Solved apache22 will not start with -DSSL

Early this morning ran pkg upgrade. It removed apache22 and some others, and installed apache24. Subsequently uninstalled apache24. Installed apache22.

When attempting to start apache22, it would not start.

If /etc/rc.conf is set with
Code:
apache22_flags="-DSSL"
apache22 will not start and it will produce a core dump. It also displayed an error: [crit] (17)File exists: mod_rewrite: Parent could not create RewriteLock file /usr/local/etc/apache22/locks/systems.rewritelock

Apache22 will start in non ssl mode. When started without -DSSL it doesn't produce the mod_rewrite error and the file is created.

FreeBSD was upgraded to 10.3 from 9.2 while trying to figure out the issue since 9.2 is far too old. Hoped moving to 10.3 would automagically fix the issue. It didn't.

Have tried reinstalling apache22, php56*, openssl, apr1, and many others. Nothing we've tried seems to fix it. All we can tell is this issue is obviously related to SSL.

Fixed the issue with one command:
Code:
# portupgrade -rRf apr1 apache22
 
Please review in httpd(8) the significance of the -D flag. The parameter 'SSL' is just a name, which triggers a setting in the file httpd.conf or one of the configuration files which it includes. Perhaps there is a conditional configuration <IfDefine SSL> ... </IfDefine> somewhere, which wants to activate mod_rewrite a second time.
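
To see which directives a `-DSSL` start actually switches on, the following added example (not part of the original post and not Apache or FreeBSD tooling) scans config files for `<IfDefine NAME>` sections and flags directives that also appear outside them. The helper names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: report what "httpd -D<NAME>" switches on in a set of config files.
# _scan NAME MODE FILE...   (hypothetical helper)
#   list: print "file:line: directive" for every line inside <IfDefine NAME>
#   dups: print directives found both inside <IfDefine NAME> and outside it
_scan() {
    name=$1 mode=$2; shift 2
    awk -v want="$name" -v mode="$mode" '
        FNR == 1 { depth = 0; active = 0 }          # new file: reset nesting
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        tolower(line) ~ /^<ifdefine[ \t]/ {
            arg = line
            sub(/^<[A-Za-z]+[ \t]+/, "", arg); sub(/[ \t]*>[ \t]*$/, "", arg)
            gsub(/"/, "", arg)
            hit[++depth] = (arg == want)            # "!NAME" is not a match
            active += hit[depth]
            next
        }
        tolower(line) ~ /^<\/ifdefine>/ {
            if (depth > 0) active -= hit[depth--]
            next
        }
        {
            split(line, w, /[ \t]+/); key = tolower(w[1])
            if (key == "loadmodule") key = key " " w[2]   # compare per module
            if (active > 0 && mode == "list")
                printf "%s:%d: %s\n", FILENAME, FNR, line
            if (key !~ /^</) { if (active > 0) cond[key] = 1; else always[key] = 1 }
        }
        END { if (mode == "dups") for (k in cond) if (k in always) print k }
    ' "$@"
}
ifdefine_directives() { n=$1; shift; _scan "$n" list "$@"; }
ifdefine_duplicates() { n=$1; shift; _scan "$n" dups "$@" | sort; }

# Constructed sample config (not the poster's files).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
RewriteLock /var/run/rewrite.lock
<IfDefine SSL>
    LoadModule rewrite_module libexec/apache22/mod_rewrite.so
    RewriteLock /var/run/rewrite.lock
    Listen 443
</IfDefine>
EOF
ifdefine_directives SSL "$sample"
ifdefine_duplicates SSL "$sample"
```

The duplicate list is a set of candidates to review, not a verdict: a directive such as `Listen` can legitimately appear both inside and outside the section.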
 
We've had the -DSSL flag for many years without issue. Without the -DSSL the site will not serve https. Our site is back up but without ssl (https) and no one can get anything of use.
 
I got several apache HTTPS installations up and running for several years as well, and I never ever specified -DSSL at the command line.
 
How then do you get https working without /etc/rc.conf having apache22_flags="-DSSL" set?
 
I activate this in my virtual hosts configuration files which are included by httpd.conf. Since I got many virtual hosts, I separated the common TLS settings into a global configuration file global-tls.conf and the site specific settings go into an example.com-vhost.conf:

global-tls.conf
Code:
LoadModule ssl_module           libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLProtocol             All -SSLv2 -SSLv3
SSLCipherSuite          HIGH:!aNULL:!SSLv2
SSLHonorCipherOrder     on
SSLCompression          off

SSLPassPhraseDialog     builtin
SSLSessionCache         "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

Header add Strict-Transport-Security "max-age=15768000"

example.com-vhost.conf
Code:
<VirtualHost www.example.com:443>
   ServerName www.example.com:443
   ServerAdmin mail@example.com

   DBDriver   pgsql
   DBDParams  "dbname=example user=example_admin password=EXAMPLE_PASSWORD"

   DocumentRoot "/usr/local/www/apache24/data/example.com"
   <Directory "/usr/local/www/apache24/data/example.com">
      <FilesMatch "\.(ico|txt)$">
         Require all granted
      </FilesMatch>
      <Files "apple-touch-icon-precomposed.png">
         Require all granted
      </Files>

      AuthType Digest
      AuthName Example
      AuthDigestDomain /

      AuthDigestProvider socache dbd
      AuthnCacheProvideFor dbd
      AuthnCacheContext example
      AuthDBDUserRealmQuery "SELECT passwd FROM users WHERE username = %s"

      Require valid-user

      SetOutputFilter DEFLATE
      SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png)$" no-gzip
   </Directory>

   SSLEngine             on
   SSLCertificateFile    "/usr/local/etc/letsencrypt/live/example.com/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/example.com/privkey.pem"

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
      SSLOptions +StdEnvVars
   </Directory>

   CustomLog "/var/log/httpd-ssl_request.log" "%t %h %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b"
</VirtualHost>

Usually I put all these virtual hosts configuration files into the subdirectory /usr/local/etc/apache2x/vhosts and let httpd.conf include the whole directory. That's it.