[olug] Apache will no longer run in Red Hat after a reboot

Justin Reiners justin at hotlinesinc.com
Tue Jan 27 21:48:16 CST 2015


Was there a power loss or something? Wonder how they corrupted. We have nss
on every application server and have never had that happen.

Makes sense though.
On Jan 27, 2015 8:45 PM, "T. J. Brumfield" <enderandrew at gmail.com> wrote:

> SELinux was on, but wasn't the problem. Permissions were fine. NSS couldn't
> read the key stores because they were corrupt.
>
> certutil: function failed: security library: bad database.
>
> And the RPM db was corrupt. So was yum repo data.
>
> On Tue, Jan 27, 2015 at 3:52 PM, Kevin <sharpestmarble at gmail.com> wrote:
>
> > Is SELinux turned on? If it is and if it's the thing doing the blocking,
> > then it will manifest as a confusing permissions issue. Try this:
> > `setenforce Permissive` and see if it starts working.
> >
> > On Tue, Jan 27, 2015 at 2:26 PM, Damian Harouff <cekkent at gmail.com> wrote:
> >
> > > If this is stock RHEL-provided Apache, SSL should already be compiled in,
> > > which can be confirmed with:
> > >
> > > root@svr [~]# httpd -t -D DUMP_MODULES | grep ssl
> > >  ssl_module (static)
> > > root@svr [~]#
> > >
> > > Otherwise you'll have to compile it in or load the module.
> > >
> > > Once you get over that hurdle, getting SSL going should be as easy as
> > > specifying an additional VirtualHost directive on port 443 inside the
> > > site's configuration:
> > >
> > > <VirtualHost 192.168.1.1:443>
> > >         SSLEngine on
> > >         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > >
> > >         SSLCertificateFile      /etc/ssl/star.example.com.crt
> > >         SSLCertificateKeyFile   /etc/ssl/star.example.com.key
> > >
> > >         ServerName      "two.example.com"
> > >         DocumentRoot    "/var/www/html/two"
> > >
> > >         CustomLog       "/var/log/httpd/two-access.log" combined
> > >         ErrorLog        "/var/log/httpd/two-error.log"
> > >
> > >         <Directory /var/www/html>
> > >                 AllowOverride none
> > >
> > >                 Order Allow,Deny
> > >                 Allow from all
> > >         </Directory>
> > > </VirtualHost>
> > >
> > >
> > >
> > > On Tue, Jan 27, 2015 at 2:16 PM, T. J. Brumfield <enderandrew at gmail.com> wrote:
> > >
> > > > Yeah, that's what I tried. httpd.conf is inheriting any *.conf file in
> > > > /etc/httpd/conf.d so I just renamed nss.conf to nss.conf.bak (since
> > > > nss.conf was the file actually loading mod_nss) and when I did that, Apache
> > > > would start, but SSL wasn't working.
> > > >
> > > > On Tue, Jan 27, 2015 at 2:14 PM, Damian Harouff <cekkent at gmail.com> wrote:
> > > >
> > > > > I hate to be "that guy", but: is he even using mod_nss? Red Hat tends to
> > > > > enable a lot of things arbitrarily. I know that NSS is more "open", but
> > > > > mod_ssl might get him back online sooner.
> > > > >
> > > > > On Tue, Jan 27, 2015 at 2:11 PM, T. J. Brumfield <enderandrew at gmail.com> wrote:
> > > > >
> > > > > > I'll try 644. Every article I saw on this said it must be a permission
> > > > > > issue accessing the *.db files in /etc/httpd/alias but the permissions appear
> > > > > > to be set correctly.
> > > > > >
> > > > > > On Tue, Jan 27, 2015 at 2:05 PM, Lou Duchez <lou at paprikash.com> wrote:
> > > > > >
> > > > > > > https://www.centos.org/forums/viewtopic.php?t=5818
> > > > > > >
> > > > > > > The fix seems to be:
> > > > > > >
> > > > > > > cd /etc/httpd
> > > > > > > chmod -R +r alias
> > > > > > >
> > > > > > > I don't think that 640 is right; I think you're looking for 644.
> > > > > > >
> > > > > > >> I got a call from a friend whose business depends on an Apache web server,
> > > > > > >> but he doesn't know much about Linux. He is running Red Hat inside of a
> > > > > > >> Windows Hyper-V VM. He bounced the Windows box for patching, which in turn
> > > > > > >> rebooted his VM. He doesn't remember the last time he installed updates in
> > > > > > >> Red Hat, but he does it from time to time.
> > > > > > >>
> > > > > > >> /var/log/httpd/error_log is just full of this:
> > > > > > >>
> > > > > > >> [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> > > > > > >> [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
> > > > > > >>
> > > > > > >> I've never used NSS personally. I Googled for the error and literally every
> > > > > > >> hit I found was a permissions issue, that the apache wasn't running under
> > > > > > >> the right group or that group couldn't access the files under
> > > > > > >> /etc/httpd/alias.
> > > > > > >>
> > > > > > >> The problem is that doesn't appear to be the problem with my buddy. Every
> > > > > > >> httpd process is running under apache:apache and all the *.db files in
> > > > > > >> /etc/httpd/alias are 640 and owned by the apache group, exactly how they
> > > > > > >> should be.
> > > > > > >>
> > > > > > >> My buddy's business is down until we can resolve this.
> > > > > > >>
> > > > > > >> Any suggestions from someone more familiar with Red Hat/Fedora/CentOS and
> > > > > > >> NSS?
> > > > > > >>
> > > > > > >> -- T. J. Brumfield
> > > > > > >> "I'm questioning my education
> > > > > > >> Rewind and what does it show?
> > > > > > >> Could be, the truth it becomes you
> > > > > > >> I'm a seed, wondering why it grows"
> > > > > > >> -- Pearl Jam, Education
> > > > > > >> _______________________________________________
> > > > > > >> OLUG mailing list
> > > > > > >> OLUG at olug.org
> > > > > > >> https://lists.olug.org/mailman/listinfo/olug
> > > > > > >>
>
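
The thread ends with the cause being a corrupt NSS database rather than file permissions or SELinux, which suggests a triage order that tells those cases apart. The script below is an added example, not part of the thread: `nss_triage` is a hypothetical helper that checks mode bits (and optionally the owning group), then file size, then asks `certutil -L -d` to actually open the database.

```shell
#!/bin/sh
# Added example (not from the thread). Triage an NSS database directory such
# as /etc/httpd/alias. Prints exactly one verdict:
#   missing | perms:<file> | corrupt:<file> | corrupt:certutil | ok | unverified

nss_triage() (
    dir=$1
    group=${2:-}    # optional: group expected to own the *.db files
    [ -d "$dir" ] || { echo "missing"; return 0; }

    found=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || continue
        found=1
        name=${f##*/}
        mode=$(stat -c '%a' "$f")
        # The thread's files were 640: the group digit must include read (4).
        case $mode in
            *[4567]?) ;;
            *) echo "perms:$name"; return 0 ;;
        esac
        if [ -n "$group" ] && [ "$(stat -c '%G' "$f")" != "$group" ]; then
            echo "perms:$name"; return 0
        fi
        # A zero-length database cannot be opened, whatever its mode.
        [ -s "$f" ] || { echo "corrupt:$name"; return 0; }
    done
    [ "$found" -eq 1 ] || { echo "missing"; return 0; }

    # Mode and size look sane; only opening the database proves NSS can read
    # it. On NSS builds that default to the SQLite format, legacy databases
    # need the directory written as dbm:<dir>.
    if command -v certutil >/dev/null 2>&1; then
        if certutil -L -d "$dir" >/dev/null 2>&1; then
            echo "ok"
        else
            echo "corrupt:certutil"   # e.g. "security library: bad database"
        fi
    else
        echo "unverified"             # certutil not installed on this host
    fi
)

# Usage: sh nss_triage.sh /etc/httpd/alias apache
if [ $# -ge 1 ]; then nss_triage "$@"; fi
```

A `perms:` verdict points at the fix discussed earlier in the thread; a `corrupt:` verdict means the database has to be restored or rebuilt, and loosening permissions will not help.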

