Sunday, September 22, 2013

Apache Error [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

One fine morning I have discovered that my Apache (httpd) service is down and can't be started :)

Step 1: Checking httpd Service Status:
#/etc/init.d/httpd status
httpd dead but pid file exists

Step 2: Search httpd processes and kill those
#ps -ef | grep httpd

# killall -9 httpd

Step 3: Remove httpd lock file if exist
# rm -f /var/lock/subsys/httpd

Step4: Restart Apache/httpd Service
# service httpd restart
Stop httpd    [FAILED]
Start httpd   [FAILED]


Need to dig down more.

Step 5: Check httpd error log file
# grep suexec /var/log/httpd/error_log
[Sun Sep 22 10:32:06 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:33:51 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:38:03 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 22 10:45:53 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Step 6: Check httpd nss error log file
#tail -300 /var/log/httpd/nss_error_log
[Sun Sep 22 04:03:27 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 04:03:27 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 04:03:27 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Sun Sep 22 10:38:03 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:38:03 2013] [error] SSL Library Error: -8181 Certificate has expired
[Sun Sep 22 10:38:03 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Sun Sep 22 10:45:53 2013] [error] Certificate not verified: 'Server-Cert'
[Sun Sep 22 10:45:53 2013] [error] SSL Library Error: -8181 Certificate has expired

[Sun Sep 22 10:45:53 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.


So, the root cause of this issue is in a module called nss. mod_nss is an alternative to mod_ssl; it does a few things that mod_ssl doesn't do, and can run along side mod_ssl.

Step 7: Remove nss.conf file from httpd conf.d directory
#cd /etc/httpd/conf.d
#mv nss.conf nss.conf.orig
#/etc/init.d/httpd start
Start httpd   [OK]

10 comments:

FuTuR said...

Hi, Working for me,

Many Many Many Thanks !

Carlos Eduardo said...

Perfect!

Rajendra said...

You Rock man !!

Shafi said...

Thanks its now working ..!!

after

Step 7: Remove nss.conf file from httpd conf.d directory
#cd /etc/httpd/conf.d
#mv nss.conf nss.conf.orig
#/etc/init.d/httpd start
Start httpd [OK]

Unknown said...

Thanks!!!!!!

S M Didarul Abedin said...

Cheers!!!

S M Didarul Abedin said...

Cheers!!!

S M Didarul Abedin said...

Pleasure :-)

S M Didarul Abedin said...

:-)

S M Didarul Abedin said...

Pleasure Sheikh.

Restore Archived Log into VMware Aria Operations for Logs (formerly known as vRealize Log Insight - vRLI)

As we cannot keep all logs in searchable space in vRLI production system due to performance and slowness issue, it is always recommended to ...