
Apache will not start if ssl is enabled

lusbyr
Level 1

Hello,

I recently upgraded from LMS 3.1 to LMS 3.2.  One of our end users pointed out that I forgot to enable https in the Common Services -> Server -> Security area.

I re-enabled https and now the 'Ciscoworks Web Server' will not start up.

If I disable https using ConfigSSL.pl from <NMS root>/MDC/Apache/bin then Ciscoworks comes up fine again.

The log file in <NMS root>/MDC/Apache/logs/error.log shows the message:

Failed to configure CA certificate chain!

I have deleted and regenerated the self-signed certificate several times and this pattern repeats.

I am running LMS on Windows Server 2003 R2.

Any suggestions would be appreciated.

Thanks.

9 Replies

Joe Clarke
Cisco Employee

Delete NMSROOT/MDC/Apache/conf/ssl/server.* and chain.ser.  Then run:

NMSROOT/bin/perl NMSROOT/MDC/Apache/ConfigSSL.pl -disable

NMSROOT/bin/perl NMSROOT/MDC/Apache/ConfigSSL.pl -enable

Fill out the cert values.  When done, check the permissions on NMSROOT/MDC/Apache/conf/ssl/server.* and chain.ser, and make sure casuser has full control.

Joe,

casusers has full permissions.  Do you want me to add casuser with full permission?

Thanks

Joe,

To update you, I gave casuser full permission to the files and nothing is working yet.

Still get the same error: "Failed to configure CA certificate chain!" when I start up Ciscoworks.

Thanks.

Bob

Post your server.crt, chain.cer, and httpd.conf files.

Joe,

As requested, here are the files.

I was able to force Apache to start using the Service control panel.

However, when I spawned a browser the error message is:

Forbidden

You don't have permission to access /cwhp/LiaisonServlet on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Don't know what this means either.  Again, if I turn https off, everything comes up fine.

Thanks.

Bob

Post the server.key that was used to generate these files.

Joe,

OK, here you go.

Bob

Okay.  I tested your cert and key, and my Apache works fine.  We saw this once before, and the solution there was to reinstall LMS from scratch, then restore the previous backup.  The problem was due to a bad CS installation relating to OpenSSL.  Without remote access, I cannot offer more than that.  I can say that there is nothing wrong with your cert, though.

Joe,

Well, I was thinking I was going to have to do a complete reinstall.  Thanks for your help.

Bob
