apache2 failing with AH00016: Configuration Failed? [SOLVED]

Message

tld · Post by **tld** » Tue Oct 15, 2024 7:03 pm

HELP!! I just did an update and apache is failing to start and getting is just getting this in it's error_log:

AH00016: Configuration Failed

The update didn't involve apache2 at all, nor PHP. The ONLY thing I can think of is that it did update openssl-3.0.14 to openssl-3.3.2.

Other than that I've got nothing. Any ideas?

Thanks!
Tom

tld · Post by **tld** » Tue Oct 15, 2024 7:37 pm

WOW I am really really desperate here. I decided to try to recompile apache and that didn't help.

I have to think it's somehow related to that openssl, but HOW would that break the apache2 configuration?? Nothing even changed in there.

To make matters worse, I wanted to try downgrading dev-libs/openssl and is will NOT let me and somehow I'm missing why!!?? I added this:

Code: Select all

grep dev-libs/openssl /etc/portage/package.mask 
>dev-libs/openssl-3.0.14

And that 3.0.14 IS available yet I'm getting this?:

Code: Select all

emerge -auv dev-libs/openssl

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 19.29 s (backtrack: 0/20).


Total: 0 packages, Size of downloads: 0 KiB

!!! The following installed packages are masked:
- dev-libs/openssl-3.3.2::gentoo (masked by: package.mask)
/etc/portage/package.mask:
# IMPORTANT! Seeing if this fixes apache start failure with AH00016: Configuration Failed

For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.



 * dev-libs/openssl

Would you like to add these packages to your world favorites? [Yes/No]

Why won't that downgrade??!! WHAT on earth am I missing with this!!? I feel like I'm loosing my mind.

EDIT: OK...I figured out that in order to downgrade openssl I have to downgrade curl as well. Trying that now.

Tom

Post by Hu » Tue Oct 15, 2024 7:51 pm

If I remember correctly, the apache startup pre-checks the configuration file. If that checker were broken, you might get this error, even when the file is well-formed.

If you want to run an older openssl, ask for it: emerge --ask --oneshot --verbose '=dev-libs/openssl-3.0.14'.

Beyond that, you have not given us anything with which to work.

tld · Post by **tld** » Tue Oct 15, 2024 8:09 pm

Thanks Hu. I'm downgrading openssl now (which required also downgrading curl) and that will take a while. Hopefully that'll do it. If not I'll post everything that was in this update just to see if anything else there may have caused this.

Will post when that's done. I had no issues with these similar upgrades on this AMD machine. This failure is on my x86 mythtv backend.

Tom

grknight · Post by **grknight** » Tue Oct 15, 2024 8:14 pm

Quick online searches suggest checking other logs, often ssl_error_log, as well for a contributing factor. Often a bad/outdated certificate or key.

tld · Post by **tld** » Tue Oct 15, 2024 9:15 pm

Thanks grknight! First of all it clearly WAS being caused by the openssl upgrade as downgrading it got apache to start.

And as to your suggestion, I think I found the issue:

Code: Select all

cat /var/log/apache2/ssl_error_log
[Tue Oct 15 14:40:01.711698 2024] [ssl:emerg] [pid 2087:tid 2087] AH02562: Failed to configure certificate localhost:443:0 (with chain), check /etc/ssl/apache2/server.crt
[Tue Oct 15 14:40:01.711923 2024] [ssl:emerg] [pid 2087:tid 2087] SSL Library Error: error:0A00018F:SSL routines::ee key too small

That's clearly because of the default self-signed certificate...specifically the one here:

Code: Select all

ls -l /etc/ssl/apache2
total 16
-r--r--r-- 1 root root 1038 Nov 15  2009 server.crt
-r--r--r-- 1 root root  749 Nov 15  2009 server.csr
-r-------- 1 root root  887 Nov 15  2009 server.key
-r-------- 1 root root 1926 Nov 15  2009 server.pem

So I assume I have to re-generate that server.crt(?). Anyone familiar with how to do that offhand?

Thanks a million for the help! Wow that was tough.

Tom

tld · Post by **tld** » Tue Oct 15, 2024 9:40 pm

Wow. Any help with generating that God-awful self-signed cert would be greatly appreciated.

I'd forgotten how cryptic that mess is...have read about it and hoped I'd never have to do it. Now I remember why. Just horrible.

EDIT: OK. I was able to do that. After saving the old ones elsewhere, inside of /etc/ssl/apache2 I did this:

Code: Select all

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./server.key -out ./server.crt

That seems to have worked and I was able to restart apache. Upgrading back to the newer openssl now.

Tom

tld · Post by **tld** » Tue Oct 15, 2024 10:42 pm

OK....yup. With the new key I was able to upgrade openssl again and apache starts just fine. Thanks everyone for the help!!

Rom

gjaekel · Post by **gjaekel** » Fri Nov 01, 2024 12:38 pm

Thank you for solving this; I also just stepped into this issue while updating.

It happens on a bunch of quite older self-signed certifcates for different internal vhosts. It was difficult to discover, because it wan't logged in the main error log but in the vhosts error log file. And at first i had no clue what happens.

I found the unusable certificates with something like

Code: Select all

openssl x509 -in cert.pem -text -noout | grep 'Public-Key:.*1024'