Apache questions

Hi all,
So I had Apache working yesterday but today it won't start. It gives a message that Apache failed to start.
I checked the http_error.log file; it tells me that SSL failed because of no cert.
So question 1, is there a current set of instructions on how to create a cert?
2. does no cert block Apache from starting?
3. The section on Apache in the handbook follows DNS set up & zero conf, do I have to have them?
I'm on FreeBSD 15 if it matters.

Thanks in advance.
 
So question 1, is there a current set of instructions on how to create a cert?
Self-signed? Proper certificate? Letsencrypt? What kind of certificate are you looking for? Letsencrypt is probably easy enough, cheap (free), has a limited lifespan (typically 3 months) but can be refreshed automatically through some scripts. Generally only useful if you want to provide access to the website/webserver from the internet though.

does no cert block Apache from starting?
If you enabled SSL/TLS and it cannot find the website's certificate, yes. You can run a webserver without SSL/TLS though. But you obviously won't have any encryption of the data.

The section on Apache in the handbook follows DNS set up & zero conf, do I have to have them?
Depends, you can access the webpage just on its IP address, but that's usually a bit difficult to remember for us humans.
I'm on FreeBSD 15 if it matters.
Nothing at all.
 
Self-signed? Proper certificate? Letsencrypt? What kind of certificate are you looking for? Letsencrypt is probably easy enough, cheap (free), has a limited lifespan (typically 3 months) but can be refreshed automatically through some scripts. Generally only useful if you want to provide access to the website/webserver from the internet though.

self signed a proper cert, and what's the best way or program to do this with? It's been a few years since I've done this on Unix. All I can find for creating the cert is certbot and it doesn't install.
 
Okay so I found a command that creates a cert
Code:
openssl req -new -x509 -days 365 -keyout mykey.key -out mycert.crt
and I found the crt & key files, but it suggests moving them to a Cert folder. I don't have one but it can be created. So where are the files actually supposed to go? Just leave them in etc or add them to /usr/local/etc/apache24?
 
On Linux I used to do this and keep the certs in a general folder:
Code:
openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key'
Code:
openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730

And pointed nginx to the certs:
Code:
ssl_certificate '/etc/ssl/certs/nginx.crt';
ssl_certificate_key '/etc/ssl/certs/nginx.key';



On FreeBSD I used py311-certbot Standalone (not webserver/plugin-specific) and pointed nginx to those files:
Code:
ssl_certificate '/usr/local/etc/letsencrypt/live/website.tld/fullchain.pem';
ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/website.tld/fullchain.pem';
ssl_certificate_key '/usr/local/etc/letsencrypt/live/website.tld/privkey.pem';
 
Espionage724 When you say redirect Apache to the SSL Folder you created, are you making the change in httpd.conf or in the ssl.conf file?
Thanks for letting me know that I can create a folder for them and just point to it.
 
I don't currently use automation, so doing it manually, I create

Code:
/usr/local/etc/apache24/certificates/sitex.com
/usr/local/etc/apache24/certificates/sitey.com

Make sure any key files (in particular) are root-only-readable.

Then in Apache configuration (/usr/local/etc/apache24/extra/httpd-ssl.conf) for a virtual host:
Code:
<VirtualHost *:443>
    ServerName sitex.com
    ...
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/apache24/certificates/sitex.com/somecert.crt"
    ...
</VirtualHost>

You can split out the ssl configuration for each site if you don't want to put in your main httpd-ssl.conf.

So something like this in httpd-ssl.conf:
Code:
Include /somelocation/etc/apache24/*.conf
 
So now it tells me it can't find /usr/local/etc/apache24/extra/httpd-ssl.conf.
I can 'cat' the file it shows up. When I 'ls' I can see the file. What did I do wrong? The path I have is /usr/local/etc/apache24/certs/, at a loss here.
Thanks for the help so far.
 
So now it tells me it can't find /usr/local/etc/apache24/extra/httpd-ssl.conf.
I can 'cat' the file it shows up. When I 'ls' I can see the file. What did I do wrong? The path I have is /usr/local/etc/apache24/certs/, at a loss here.
Thanks for the help so far.

Permissions?

What is the exact error message?
 
The whole error when I try starting Apache is that there is an error on line 526 of httpd.conf. It states it can't find httpd-ssl.conf in the extra folder. I'll check the permissions on the certs folder. The line I posted earlier is when I run 'http -t'.
That I know of, the file should have the same permissions as before I added the path to my cert.
 
the user the http server runs under must be able to read the key files. this means that all of the directories leading up to it must be at least mode 711. also, if you're running in a chroot, those file paths must be under the chroot.

personally we use acmed to get LetsEncrypt certs and have nginx use them. it's been a LONG time since we used apache...
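
Added example, not part of any post in the thread: one pass over the permission points raised so far (key files readable only by their owner, every directory on the path at least mode 711, paths inside the chroot if one is used). `check_key_path`, the `sitex.com/site.key` file name and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. check_key_path is a hypothetical helper:
# it walks from a key file up to TOP (default /; pass the chroot directory if
# one is used) and reports directories "other" cannot traverse, plus a key
# file that group or other can access. Only the "other" bits are tested, so
# it assumes the server user neither owns the directories nor is in their group.
check_key_path() {
    key=$1
    top=${2:-/}
    rc=0
    case $key in /*) ;; *) echo "USAGE absolute path required"; return 2 ;; esac
    [ -e "$key" ] || { echo "MISSING $key"; return 2; }
    # ls -L follows symlinks; characters 1-10 are the file type and mode bits.
    mode=$(ls -ldL "$key" | cut -c1-10)
    case $mode in
        -???------) echo "KEY-OWNER-ONLY $mode $key" ;;
        *)          echo "KEY-WIDE $mode $key"; rc=1 ;;
    esac
    dir=$(dirname "$key")
    while :; do
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            d????????[xt]) echo "SEARCHABLE $mode $dir" ;;
            *)             echo "BLOCKED $mode $dir"; rc=1 ;;
        esac
        if [ "$dir" = "$top" ]; then break; fi
        if [ "$dir" = / ]; then
            echo "OUTSIDE $key is not under $top"; rc=1
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed demo tree under a temporary directory standing in for the chroot.
demo=$(mktemp -d)
mkdir -p "$demo/certificates/sitex.com"
touch "$demo/certificates/sitex.com/site.key"
chmod 711 "$demo" "$demo/certificates"
chmod 700 "$demo/certificates/sitex.com"      # directory closed to "other"
chmod 600 "$demo/certificates/sitex.com/site.key"
check_key_path "$demo/certificates/sitex.com/site.key" "$demo" || echo "problems found"
rm -rf "$demo"
```
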
 
the user the http server runs under must be able to read the key files. this means that all of the directories leading up to it must be at least mode 711. also, if you're running in a chroot, those file paths must be under the chroot.

personally we use acmed to get LetsEncrypt certs and have nginx use them. it's been a LONG time since we used apache...
Is Apache that bad? You're like the 2nd or 3rd person to mention nginx, big sad:(
 
It doesn't let me copy and paste from the VM to the local machine, sorry. I could screenshot it here if it's so important. I put what it tells me with a little paraphrasing.

People sometimes turn a specific error message such as "permission denied" into a flapsy "can't open". That destroys our ability to help.
 
it's not "bad" in our mind so much as "special purpose", like if you have a mod_perl app with apache-specific behaviors that you need to host. for 99% of modern deployments, nginx is simply easier to use, in our experience.

also it's easier to copy/paste out of a VM if you ssh into it, instead of using the VM console.
 
So is line 526 in your httpd.conf *exactly* as below?
Code:
Include etc/apache24/extra/httpd-ssl.conf
Do not worry about the certificates part, yet, sort out this issue first - getting Apache to see the httpd-ssl.conf file.
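
Added example, not part of any post in the thread: Apache resolves a relative Include path, such as the one quoted above, against ServerRoot, so the check below resolves each active Include the same way and reports targets that do not exist. `check_includes`, its PREFIX argument and the sample config (including `ServerRoot "/usr/local"`) are constructed for illustration; it assumes the config sets ServerRoot explicitly.

```shell
#!/bin/sh
# Added example, not from the thread. check_includes is a hypothetical helper
# that resolves each active Include in an Apache config against ServerRoot and
# reports targets that do not exist. The optional PREFIX argument lets it run
# against a copy of the tree. Paths containing whitespace are not handled.
check_includes() {
    conf=$1
    prefix=${2:-}
    # First ServerRoot directive, surrounding quotes stripped.
    root=$(awk 'tolower($1) == "serverroot" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    # Commented-out directives are skipped: their first field starts with "#".
    awk 'tolower($1) ~ /^include(optional)?$/ { gsub(/"/, "", $2); print $2 }' "$conf" |
    while IFS= read -r target; do
        case $target in
            /*) path=$target ;;          # absolute: used as written
            *)  path=$root/$target ;;    # relative: resolved against ServerRoot
        esac
        status=MISSING
        # Unquoted on purpose so wildcard includes such as *.conf expand.
        for f in $prefix$path; do
            if [ -e "$f" ]; then status=OK; fi
        done
        echo "$status $target -> $path"
    done
}

# Constructed demo tree and config; nothing here touches the real /usr/local.
demo=$(mktemp -d)
mkdir -p "$demo/usr/local/etc/apache24/extra" "$demo/usr/local/etc/apache24/Includes"
touch "$demo/usr/local/etc/apache24/extra/httpd-ssl.conf"
cat > "$demo/httpd.conf" <<'EOF'
ServerRoot "/usr/local"
#Include etc/apache24/extra/httpd-vhosts.conf
Include etc/apache24/extra/httpd-ssl.conf
Include /etc/apache24/extra/httpd-ssl.conf
Include etc/apache24/Includes/*.conf
EOF
check_includes "$demo/httpd.conf" "$demo"
rm -rf "$demo"
```

On a live system the call is `check_includes /usr/local/etc/apache24/httpd.conf` with no prefix; a MISSING line shows the full path Apache will try to open.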
 