Bug 64133 - sometimes upon SIGHUP it doesn't like certificates and apache STOPS
sometimes upon SIGHUP it doesn't like certificates and apache STOPS
Status: CLOSED CANTFIX
Product: Red Hat Linux
Classification: Retired
Component: mod_ssl (Show other bugs)
7.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-04-26 03:56 EDT by hvv
Modified: 2008-05-01 11:38 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-18 12:44:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description hvv 2002-04-26 03:56:11 EDT
Description of Problem:
In the standard RH72 config, logrotate rotates logs every day at 4:00.
 After rotating, it sends SIGHUP to apache to restart (see
 /etc/logrotate.d/apache for exact details).
Upon receipt of it, apache tries to restart. Today it failed to restart
(thus, web server stopped running!!!) due to mod_ssl that thought that
there are some problems with certificates. I didn't modify certificates
(they are standard certificates for localhost, shipped with RH72).
The server configuration was last modified 4 days ago.
 Of course manually issuing 'service httpd restart' solved the problem.

 Here is a content of the error.log:
[Fri Apr 26 04:02:03 2002] [notice] SIGHUP received.  Attempting to restart
Processing config directory: /etc/httpd/conf/casino-conf
 Processing config file: /etc/httpd/conf/x/davpages-test
 Processing config file: /etc/httpd/conf/x/srvconfig
 Processing config file: /etc/httpd/conf/x/subsystems
 Processing config file: /etc/httpd/conf/x/subsystems-auth.in
[Fri Apr 26 04:02:04 2002] [alert] httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Apr 26 04:02:04 2002] [error] mod_ssl: Init: (127.0.0.1:443) Ops, no RSA or DSA server certificate found?!
        [Fri Apr 26 04:02:04 2002] [error] mod_ssl: Init: (127.0.0.1:443) You have to perform a *full* server restart when you added or removed a certificate and/or key file

Version-Release number of selected component (if applicable):
apache-1.3.20-16
mod_ssl-2.8.4-9
glibc-2.2.4-19


How Reproducible:
That's the 1st time during 4 month of web server's life.

Solution:
I rewrote /etc/logrotate.d/apache this way:
------
/var/log/httpd/access_log /var/log/httpd/agent_log /var/log/httpd/error_log /var/log/httpd/referer_log /var/log/httpd/ssl_request_log /var/log/httpd/ssl_engine_log {
    missingok
    sharedscripts
    postrotate
        #/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
        service httpd condrestart 2> /dev/null || true
    endscript
}
------

 - i.e. it restarts apache hard, thus guaranteeing that web server won't
stop.

 Also note: standard /etc/logrotate.d/apache doesn't direct to rotate
logs produced by ssl engine - namely /var/log/httpd/ssl_request_log and
/var/log/httpd/ssl_engine_log - I consider this a severe bug too. My version
of /etc/logrotate.d/apache lists them too. So please add these log files to
/etc/logrotate.d/apache - otherwise one can run out of space on a busy
https server.
Comment 1 Curtis Doty 2002-07-14 18:26:44 EDT
Simply editing the localhost name in /etc/hosts will cause apache to die when 
the next logrotate event occurs.

mod_ssl logs the following errors:
"Ops, no RSA or DSA server certificate found?!"
"You have to perform a *full* server restart when you added or removed a 
certificate and/or key file"
Comment 2 Bill Nottingham 2006-08-07 15:28:59 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 3 Bill Nottingham 2006-10-18 12:44:57 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.

Note You need to log in before you can comment on or make changes to this bug.