Message-ID: <5034D204.70701@indietorrent.org>
Date: Wed, 22 Aug 2012 08:35:16 -0400
From: Ben Johnson
To: users@httpd.apache.org
Subject: [users@httpd] Apache fails to start, without explanation, when certain SSL-related directives are misconfigured

Hello,

I find it extremely troubling that when Apache fails to start due to an SSL-related misconfiguration nothing is logged to that effect.

For example, if a certificate and private key do not match, Apache will fail to start and, from what I can tell, fails to log anything at all. Maybe there is some alternate log file location of which I'm not aware, but tailing /var/log/apache2/error.log (on Debian), or the site-specific log at /var/www/example.com/log/error.log, reveals absolutely nothing about the issue's cause.

How can the world's "most mature", "most advanced" Web-server be brought to its knees due to an SSL misconfiguration with one site? I find this to be inexcusable.

Even if Apache did log every detail regarding the cause for the failed service start-up, the fact that Apache has no mechanism for handling such a misconfiguration gracefully is disappointing.

To the contrary, Dovecot, for example, failed gracefully in the same instance; it reported a very specific message in its logs (key/cert. mismatch) and still started up. Due to the fact that the certificate was malformed, Dovecot dropped its TLS capabilities, but it still started the server and bound to the non-secure port.

The "apache2ctl configtest" command seems to be ineffective when the required files exist and are not empty. This utility seems not to check for a match between the private key and the certificate. Perhaps this utility could be modified to use the `openssl` executable (if it can be found) to check these items, too.

Am I missing something here?

Thank you for any insight,

-Ben
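
The check the message asks `apache2ctl configtest` to perform can be run as a separate pre-flight step. The script below is an added example, not part of the original message and not Apache's own code: the function names and return codes are its own, it assumes an unencrypted private key and paths without spaces, and it reads the paths from the mod_ssl directives `SSLCertificateFile` and `SSLCertificateKeyFile`, which the message does not name.

```shell
#!/bin/sh
# Return codes (this example's own convention):
#   0 match, 1 mismatch, 2 unreadable or unparseable file, 3 openssl not found
# Usage after sourcing: check_cert_key CERT KEY && apache2ctl configtest

check_cert_key() {
    cert=$1
    key=$2
    if ! command -v openssl >/dev/null 2>&1; then
        echo "check_cert_key: openssl not found in PATH" >&2
        return 3
    fi
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "check_cert_key: cannot read $cert or $key" >&2
        return 2
    fi
    # Public key embedded in the certificate, as PEM SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "check_cert_key: $cert is not a parseable certificate" >&2
        return 2
    }
    # Public key derived from the private key, in the same PEM encoding.
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "check_cert_key: $key is not a parseable unencrypted private key" >&2
        return 2
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "check_cert_key: MISMATCH between $cert and $key" >&2
        return 1
    fi
    return 0
}

# Pair each SSLCertificateFile with the SSLCertificateKeyFile that follows it
# in one config file and check every pair; non-zero if any pair fails.
check_apache_conf() {
    awk 'tolower($1) == "sslcertificatefile" { c = $2 }
         tolower($1) == "sslcertificatekeyfile" && c != "" { print c, $2; c = "" }' "$1" |
    tr -d '"' |
    {
        bad=0
        while read -r c k; do
            check_cert_key "$c" "$k" || bad=1
        done
        [ "$bad" -eq 0 ]
    }
}
```

Because the comparison is on the public key rather than an RSA modulus, the same function works for RSA and EC key pairs.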