Greetings,

This is tested against 2.0.52, not appearing in the version list. My config hosts multiple name based virtualhosts, both HTTP and HTTPS. I have no 3rd party module running, apart from mod_security. This is on Debian Sarge, using Debian official packages for 2.0.52, in case it matters.

The problem seems to be about SSL vhosts (name based, with wildcard certificate). If I attempt to load them in a certain order, Apache raises an error "[error] Oops, no RSA or DSA server certificate found?!" at startup. I have found out that changing the loading order of virtualhosts solves the problem and gets the server to start fine.

Very strangely, the initial config has worked fine for months, and has started raising the error when I updated certificates and keys. (The former certificate was self-signed, and hence, the "SSLCACertificateFile" options were not present in the original, working config).

I have attached and numbered config files below (this is a Debian-like split config). The order that leads to the mentioned error is when loading extract configs in the order: 1 - 2 - 3. The order that leads to server starting fine is 1 - 3 - 2.

For the story, and in case it matters, this is a reverse proxy installation, with several IP addresses. You will notice in attached files that the <VirtualHost> argument is not the same from one file to another. I tend to believe that is the source of the problem, and grouping similar IPs together sort of solves the problem. Changing the ServerName of the 2nd VirtualHost block of the file "3" also "solves" the problem, but is not acceptable to my setup.

I am, of course, available for providing more details about this matter if this description is incomplete or unclear.

Cheers,
Vincent Deffontaines
Created attachment 13082 [details] File 1 included in the config as described inline
Created attachment 13083 [details] File 2 included in the config as described inline
Created attachment 13084 [details] File 3 included in the config as described inline
Can you put "LogLevel debug" in each vhost and then attach the complete error_log output for the failure case?
OK, good that you asked, because your question has caused me to find more details. Trying to get back in reproducing the bug, I found out changing the order of vhosts is not a solution.

I just found out the problem seems to come from the passphrase from the key. If the key has a passphrase, I get the error: "Oops, no RSA or DSA server certificate found?!". If I run "openssl rsa -in cert.key -out cert.key" on the key to remove the passphrase, Apache loads just fine, no matter the order of the vhosts.

You may want to close this bug, and have me open a new one for more clarity? Sorry for the confusion, I'm getting tired, performed the two changes [remove passphrase + change vhost order] at the same stage, which screwed my analysis.

Attached is the debug error log you asked for anyway.
Created attachment 13086 [details] The error log obtained on the error condition.
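The reporter's comment above ties the startup error to a passphrase-protected key file. As an added example (not from this thread or from the httpd project), the following pre-start check lists every <VirtualHost> block whose SSLCertificateKeyFile points at an encrypted PEM key; the addresses, host names, paths and key stubs are constructed, and paths containing spaces are not handled.

```python
import re

# Header lines that mark a passphrase-protected PEM private key.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8
                     "Proc-Type: 4,ENCRYPTED")                 # traditional PEM

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|SSLCertificateKeyFile)\s+(\S+)", re.I)

def key_is_encrypted(pem_text):
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)

def audit_vhosts(config_text, read_key):
    """List (vhost address, ServerName, key path) for vhosts with an encrypted key."""
    findings, current = [], None
    for line in config_text.splitlines():
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addr": opened.group(1).strip()}
        elif VHOST_CLOSE.match(line) and current is not None:
            key_path = current.get("sslcertificatekeyfile")
            # read_key maps a key path to its PEM text (a file read in real use)
            if key_path and key_is_encrypted(read_key(key_path)):
                findings.append((current["addr"], current.get("servername"), key_path))
            current = None
        elif current is not None:
            directive = DIRECTIVE.match(line)
            if directive:
                current[directive.group(1).lower()] = directive.group(2).strip('"')
    return findings

# Constructed sample input: two name-based SSL vhosts on different addresses.
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:443>
    ServerName a.example.test
    SSLCertificateKeyFile /etc/ssl/private/wild-enc.key
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName b.example.test
    SSLCertificateKeyFile "/etc/ssl/private/wild-plain.key"
</VirtualHost>
"""
SAMPLE_KEYS = {  # constructed stubs: only the PEM header lines matter to this check
    "/etc/ssl/private/wild-enc.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n",
    "/etc/ssl/private/wild-plain.key": "-----BEGIN RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for addr, name, path in audit_vhosts(SAMPLE_CONFIG, SAMPLE_KEYS.__getitem__):
        print(f"{addr} {name}: {path} is passphrase-protected")
```

Against a real tree, pass `lambda p: open(p).read()` as `read_key` and feed each included config file in turn.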
Is this still reproducible in 2.0.54? It could be one of the random problems which are caused by not clearing the OpenSSL error stack enough.
Dear Joe,

Exactly the same error happened with apache httpd-2.2.2, and as the original post proposed, the grouping of VirtualHosts helped. Setting loglevel to debug just prints the next three lines into the error log of the erroneous virtualhost:

[Mon Jul 10 12:13:18 2006] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Mon Jul 10 12:13:18 2006] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:!LOW:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP]
[Mon Jul 10 12:13:18 2006] [error] Oops, no RSA or DSA server certificate found for 'my.hostname.hu:0'?!

Best,
Aron Ujvari
What version of OpenSSL? Can you narrow this down to an exact reproduction case: a single config file using self-signed certs? Also try using a vanilla httpd build rather than Debian's too.
I have the same problem in Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 DAV/2
Created attachment 26640 [details] probable fix

The bug fixed in the trunk r1069765 and r1069772 is probably (but not definitely) the issue being seen here. Attached backport for 2.2.x.
*** Bug 41164 has been marked as a duplicate of this bug. ***
*** Bug 39192 has been marked as a duplicate of this bug. ***
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.