[olug] Apache will no longer run in Red Hat after a reboot

Justin Reiners justin at hotlinesinc.com
Tue Jan 27 23:07:48 CST 2015


Many, many, many XenServer farms here, never had that happen to me, even
sniping the domains does not cause that kind of failure, yikes. I did get
that weird corruption when I used VMware and the owner hit the red button
in the datacenter and killed the rack. It was three phase so it killed the
room. I was on vacation, and the boss was reminded how useful I really am.

On Tue, Jan 27, 2015 at 10:58 PM, T. J. Brumfield <enderandrew at gmail.com>
wrote:

> He was running CentOS inside of Microsoft Hyper-V. The box decided it
> wanted to reboot on its own. I suspect it didn't shut down the guest OS
> cleanly.
>
> Object lesson: Don't use Hyper-V.
>
> On Tue, Jan 27, 2015 at 9:48 PM, Justin Reiners <justin at hotlinesinc.com>
> wrote:
>
> > Was there a power loss or something? Wonder how they corrupted. We have nss
> > on every application server and have never had that happen.
> >
> > Makes sense though.
> > On Jan 27, 2015 8:45 PM, "T. J. Brumfield" <enderandrew at gmail.com> wrote:
> >
> > > SELinux was on, but wasn't the problem. Permissions were fine. NSS couldn't
> > > read the key stores because they were corrupt.
> > >
> > > certutil: function failed: security library: bad database.
> > >
> > > And the RPM db was corrupt. So was yum repo data.
> > >
> > > On Tue, Jan 27, 2015 at 3:52 PM, Kevin <sharpestmarble at gmail.com> wrote:
> > >
> > > > Is SELinux turned on? If it is and if it's the thing doing the blocking,
> > > > then it will manifest as a confusing permissions issue. Try this:
> > > > `setenforce Permissive` and see if it starts working.
> > > >
> > > > On Tue, Jan 27, 2015 at 2:26 PM, Damian Harouff <cekkent at gmail.com> wrote:
> > > >
> > > > > If this is stock RHEL-provided Apache, SSL should already be compiled in,
> > > > > which can be confirmed with:
> > > > >
> > > > > root at svr [~]# httpd -t -D DUMP_MODULES | grep ssl
> > > > >  ssl_module (static)
> > > > > root at svr [~]#
> > > > >
> > > > > Otherwise you'll have to compile it in or load the module.
> > > > >
> > > > > Once you get over that hurdle, getting SSL going should be as easy as
> > > > > specifying an additional VirtualHost directive on port 443 inside the
> > > > > site's configuration:
> > > > >
> > > > > <VirtualHost 192.168.1.1:443>
> > > > >         SSLEngine on
> > > > >         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > > > >
> > > > >         SSLCertificateFile      /etc/ssl/star.example.com.crt
> > > > >         SSLCertificateKeyFile   /etc/ssl/star.example.com.key
> > > > >
> > > > >         ServerName      "two.example.com"
> > > > >         DocumentRoot    "/var/www/html/two"
> > > > >
> > > > >         CustomLog       "/var/log/httpd/two-access.log" combined
> > > > >         ErrorLog        "/var/log/httpd/two-error.log"
> > > > >
> > > > >         <Directory /var/www/html>
> > > > >                 AllowOverride none
> > > > >
> > > > >                 Order Allow,Deny
> > > > >                 Allow from all
> > > > >         </Directory>
> > > > > </VirtualHost>
> > > > >
> > > > >
> > > > >
> > > > > On Tue, Jan 27, 2015 at 2:16 PM, T. J. Brumfield <enderandrew at gmail.com> wrote:
> > > > >
> > > > > > Yeah, that's what I tried. httpd.conf is inheriting any *.conf file in
> > > > > > /etc/httpd/conf.d so I just renamed nss.conf to nss.conf.bak (since
> > > > > > nss.conf was the file actually loading mod_nss) and when I did that,
> > > > > > Apache would start, but SSL wasn't working.
> > > > > >
> > > > > > On Tue, Jan 27, 2015 at 2:14 PM, Damian Harouff <cekkent at gmail.com> wrote:
> > > > > >
> > > > > > > I hate to be "that guy", but: is he even using mod_nss? Red Hat tends to
> > > > > > > enable a lot of things arbitrarily. I know that NSS is more "open", but
> > > > > > > mod_ssl might get him back online sooner.
> > > > > > >
> > > > > > > On Tue, Jan 27, 2015 at 2:11 PM, T. J. Brumfield <enderandrew at gmail.com> wrote:
> > > > > > >
> > > > > > > > I'll try 644. Every article I saw on this said it must be a permission
> > > > > > > > issue accessing the *.db files in /etc/httpd/alias but the permissions
> > > > > > > > appear to be set correctly.
> > > > > > > >
> > > > > > > > On Tue, Jan 27, 2015 at 2:05 PM, Lou Duchez <lou at paprikash.com> wrote:
> > > > > > > >
> > > > > > > > > https://www.centos.org/forums/viewtopic.php?t=5818
> > > > > > > > >
> > > > > > > > > The fix seems to be:
> > > > > > > > >
> > > > > > > > > cd /etc/httpd
> > > > > > > > > chmod -R +r alias
> > > > > > > > >
> > > > > > > > > I don't think that 640 is right; I think you're looking for 644.
> > > > > > > > >
> > > > > > > > >> I got a call from a friend whose business depends on an Apache web
> > > > > > > > >> server, but he doesn't know much about Linux. He is running Red Hat
> > > > > > > > >> inside of a Windows Hyper-V VM. He bounced the Windows box for
> > > > > > > > >> patching, which in turn rebooted his VM. He doesn't remember the last
> > > > > > > > >> time he installed updates in Red Hat, but he does it from time to time.
> > > > > > > > >>
> > > > > > > > >> /var/log/httpd/error_log is just full of this:
> > > > > > > > >>
> > > > > > > > >> [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> > > > > > > > >> [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
> > > > > > > > >>
> > > > > > > > >> I've never used NSS personally. I Googled for the error and literally
> > > > > > > > >> every hit I found was a permissions issue, that the apache wasn't
> > > > > > > > >> running under the right group or that group couldn't access the files
> > > > > > > > >> under /etc/httpd/alias.
> > > > > > > > >>
> > > > > > > > >> The problem is that doesn't appear to be the problem with my buddy.
> > > > > > > > >> Every httpd process is running under apache:apache and all the *.db
> > > > > > > > >> files in /etc/httpd/alias are 640 and owned by the apache group,
> > > > > > > > >> exactly how they should be.
> > > > > > > > >>
> > > > > > > > >> My buddy's business is down until we can resolve this.
> > > > > > > > >>
> > > > > > > > >> Any suggestions from someone more familiar with Red Hat/Fedora/CentOS
> > > > > > > > >> and NSS?
> > > > > > > > >>
> > > > > > > > >> -- T. J. Brumfield
> > > > > > > > >> "I'm questioning my education
> > > > > > > > >> Rewind and what does it show?
> > > > > > > > >> Could be, the truth it becomes you
> > > > > > > > >> I'm a seed, wondering why it grows"
> > > > > > > > >> -- Pearl Jam, Education
> > > > > > > > >> _______________________________________________
> > > > > > > > >> OLUG mailing list
> > > > > > > > >> OLUG at olug.org
> > > > > > > > >> https://lists.olug.org/mailman/listinfo/olug
> > > > > > > > >>



-- 

Justin Reiners /
800.308.9712/ Justin at HotlinesInc.com

Hotlines Inc Office: 800.807.2867 / Fax: 800.211.0843
427 E. Kanesville Blvd. Suite 403, Council Bluffs, IA 51503
http://www.partshotlines.com
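
Added example, not part of the original thread or any poster's configuration: the SSLCipherSuite string in the quoted VirtualHost starts from ALL, so weak suites stay enabled. Below is the same vhost with a tightened TLS policy, assuming Apache 2.2 with mod_ssl; the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder values are choices made for this example.

```apache
# Posted in the thread (kept here only for comparison). It starts from ALL, so
# 40-bit export and LOW (single-DES) suites remain in the list, as do SSLv2
# suites on OpenSSL builds that still ship them; the trailing +LOW:+SSLv2:+EXP
# terms only move those suites to the end of the preference order.
#   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

<VirtualHost 192.168.1.1:443>
        SSLEngine on

        # Assumed policy for this example: no SSLv2/SSLv3, strong suites only,
        # and the server's preference order wins over the client's.
        SSLProtocol             all -SSLv2 -SSLv3
        SSLCipherSuite          HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!LOW
        SSLHonorCipherOrder     on

        SSLCertificateFile      /etc/ssl/star.example.com.crt
        # Keep the private key readable by root only (mode 600); the httpd
        # parent process reads it before dropping privileges.
        SSLCertificateKeyFile   /etc/ssl/star.example.com.key

        ServerName      "two.example.com"
        DocumentRoot    "/var/www/html/two"

        CustomLog       "/var/log/httpd/two-access.log" combined
        ErrorLog        "/var/log/httpd/two-error.log"

        <Directory /var/www/html>
                AllowOverride none

                # Apache 2.2 access-control syntax, as in the thread.
                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>
```

Running `openssl ciphers -v` with a cipher string as its argument prints the suites that string expands to on the installed OpenSSL, which confirms whether any export, LOW or SSLv2 suites remain.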
