Apache fails to start

Refers to:

  • Plesk for Linux

Created:

2016-11-16 13:00:22 UTC

Modified:

2016-12-21 19:44:23 UTC


Symptoms

After SSLv3 is manually disabled, Apache fails to start:

/etc/init.d/httpd start
Actual result that you got : [Failed]

The following entries are found in the Apache error log /var/log/httpd/error_log:

...
[Fri Oct 09 11:00:27 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 09 11:00:43 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
...

Strace output contains:

# strace -tvfs4096 /etc/init.d/httpd start
...
[pid 22542] 11:00:43 write(10, "[Fri Oct 09 11:00:43 2015] [error] Unable to configure permitted SSL ciphers\n", 77) = 77
[pid 22542] 11:00:43 write(10, "[Fri Oct 09 11:00:43 2015] [error] SSL Library Error: 336486680 error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command\n", 135) = 135
...

Cause

The SSLCipherSuite directive is missing from the /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf files.

Resolution

Check the Apache configuration files and make sure the records below are present:

# grep SSLCipherSuite /etc/httpd/conf.d/ssl.conf
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# grep SSLCipherSuite /etc/httpd/conf/httpd.conf
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+

NOTE: To disable SSLv3 and protect against the POODLE vulnerability, implement the solution from KB article #213410909.
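
The check from the Resolution section can be scripted. The following is an added example, not part of the original article: it reports configuration files with no active SSLCipherSuite directive and asks the local OpenSSL whether each configured cipher string parses. The function names are illustrative, and it assumes awk and the openssl command-line tool are installed.

```shell
#!/bin/sh
# Added example: audit SSLCipherSuite directives in Apache config files.
# Usage: sh check_ciphers.sh /etc/httpd/conf.d/ssl.conf /etc/httpd/conf/httpd.conf

# Print "LINE:VALUE" for each active (uncommented) SSLCipherSuite directive.
list_cipher_suites() {
    awk 'tolower($1) == "sslciphersuite" {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/^"|"$/, "")
        print NR ":" $0
    }' "$1"
}

# Succeed only if the local OpenSSL can parse the cipher string.
cipher_string_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Return 0 = all directives parse, 1 = directive missing,
# 2 = a cipher string is rejected, 3 = file unreadable.
audit_file() {
    file=$1
    [ -r "$file" ] || { echo "$file: cannot read"; return 3; }
    suites=$(list_cipher_suites "$file")
    [ -n "$suites" ] || { echo "$file: no SSLCipherSuite directive"; return 1; }
    rc=0
    while IFS= read -r entry; do
        line=${entry%%:*}
        value=${entry#*:}
        if cipher_string_ok "$value"; then
            echo "$file:$line: cipher string accepted"
        else
            echo "$file:$line: cipher string rejected: $value"
            rc=2
        fi
    done <<EOF
$suites
EOF
    return $rc
}

# Audit every file named on the command line (none when sourced without arguments).
for f in "$@"; do
    audit_file "$f" || true
done
```

The openssl binary on the PATH is not necessarily the same build as the library mod_ssl is linked against, so treat an accepted string as a strong hint rather than proof that Apache will start.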
