Hi all,
After today's upgrade, my apache on both my server and development laptop won't start with ssl anymore. They both use the same setup as far as Apache is concerned, with the same keys that belong to the server. These keys have worked since 2014 and verify:
$ sudo openssl verify -CAfile diederickdevries_net.ca-bundle diederickdevries_net.crt
diederickdevries_net.crt: OK
But when I try to start apache, I get this in /var/log/httpd/error_log:
[Mon Apr 24 22:25:44.419675 2017] [ssl:info] [pid 2977:tid 140105201474496] AH01887: Init: Initializing (virtual) servers for SSL
[Mon Apr 24 22:25:44.419732 2017] [ssl:info] [pid 2977:tid 140105201474496] AH01914: Configuring server diederickdevries.net:443 for SSL protocol
[Mon Apr 24 22:25:44.420134 2017] [ssl:emerg] [pid 2977:tid 140105201474496] AH01903: Failed to configure CA certificate chain!
[Mon Apr 24 22:25:44.420144 2017] [ssl:emerg] [pid 2977:tid 140105201474496] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/error_log for more information
AH00016: Configuration Failed
And apache fails to start. Problem is, the mentioned log is the log I got this from. I'm not even sure if it is really my own certificates it is complaining about. I tried LogLevel debug in the right VirtualHost, but that did not make the log any more verbose.
Also, Dovecot starts, but mentions: "Unknown protocol 'SSLv2'". Stopping to disallow it helped somehow. Changing ssl_protocols in /etc/dovecot/conf.d/10-ssl.conf from
ssl_protocols = !SSLv3 !SSLv2
to
ssl_protocols = !SSLv3
seemed to solve that.
Can anyone tell me how to research this further?
Hi,
Just after this evening's upgrade, I see a LOT of errors coming from the new version of OpenSSL. This is pretty dangerous as some services refuse to start, and some apps that use HTTPS are rendered completely useless. I don't know how to fix that, however, I report that I actually have the same problem.
I can confirm I am having the exact same issues as diederick76 above. Was able to "fix" dovecot using his example, and for now, "fix" apache by disabling SSL. Neither are a solution at all, but these services *need* to work and until we find some answers this is the best I can do. Hoping for someone to chime in with a real solution!
"Ubuntu" - an African word meaning "Arch is too hard for me".
The proper fix is to ensure you have an up to date mirror and fully update your system (like nearly every other of the dozen or so related threads posted today). Apache was rebuilt against the new openssl package, but you likely still have the previous apache build.
Dovecot was also updated today.
EDIT: I just updated one of my servers - no problem at all when fully updated.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Thanks for replying Trilby, just to make sure I am doing this correctly, here is what I did before I posted here and just did again now. Please enlighten me if I have made a mistake:
First, run reflector like this:
# reflector --verbose --latest 5 --sort rate --save /etc/pacman.d/mirrorlist
With this result:
rating rsync://mirror.vfn-nrw.de/archlinux/
rating http://mirror.f4st.host/archlinux/
rating https://mirror.f4st.host/archlinux/
rating rsync://mirror.f4st.host/archlinux/
rating http://archlinux.dynamict.se/
Server Rate Time
http://mirror.f4st.host/archlinux/ 157.38 KiB/s 0.79 s
http://archlinux.dynamict.se/ 112.87 KiB/s 1.10 s
https://mirror.f4st.host/archlinux/ 105.22 KiB/s 1.18 s
rsync://mirror.f4st.host/archlinux/ 39.50 KiB/s 3.14 s
rsync://mirror.vfn-nrw.de/archlinux/ 0.00 KiB/s nan s
And next:
# pacman -Syyu
With this result:
:: Synchronizing package databases...
core 123.8 KiB 250K/s 00:00 [###############################################################] 100%
extra 1704.5 KiB 589K/s 00:03 [###############################################################] 100%
community 3.8 MiB 430K/s 00:09 [###############################################################] 100%
archlinuxfr 14.9 KiB 117K/s 00:00 [###############################################################] 100%
:: Starting full system upgrade...
there is nothing to do
It is my understanding that what I have done is "Verbosely rate and sort the five most recently synchronized mirrors by download speed, and overwrite the file /etc/pacman.d/mirrorlist", then "force a refresh of all package lists and upgrade". Is this correct? Again, please tell me what I am doing wrong here, or the reason I am not getting the newly rebuilt packages. Do I need to "reinstall" those two packages?
Thanks in advance!
Last edited by Nocturne (2017-04-24 23:44:45)
"Ubuntu" - an African word meaning "Arch is too hard for me".
I just checked that top mirror, it currently has the right apache and dovecot packages. Which dovecot package version do you currently have installed? Did you restart the services after they were updated?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Here is what I get:
pacman -Q apache dovecot
apache 2.4.25-2
dovecot 2.2.28-2
And not only did I try to restart the services, but also rebooted the system for good measure. I re-enabled SSL for apache and also added back the "!SSLv2" to the dovecot "ssl_protocols" line in the config to check if things were working as they should and got the same failures. Not sure what else to try at this point.
Last edited by Nocturne (2017-04-25 00:01:47)
"Ubuntu" - an African word meaning "Arch is too hard for me".
That all looks good - your problem then may not have anything to do with the openssl update. Do you get the same errors as the OP? Please post your exact apache errors along with the referenced error log. Also post any dovecot errors.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
I have the same problem with apache after update:
[Tue Apr 25 03:22:10.373195 2017] [ssl:emerg] [pid 3732] AH01903: Failed to configure CA certificate chain!
[Tue Apr 25 03:22:10.373362 2017] [ssl:emerg] [pid 3732] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
Really quite embarrassed to share the solution that I found to my problem, but I hope that maybe someone else made the same silly mistake and that this will help them.
In my Apache configuration file (/etc/httpd/conf/extra/httpd-vhosts.conf), I had this:
SSLCertificateFile "/etc/letsencrypt/live/mydomain.com/cert.pem"
When according to http://letsencrypt.readthedocs.io/en/la … rtificates, it should be this for versions of Apache >= 2.4.8:
SSLCertificateFile "/etc/letsencrypt/live/mydomain.com/fullchain.pem"
The interesting thing is that it worked correctly until this morning when I did my updates. I guess something changed in the new openssl perhaps?
Now I am going to examine my dovecot config a bit closer as well and see if there is something similar going on there.
"Ubuntu" - an African word meaning "Arch is too hard for me".
Nocturne's solution worked for me, but I also had to delete SSLCertificateChainFile option.
Last edited by Kido (2017-04-25 02:59:33)
Does anyone know how to fix the issue for dovecot?
I have the same issue and had to enable SSLv2 temporarily to keep my email running.
The issue started with the big update because of openssl 1.1
I do use the fullchain, so that's not the fix for dovecot unfortunately
I also have the latest versions:
pacman -Q apache dovecot openssl
apache 2.4.25-2
dovecot 2.2.28-2
openssl 1.1.0.e-1
I don't have a LetsEncrypt certificate. Mine is from Comodo and the way I've been using it is:
SSLCertificateFile "/etc/ssl/ssl.key/diederickdevries_net.crt"
SSLCertificateKeyFile "/etc/ssl/ssl.key/diederickdevries_net.pem"
SSLCertificateChainFile "/etc/ssl/ssl.crt/diederickdevries_net.ca-bundle"
Is there a way to check whether this should work?
When I remove the last line, apache will actually start and serve over ssl. Not sure why that would be a problem all of a sudden. Like Dovecot, all this is quite mysterious. So my question remains: how do I put apache in debug mode? Simply setting the LogLevel in the right VirtualHost doesn't appear to change anything.
Secondly, how do I figure out what's going on with Dovecot? And how do I re-disallow SSLv2?
Last edited by diederick76 (2017-04-25 07:46:17)
I have a solution for Apache: change the last line from "SSLCertificateChainFile" to "SSLCACertificateFile" and Apache starts again.
You are right. http://stackoverflow.com/questions/1899 … le#5543737 seems to agree with you that this is the correct way to send the bundle to the client.
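As an added check (example code written here, not from the thread, from Apache or from Let's Encrypt), the script below lints a vhost for the two chain problems fixed above: a leaf-only cert.pem in SSLCertificateFile, and the SSLCertificateChainFile directive, which Apache deprecated in 2.4.8 in favour of putting the intermediates into SSLCertificateFile. The vhost snippets, paths and PEM contents are constructed placeholders; a real run would read the files from disk.

```python
import re
from typing import Callable, Dict, List

# Constructed sample vhost configs, not taken from the thread. BROKEN_VHOST mirrors
# the pattern posted above: leaf-only cert.pem plus SSLCertificateChainFile.
BROKEN_VHOST = """<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/example.test/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.test/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/example.test/chain.pem"
</VirtualHost>"""
# The corrected form: fullchain.pem in SSLCertificateFile, chain directive dropped.
FIXED_VHOST = BROKEN_VHOST.replace("cert.pem", "fullchain.pem").replace(
    '    SSLCertificateChainFile "/etc/letsencrypt/live/example.test/chain.pem"\n', "")

# Constructed PEM placeholders: only the block markers matter to this check.
PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_FILES: Dict[str, str] = {
    "/etc/letsencrypt/live/example.test/cert.pem": PEM,           # leaf only
    "/etc/letsencrypt/live/example.test/chain.pem": PEM * 2,      # intermediates
    "/etc/letsencrypt/live/example.test/fullchain.pem": PEM * 3,  # leaf + chain
}

DIRECTIVE_RE = re.compile(r'^\s*(SSL\w+)\s+"?([^"\s]+)"?\s*$', re.M)

def count_pem_certs(pem_text: str) -> int:
    """Number of CERTIFICATE blocks in a PEM file; 1 means the leaf alone."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")

def parse_ssl_directives(config: str) -> Dict[str, str]:
    """Map each SSL* directive in the vhost to its argument, quotes stripped."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(config)}

def lint_vhost(config: str, read_file: Callable[[str], str]) -> List[str]:
    """Flag the two chain misconfigurations discussed in the thread."""
    d = parse_ssl_directives(config)
    findings: List[str] = []
    if "SSLCertificateChainFile" in d:
        findings.append("SSLCertificateChainFile is deprecated since Apache 2.4.8; "
                        "put the leaf plus intermediates in SSLCertificateFile instead")
    cert = d.get("SSLCertificateFile")
    if cert is None:
        findings.append("SSL vhost has no SSLCertificateFile")
    elif count_pem_certs(read_file(cert)) < 2 and not (
            "SSLCertificateChainFile" in d or "SSLCACertificateFile" in d):
        findings.append(f"{cert} holds only the leaf certificate and no chain "
                        "directive is set: clients will not receive the intermediates")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        print(name, lint_vhost(cfg, SAMPLE_FILES.__getitem__) or ["OK"])
```

Against a live config, pass `lambda p: open(p).read()` as `read_file` and the text of the real vhost block as `config`.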
So it sounds like none of the issues in this thread are actually problems with the new openssl. They are all just outdated configs possibly from ignoring pacnews or not keeping up with changes (which are documented in the wiki) to apache or dovecot configurations.
A server configured following guidelines in the wiki can go through the update without a single issue.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Perhaps, though I am usually pretty careful updating config files, and there was no pacnew file with the update that broke things. But you could still be right, since an earlier pacnew file could have suggested the update.
As far as Dovecot is concerned, this could be a resurfacing of an older bug as mentioned in the debian bug tracker: https://bugs.debian.org/cgi-bin/bugrepo … bug=844311
Yes, I didn't mean to imply that there was a current pacnew or config change - quite the opposite: my configs *didn't* need any changes with this update. But there have been a handful of changes to both apache and dovecot configs over the past 6-months or so that I have had to integrate into my configs.
I suspect there were previous config options or syntaxes that were changed and/or deprecated and the current update may have just revealed some already outdated config entries.
My best suggestion would just be to work through the wiki pages as if you were setting up the server anew, and find where your configs differ from the guidelines. What I'd hope to emphasize is that any workaround of symlinking libraries, installing the openssl-1.0, or disabling some ssl capabilities are not only not necessary but potentially dangerous for a server where you'd care about security. The right solution is simply to get the configs straightened out.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Trilby, if I understand your posts correctly, you have a working dovecot config with SSLv2 dis-allowed? If so, would you be so kind as to post that config file for the rest of us to compare with?
If I have misunderstood, I am sorry, but your last post seemed to indicate that you have made changes to the dovecot config over the last several months and have a working setup right now. My dovecot setup is only about 2 months old and I believe that I followed the wiki (first Dovecot, and then Virtual user mail system) to the best of my ability. When I have what I believe to be the relevant section from the wiki (Create the SSL certificate, big pink warning box) in my config file:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
It fails with this error message:
systemd[1]: Starting Dovecot IMAP/POP3 email server...
dovecot[27133]: master: Dovecot v2.2.28 (bed8434) starting up for imap, lmtp, sieve
systemd[1]: Started Dovecot IMAP/POP3 email server.
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 2 secs
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 4 secs
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 8 secs
Until, like diederick76, I change:
ssl_protocols = !SSLv2 !SSLv3
to instead read:
ssl_protocols = !SSLv3
And then dovecot works as expected and I am able to log in correctly.
Looking in the /usr/share/doc/dovecot/example-config/conf.d directory, I see that the "defaults" in the 10-ssl.conf file are as such:
ssl_protocols = !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = no
ssl_dh_parameters_length = 1024
Which work, but according to the wiki do not respond safely to POODLE and FREAK/Logjam.
So I, like the others here I think, would like to secure dovecot by disabling SSLv2 again, like it used to be before the latest round of updates. Please show us how you have it disabled and have dovecot running correctly. As a disclaimer, I use Let's Encrypt certificates.
diederick76, I too saw that bug and wondered about it...
Last edited by Nocturne (2017-04-25 15:43:16)
"Ubuntu" - an African word meaning "Arch is too hard for me".
Yes you interpret my post correctly. I use apache, postfix, and dovecot on my server. I also use LetsEncrypt certs for apache. My dovecot 10-ssl.conf is identical to the what is in the wiki (except I also have the ssl_cert and ssl_key lines in there).
I don't know much about dovecot though - and as a revision to my earlier statement, it seems I've not had to do any revision to dovecot-specific configs, apache certainly, and I think some postfix configs have changed.
Also I don't use virtual user mail.
EDIT: I just noticed I do have similar errors in my dovecot status - perhaps dovecot is not working quite right here, but apache and postfix certainly are. My website is up and running, and mail is going in and out without issue. I'll test a remote imap connection momentarily.
EDIT 2: Sorry, I am unable to use imaps remotely. But this would highlight that the dovecot problem is definitely not the same as the apache problem that this thread was (supposed to be) about.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
That is true, the dovecot problem is "definitely not the same" as the apache problem (misconfiguration on my part for sure, I have admitted my mistakes), however, it is pretty hard to deny that both "problems" presented themselves *after* the openssl update.
Trilby, you seem to be implying that I need to start a new thread about the dovecot problem and so I will do so, as well as making a post to the dovecot mailing list.
My sincere apologies for cluttering up this thread with trying to find solutions to the dovecot problems you were having, diederick76, we can continue our discussion on the topic here:
https://bbs.archlinux.org/viewtopic.php?id=225535
Last edited by Nocturne (2017-04-25 18:37:40)
"Ubuntu" - an African word meaning "Arch is too hard for me".
Just chiming in here to thank you gentlemen for posting the solution. Solutions by Nocturne (post 10) and Kido (post 11) worked for me. I guess I didn't keep up with my configuration changes in httpd. Thanks for the heads up.