Rebuilding Apache after SSLv3 fix

Discussion in 'EasyApache' started by drp, Oct 21, 2014.

  1. drp

    drp Member

    Hi,

    I'm attempting this fix for SSLv3 here: http://forums.cpanel.net/f185/sslv3...y-ckb-how-adjust-cipher-protocols-432641.html


    On three of my servers, this has run without any problems. However, I've got another one with a different hosting provider where I'm unable to rebuild Apache after making the fix. The message I get is:

    Code:
    Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.
    
    If apache restart reported success but it failed soon after, it may be caused by oddities with mod_ssl.
    
    You should run /usr/local/cpanel/scripts/ssl_crt_status as part of your troubleshooting process. Pass it --help for more details.
    
    Also be sure to examine apache's various log files.
    Apache Restart Output:
    
    Log:
    [Tue Oct 21 05:32:46.004569 2014] [:notice] [pid 17995] ModSecurity: LUA compiled version="Lua 5.1"
    [Tue Oct 21 05:32:46.004574 2014] [:notice] [pid 17995] ModSecurity: LIBXML compiled version="2.9.1.20140611"
    [Tue Oct 21 05:32:46.004578 2014] [:notice] [pid 17995] Status engine is currently disabled, enable it by set SecStatusEngine to On.
    [Tue Oct 21 05:32:47.002030 2014] [ssl:warn] [pid 17996] AH01906: myhostname.mydomain.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Oct 21 05:32:47.005662 2014] [mpm_prefork:notice] [pid 17996] AH00163: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    [Tue Oct 21 05:32:47.005707 2014] [core:notice] [pid 17996] AH00094: Command line: '/usr/local/apache/bin/httpd -D SSL'
    [Tue Oct 21 05:33:27.339167 2014] [mpm_prefork:notice] [pid 17996] AH00169: caught SIGTERM, shutting down
    [Tue Oct 21 05:33:29.000791 2014] [ssl:emerg] [pid 18050] AH01898: Unable to configure permitted SSL ciphers
    [Tue Oct 21 05:33:29.001224 2014] [ssl:emerg] [pid 18050] SSL Library Error: error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command
    [Tue Oct 21 05:33:29.001243 2014] [ssl:emerg] [pid 18050] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed
    Running ssl_cert_status reveals nothing. I've then tried running /scripts/rebuildhttpdconf but all that gave me was similar to this: info [rebuildhttpdconf] Missing owner for domain, force lookup to root | SingleRack Hosting Solution, which I've now fixed.

    What should my next fix be? If I roll back the SSLv3 fix, everything is hunky-dory again and Apache restarts fine.
    Thanks,
    Clive
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Please post the output from:

    Code:
    rpm -qa | grep openssl
    cat /etc/redhat-release
    Also, post the contents from the /usr/local/apache/conf/includes/pre_main_global.conf file on your system.

    Thank you.
     
  3. drp

    drp Member

    Thanks for your help. Here you go:

    Code:
    root@server1 [/]# rpm -qa | grep openssl
    openssl-1.0.1e-30.el6_5.2.x86_64
    openssl-devel-1.0.1e-30.el6_5.2.x86_64
    root@server1 [/]# cat /etc/redhat-release
    CentOS release 6.5 (Final)
    root@server1 [/]#
    and
    Code:
    root@server1 [/usr/local/apache/conf/includes]# vi pre_main_global.conf
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
    SSLHonorCipherOrder on
    ~
     
  4. drp

    drp Member

    While this doesn't fix the problem specifically, rather than make the SSLv3 fix in the link above, I've instead updated OpenSSL as fixed here: https://www.openssl.org/news/secadv_20141015.txt, thereby avoiding the problem caused by editing the pre_main_global include.
    Thanks,
    Clive
     
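The AH01898 / `SSL_CIPHER_PROCESS_RULESTR:invalid command` lines in the log above are what mod_ssl reports when OpenSSL rejects the `SSLCipherSuite` string. The following is an added example, not part of the thread or of cPanel's tooling: a pre-restart check that feeds every `SSLCipherSuite` value in an include file to OpenSSL's cipher-string parser. It assumes the OpenSSL that Python's `ssl` module is linked against parses cipher strings the same way as the one Apache uses; `PASTED_CONF` reproduces the include as pasted above and `GOOD_CONF` is a constructed comparison.

```python
import ssl
import sys

# Constructed sample: the include file exactly as pasted in the thread.
PASTED_CONF = """\
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on
"""

# Constructed comparison: a short, well-formed cipher string.
GOOD_CONF = "SSLCipherSuite EECDH+AES128:RSA+AES128\n"


def check_cipher_suites(conf_text):
    """Return [(line_no, cipher_string, ok, error)] per SSLCipherSuite line."""
    results = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        tokens = line.split()
        # Comment lines start with '#', so tokens[0] never matches for them.
        if len(tokens) < 2 or tokens[0].lower() != "sslciphersuite":
            continue
        # The cipher spec is the last token (an optional protocol may precede it).
        spec = tokens[-1].strip("\"'")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.set_ciphers(spec)  # calls SSL_CTX_set_cipher_list()
            results.append((line_no, spec, True, ""))
        except ssl.SSLError as exc:
            results.append((line_no, spec, False, str(exc)))
    return results


if __name__ == "__main__":
    # Usage: script.py /path/to/include.conf  (no argument: check the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PASTED_CONF
    failed = False
    for line_no, spec, ok, err in check_cipher_suites(text):
        print(f"line {line_no}: {'OK' if ok else 'REJECTED'} {spec} {err}")
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

A non-zero exit means at least one cipher string was rejected, so the include should be corrected before Apache is restarted.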