On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote:
> ----- Original Message ----- Hi all,
> 
> Ack!
> 
> This is apache 2.2.25 compiled from source but on a CentOS 6.5 
> system. Notably, I included all modules in the build.
> 
>> You might want to start to build with a minimal set of modules, 
>> to exclude any of them from being the cause. Why did you compile 
>> with all modules to start with?
> 
This is a build that *was* working. I've been using it--I see (see
below) since December.
> 
> I was trying to add a subdomain, ran into memory allocation 
> problems and so tweaked the settings accordingly. Here are the 
> current settings and I have no idea how sensible they are:
> 
> <IfModule prefork.c>
> StartServers       4
> MinSpareServers    4
> MaxSpareServers   64
> ServerLimit       512
> MaxClients        512
> MaxRequestsPerChild  512
> </IfModule>
> <IfModule worker.c>
> StartServers         4
> MaxClients         512
> MinSpareThreads     32
> MaxSpareThreads     64
> ThreadsPerChild     16
> MaxRequestsPerChild  0
> </IfModule>
> 
>> This depends on which MPM you are currently running, see your 
>> httpd -V output for this information. Obviously the specific 
>> settings will be different in each usecase, depending on load
>> and resources available.
> 
This returns:

Server version: Apache/2.2.25 (Unix)
Server built:   Dec  2 2013 08:47:03
Server's Module Magic Number: 20051115:33
Server loaded:  APR 1.4.8, APR-Util 1.5.2
Compiled using: APR 1.4.8, APR-Util 1.5.2
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

So I can ditch the worker section?

> 
>> The last write call shows that its logging an error to the 
>> errorlog, are you sure you have looked at the right errorlog?
>> You might want to try to 'strace -s 4096 ...' so the entire
>> message is captured in the trace.
> 
Thanks for the strace trick:
                              = 0
munmap(0x7fbfdc208000, 4096)            = 0
write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n", 98) = 98
exit_group(1)                           = ?

I gather this is an SSL problem. Here is the section of that
configuration that is changed. It is a new certificate (that includes
the new subdomain):

        Include /etc/httpd/conf/sites-available/all-ssl-common
        SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt
        SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key
        SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem
        SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem

These files all exist. all-ssl-common is unchanged. It contains:

        SSLEngine on

        SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
        SSLHonorCipherOrder on
        SSLCompression Off
        #SSLCipherSuite RC4-SHA:HIGH:!ADH
        SSLInsecureRenegotiation off
        SSLOptions StdEnvVars

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks!
-- 
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the
attachment
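
The message above says the files named by the SSL directives "all exist"; existence does not by itself show that each one can be opened and holds PEM data of the type its directive expects. The following is an added example, not part of the original message and not a diagnosis of it: a pre-flight check that walks the four file-valued directives (tolerating paths wrapped onto the next line, as in the post) and inspects each file. File names, the temporary directory and the PEM bodies are constructed; the check covers PEM armor and base64 only, not ASN.1 parsing or trust.

```python
import base64
import pathlib
import re
import tempfile

# PEM label (regex) expected for each file-valued mod_ssl directive in the post.
CERT, KEY = "CERTIFICATE", "(?:RSA |EC |ENCRYPTED )?PRIVATE KEY"
EXPECTED = {"SSLCertificateFile": CERT, "SSLCertificateKeyFile": KEY,
            "SSLCertificateChainFile": CERT, "SSLCACertificateFile": CERT}

def check_pem(path, label_re):
    """Return 'ok' or the reason the file is unlikely to load."""
    try:
        text = pathlib.Path(path).read_text(encoding="ascii")
    except OSError as exc:
        return "unreadable: %s" % exc.strerror
    except UnicodeDecodeError:
        return "not PEM text (DER or binary?)"
    pat = r"-----BEGIN (%s)-----\r?\n(.*?)-----END \1-----" % label_re
    blocks = re.findall(pat, text, re.S)
    if not blocks:
        return "no complete PEM block of the expected type"
    for _label, body in blocks:
        # Drop RFC 1421 header lines (Proc-Type, DEK-Info) of encrypted keys.
        data = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            base64.b64decode(data, validate=True)
        except ValueError:
            return "corrupt base64 in PEM block"
    return "ok"

def preflight(conf_text):
    """Map each SSL file directive to its check result (path may be wrapped)."""
    tok = conf_text.split()  # assumes paths contain no spaces
    return {d: check_pem(p.strip('"'), EXPECTED[d])
            for d, p in zip(tok, tok[1:]) if d in EXPECTED}

def demo():
    """Constructed sample files and config; ca.pem is deliberately missing."""
    d = tempfile.mkdtemp()
    b64 = base64.b64encode(b"constructed, not a real certificate").decode()
    pem = "-----BEGIN {0}-----\n" + b64 + "\n-----END {0}-----\n"
    files = {"site.crt": pem.format("CERTIFICATE"),
             "site.key": pem.format("PRIVATE KEY"),
             "chain.pem": pem.format("CERTIFICATE")[:-20]}  # END line cut off
    for name, text in files.items():
        pathlib.Path(d, name).write_text(text)
    conf = ("SSLCertificateFile\n{0}/site.crt\nSSLCertificateKeyFile {0}/site.key\n"
            "SSLCertificateChainFile\n{0}/chain.pem\nSSLCACertificateFile {0}/ca.pem")
    return preflight(conf.format(d))
```

Run it as the account the server uses to read its configuration, so that permission problems show up as "unreadable" rather than being masked by your own access.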

