Re: [users@httpd] Still have messed up TLS

2023-11-27 Thread John
On Sun, 2023-11-26 at 18:06 -0500, Paul wrote:
> On 2023-11-26 16:12, John wrote:
> > After a week of chasing this around I have managed to change the problem
> > several times but I'm still unable to get Apache started.  I **think** there
> > is something unrelated to the error that I'm seeing that may have been
> > included in the default config but before I go down that rabbit hole I
> > realize that I am making a number of assumptions because I don't know how to
> > check, so if everyone would please bear with me, and my apologies in advance:
> > 
> > Here are the relevant parts of the full configuration:
> > 
> > /usr/sbin/httpd -M
> 
> I think you said you were using "Rocky Linux" associated with RHEL which 
> may use /usr/sbin/httpd rather than /usr/share/apache2 (debian).  If 
> "Rocky" is a spin-off (I have no knowledge of it) perhaps they have a 
> "users list" that could help you?
> 
> In any case what is the output of 'apachectl -S' (or perhaps 'httpd 
> -S')?  Is it only your TLS that is problematic, or are there other 
> underlying glitches?  You write "httpd.service: Main process exited, 
> code=exited, status=1/FAILURE" and this looks to me that it could 
> precede any TLS certs.
> 
> Also, your "SSLCACertificateFile" probably has to be used carefully.  It 
> "can be used alternatively and/or additionally to "SSLCACertificatePath" 
> and should only be used if "SSLCADNRequestPath or SSLCADNRequestFile" 
> are missing. See . 
> Yours appear to be missing from what you write (please delete all rem'ed 
> out lines, it's rather boring) - are you sure this is what you want?
> 
> Good luck -- Paul
> > 
> > ***89 deleted module lines here**
> > ssl_module (shared)
> > systemd_module (shared)
> > 
> > the full config file for the ONLY https virtual server
> > --
> > # SSL Support for Coax Publications ONLY!
> > 
> >     ServerName www.coaxpublications.ca
> > #   ServerAlias t.coaxpublications.ca
> >     DocumentRoot /usr/httpd/coax
> >     Options -MultiViews
> >     H2Direct on
> >     ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/coax
> >     SSLEngine on
> > #   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
> >     SSLCipherSuite TLSv1.3
> >     SSLCertificateFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.pem
> >     SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.key
> >     SSLCACertificateFile /etc/httpd/conf/sslcert/intermediate.crt
> >     SSLHonorCipherOrder on
> >     Header always set Strict-Transport-Security "max-age-63072000;includeSubDomains"
> > 
> > 
> > # Redirect if logon is to coaxpublications without the 'www'
> > 
> >     ServerName coaxpublications.ca
> >     Redirect permanent / https://www.coaxpublications.ca
> > 
> > --
> > 
> > the systemctl status on attempting to start:
> > --
> > # systemctl status httpd
> > × httpd.service - The Apache HTTP Server
> >      Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
> >     Drop-In: /usr/lib/systemd/system/httpd.service.d
> >              └─php-fpm.conf
> >      Active: failed (Result: exit-code) since Sun 2023-11-26 15:14:50 EST; 25min ago
> >    Duration: 1d 22h 32min 36.626s
> >        Docs: man:httpd.service(8)
> >     Process: 56733 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
> >    Main PID: 56733 (code=exited, status=1/FAILURE)
> >      Status: "Reading configuration..."
> >         CPU: 25ms
> > 
> > Nov 26 15:14:50 prod02 systemd[1]: Starting The Apache HTTP Server...
> > Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> > Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> > Nov 26 15:14:50 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> > --
> > 
> > our production TLS certificate.  The one on the problem server is a .pem
> > version of the same thing because it will eventually replace this server.
> > What I don't know is how to confirm that the .pem cert is identical to this one.
> > 
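John's closing question, whether the .pem on the new server is the same certificate as the production one, is answered by comparing the decoded DER of each file rather than the files themselves, since wrapping width, line endings and an appended intermediate all change the bytes on disk without changing the certificate. The following is an added example, not code from the thread or from httpd: it uses only the Python standard library, prints the same SHA-256 fingerprint as `openssl x509 -noout -fingerprint -sha256`, and works on constructed placeholder byte strings rather than real X.509 data.

```python
import base64
import hashlib
import re
import textwrap

# One CERTIFICATE block; anything outside the markers (comments, bag
# attributes, a second cert) is ignored by the non-greedy match.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certificates(text: str) -> list:
    """DER bytes of every certificate in a PEM text, in file order.
    Line width, CRLF endings and indentation are dropped, so a .pem and
    a .crt that carry the same certificate decode to identical bytes."""
    return [base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            for body in PEM_BLOCK.findall(text)]

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:CC form printed by
    `openssl x509 -noout -fingerprint -sha256`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def compare_files(pem_a: str, pem_b: str) -> dict:
    """Do the two files start with the same leaf certificate, and how many
    certificates does each carry (leaf only vs. leaf plus intermediate)?"""
    a, b = pem_certificates(pem_a), pem_certificates(pem_b)
    return {"leaf_match": bool(a) and bool(b) and a[0] == b[0],
            "count_a": len(a), "count_b": len(b),
            "fingerprints_a": [fingerprint(d) for d in a],
            "fingerprints_b": [fingerprint(d) for d in b]}

def to_pem(der: bytes, width: int = 64, eol: str = "\n") -> str:
    """Wrap DER as PEM; width and line ending vary between exporters."""
    lines = textwrap.wrap(base64.b64encode(der).decode(), width)
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol

# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF_DER = bytes(range(256)) * 3
INTERMEDIATE_DER = bytes(reversed(range(256)))
# "Production" export: leaf only, 76-column lines, CRLF endings.
PROD_PEM = to_pem(LEAF_DER, width=76, eol="\r\n")
# File on the new server: same leaf, 64 columns, intermediate appended.
SERVER_PEM = to_pem(LEAF_DER) + to_pem(INTERMEDIATE_DER)

if __name__ == "__main__":
    for key, value in compare_files(PROD_PEM, SERVER_PEM).items():
        print(key, value)
```

A matching leaf with `count_b` of 2 means the new file is a leaf-plus-intermediate bundle, which matters for how SSLCertificateFile and SSLCACertificateFile are combined.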

Re: [users@httpd] Still have messed up TLS

2023-11-27 Thread Frank Gingras
On Mon, Nov 27, 2023 at 2:47 PM John  wrote:
