httpd-users mailing list archives

From Ben Johnson <>
Subject [users@httpd] Apache fails to start, without explanation, when certain SSL-related directives are misconfigured
Date Wed, 22 Aug 2012 12:35:16 GMT

I find it extremely troubling that when Apache fails to start due to an
SSL-related misconfiguration nothing is logged to that effect.

For example, if a certificate and private key do not match, Apache will
fail to start and, from what I can tell, fails to log anything at all.

Maybe there is some alternate log file location of which I'm not aware,
but tailing /var/log/apache2/error.log (on Debian), or the site-specific
log at /var/www/, reveals absolutely nothing
about the issue's cause.

How can the world's "most mature", "most advanced" Web server be brought
to its knees due to an SSL misconfiguration with one site?

I find this to be inexcusable. Even if Apache did log every detail
regarding the cause for the failed service start-up, the fact that
Apache has no mechanism for handling such a misconfiguration gracefully
is disappointing.

To the contrary, Dovecot, for example, failed gracefully in the same
instance; it reported a very specific message in its logs (key/cert.
mismatch) and still started up. Due to the fact that the certificate was
malformed, Dovecot dropped its TLS capabilities, but it still started
the server and bound to the non-secure port.

The "apache2ctl configtest" command seems to be ineffective when the
required files exist and are not empty. This utility seems not to check
for a match between the private key and the certificate. Perhaps this
utility could be modified to use the `openssl` executable (if it can be
found) to check these items, too.

Am I missing something here?

Thank you for any insight,
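
The `openssl`-based check suggested in the message above, written out as an added example; it is not part of the original post or of Apache's own tooling. The function names, the sample file names and the `example.invalid` subject are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Apache's or the poster's code): confirm that a certificate
# and a private key belong together before the server is (re)started.
# It compares the public key inside the certificate with the public key
# derived from the private key, so it works for RSA and EC keys alike.

# cert_key_match CERT KEY -> 0 match, 1 mismatch, 2 unreadable/unparsable file
cert_key_match() {
    cert=$1
    key=$2
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "not a parsable certificate: $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "not a parsable private key: $key" >&2; return 2; }
    [ "$cert_pub" = "$key_pub" ] && return 0
    echo "key/cert mismatch: $cert <-> $key" >&2
    return 1
}

# Constructed sample input: two throwaway RSA keys and a self-signed
# certificate for the first one, written into directory $1.
make_sample_files() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/a.key" -subj "/CN=example.invalid" \
        -days 1 -out "$1/a.crt" 2>/dev/null
}

# Usage: sh check.sh /path/to/site.crt /path/to/site.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2" && echo "OK: private key matches certificate"
fi
```

Run it against each certificate/key pair a virtual host references (the files named by `SSLCertificateFile` and `SSLCertificateKeyFile`) before restarting; a non-zero exit status identifies the pair that does not fit together.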

