topic Re: Apache startup failed (points!) in Linux-Based Community / Regional

Apache startup failed (points!)

Christian Deutsch_1 — Mon, 06 Dec 2010 13:33:00 GMT

Hi there,

Somewhat over a year ago I successfully configured apache httpd to work on a RHEL 5.3 system. Now I have Fedora 13 and startup of Apache httpd failed:

service httpd --full-restart
Stopping httpd: [FAILED]
Starting httpd: [FAILED]

I tried `chkconfig httpd on` and that returned no error message but still full-restart and also start failed.

Where to look?

If I posted in the wrong section please tell me where to post this question.

I already configured apache so hopefully configuration is correct.

Helpful answers will be rewarded generously with points!

Thanks, Christian

Re: Apache startup failed (points!)

Alzhy — Mon, 06 Dec 2010 14:59:10 GMT

go to /etc/httpd/logs

check error_log

post logs.

Re: Apache startup failed (points!)

Christian Deutsch_1 — Mon, 06 Dec 2010 15:04:22 GMT

ll /etc/httpd/logs
lrwxrwxrwx. 1 root root 19 Oct 6 09:39 /etc/httpd/logs -> ../../var/log/httpd
[root@smarty httpd]# ls /etc/httpd/logs
[root@smarty httpd]# ll /var/log/httpd
total 0

now what?

Re: Apache startup failed (points!)

Alzhy — Mon, 06 Dec 2010 15:10:51 GMT

Are you using the default httpd.conf still? If not - can you re-instate the original httpd.conf and try a start?

Or if you can just whack your existing http installation and re-install from yum repository.

Re: Apache startup failed (points!)

Steven Schweda — Mon, 06 Dec 2010 15:30:24 GMT

> Somewhat over a year ago I successfully
> configured apache httpd to work on a RHEL
> 5.3 system. Now I have Fedora 13 and
> startup of Apache httpd failed:

Is this "Fedora 13" system the same one as
the "RHEL 5.3" system? So, did you replace
the OS, but _not_ re-install Apache? If so,
then this advice sounds good to me:

> Or if you can just whack your existing http
> installation and re-install from yum
> repository.

And probably any number of other optional
products, too. You might be able to save the
Apache configuration files from the old
installation, unless the new Apache version
differs too much from the old one.

> Helpful answers will be rewarded generously
> with points!

What's that worth in US$?

Re: Apache startup failed (points!)

Christian Deutsch_1 — Mon, 06 Dec 2010 15:32:59 GMT

Uninstalled httpd, installed:

httpd-2.2.17-1.fc13.1.x86_64

ll /etc/httpd/conf/httpd.conf
-rw-r--r--. 1 root root 33738 Oct 27 14:26 /etc/httpd/conf/httpd.conf

service httpd start
Starting httpd: [FAILED]

ll /etc/httpd/logs
lrwxrwxrwx. 1 root root 19 Dec 6 16:20 /etc/httpd/logs -> ../../var/log/httpd
[root@smarty httpd]# ls /etc/httpd/logs
[root@smarty httpd]# ll /var/log/httpd
total 0

Thanks, Christian

Re: Apache startup failed (points!)

Christian Deutsch_1 — Mon, 06 Dec 2010 15:35:11 GMT

Steve:

Same hardware and hostname but now ext4 filesystems with encryption, before I had ext3 without encryption. I did not adopt any httpd configuration from the previous installation.

Christian

Re: Apache startup failed (points!)

Alzhy — Mon, 06 Dec 2010 15:38:52 GMT

Encryption?

I think that may very well be where your issue is?

What ext4 filesystems did you enable encryption on? Did you incldue /var by any chace in your ext4 encryption? And does user apache have access to those encyrpted filesystems?

Re: Apache startup failed (points!)

Christian Deutsch_1 — Tue, 07 Dec 2010 07:32:31 GMT

all filesystems should be "transparent" for encryption:

df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/luks-51cdeaa5-41c2-400f-aeae-b1b5323e6d7a
50G 8.3G 39G 18% /
tmpfs 6.0G 3.6M 6.0G 1% /dev/shm
/dev/sda1 485M 28M 432M 7% /boot
/dev/mapper/luks-f8ae7a61-a4ef-41aa-92a3-7c67a1fc5043
1001G 118G 833G 13% /home

1 filesystem and disk for /. /boot is also on that disk and part of /home. Only the rest of /home is on the second disk.

I cannot see an issue with file systems or encryption here.

Christian

Re: Apache startup failed (points!)

Chhaya_Z — Tue, 07 Dec 2010 10:53:26 GMT

Have you tried to check if the syntax of the httpd.conf is correct?
#/usr/sbin/httpd -t ==> should say syntax OK

or #/usr/sbin/apache-perl -T

or #apachectl configtest

Re: Apache startup failed (points!)

Christian Deutsch_1 — Tue, 07 Dec 2010 12:40:27 GMT

Wow Chhaya,

That brings me forward! Thank you so much!

So far I identified a problem with a file that I added:

/etc/httpd/conf.d/ssl.conf

Into this file I put:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

This is the cause of the fail.

In an older version of httpd (httpd-2.2.3-19.el5), this worked fine.

Any idea what is different in version httpd-2.2.17-1.fc13.1.x86_64 such that I get this error when I have these values in ssl.conf?

/usr/sbin/httpd -t
Syntax error on line 1 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by a module not included in the server configuration

Thanks for further help if possible. Of course more points will come :)

Christian

Re: Apache startup failed (points!)

Goran Koruga — Tue, 07 Dec 2010 12:50:30 GMT

Dear Christian.

Are you sure you have "mod_ssl" module loaded? Verify with:

apache2ctl -M

The directive "SSLCertificateFile" is still valid for this module.

Re: Apache startup failed (points!)

Christian Deutsch_1 — Tue, 07 Dec 2010 13:20:18 GMT

Thanks Goran,

I am making some more progress now!

So now I installed:

mod_ssl-2.2.17-1.fc13.1.x86_64

/usr/sbin/httpd -t shows:

Syntax OK

But:

/usr/sbin/apachectl -M

returns no text and error code 1

And:

service httpd --full-restart
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Some more helpful ideas? (I could not find apache2ctl so I tried /usr/sbin/apachectl instead).

Thanks, Christian

Re: Apache startup failed (points!)

Chhaya_Z — Tue, 07 Dec 2010 13:22:43 GMT

Is SElinux Enabled?

Re: Apache startup failed (points!)

Chhaya_Z — Tue, 07 Dec 2010 13:34:16 GMT

Christian,

Please check the messages file for any errors while starting the httpd service

#tailf /var/log/messages

Re: Apache startup failed (points!)

Christian Deutsch_1 — Tue, 07 Dec 2010 13:34:29 GMT

Wow Chhaya!

Great work!

Now `/usr/sbin/apachectl -M` shows me the modules being loaded.

And `service httpd --full-restart` started httpd ok.

I changed SELinux Default and Current Enforcing Mode to Permissive. I was not aware that in Fedora 13 it seems that SELinux is enabled by default.

Now apache is running, let me see if everything else works as expected...

Thanks, Christian

Re: Apache startup failed (points!)

Chhaya_Z — Tue, 07 Dec 2010 13:40:16 GMT

Christian,

If you want to get Apache working when SElinux is enabled then you have to set a boolean.

you can try the below step

#setsebool â P httpd_disable_trans 1
Now restart the service and it should work fine.

I am glad that its working. It was my pleasure assisting you :)

Have a great day ahead.

Re: Apache startup failed (points!)

Chhaya_Z — Tue, 07 Dec 2010 13:56:26 GMT

In my previous response plz ignore those special characters in the command. It has to be as below

#setsebool -P httpd_disable_trans 1

Re: Apache startup failed (points!)

Christian Deutsch_1 — Wed, 08 Dec 2010 11:01:16 GMT

Chhaya,

I found these interesting messages in /var/log/messages:

Dec 7 14:06:51 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 14:07:23 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 14:18:21 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 14:24:22 smarty dbus: avc: received setenforce notice (enforcing=0)
Dec 7 14:24:22 smarty dbus: avc: received setenforce notice (enforcing=0)
Dec 7 14:24:22 smarty dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 7 14:27:36 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 14:27:51 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 14:27:51 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 15:32:37 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 15:32:37 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 15:32:37 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 15:35:56 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 15:35:56 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 15:35:56 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 16:34:10 smarty dbus: avc: received setenforce notice (enforcing=1)
Dec 7 16:34:10 smarty dbus: avc: received setenforce notice (enforcing=1)
Dec 7 16:34:10 smarty dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=1)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 7 16:34:11 smarty dbus: [system] Reloaded configuration
Dec 7 16:35:37 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 16:36:06 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 16:38:10 smarty dbus: avc: received setenforce notice (enforcing=0)
Dec 7 16:38:10 smarty dbus: avc: received setenforce notice (enforcing=0)
Dec 7 16:38:10 smarty dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 7 16:38:26 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "getattr" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551
Dec 7 16:38:26 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5
Dec 7 16:38:26 smarty setroubleshoot: SELinux is preventing /usr/sbin/httpd "read" access to /etc/pki/tls/private/localhost.key. For complete SELinux messages. run sealert -l 7dc6822e-3ea6-4a3d-8afe-3e93ba167dc5

When I ran `setsebool -P httpd_disable_trans 1` I got:

libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean httpd_disable_trans
Could not change policy booleans

I guess the value you mean has a different name in my installation?

getsebool -a|grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

sealert -l 6bf2a6f9-223c-41e9-9921-1fe975979551

Summary:

SELinux is preventing /usr/sbin/httpd "getattr" access to
/etc/pki/tls/private/localhost.key.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by httpd. /etc/pki/tls/private/localhost.key may
be a mislabeled. /etc/pki/tls/private/localhost.key default SELinux type is
cert_t, but its current type is admin_home_t. Changing this file back to the
default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/etc/pki/tls/private/localhost.key', if this
file is a directory, you can recursively restore using restorecon -R
'/etc/pki/tls/private/localhost.key'.

Fix Command:

/sbin/restorecon '/etc/pki/tls/private/localhost.key'

Additional Information:

Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects /etc/pki/tls/private/localhost.key [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port
Host smarty.domain.com
Source RPM Packages httpd-2.2.17-1.fc13.1
Target RPM Packages
Policy RPM selinux-policy-3.7.19-10.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name restorecon
Host Name smarty.domain.com
Platform Linux smarty.domain.com 2.6.33.3-85.fc13.x86_64 #1
SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count 9
First Seen Tue Dec 7 14:06:48 2010
Last Seen Tue Dec 7 16:38:24 2010
Local ID 6bf2a6f9-223c-41e9-9921-1fe975979551
Line Numbers

Raw Audit Messages

node=smarty.domain.com type=AVC msg=audit(1291736304.119:3020): avc: denied { getattr } for pid=3623 comm="httpd" path="/etc/pki/tls/private/localhost.key" dev=dm-4 ino=1179673 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=smarty.domain.com type=SYSCALL msg=audit(1291736304.119:3020): arch=c000003e syscall=4 success=yes exit=0 a0=7f6c9e2e25a8 a1=7fff0fa02ab0 a2=7fff0fa02ab0 a3=1bb items=0 ppid=3622 pid=3623 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

So I tried:

/sbin/restorecon '/etc/pki/tls/private/localhost.key'

and tried again. I will post again with more results.

Christian

Re: Apache startup failed (points!)

Christian Deutsch_1 — Wed, 08 Dec 2010 11:21:45 GMT

After applying the restorecon fix commands (see my previous post) now I get the following messages in /var/log/messages:

Dec 8 12:02:11 smarty dbus: avc: received setenforce notice (enforcing=1)
Dec 8 12:02:11 smarty dbus: avc: received setenforce notice (enforcing=1)
Dec 8 12:02:11 smarty dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=1)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 8 12:02:11 smarty dbus: [system] Reloaded configuration
Dec 8 12:04:23 smarty dbus: avc: received setenforce notice (enforcing=0)
Dec 8 12:04:23 smarty dbus: avc: received setenforce notice (enforcing=0)
Dec 8 12:04:23 smarty dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 8 12:05:37 smarty dbus: avc: received setenforce notice (enforcing=1)
Dec 8 12:05:37 smarty dbus: avc: received setenforce notice (enforcing=1)
Dec 8 12:05:37 smarty dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=1)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 8 12:05:37 smarty dbus: [system] Reloaded configuration

Behaviour with SELinux is now:

Enforced mode: web page is not served (0 bytes are served)
Permissive mode: everything is fine

If you want me to try any more tweaks with SELinux you can give me some hints.

Christian