Apache failed to start after SSL config change. No errors. Please help
Do a full restart, not a graceful one. Your change to have the private key unencrypted should also work.
Conceptually, I can't imagine the apachectl process being able to prompt for a new passphrase for a startup when the main process is only being sent signals by apachectl, not being spawned by it.
In more concrete terms - this 7-year-old posting on a bug report confirms that the behavior that you're seeing is expected - sorry, couldn't find anything more recent confirming that the issue still exists in current apache versions, but it fits.
Fraggle
Updated on September 18, 2022
Comments
-
Fraggle over 1 year
Website(s) were up. I changed my config files in sites-enabled, then ran:
apache2ctl configtest
Got: Syntax OK
Then ran:
apache2ctl graceful
Got returned to the command prompt. No messages. The websites went down, did not restart. Also, I wasn't prompted for a passphrase which I should have been since my key has it.
So I put back the old configs (quickly) and restarted.
Does apache2ctl graceful not support the passphrase? No error messages were in error.log files. Just "[notice] Graceful restart requested, doing restart", then nothing.
UPDATE 7/8 : After searching other error logs (previously just checked main one), I found this:
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
-
Fraggle almost 13 years
FYI: I've now removed the passphrase from my key, but don't really want to experiment with my live server (no qa box at the moment). So hoping someone can shed some light here before I try again.
-
Fraggle almost 13 years
This is the first time I've tried to configure for SSL on my server. I added a VirtualHost *:443 section and changed others to VirtualHost *:80, added a NameVirtualHost *:80 and NameVirtualHost *:443.
-
Fraggle almost 13 years
Found the answer. Wrong key file. See my comments below.
-
Pacerier about 8 years
There's a related post at: serverfault.com/q/459275/87017
-
-
Fraggle almost 13 years
So do apache2ctl stop, then apache2ctl start? What is the correct way to start without using apache2ctl? Apache docs do not have it that I can see.
-
ravi yarlagadda almost 13 years
apache2ctl restart should do the trick. The "right" way depends on your OS and how Apache's set up - might be init scripts, or the service command.
-
Fraggle almost 13 years
I've tried again. Put my ssl configs back in place, tried apache2ctl stop, followed by apache2ctl start. Well the stop sure works, but start does nothing. Nothing in error log. Just returns to command prompt and websites are down. Is there some kind of delay when starting with ssl??
-
Fraggle almost 13 years
UPDATE: after more thorough searching of all error logs, I found this: "SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
-
Fraggle almost 13 years
Ok, found the answer. All my fault. Wrong key file. Dumb mistake. Had one from a few months ago that I never used. Also missed error message cause it was in a different error log than I checked. Bad mistakes.
-
ravi yarlagadda almost 13 years
Verify that they do match; output from
openssl x509 -noout -modulus -in cert.pem
should match
openssl rsa -noout -modulus -in cert.key
Edit - oversights happen, glad it was a simple solution!
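
The modulus comparison from the last comment, generalized to compare the whole public key so it also covers non-RSA keys. This is an added example, not part of the original thread; the function names, the example.test subject and the throwaway demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm a certificate and private key pair up before restarting Apache.

# cert_key_match CERT KEY
# Returns 0 if the key belongs to the certificate, 1 on mismatch, 2 if either is unreadable.
# For a passphrase-protected key, openssl asks for the passphrase on the controlling terminal.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight CERT KEY: print a verdict and pass the status through
preflight() {
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 matches $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1 (mod_ssl logs 'key values mismatch')" ;;
        *) echo "ERROR: could not read $1 or $2" ;;
    esac
    return $rc
}

# make_demo_material DIR: constructed sample input (throwaway keys, self-signed cert)
make_demo_material() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/stale.key" 2048 2>/dev/null &&   # the "wrong key file"
    openssl req -new -x509 -key "$1/site.key" -subj "/CN=example.test" \
        -days 1 -out "$1/site.pem" 2>/dev/null
}

# demo: succeeds when the right key passes and the stale key is rejected
demo() {
    dir=$(mktemp -d) || return 2
    make_demo_material "$dir" || { rm -rf "$dir"; return 2; }
    good=0; preflight "$dir/site.pem" "$dir/site.key" || good=$?
    bad=0;  preflight "$dir/site.pem" "$dir/stale.key" || bad=$?
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# With two arguments check those files; otherwise run the demo on constructed material.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; else demo; fi
```

Called with a certificate path and a key path, it checks those files instead of the demo material, so its exit status can gate a restart.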