I'm configuring a new Apache web server on Oracle Linux 9 (comparable with RedHat/CentOS according to Oracle). The version of httpd is 2.4.51 and the version of php is 8.0.13. However, the service failed to start with the following error (with journalctl -xeu:
httpd.service: Failed with result 'exit-code'.
I look up and many of similar error appear related to config file. But apachectl configtest returned Syntax OK, httpd --help give no output.
So I tried to comment out some config in http.conf, after commenting out the mod-security related line, it throws out new error message:
httpd.service: Failed with result 'protocol'.
No other useful error message can be retrieved from journalctl.
Commenting out the php related lines also doesn't help. Besides, I found that to install mod_security2 I have several other "module" to install, but I download this mod_security2 from aap stream. To make sure the problem does not come from this module, I installed the required modules (except libapr and libapr-utilbecause error occurs on building, therpmbuildcannot finddoxygen` even though I installed it) that are required in its documentation.
—————Update————
error_log:
[core:notice] [pid 4944:tid 4944] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[suexec:notice] - - AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)AH00016: Configuration Failed
[core:notice] [pid 4963:tid 4963] SELinux policy enabled; httpd running as context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suexec:notice] - - AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[-:error] - - SecServerSignature: original signature too short. Please set ServerTokens to Full.
[-:notice] - - ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[:notice] [pid 4963:tid 4963] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[:notice] [pid 4963:tid 4963] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[:notice] [pid 4963:tid 4963] ModSecurity: LUA compiled version="Lua 5.4"
[:notice] [pid 4963:tid 4963] ModSecurity: YAJL compiled version="2.1.0"
[:notice] [pid 4963:tid 4963] ModSecurity: LIBXML compiled version="2.9.12"
[-:notice] - - ModSecurity: Original server signature: Apache
[:notice] [pid 4963:tid 4963] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[lbmethod_heartbeat:notice] - - AH02282: No slotmem from mod_heartmonitor
[-:error] - - SecServerSignature: original signature too short. Please set ServerTokens to Full.
[core:notice] - - AH00094: Command line: 'httpd'
AH00016 seem to be related with ssl cert, so I also attached the error log for ssl.
ssl_error_log:
[ssl:emerg] - - AH02562: Failed to configure certificate www.example.com:443:0 (with chain), check /etc/pki/tls/certs/example-wildcard.crt
[ssl:emerg] - - SSL Library Error: error:8000000D:system library::Permission denied (calling fopen(/etc/pki/tls/certs/example-wildcard.crt, r))
[ssl:emerg] - - SSL Library Error: error:10080002:BIO routines::system lib
[ssl:emerg] - - SSL Library Error: error:0A080002:SSL routines::system lib
I found a permission denied error to read my wildcard cert, and I noticed it was because I have the wrong ownership. I changed to what it should be, with a right of 644.
BTW, httpd -t also returns Syntax OK.
Now that I rerun httpd -t with no root right returns error to file permission (solved by changing the ownership to apache):
# sudo -u apache httpd -t
AH00526: Syntax error on line 39 of /etc/httpd/conf.d/mod_security.conf:
ModSecurity: Failed to open debug log file: /etc/httpd/logs/modsec_debug.log
Weird enough, when I check port listener I saw:
$ sudo netstat -punta | grep LISTEN
tcp6 0 0 :::443 :::* LISTEN 4964/httpd
tcp6 0 0 :::80 :::* LISTEN 4964/httpd
httpd is listening when it failed to start?
Maybe SELinux is denying access, probe this: