GUI broken after https ssl certificate install


(Pricie1991) #1

Hi All,

Today I installed our SSL certificate to enable HTTPS; however, it was ages installing, then the GUI didn’t load.
Now we are unable to get to the GUI. I’ve logged into the CLI and tried service httpd restart and it fails.

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2020-09-16 20:33:20 BST; 23s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 16174 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 16173 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 16173 (code=exited, status=1/FAILURE)

Sep 16 20:33:20 freepbx.fortress.local systemd[1]: Starting The Apache HTTP Server…
Sep 16 20:33:20 freepbx.fortress.local httpd[16173]: [Wed Sep 16 20:33:20.205300 2020] [so:warn] [pid 16173] AH01574: module ssl_module is already loaded, skipping
Sep 16 20:33:20 freepbx.fortress.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 16 20:33:20 freepbx.fortress.local kill[16174]: kill: cannot find process “”
Sep 16 20:33:20 freepbx.fortress.local systemd[1]: httpd.service: control process exited, code=exited status=1
Sep 16 20:33:20 freepbx.fortress.local systemd[1]: Failed to start The Apache HTTP Server.
Sep 16 20:33:20 freepbx.fortress.local systemd[1]: Unit httpd.service entered failed state.
Sep 16 20:33:20 freepbx.fortress.local systemd[1]: httpd.service failed.
[root@freepbx ~]#

Anyone have any ideas?


(TheWebMachine Networks (Sangoma Software Development Partner)) #2

Can you please explain the process with which you installed the certificate? Did you use Certificate Management? Is this a LetsEncrypt cert or one you obtained elsewhere?

In short, we need a bit more information about your situation before we can even begin to help you out.


(Pricie1991) #3

We used Certificate Management and uploaded a signed certificate from our CA.
We then went to System Admin > Https Setup, selected uploaded certificate and pressed install.

It sat on installing for 10 minutes + then gui stopped working. We have also tried restarting the server.


(Pricie1991) #4

Anyone got any ideas? Still have no GUI; thankfully the call server is still working.


(Shahin Nazir) #5

Hi @pricie1991
What about your PBX module updates? Are they up to date?
Please try checking for updates first, and check your SSL permissions. It could be that your PBX Cert Manager module version is old.

  • fwconsole ma refreshsignatures
  • fwconsole ma showupgrades
  • fwconsole ma upgradeall
  • fwconsole chown
  • fwconsole r --verbose

Try to re-install your Custom SSL Certificate and check HTTPS Port from Port Management:

Admin --> System Admin --> 1-Port Management : HTTPS Port check 443 -->
2- HTTPS Setup --> Settings Tab --> Press to Install Button.

Then you can check your FQDN name (SSL certificate) from the PBX CLI with the command below.

openssl s_client -connect pbx_fqdn_name:443

If all is okay, you should see the messages below returned on your PBX CLI display.

Verify return code: 0 (ok)
---
read:errno=0


#6

He can’t do that because httpd isn’t running.


#7

My guess is the cert is hosed and causing apache to bomb out.

Try manually generating your own cert for apache from the command line:

mv /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.old
mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out  /etc/pki/tls/certs/localhost.crt
systemctl start httpd

With luck that may get the GUI operational and then you can try the import again.


(Pricie1991) #8

Did all you suggested and still came back with:

[root@freepbx ~]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.


(Pricie1991) #9

Just found this, not sure if it helps?

[root@freepbx ~]# egrep -R "Listen" /etc/httpd/
/etc/httpd/conf/httpd.conf:# Listen: Allows you to bind Apache to specific IP addresses and/or
/etc/httpd/conf/httpd.conf:# Change this to Listen on specific IP addresses as shown below to
/etc/httpd/conf/httpd.conf:#Listen 12.34.56.78:80
/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/conf.d/schmoozecom.conf:Listen 80
/etc/httpd/conf.d/schmoozecom.conf:Listen 82
/etc/httpd/conf.d/schmoozecom.conf:Listen 84
Binary file /etc/httpd/modules/mod_heartmonitor.so matches
Binary file /etc/httpd/modules/mod_mpm_event.so matches
Binary file /etc/httpd/modules/mod_mpm_prefork.so matches
Binary file /etc/httpd/modules/mod_mpm_worker.so matches


(Pricie1991) #10

cat /var/log/httpd/error_log
[Thu Sep 24 09:20:31.514337 2020] [suexec:notice] [pid 23983] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 24 09:20:31.515175 2020] [ssl:emerg] [pid 23983] AH01903: Failed to configure CA certificate chain!
[Thu Sep 24 09:20:31.515192 2020] [ssl:emerg] [pid 23983] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Sep 24 09:29:36.317872 2020] [suexec:notice] [pid 25074] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 24 09:29:36.318825 2020] [ssl:emerg] [pid 25074] AH01903: Failed to configure CA certificate chain!
[Thu Sep 24 09:29:36.318867 2020] [ssl:emerg] [pid 25074] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Sep 24 09:31:01.644409 2020] [suexec:notice] [pid 25285] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 24 09:31:01.645173 2020] [ssl:emerg] [pid 25285] AH01903: Failed to configure CA certificate chain!
[Thu Sep 24 09:31:01.645191 2020] [ssl:emerg] [pid 25285] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Sep 24 09:31:34.153399 2020] [suexec:notice] [pid 25396] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 24 09:31:34.154215 2020] [ssl:emerg] [pid 25396] AH01903: Failed to configure CA certificate chain!
[Thu Sep 24 09:31:34.154242 2020] [ssl:emerg] [pid 25396] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Sep 24 09:59:39.565089 2020] [suexec:notice] [pid 28563] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 24 09:59:39.566245 2020] [ssl:emerg] [pid 28563] AH01903: Failed to configure CA certificate chain!
[Thu Sep 24 09:59:39.566288 2020] [ssl:emerg] [pid 28563] AH02312: Fatal error initialising mod_ssl, exiting.


#11

Apologies, I had paths for centos defaults in error.

Let’s try a simpler approach, try:

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.old
systemctl restart httpd

Wouldn’t hurt to post the contents of the file too.


(Pricie1991) #13

Your suggestion worked I now have GUI access thank you.

systemctl restart httpd


(Pricie1991) #14

So I tried to reinstall the SSL certificate and ended back up in the same place.
I have to do:

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.old
systemctl restart httpd

to get the gui back.
Any ideas how to install ssl certificate without having this issue?


#15

Post the /etc/httpd/conf.d/ssl.conf.old file

Have you tried generating a LetsEncrypt cert to see if that works?
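
The AH01903 error in post #10 is logged when mod_ssl cannot load the certificate chain configured in ssl.conf, so checking the files that ssl.conf references shows which one is at fault before httpd is restarted. The following is an added example, not part of the thread or FreePBX's own tooling; the function names are hypothetical, and it assumes `openssl` is installed and the private key is stored unencrypted.

```shell
#!/bin/sh
# Added example (not FreePBX tooling): check the certificate files an Apache
# ssl.conf points at before restarting httpd. Function names are hypothetical.

# Print "Directive path" for each active (uncommented) certificate directive.
ssl_conf_paths() {
    awk '$1 ~ /^SSL(CA)?Certificate(File|KeyFile|ChainFile)$/ {
             gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# Return 0 only if every referenced file is present, parses as PEM, and the
# private key belongs to the server certificate.
check_ssl_conf() {
    local conf="$1" rc=0 directive path cert="" key=""
    while read -r directive path; do
        [ -n "$directive" ] || continue
        if [ ! -s "$path" ]; then
            echo "FAIL $directive: $path is missing or empty"; rc=1; continue
        fi
        if [ "$directive" = SSLCertificateKeyFile ]; then
            key="$path"
            openssl pkey -in "$path" -noout -passin pass: 2>/dev/null ||
                { echo "FAIL $directive: $path is not an unencrypted PEM key"; rc=1; }
        else
            if [ "$directive" = SSLCertificateFile ]; then cert="$path"; fi
            openssl x509 -in "$path" -noout 2>/dev/null ||
                { echo "FAIL $directive: $path contains no PEM certificate"; rc=1; }
        fi
    done <<EOF
$(ssl_conf_paths "$conf")
EOF
    # Compare the public key embedded in the certificate with the key's own.
    if [ "$rc" -eq 0 ] && [ -n "$cert" ] && [ -n "$key" ]; then
        if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
             "$(openssl pkey -in "$key" -pubout -passin pass:)" ]; then
            echo "FAIL: $key does not match $cert"; rc=1
        fi
    fi
    return "$rc"
}

# Usage: sh check_ssl_conf.sh /etc/httpd/conf.d/ssl.conf && systemctl restart httpd
if [ "$#" -gt 0 ]; then check_ssl_conf "$1"; fi
```

Run it against the ssl.conf that the HTTPS Setup page wrote (or the saved ssl.conf.old) to see which directive names an empty, malformed or mismatched file.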

