Start and Stop Apache Service With SSL Support

Sometimes a secured web server or portal goes down unexpectedly. The symptom can be found in the Apache error log. In the case we are facing now, the error log shows the following:
[Wed May 11 19:21:33 2011] [error] Init: Unable to read server certificate from file /etc/apache2/ssl.crt/server.crt
[Wed May 11 19:21:33 2011] [error] SSL Library Error: 325329960 error:0D063218:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed May 11 19:21:33 2011] [error] SSL Library Error: 326295386 error:0D12003A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 e


When we check the Apache daemon, the process list looks like this:
root@websvr01 # ps -ef | grep httpd
webadmin 5302 5299 0 07:17:30 ? 0:00 /usr/apache2/bin/httpd -k start
webadmin 5310 5299 0 07:17:30 ? 0:00 /usr/apache2/bin/httpd -k start
webadmin 5317 5299 0 07:17:30 ? 0:00 /usr/apache2/bin/httpd -k start
webadmin 5354 5299 0 07:17:30 ? 0:00 /usr/apache2/bin/httpd -k start
root 6842 9512 0 09:29:35 pts/1 0:00 grep httpd
webadmin 7991 5299 0 07:17:30 ? 0:00 /usr/apache2/bin/httpd -k start
root 5299 1 0 07:17:30 ? 0:07 /usr/apache2/bin/httpd -k start

* SSL is not indicated: the -DSSL flag does not appear on any httpd process.

The problem is located in the /etc/apache2/ssl.crt/server.crt and /etc/apache2/ssl.key/server.key files. Troubleshooting can start by regenerating the server.crt and server.key files. I recommend regenerating these server files on the development/testing server. Once the files are ready, we apply them to the production servers.

Here are the steps to restart Apache with SSL:

1. Shut down the Apache daemon:
/usr/apache2/bin/apachectl stop

2. Put the new certificate files in their correct locations:
/etc/apache2/ssl.crt/server.crt
/etc/apache2/ssl.key/server.key


3. Start the Apache daemon with SSL support:
/usr/apache2/bin/apachectl startssl

4. Check that the daemon is running properly:
root@websvr01 # ps -ef | grep httpd
webadmin 7992 7983 0 10:23:45 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webadmin 7989 7983 0 10:23:45 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webadmin 7990 7983 0 10:23:45 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webadmin 7988 7983 0 10:23:45 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
root 8740 12512 0 11:53:35 pts/1 0:00 grep httpd
webadmin 7991 7983 0 10:23:45 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
root 7983 1 0 10:23:45 ? 0:07 /usr/apache2/bin/httpd -k start -DSSL

SSL has been established on our portal again. These steps are only my own way; it will vary. :)
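
A pre-flight check that can run between steps 2 and 3, so an unreadable or mismatched certificate is caught before Apache is started. This is an added example, not part of the original post; the function name check_tls_pair is hypothetical, and it assumes an OpenSSL command-line tool that provides the pkey subcommand (1.0.0 or later).

```shell
#!/bin/sh
# check_tls_pair CERT KEY  (hypothetical helper, not part of Apache or OpenSSL)
# Returns 0 if the pair looks loadable, or a distinct non-zero code per failure.
check_tls_pair() {
    cert=$1
    key=$2

    # 1. Certificate must parse as PEM X.509. A failure here corresponds to
    #    "Unable to read server certificate" and the ASN.1 "wrong tag" errors.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 1
    fi

    # 2. Private key must parse without a passphrase (an empty one is
    #    supplied so an encrypted key fails here instead of prompting).
    if ! key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null); then
        echo "FAIL: $key is not a readable unencrypted private key" >&2
        return 2
    fi

    # 3. The public key inside the certificate must equal the key's public half.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert" >&2
        return 3
    fi

    # 4. Certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 4
    fi

    # 5. Key must be accessible to its owner only (no group/other bits).
    case $(ls -Lld "$key") in
        -???------*) ;;
        *) echo "FAIL: $key is accessible to group or others" >&2; return 5 ;;
    esac

    echo "OK: $cert and $key are consistent"
}

# Run against the files named on the command line, if two were given.
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

Saved as a script, it takes the two paths from step 2 as arguments: /etc/apache2/ssl.crt/server.crt and /etc/apache2/ssl.key/server.key.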
