Help, what's going on? I have set up an Arch Linux server, and it is in production... well, the parts that still work.
I rebooted it today.
I have vsftpd installed with SSL enabled, and after the reboot, I could not connect anymore... It turned out that the SSL cert /etc/ssl/certs/vsftpd.pem was gone (!?). I had to restore it from the backups... Now vsftpd is up again, but what the heck happened? How can certs disappear? This is really bad and makes me wonder if choosing Arch was a good idea for a production server :-/
The second problem I have not solved yet: none of my https servers is working anymore. This time the certs seem to be there, and I can telnet to 443, but every browser says that the connection failed. No noticeable errors in the logfile or anything.
Here is an example of my vhost config:
<VirtualHost *:443>
    DocumentRoot "/srv/http/dummy"
    ErrorLog "/var/log/httpd/dummy-error_log"
    CustomLog "/var/log/httpd/dummy-access_log" common
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCipherSuite AES256+EECDH:AES256+EDH:!MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5:!SSLv3:!SSLv2
    SSLCertificateFile "/etc/httpd/conf/certs/dummy/server.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/certs/dummy/server.key"
    <Directory "/srv/http/dummy">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
I also ran the ssllabs test on the domain, which ran with no obvious error.
Please help.
Last edited by 93i (2015-01-14 07:16:01)
When using Arch on a production system it is very important to read the news on the front page.
I've seen this and I did this.
My server certs are under /etc/httpd/conf/certs/hostname/* and named crt already.
Could you give more details about the error message that browsers report? Does anything show up in the access and error log when you try to connect via a browser?
Chrome:
The webpage at https://zefix.tv/ might be temporarily down or it may have moved permanently to a new web address.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox (which is wrong, SSLv3 is disabled, ssllabs test confirms this):
Unable to Connect Securely
Firefox cannot guarantee the safety of your data on zefix.tv because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap
If you comment out the 'SSLCipherSuite' entry, does it work?
Thanks, yes, SSLCipherSuite was the reason. I had to remove '!SSLv3', which is weird. So the https problem was obviously not Arch Linux related; maybe this was introduced with the last openssl update? I am not sure if the problem existed before the reboot, could be... Anyway, thanks, everything is up again... Still weird that the vsftpd cert was gone though, I have to keep an eye on that.
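The cipher-string behaviour behind the fix in the last post, as an added example that is not part of the original thread: in an OpenSSL cipher string, `SSLv3` is a tag on cipher suites rather than a protocol switch (`SSLProtocol` is what disables the protocol), so `!SSLv3` deletes suites that TLS clients may also need. The script expands the vhost's string with and without the tag using Python's `ssl` module; the function names are hypothetical, and which suites carry the tag depends on the local OpenSSL version.

```python
import ssl

# SSLCipherSuite value from the vhost in the thread, and the same value
# with only the '!SSLv3' element taken out (the fix reported in the last post).
WITH_TAG = ("AES256+EECDH:AES256+EDH:!MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5"
            ":!SSLv3:!SSLv2")
WITHOUT_TAG = ("AES256+EECDH:AES256+EDH:!MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5"
               ":!SSLv2")


def expand(cipher_string):
    """Return {suite name: protocol tag} enabled by the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def removed_by(with_tag, without_tag):
    """Suites that are offered without the tag but dropped with it."""
    kept = expand(with_tag)
    full = expand(without_tag)
    return {name: proto for name, proto in full.items() if name not in kept}


def report():
    """Print what the server would still offer and what '!SSLv3' removed."""
    kept = expand(WITH_TAG)
    removed = removed_by(WITH_TAG, WITHOUT_TAG)
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    print("Still offered with '!SSLv3' (%d):" % len(kept))
    for name, proto in sorted(kept.items()):
        print("  %-32s %s" % (name, proto))
    print("Removed by '!SSLv3' (%d):" % len(removed))
    for name, proto in sorted(removed.items()):
        print("  %-32s %s" % (name, proto))
    # A client only connects if it supports one of the suites still offered;
    # otherwise the handshake ends in a cipher mismatch like the ones quoted.
    return kept, removed


if __name__ == "__main__":
    report()
```

Running it on the server itself shows the list that server's OpenSSL build would offer, which can then be compared with what the affected browsers support.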