificateFile is only for client certificate authentication. Are you
trying to use that?
If not, removing that line should solve that particular error.

If you do want to use client certificate auth, then there is probably some
other problem with your certificate.

- Y


On Fri, Jan 17, 2014 at 3:22 AM, David Benfell wrote:

> On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote:
> > - Original Message - Hi all,
> >
> > Ack!
> >
> > This is apache 2.2.25 compiled from source but on a CentOS 6.5
> > system. Notably, I included all modules in the build.
> >
> >> You might want to start to build with a minimal set of modules,
> >> to exclude any of them from being the cause. Why did you compile
> >> with all modules to start with?
> >
> This is a build that *was* working. I've been using it--I see (see
> below) since December.
> >
> > I was trying to add a subdomain, ran into memory allocation
> > problems and so tweaked the settings accordingly. Here are the
> > current settings and I have no idea how sensible they are:
> >
> > StartServers 4
> > MinSpareServers 4
> > MaxSpareServers 64
> > ServerLimit 512
> > MaxClients 512
> > MaxRequestsPerChild 512
> >
> > StartServers 4
> > MaxClients 512
> > MinSpareThreads 32
> > MaxSpareThreads 64
> > ThreadsPerChild 16
> > MaxRequestsPerChild 0
> >
> >> This depends on which MPM you are currently running, see your
> >> httpd -V output for this information. Obviously the specific
> >> settings will be different in each usecase, depending on load
> >> and resources available.
> >
> This returns:
>
> Server version: Apache/2.2.25 (Unix)
> Server built:   Dec  2 2013 08:47:03
> Server's Module Magic Number: 20051115:33
> Server loaded:  APR 1.4.8, APR-Util 1.5.2
> Compiled using: APR 1.4.8, APR-Util 1.5.2
> Architecture:   64-bit
> Server MPM: Prefork
>   threaded: no
> forked: yes (variable process count)
> Server compiled with
>  -D APACHE_MPM_DIR="server/mpm/prefork"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/usr/local/apache2"
>  -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_LOCKFILE="logs/accept.lock"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> So I can ditch the worker section?
>
> >
> >> The last write call shows that its logging an error to the
> >> errorlog, are you sure you have looked at the right errorlog?
> >> You might want to try to 'strace -s 4096 ...' so the entire
> >> message is captured in the trace.
> >
> Thanks for the strace trick:
>   = 0
> munmap(0x7fbfdc208000, 4096) = 0
> write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n", 98) = 98
> exit_group(1) = ?
>
> I gather this is an SSL problem. Here is the section of that
> configuration that is changed. It is a new certificate (that includes
> the new subdomain):
>
> Include /etc/httpd/conf/sites-available/all-ssl-common
> SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt
> SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key
> SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem
> SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem
>
> These files all exist. all-ssl-common is unchanged. It contains:
>
> SSLEngine on
>
> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
> SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
> SSLHonorCipherOrder on
> SSLCompression Off
> #SSLCipherSuite RC4-SHA:HIGH:!ADH
> SSLInsecureRenegotiation off
> SSLOptions StdEnvVars
>
> BrowserMatch "MSIE [2-6]" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
>
> Thanks!
> - --
> David Benfell
> see https://parts-unknown.org/node/2 if you don't understand the
> attachment
>
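
The check behind the reply above, as an added example (not code from the thread or from the Apache project): it flags an SSLCACertificateFile line when client-certificate authentication is not enabled, and checks that the referenced file holds at least one PEM certificate block. The finding codes, the `read_file` hook and the stubbed file contents are assumptions made for illustration.

```python
import base64
import re
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def count_pem_certs(text):
    """Count PEM CERTIFICATE blocks with valid base64 bodies (DER not parsed)."""
    count = 0
    for body in PEM_CERT.findall(text):
        try:
            if base64.b64decode("".join(body.split()), validate=True):
                count += 1
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return count

def audit_ca_directive(conf_text,
                       read_file=lambda p: Path(p).read_text(errors="replace")):
    """Return finding codes for SSLCACertificateFile among one vhost's directives.
    read_file is a hypothetical hook so the sample below runs offline."""
    directives = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    ca_path = directives.get("sslcacertificatefile")
    if ca_path is None:
        return []
    findings = []
    # Client-certificate auth is off unless SSLVerifyClient says otherwise.
    if directives.get("sslverifyclient", "none").lower() == "none":
        findings.append("ca-file-unused")
    try:
        if count_pem_certs(read_file(ca_path)) == 0:
            findings.append("ca-file-no-certs")
    except OSError:
        findings.append("ca-file-unreadable")
    return findings

# Constructed sample: the thread's directive, with the file contents stubbed.
SAMPLE_CONF = """SSLEngine on
SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem
"""
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"constructed placeholder, not real DER").decode()
            + "\n-----END CERTIFICATE-----\n")
print(audit_ca_directive(SAMPLE_CONF, lambda p: FAKE_PEM))
```

A "ca-file-unused" finding corresponds to the first suggestion in the reply (remove the line); the other two codes point at the file itself.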

Re: [users@httpd] Apache won't start, strace output enclosed

2014-01-17 Thread David Benfell
On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote:
> - Original Message - Hi all,
> 
> Ack!
> 
> This is apache 2.2.25 compiled from source but on a CentOS 6.5 
> system. Notably, I included all modules in the build.
> 
>> You might want to start to build with a minimal set of modules, 
>> to exclude any of them from being the cause. Why did you compile 
>> with all modules to start with?
> 
This is a build that *was* working. I've been using it--I see (see
below) since December.
> 
> I was trying to add a subdomain, ran into memory allocation 
> problems and so tweaked the settings accordingly. Here are the 
> current settings and I have no idea how sensible they are:
> 
> StartServers 4
> MinSpareServers 4
> MaxSpareServers 64
> ServerLimit 512
> MaxClients 512
> MaxRequestsPerChild 512
>
> StartServers 4
> MaxClients 512
> MinSpareThreads 32
> MaxSpareThreads 64
> ThreadsPerChild 16
> MaxRequestsPerChild 0
> 
>> This depends on which MPM you are currently running, see your 
>> httpd -V output for this information. Obviously the specific 
>> settings will be different in each usecase, depending on load
>> and resources available.
> 
This returns:

Server version: Apache/2.2.25 (Unix)
Server built:   Dec  2 2013 08:47:03
Server's Module Magic Number: 20051115:33
Server loaded:  APR 1.4.8, APR-Util 1.5.2
Compiled using: APR 1.4.8, APR-Util 1.5.2
Architecture:   64-bit
Server MPM: Prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

So I can ditch the worker section?

> 
>> The last write call shows that its logging an error to the 
>> errorlog, are you sure you have looked at the right errorlog?
>> You might want to try to 'strace -s 4096 ...' so the entire
>> message is captured in the trace.
> 
Thanks for the strace trick:
  = 0
munmap(0x7fbfdc208000, 4096) = 0
write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n", 98) = 98
exit_group(1) = ?

I gather this is an SSL problem. Here is the section of that
configuration that is changed. It is a new certificate (that includes
the new subdomain):

Include /etc/httpd/conf/sites-available/all-ssl-common
SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt
SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key
SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem
SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem

These files all exist. all-ssl-common is unchanged. It contains:

SSLEngine on

SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
SSLHonorCipherOrder on
SSLCompression Off
#SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLInsecureRenegotiation off
SSLOptions StdEnvVars

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks!
- -- 
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the
attachment


Re: [users@httpd] Apache won't start, strace output enclosed

2014-01-16 Thread Mathijs Schmittmann
- Original Message -
> Hi all,
> 
> Ack!
> 
> This is apache 2.2.25 compiled from source but on a CentOS 6.5 system.
> Notably, I included all modules in the build.

You might want to start to build with a minimal set of modules, to exclude any 
of them from being the cause. Why did you compile with all modules to start 
with?

> 
> I was trying to add a subdomain, ran into memory allocation problems
> and so tweaked the settings accordingly. Here are the current settings
> and I have no idea how sensible they are:
> 
> 
> StartServers 4
> MinSpareServers 4
> MaxSpareServers 64
> ServerLimit 512
> MaxClients 512
> MaxRequestsPerChild 512
> 
> 
> StartServers 4
> MaxClients 512
> MinSpareThreads 32
> MaxSpareThreads 64
> ThreadsPerChild 16
> MaxRequestsPerChild  0
> 

This depends on which MPM you are currently running, see your httpd -V output
for this information. Obviously the specific settings will be different in each
use case, depending on load and resources available.

> 
> Now it won't start at all and writes nothing to the error log. So I
> managed to get strace going on it. These are the last few lines of the
> output:
> 
> open("/etc/localtime", O_RDONLY) = 82
> fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
> fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fce20292000
> read(82, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819
> lseek(82, -1802, SEEK_CUR) = 1017
> read(82, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802
> close(82) = 0
> munmap(0x7fce20292000, 4096) = 0
> write(43, "[Thu Jan 16 19:49:38 2014] [erro"..., 98) = 98
> exit_group(1)

The last write call shows that it's logging an error to the errorlog, are you
sure you have looked at the right errorlog? You might want to try to 'strace -s
4096 ...' so the entire message is captured in the trace.

> 
> As you might imagine, I'm in a bit of a panic. What's going wrong?
> 
> Thanks!
> - --
> David Benfell
> see https://parts-unknown.org/node/2 if you don't understand the
> attachment
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

With kind regards,

Mathijs Schmittmann


[users@httpd] Apache won't start, strace output enclosed

2014-01-16 Thread David Benfell
Hi all,

Ack!

This is apache 2.2.25 compiled from source but on a CentOS 6.5 system.
Notably, I included all modules in the build.

I was trying to add a subdomain, ran into memory allocation problems
and so tweaked the settings accordingly. Here are the current settings
and I have no idea how sensible they are:


StartServers 4
MinSpareServers 4
MaxSpareServers 64
ServerLimit 512
MaxClients 512
MaxRequestsPerChild 512


StartServers 4
MaxClients 512
MinSpareThreads 32
MaxSpareThreads 64
ThreadsPerChild 16
MaxRequestsPerChild  0


Now it won't start at all and writes nothing to the error log. So I
managed to get strace going on it. These are the last few lines of the
output:

open("/etc/localtime", O_RDONLY) = 82
fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fce20292000
read(82, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819
lseek(82, -1802, SEEK_CUR) = 1017
read(82, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802
close(82) = 0
munmap(0x7fce20292000, 4096) = 0
write(43, "[Thu Jan 16 19:49:38 2014] [erro"..., 98) = 98
exit_group(1)

As you might imagine, I'm in a bit of a panic. What's going wrong?

Thanks!
- -- 
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the
attachment