Problem
After the apache2 update, Apache no longer starts on the server. After some searching we found that the ssl module was disabled.
univention-apache (12.0.6-1) wird eingerichtet ...
Multifile: /etc/apache2/sites-available/default-ssl.conf
File: /etc/apache2/mods-available/ssl.conf
File: /etc/apache2/ports.conf
[...]
Module ssl disabled.
Investigation
It looks like the ssl module was disabled by the univention-apache package. So let’s take a look what the install script from that package is doing:
1. Download the package:
apt-get download univention-apache
2. Extract the package to the current directory:
ar -x univention-apache*.deb
3. Extract the control.tar.xz in which the install script is:
tar -xf control.tar.xz
4. Open the postinst file and look out for calls that disable the ssl module. We can find the following part where the script decides wether to enable or disable ssl:
#Check, whether we can safely enable ssl
#The private key could also be included inside the certificate file, so we don't require it here
ENABLE_SSL=yes
CERT_PATH="/etc/univention/ssl/$hostname.$domainname/cert.pem"
if [ ! -z "$apache2_ssl_certificate" ]; then
CERT_PATH="$apache2_ssl_certificate"
fi
if [ ! -f "$CERT_PATH" ]; then
ENABLE_SSL=no
fi
if [ $ENABLE_SSL = yes ]; then
a2enmod ssl
a2ensite default-ssl.conf || true
else
a2dismod ssl
a2dissite default-ssl.conf|| true
fi
5. Conclusion
The univention-apache package runs through a postinst script, which, among other things, checks the presence of a apache2 ssl certificate. However, the ucr variable apache2/ssl/certificate is primarily used. We checked the variable with ucr get apache2/ssl/certificate and noticed that the certificate is not present on the system, which is why the postinst script decides to disable SSL.
Solution
Correctly configure the ucr variable apache2/ssl/certificate and make sure that the certificate exists and is valid. For further help take a look at the following articles: