apache2 won't start after ssl configuration
Syntax error on line 4 of /etc/apache2/sites-enabled/default-ssl.conf: <IfModule takes one argument
and this is line 4
<IfModule mod_headers.c>Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"</IfModule>
I suspect you need to split that up so that each directive is on its own line.
Comments
-
Sarius over 1 year
I did the following to make my websites https able (German): http://www.tecchannel.de/a/owncloud-9-unter-ubuntu-server-16-04-lts-installieren,3277807,2
Now if I start apache2 I get this error:
> Job for apache2.service failed. See 'systemctl status apache2.service'
> and 'journalctl -xn' for details.
details:
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─forking.conf
   Active: failed (Result: exit-code) since Sun 2017-03-26 18:55:09 CEST; 17s ago
  Process: 4328 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 5164 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: Starting web server: apache2 failed!
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: The apache2 configtest failed. ... (warning).
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: Output of config test was:
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Syntax error on line 4 of /etc/apache2/sites-enabled/default-ssl.conf: <IfModule takes one argument, Container for directives based on existence of specified modules
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: Action 'configtest' failed.
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: The Apache error log may have more information.
Mar 26 18:55:09 root599046.kms4.cc systemd[1]: apache2.service: control process exited, code=exited status=1
Mar 26 18:55:09 root599046.kms4.cc systemd[1]: Failed to start LSB: Apache2 web server.
Mar 26 18:55:09 root599046.kms4.cc systemd[1]: Unit apache2.service entered failed state.
But what's wrong with the IfModule? My apache2.conf:
> # This is the main Apache server configuration file. It contains the
> # configuration directives that give the server its instructions.
> # See http://httpd.apache.org/docs/2.4/ for detailed information about
> # the directives and /usr/share/doc/apache2/README.Debian about Debian specific
> # hints.
> #
> #
> # Summary of how the Apache 2 configuration works in Debian:
> # The Apache 2 web server configuration in Debian is quite different to
> # upstream's suggested way to configure the web server. This is because Debian's
> # default Apache2 installation attempts to make adding and removing modules,
> # virtual hosts, and extra configuration directives as flexible as possible, in
> # order to make automating the changes and administering the server as easy as
> # possible.
>
> # It is split into several files forming the configuration hierarchy outlined
> # below, all located in the /etc/apache2/ directory:
> #
> #   /etc/apache2/
> #   |-- apache2.conf
> #   |       `-- ports.conf
> #   |-- mods-enabled
> #   |       |-- *.load
> #   |       `-- *.conf
> #   |-- conf-enabled
> #   |       `-- *.conf
> #   `-- sites-enabled
> #           `-- *.conf
> #
> #
> # * apache2.conf is the main configuration file (this file). It puts the pieces
> # together by including all remaining configuration files when starting up the
> # web server.
> #
> # * ports.conf is always included from the main configuration file. It is
> # supposed to determine listening ports for incoming connections which can be
> # customized anytime.
> #
> # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
> # directories contain particular configuration snippets which manage modules,
> # global configuration fragments, or virtual host configurations,
> # respectively.
> #
> # They are activated by symlinking available configuration files from their
> # respective *-available/ counterparts. These should be managed by using our
> # helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
> # their respective man pages for detailed information.
> #
> # * The binary is called apache2. Due to the use of environment variables, in
> # the default configuration, apache2 needs to be started/stopped with
> # /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
> # work with the default configuration.
>
>
> # Global configuration
> #
>
> #
> # ServerRoot: The top of the directory tree under which the server's
> # configuration, error, and log files are kept.
> #
> # NOTE! If you intend to place this on an NFS (or otherwise network)
> # mounted filesystem then please read the Mutex documentation (available
> # at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
> # you will save yourself a lot of trouble.
> #
> # Do NOT add a slash at the end of the directory path.
> #
> #ServerRoot "/etc/apache2"
>
> #
> # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
> #
> Mutex file:${APACHE_LOCK_DIR} default
>
> #
> # PidFile: The file in which the server should record its process
> # identification number when it starts.
> # This needs to be set in /etc/apache2/envvars
> #
> PidFile ${APACHE_PID_FILE}
>
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 300
>
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive On
>
> #
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection. Set to 0 to allow an unlimited amount.
> # We recommend you leave this number high, for maximum performance.
> #
> MaxKeepAliveRequests 100
>
> #
> # KeepAliveTimeout: Number of seconds to wait for the next request from the
> # same client on the same connection.
> #
> KeepAliveTimeout 5
>
>
> # These need to be set in /etc/apache2/envvars
> User ${APACHE_RUN_USER}
> Group ${APACHE_RUN_GROUP}
>
> #
> # HostnameLookups: Log the names of clients or just their IP addresses
> # e.g., www.apache.org (on) or 204.62.129.132 (off).
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on, since enabling it means that
> # each client request will result in AT LEAST one lookup request to the
> # nameserver.
> #
> HostnameLookups Off
>
> # ErrorLog: The location of the error log file.
> # If you do not specify an ErrorLog directive within a <VirtualHost>
> # container, error messages relating to that virtual host will be
> # logged here. If you *do* define an error logfile for a <VirtualHost>
> # container, that host's errors will be logged there and not here.
> #
> ErrorLog ${APACHE_LOG_DIR}/error.log
>
> #
> # LogLevel: Control the severity of messages logged to the error_log.
> # Available values: trace8, ..., trace1, debug, info, notice, warn,
> # error, crit, alert, emerg.
> # It is also possible to configure the log level for particular modules, e.g.
> # "LogLevel info ssl:warn"
> #
> LogLevel warn
>
> # Include module configuration:
> IncludeOptional mods-enabled/*.load
> IncludeOptional mods-enabled/*.conf
>
> # Include list of ports to listen on
> Include ports.conf
>
>
> # Sets the default security model of the Apache2 HTTPD server. It does
> # not allow access to the root filesystem outside of /usr/share and /var/www.
> # The former is used by web applications packaged in Debian,
> # the latter may be used for local directories served by the web server. If
> # your system is serving content from a sub-directory in /srv you must allow
> # access here, or in any related virtual host.
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Require all denied
> </Directory>
>
> <Directory /usr/share>
>     AllowOverride None
>     Require all granted
> </Directory>
>
> <Directory /var/www/>
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Require all granted
> </Directory>
>
> #<Directory /srv/>
> #    Options Indexes FollowSymLinks
> #    AllowOverride None
> #    Require all granted
> #</Directory>
>
>
>
>
> # AccessFileName: The name of the file to look for in each directory
> # for additional configuration directives. See also the AllowOverride
> # directive.
> #
> AccessFileName .htaccess
>
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <FilesMatch "^\.ht">
>     Require all denied
> </FilesMatch>
>
>
> #
> # The following directives define some format nicknames for use with
> # a CustomLog directive.
> #
> # These deviate from the Common Log Format definitions in that they use %O
> # (the actual bytes sent including headers) instead of %b (the size of the
> # requested file), because the latter makes it impossible to detect partial
> # requests.
> #
> # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
> # Use mod_remoteip instead.
> #
> LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
> LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %O" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
>
> # Include of directories ignores editors' and dpkg's backup files,
> # see README.Debian for details.
>
> # Include generic snippets of statements
> IncludeOptional conf-enabled/*.conf
>
> # Include the virtual host configurations:
> IncludeOptional sites-enabled/*.conf
>
> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
default-ssl.conf :
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        <IfModule mod_headers.c>Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"</IfModule>
        DocumentRoot /var/www

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        # SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLCertificateFile /etc/apache2/ssl/apache.crtSSLCertificateKeyFile /etc/apache2/ssl/apache.key

        # A self-signed (snakeoil) certificate can be created by installing
        # the ssl-cert package. See
        # /usr/share/doc/apache2/README.Debian.gz for more info.
        # If both key and certificate are stored in the same file, only the
        # SSLCertificateFile directive is needed.
        # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        # Server Certificate Chain:
        # Point SSLCertificateChainFile at a file containing the
        # concatenation of PEM encoded CA certificates which form the
        # certificate chain for the server certificate. Alternatively
        # the referenced file can be the same as SSLCertificateFile
        # when the CA certificates are directly appended to the server
        # certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        # Certificate Authority (CA):
        # Set the CA certificate verification path where to find CA
        # certificates for client authentication or alternatively one
        # huge file containing all of them (file must be PEM encoded)
        # Note: Inside SSLCACertificatePath you need hash symlinks
        # to point to the certificate files. Use the provided
        # Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        # Certificate Revocation Lists (CRL):
        # Set the CA revocation path where to find CA CRLs for client
        # authentication or alternatively one huge file containing all
        # of them (file must be PEM encoded)
        # Note: Inside SSLCARevocationPath you need hash symlinks
        # to point to the certificate files. Use the provided
        # Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        # Client Authentication (Type):
        # Client certificate verification type and depth. Types are
        # none, optional, require and optional_no_ca. Depth is a
        # number which specifies how deeply to verify the certificate
        # issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth 10

        # SSL Engine Options:
        # Set various options for the SSL engine.
        # o FakeBasicAuth:
        #   Translate the client X.509 into a Basic Authorisation. This means that
        #   the standard Auth/DBMAuth methods can be used for access control. The
        #   user name is the `one line' version of the client's X.509 certificate.
        #   Note that no password is obtained from the user. Every entry in the user
        #   file needs this password: `xxj31ZMTZzkVA'.
        # o ExportCertData:
        #   This exports two additional environment variables: SSL_CLIENT_CERT and
        #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #   server (always existing) and the client (only existing when client
        #   authentication is used). This can be used to import the certificates
        #   into CGI scripts.
        # o StdEnvVars:
        #   This exports the standard SSL/TLS related `SSL_*' environment variables.
        #   Per default this exportation is switched off for performance reasons,
        #   because the extraction step is an expensive operation and is usually
        #   useless for serving static content. So one usually enables the
        #   exportation for CGI and SSI requests only.
        # o OptRenegotiate:
        #   This enables optimized SSL connection renegotiation handling when SSL
        #   directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        # SSL Protocol Adjustments:
        # The safe and default but still SSL/TLS standard compliant shutdown
        # approach is that mod_ssl sends the close notify alert but doesn't wait for
        # the close notify alert from client. When you need a different shutdown
        # approach you can use one of the following variables:
        # o ssl-unclean-shutdown:
        #   This forces an unclean shutdown when the connection is closed, i.e. no
        #   SSL close notify alert is send or allowed to received. This violates
        #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #   this when you receive I/O errors because of the standard approach where
        #   mod_ssl sends the close notify alert.
        # o ssl-accurate-shutdown:
        #   This forces an accurate shutdown when the connection is closed, i.e. a
        #   SSL close notify alert is send and mod_ssl waits for the close notify
        #   alert of the client. This is 100% SSL/TLS standard compliant, but in
        #   practice often causes hanging connections with brain-dead browsers. Use
        #   this only for browsers where you know that their SSL implementation
        #   works correctly.
        # Notice: Most problems of broken clients are also related to the HTTP
        # keep-alive facility, so you usually additionally want to disable
        # keep-alive for those clients, too. Use variable "nokeepalive" for this.
        # Similarly, one has to force some clients to use HTTP/1.0 to workaround
        # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        # "force-response-1.0" for this.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
hope anyone can help! :)
-
Sarius about 7 years
oh right thanks, but now I get this error:
Mar 26 20:18:58 root599046.kms4.cc apache2[5419]: AH00526: Syntax error on line 29 of /etc/apache2/sites-enabled/default-ssl.conf:
Mar 26 20:18:58 root599046.kms4.cc apache2[5419]: SSLCertificateFile: file '/etc/apache2/ssl/apache.crtSSLCertificateKeyFile' does not exist or is empty
-
Patrick Mevzek about 7 years
You are missing a return line here: apache.crtSSLCertificateKeyFile. Put SSLCertificateKeyFile and its arguments on its own line, below the one finishing with apache.crt
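
A pre-flight check for the two faults discussed in this thread (a directive sharing a line with a container's opening tag, and a certificate directive name fused onto the previous argument), as an added example that is not part of the original posts. The function name, rule labels and sample config are constructed for illustration, and the check is a line-based heuristic, not a replacement for `apache2ctl configtest`.

```python
import re

# Opening container tag followed by more text on the same line, e.g.
# '<IfModule mod_headers.c>Header always set ...' (heuristic: a '>' inside
# the tag's own argument would confuse it).
OPEN_TAG_WITH_TRAILER = re.compile(r"^\s*<(?!/)(\w+)[^>]*>\s*\S")

# A mod_ssl certificate directive name glued to the end of the previous
# argument, e.g. '/etc/apache2/ssl/apache.crtSSLCertificateKeyFile'.
FUSED_DIRECTIVE = re.compile(r"\S(SSLCertificate(?:Key|Chain)?File)\b")

def lint_apache_conf(text):
    """Return (line_number, rule, name) tuples for suspicious lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments cannot trigger either fault
        tag = OPEN_TAG_WITH_TRAILER.match(line)
        if tag:
            findings.append((lineno, "container-not-alone", tag.group(1)))
        fused = FUSED_DIRECTIVE.search(line)
        if fused:
            findings.append((lineno, "fused-directive", fused.group(1)))
    return findings

# Constructed sample: a shortened vhost reproducing the two faulty lines
# quoted in the thread.
SAMPLE = '''<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
<IfModule mod_headers.c>Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"</IfModule>
DocumentRoot /var/www
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crtSSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
</IfModule>
'''

if __name__ == "__main__":
    for lineno, rule, name in lint_apache_conf(SAMPLE):
        print(f"line {lineno}: {rule} ({name})")
```
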