Red Hat “httpd” cannot start anymore. Showing “suEXEC” and “SELinux” notices

Sorry, I have found the reason. This is entirely because of the SSL cert problem, not really because of the above notices.


It had nothing to do with the above-mentioned messages.
Therefore, please just ignore them.


What I did was enable the Apache detailed logs, and that was the real move. They show what is really happening: the failure when loading the mod_ssl module while starting Apache. Then I realized it was because ssl.conf (or the respective vhost file) has the SSL cert configuration inside.

There I made 2 mistakes. First, I didn't give read permissions to the cert-related files (.crt / .key / .csr). After that, even worse, one of the files was wrong.


Apache Error [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

One fine morning I discovered that my Apache (httpd) service was down and couldn't be started :)

Step 1: Checking httpd Service Status:

# /etc/init.d/httpd status

httpd dead but pid file exists

Step 2: Search for httpd processes and kill them

# ps -ef | grep httpd

# killall -9 httpd

Step 3: Remove the httpd lock file if it exists

# rm -f /var/lock/subsys/httpd

Step 4: Restart Apache/httpd Service

# service httpd restart
Stop httpd    [FAILED]
Start httpd   [FAILED]

Need to dig down more.

Step 5: Check httpd error log file

# grep suexec /var/log/httpd/error_log
[Sun Sep 22 10:32:06 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:33:51 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:38:03 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:45:53 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Step 6: Check httpd nss error log file

# tail -300 /var/log/httpd/nss_error_log
[Sun Sep 22 04:03:27 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 04:03:27 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 04:03:27 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Sun Sep 22 10:38:03 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:38:03 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 10:38:03 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Sun Sep 22 10:45:53 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:45:53 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 10:45:53 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

The root cause of this issue is in a module called nss. mod_nss is an alternative to mod_ssl; it does a few things that mod_ssl doesn't do, and can run alongside mod_ssl. For more information, please go through the links [What is mod_nss, On Setting up Mod_NSS, More detail]

Step 7: Remove the nss.conf file from the httpd conf.d directory

# cd /etc/httpd/conf.d
# mv nss.conf nss.conf.orig
# mv ssl.conf ssl.conf.orig
# /etc/init.d/httpd start
Start httpd   [OK]
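
Both answers come down to reading past the [notice] lines to the error-level entries. The following is an added example, not part of either post: a shell function that filters Apache 2.2-style log lines down to the distinct messages at level error or worse. The names `httpd_start_blockers` and `sample_log` are hypothetical, and the sample lines are constructed from the log format quoted above.

```shell
#!/bin/sh
# Added example: summarise what actually blocks httpd start-up.
# Reads "[timestamp] [level] message" lines from the files given as
# arguments (or stdin) and prints one line per distinct message at level
# error or worse: "<count> <level> <last-seen> | <message>".
# [notice] lines such as the suEXEC banner are informational and skipped.
httpd_start_blockers() {
    awk '
    # Matches e.g.: [Sun Sep 22 10:45:53 2013] [error] message...
    match($0, /^\[[^]]+\] \[(error|crit|alert|emerg)\] /) {
        head = substr($0, 1, RLENGTH)
        msg  = substr($0, RLENGTH + 1)
        split(head, p, /\] \[/)
        ts  = substr(p[1], 2)                  # drop the leading "["
        lvl = p[2]; sub(/\] $/, "", lvl)       # drop the trailing "] "
        if (!(msg in count)) order[++n] = msg  # keep first-seen order
        count[msg]++; level[msg] = lvl; last[msg] = ts
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            printf "%d %s %s | %s\n", count[m], level[m], last[m], m
        }
    }' "$@"
}

# Constructed sample, modelled on the log lines quoted in the post above.
sample_log() {
    cat <<'EOF'
[Sun Sep 22 10:38:03 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:38:03 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:38:03 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 10:45:53 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:45:53 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:45:53 2013] [error] SSL Library Error: -8181 Certificate has expired
EOF
}

# Demo run on the constructed sample; on a real host, pass the log files,
# e.g. /var/log/httpd/error_log /var/log/httpd/nss_error_log.
sample_log | httpd_start_blockers
```

Renaming nss.conf and ssl.conf takes them out of the conf.d include, so anything those files configured, including their TLS listeners, is no longer loaded. The summary above points at the certificate itself as the thing to fix.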