Apache no longer starts after update of 4.2


#1

Yesterday I installed the updates for UCS 4.2 on our server. Now Apache no longer starts. The error message is as follows.

May 14 19:52:55 srv01 apache2[23317]: Stopping web server: apache2.
May 14 19:52:55 srv01 apache2[23317]: The apache2 configtest failed, so we are trying to kill it manually. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now! ... (warning).
May 14 19:52:55 srv01 systemd[1]: Starting LSB: Apache2 web server...
May 14 19:52:55 srv01 apache2[23346]: Starting web server: apache2 failed!
May 14 19:52:55 srv01 apache2[23346]: The apache2 configtest failed. ... (warning).
May 14 19:52:55 srv01 apache2[23346]: Output of config test was:
May 14 19:52:55 srv01 apache2[23346]: AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/default-ssl.conf:
May 14 19:52:55 srv01 apache2[23346]: SSLCertificateFile: file '/etc/univention/letsencrypt/signed.crt' does not exist or is empty
May 14 19:52:55 srv01 apache2[23346]: Action 'configtest' failed.
May 14 19:52:55 srv01 apache2[23346]: The Apache error log may have more information.
May 14 19:52:55 srv01 systemd[1]: apache2.service: control process exited, code=exited status=1
May 14 19:52:55 srv01 systemd[1]: Failed to start LSB: Apache2 web server.
May 14 19:52:55 srv01 systemd[1]: Unit apache2.service entered failed state.

I am asking for help.
Thanks.
Helmut


#2

Hello

The error message itself is fairly clear.

May 14 19:52:55 srv01 apache2[23346]: AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/default-ssl.conf:
May 14 19:52:55 srv01 apache2[23346]: SSLCertificateFile: file '/etc/univention/letsencrypt/signed.crt' does not exist or is empty

The CertFile specified in the config does not exist as given.

Kind regards from bytemine GmbH


#3

Hi!

Apache is trying to use a Let's Encrypt certificate that does not exist. I would first reset the UCR variables to their defaults:

ucr unset apache2/ssl/certificate apache2/ssl/certificatechain apache2/ssl/key

Then Apache2 should at least start again (with the self-signed certificate of the UCS PKI).

To use Let's Encrypt certificates again afterwards, it is probably easiest to run /usr/share/univention-letsencrypt/setup-letsencrypt again. It would also be interesting to see what /var/log/univention/letsencrypt.log contains.
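
A pre-restart check for the failure in this thread, as an added example that is not part of the original posts: it lists the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile paths in an Apache config file and reports any that do not exist or are empty. The function names and the sample file are made up for illustration; `apache2ctl configtest` remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the thread): flag certificate/key files referenced
# by an Apache config that are missing or empty, i.e. the AH00526 condition.

# Print "Directive path" for each SSL file directive in config file $1.
ssl_file_directives() {
    # Directive names are case-insensitive; comment lines are skipped.
    # Only double quotes around the path are stripped (no spaces in paths).
    awk '
        /^[[:space:]]*#/ { next }
        {
            d = tolower($1)
            if (d == "sslcertificatefile" || d == "sslcertificatekeyfile" ||
                d == "sslcertificatechainfile") {
                p = $2
                gsub(/^"|"$/, "", p)
                print $1, p
            }
        }' "$1"
}

# Report every referenced file that does not exist or has size zero.
# Returns 0 if all referenced files are usable, 1 otherwise.
check_ssl_files() {
    rc=0
    list=$(ssl_file_directives "$1")
    while read -r directive path; do
        [ -n "$directive" ] || continue
        [ -s "$path" ] || { echo "$directive $path: missing or empty"; rc=1; }
    done <<EOF
$list
EOF
    return "$rc"
}

# Constructed sample: key present, certificate empty, chain file absent.
make_sample() {
    dir=$(mktemp -d)
    printf 'placeholder\n' > "$dir/private.key"
    : > "$dir/signed.crt"
    cat > "$dir/default-ssl.conf" <<EOF
    # SSLCertificateFile /old/unused.crt
    SSLCertificateFile "$dir/signed.crt"
    sslcertificatekeyfile $dir/private.key
    SSLCertificateChainFile $dir/chain.crt
EOF
    echo "$dir"
}

if [ "$#" -gt 0 ]; then check_ssl_files "$1"; fi
```

Run it with a config path as its argument, for example the default-ssl.conf named in the error message; files pulled in through Include directives are not followed.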


#4

Many thanks for the help. Yes, Apache now starts again, and so Kopano etc. is reachable again :)

The letsencrypt.log contains the following:

Fre Apr 27 17:29:58 CEST 2018
Refreshing certificate for following domains:
ffozsrv01.no-ip.biz
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying xxx.dom.xx...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /var/www/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY, but couldn't download http://xxx.dom.xx/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY
Create letsencrypt/status
Module: zarafa-cfg
Module: kopano-cfg
Fre Apr 27 17:30:36 CEST 2018
Refreshing certificate for following domains:
xxx.dom.xx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying xxx.dom.xx...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /var/www/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY, but couldn't download http://xxx.dom.xx/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY
Setting letsencrypt/status
Module: zarafa-cfg
Module: kopano-cfg
Fre Apr 27 17:31:00 CEST 2018
Refreshing certificate for following domains:
xxx.dom.xx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying xxx.dom.xx...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /var/www/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY, but couldn't download http://xxx.dom.xx/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY
Setting letsencrypt/status
Module: kopano-cfg
Module: zarafa-cfg
Fre Apr 27 17:31:50 CEST 2018
Refreshing certificate for following domains:
xxx.dom.xx xxx.dom.local
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying xxx.dom.local...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 104, in get_crt
    raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 400 {
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: Name does not end in a public suffix",
  "status": 400
}
Setting letsencrypt/status
Module: zarafa-cfg
Module: kopano-cfg
Fre Apr 27 17:32:31 CEST 2018
Refreshing certificate for following domains:
xxx.dom.xx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying xxx.dom.xx...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /var/www/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY, but couldn't download http://xxx.dom.xx/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY
Setting letsencrypt/status
Module: zarafa-cfg
Module: kopano-cfg
Fre Apr 27 17:34:16 CEST 2018
Refreshing certificate for following domains:
xxx.dom.xx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying xxx.dom.xx...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /var/www/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY, but couldn't download http://xxx.dom.xx/.well-known/acme-challenge/PwISS-HsU8XD9nlZR-g5v_CzWGe1Jv4tMFIL7GgWKoY
Setting letsencrypt/status
Module: kopano-cfg
Module: zarafa-cfg
Fre Apr 27 17:35:49 CEST 2018
Refreshing certificate for following domains:
https://xxx.dom.xx
Parsing account key...
Parsing CSR...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 70, in get_crt
    raise IOError("Error loading {0}: {1}".format(csr, err))
IOError: Error loading /etc/univention/letsencrypt/domain.csr: unable to load X509 request
140134423606928:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE REQUEST

Setting letsencrypt/status
Module: zarafa-cfg
Module: kopano-cfg
Die Mai  1 03:30:05 CEST 2018
Refreshing certificate for following domains:
https://xxx.dom.xx
Parsing account key...
Parsing CSR...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 70, in get_crt
    raise IOError("Error loading {0}: {1}".format(csr, err))
IOError: Error loading /etc/univention/letsencrypt/domain.csr: unable to load X509 request
140669297419920:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE REQUEST

Setting letsencrypt/status
Module: kopano-cfg
Module: zarafa-cfg

Regards
Helmut