Description of problem:
In a customer's environment, httpd didn't start with the following error.

  [error] Oops, no RSA or DSA server certificate found for 'www.kennismakingslot.nl:0'?!

For this vhost, SSLCertificateFile and SSLCertificateKeyFile are configured properly in the config file.

The certificate should be inserted into a hash table in ssl_asn1_table_set(), called in ssl_pphrase_Handle(). But it's not executed for this vhost.

void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
    ...
    /*
     * Walk through all configured servers
     */
    for (pServ = s; pServ != NULL; pServ = pServ->next) {
        ...
        ucp = ssl_asn1_table_set(mc->tPublicCert, cp, length);
        ...
        if (pkey_mtime) {
            int i;

            for (i=0; i < SSL_AIDX_MAX; i++) {
                const char *key_id = ssl_asn1_table_keyfmt(p, cpVHostID, i);
                ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);

                if (asn1 && (asn1->source_mtime == pkey_mtime)) {
                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, pServ,
                                 "%s reusing existing "
                                 "%s private key on restart",
                                 cpVHostID, ssl_asn1_keystr(i));
                    return;       <<==== (A)

Before executing this for-loop for this vhost, this function returns at (A).

Version-Release number of selected component (if applicable):
httpd-2.2.3-43

How reproducible:
Always

Steps to Reproduce:
1. use the httpd configuration I will attach soon
2. service httpd start

Actual results:
httpd doesn't start.

Expected results:
httpd starts without any errors.

Additional info:
I created a proposed patch. I tested it and httpd started without errors. I will attach it as well.
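The control-flow shape the report points to, as an added example that is not httpd's code: a toy walk over a linked list of vhosts in which a 'return' at the cached-key check ends the walk early, beside a version that continues with the next server. The names vhost, cert_table, load_certs_buggy and load_certs_fixed, and the sample vhost ids, are constructed for illustration; they do not reproduce the committed fix.

```c
/* Added example, not httpd's own code: a toy model of the per-server walk in
 * ssl_pphrase_Handle(). vhost, cert_table and both load_certs_* functions are
 * constructed; key_cached stands in for the "source_mtime == pkey_mtime"
 * check, and cert_table for mc->tPublicCert. */
#include <stdio.h>

#define MAX_VHOSTS 8

typedef struct vhost {
    const char *id;      /* vhost id such as "a.example.test:443" (constructed) */
    int key_cached;      /* private key already present in the table */
    struct vhost *next;  /* stands in for server_rec->next */
} vhost;

typedef struct {
    const char *ids[MAX_VHOSTS];  /* ids whose certificate was stored */
    int count;
} cert_table;

static void table_set(cert_table *t, const char *id) {
    if (t->count < MAX_VHOSTS)
        t->ids[t->count++] = id;
}

/* Shape from the report: the cached-key branch ends the whole walk with
 * 'return', so no vhost after it gets its certificate stored. Returns the
 * number of certificates stored. */
static int load_certs_buggy(vhost *s, cert_table *t) {
    for (vhost *p = s; p != NULL; p = p->next) {
        table_set(t, p->id);          /* ssl_asn1_table_set(tPublicCert) */
        if (p->key_cached) {
            printf("%s reusing existing private key on restart\n", p->id);
            return t->count;          /* (A): remaining servers skipped */
        }
        /* ... otherwise read and store the private key for p ... */
    }
    return t->count;
}

/* Corrected shape: skip only this server's key handling and keep walking. */
static int load_certs_fixed(vhost *s, cert_table *t) {
    for (vhost *p = s; p != NULL; p = p->next) {
        table_set(t, p->id);
        if (p->key_cached) {
            printf("%s reusing existing private key on restart\n", p->id);
            continue;                 /* next server, not end of walk */
        }
        /* ... otherwise read and store the private key for p ... */
    }
    return t->count;
}
```

With three vhosts where the second one has a cached key, the buggy walk stores two certificates and the third vhost later fails with "no RSA or DSA server certificate found"; the corrected walk stores all three.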
Created attachment 457717 [details] proposed patch
Created attachment 457720 [details] proposed patch
Thanks for the report and patch. I'm away from a machine on which I can repro the problem at the moment.

The *-ssl.conf files are using:

  <VirtualHost ssd09-app4:443>
  ServerName www.kennismakingslot.nl

which is not quite correct; it should use a port-qualified ServerName throughout:

  ServerName www.kennismakingslot.nl:443

in all cases. Does it make a difference if this is changed throughout? (without the patch applied)
Hi Joe,

I tested with "ServerName www.kennismakingslot.nl:443" on an environment without my patch. And httpd didn't start with the same error.

# date
Sat Nov 6 08:19:50 IST 2010
# grep ServerName /etc/httpd/conf.d/ssd09-ssl.conf
ServerName www.kennismakingslot.nl:443
# service httpd start
Starting httpd:                                            [FAILED]
# tail -2 /var/log/httpd/ssd09-ssl-error_log
[Sat Nov 06 08:19:58 2010] [debug] ssl_engine_init.c(602): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[Sat Nov 06 08:19:58 2010] [error] Oops, no RSA or DSA server certificate found for 'www.kennismakingslot.nl:443'?!

Regards,
Masahiro
Thanks for that. I have committed upstream two changes:

http://svn.apache.org/viewvc?rev=1069765&view=rev ... a minor cleanup to the function.
http://svn.apache.org/viewvc?rev=1069772&view=rev ... an adapted version of your patch.

I do not see how the innermost loop there was necessary or correct, so I've removed it, which both simplifies the code and the change needed to fix the bug.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html