Redhat “httpd” can not start anymore. Showing “suEXEC” and “SELinux” notices
Sorry, I have found the reason. This is totally because of the SSL CERT
problem. Not really because of above notices
.
It was nothing to do with above mentioned Messages.
Therefore please just ignore them.
How do I do was that I enabled the Apache Detailed Logs and then that's the real move. It shows what really is happening, by showing the Failure at the loading of mod_ssl module, while starting the Apache. Then I realized it is because of ssl.conf
(or the respective Vhost file) having the SSL Cert configurations inside.
There I made 2 mistakes. First, I didn't give read permissions to the CERT related files (.crt/ .key/ .csr). After that, more badly, one of the file was wrong.
Apache Error [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
One fine morning I have discovered that my Apache (httpd) service is down and can't be started :)
Step 1: Checking httpd Service Status:
#/etc/init.d/httpd status
httpd dead but pid file exists
Step 2: Search httpd processes and kill those
#ps -ef | grep httpd
# killall -9 httpd
Step 3: Remove httpd lock file if exist
# rm -f /var/lock/subsys/httpd
Step4: Restart Apache/httpd Service
# service httpd restart
Stop httpd [FAILED]
Start httpd [FAILED]
Need to dig down more.
Step 5: Check httpd error log file
# grep suexec /var/log/httpd/error_log
[Sun Sep 22 10:32:06 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:33:51 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:38:03 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:45:53 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
Step 6: Check httpd nss error log file
#tail -300 /var/log/httpd/nss_error_log
[Sun Sep 22 04:03:27 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 04:03:27 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 04:03:27 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Sun Sep 22 10:38:03 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:38:03 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 10:38:03 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Sun Sep 22 10:45:53 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:45:53 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 10:45:53 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
root cause of this issue is in a module called nss. mod_nss
is an alternative to mod_ssl
; it does a few things that mod_ssl
doesn't do, and can run along side mod_ssl
. For more information's, please go through the links [What is mod_nss , On Setting up Mod_NSS ,More detail ]
Step 7: Remove nss.conf file from httpd conf.d directory
#cd /etc/httpd/conf.d
#mv nss.conf nss.conf.orig
#mv ssl.conf ssl.conf.orig
#/etc/init.d/httpd start
Start httpd [OK]