7 Replies Latest reply on Jun 4, 2018 4:55 AM by Bernard Stern

    addm 11.3 failed to update SSL configuration files

    Bernard Stern

      I have installed addm 11.3 from scratch with centos 7 image, then restored the backup from the addm 11.2 instance, all went fine.

      I am now having trouble with HTTPS, I am getting the error

      The server key, certificate and CA cert are all OK, I used the same as under 11.2. Hostname and IP address are the same.

      In the log/tw_svc_security.log I see this line here:

      139862611379968: 2018-05-31 15:17:32,211: api.https: ERROR: Apache config invalid: AH00526: Syntax error on line 44 of /etc/httpd/conf.d/ssl.conf:
      ServerName takes one argument, The hostname and port of the server

      However, there is no such file /etc/httpd/conf.d/ssl.conf. Here is what I have in /etc/httpd:

      [root@sfa3100 httpd]# find /etc/httpd/ | sort
      /etc/httpd/
      /etc/httpd/alias
      /etc/httpd/alias/cert8.db
      /etc/httpd/alias/install.log
      /etc/httpd/alias/key3.db
      /etc/httpd/alias/libnssckbi.so
      /etc/httpd/alias/secmod.db
      /etc/httpd/conf
      /etc/httpd/conf.d
      /etc/httpd/conf.d/api.conf
      /etc/httpd/conf.d/documentation.conf
      /etc/httpd/conf.d/README
      /etc/httpd/conf.d/ssl.conf.preupgrade
      /etc/httpd/conf.d/webkit.conf
      /etc/httpd/conf/httpd.conf
      /etc/httpd/conf/magic
      /etc/httpd/conf.modules.d
      /etc/httpd/conf.modules.d/tw_modules.conf
      /etc/httpd/conf/ssl.crt
      /etc/httpd/conf/ssl.crt/ca-bundle.crt
      /etc/httpd/conf/ssl.crt/server.crt
      /etc/httpd/conf/ssl.key
      /etc/httpd/conf/ssl.key/server.key
      /etc/httpd/logs
      /etc/httpd/modules
      /etc/httpd/run

      There is a file /etc/httpd/conf.d/ssl.conf.preupgrade, with some content.

      The file ownership is the following:

      [root@sfa3100 conf]# ls -al
      total 44
      drwxr-xr-x. 4 root    root     4096 May 30 11:16 .
      drwxr-xr-x. 6 root    root     4096 May 31 15:17 ..
      -rw-r--r--. 1 root    root    11465 Mar 16 00:36 httpd.conf
      -rw-r--r--. 1 root    root    13077 Oct 19  2017 magic
      drwxr-xr-x. 2 tideway tideway  4096 May 30 11:16 ssl.crt
      drwxr-xr-x. 2 root    root     4096 May 30 11:16 ssl.key

      Under ADDM 11.2, I had to change the ServerName in this ssl.conf file after an upgrade, back from localhost to my actual hostname. Since there is no such file now, plus the ssl.conf.preupgrade shows the correct ServerName value, I am now out of options. Does anyone have some pointers to get this HTTPS working?

      BTW, these links on the doc Configuring HTTPS settings - BMC Discovery 11.3 - BMC Documentation point to the 11.1 doc:

        • 1. Re: addm 11.3 failed to update SSL configuration files
          Andrew Waters

          Because the configuration was invalid Discovery removed the ssl.conf file.

          When you say you used the same key and certificate what exactly did you do?

          1 of 1 people found this helpful
          • 2. Re: addm 11.3 failed to update SSL configuration files
            Bernard Stern

            I have a postinstall script handling the few customisations for our company.

            It puts the files

            /usr/tideway/etc/https/server.crt
            /usr/tideway/etc/https/server.key
            /usr/tideway/etc/https/ca-bundle.crt

            /etc/httpd/conf/ssl.crt/ca-bundle.crt
            /etc/httpd/conf/ssl.crt/server.crt
            /etc/httpd/conf/ssl.key/server.key

            into place among other stuff. I checked most of the other customisations (LDAP, users, groups), most are properly configured using the restore and the postinstall script. I had to slightly modify the postinstall due to the differences between CentOS 6 and 7. I really only have troubles with HTTPS as far as I have seen so far.

            Any way I could create a ssl.conf file from the ssl.conf.preupgrade?

            • 3. Re: addm 11.3 failed to update SSL configuration files
              Andrew Waters

              No, you really do not want to be playing around like this. 11.3 will regenerate files significantly more frequently than trying to guess if it can leave the httpd configuration files alone. You are very likely to give yourself significant pain.

              Your problem is that you have no /usr/tideway/etc/https/server.csr where you would have recorded the server name hence it ends up being blank.

              2 of 2 people found this helpful
              • 4. Re: addm 11.3 failed to update SSL configuration files
                Bernard Stern

                Hello Andrew

                Correct, I don't have a server.csr and will never have. My server.crt and server.key are official company certificates generated by a tool. This is the only way to get official company certificates that will cause no problems to users using the GUI. The tool generates a zip bundle containing the private and public key, but no server.csr. HTTPS is mandatory, we cannot leave HTTP running. What can I do to get it working? I tried to copy ssl.conf.preupgrade to ssl.conf, with very limited hope, and it did fail. I am really stuck now.

                • 5. Re: addm 11.3 failed to update SSL configuration files
                  Bernard Stern

                  I have this error:

                  [root@sfa3100 conf.d]# apachectl configtest
                  AH00526: Syntax error on line 17 of /etc/httpd/conf.d/ssl.conf:
                  Invalid command 'SSLMutex', perhaps misspelled or defined by a module not included in the server configuration

                  I commented out line 17

                  #SSLMutex default

                  then

                  [root@sfa3100 conf.d]# apachectl configtest
                  Syntax OK

                  I can restart the httpd on the command line, but I'm still getting the error when enabling HTTPS in the GUI.

                  I also found this in the tw_restore.log:

                  140678394472256: 2018-05-30 10:18:39,163: backup.restore: INFO: Restore from version 11.2.0.1 - upgrade of HTTPS configuration needed
                  140678394472256: 2018-05-30 10:18:39,163: api.https: INFO: Upgrading HTTPS config
                  140678394472256: 2018-05-30 10:18:39,164: api.https: INFO: Saving old Apache config as /etc/httpd/conf.d/ssl.conf.preupgrade
                  140678394472256: 2018-05-30 10:18:39,252: api.https: INFO: Enable HTTPS http_redirect=True, allow_api_via_http=False
                  140678394472256: 2018-05-30 10:18:39,654: api.https: ERROR: Apache config invalid: AH00526: Syntax error on line 24 of /etc/httpd/conf.d/ssl.conf:
                  ServerName takes one argument, The hostname and port of the server
                  140678394472256: 2018-05-30 10:18:39,823: api.https: ERROR: HTTPS has been disabled as existing configuration files could not be upgraded to this version of BMC Discovery
                  Traceback (most recent call last):
                    File "./https.py", line 323, in upgrade
                    File "./https.py", line 412, in enable
                    File "./https.py", line 531, in _raiseHTTPSConfigError
                  HTTPSConfigError: SecurityCORBA.HTTPSConfigError(message='Failed to update SSL configuration files: Web Server configuration is not valid - unable to restart')
                  140678394472256: 2018-05-30 10:18:39,833: api.https: INFO: Disable HTTPS allow_api_via_http=False
                  140678394472256: 2018-05-30 10:18:39,964: api.https: INFO: Restarting apache

                  • 6. Re: addm 11.3 failed to update SSL configuration files
                    Andrew Waters

                    SSLMutex is not valid on CentOS 7. If you were using the standard mechanism you would not find this line present on the CentOS 7 machines, only the CentOS 6 machines.

                    The restore log error is exactly the same issue.

                    You could create a CSR and just not use it, as long as it has the correct values.

                    3 of 3 people found this helpful
                    • 7. Re: addm 11.3 failed to update SSL configuration files
                      Bernard Stern

                      I backed up the CentOS 6 using tw_backup.
                      I set up a new CentOS 7 appliance using the VM image.
                      I restored the backup using the GUI on the CentOS 7 box.
                      I configured the network using the netadmin user.

                      The SSLMutex is my failed attempt at copying the preupgrade ssl.conf file.

                      I now generated a server.csr file using openssl and placed this in /usr/tideway/etc/https/, and now it works.


                      Thanks for the help. Perhaps it would be a good idea to stress this point in the documentation, for me it is not obvious that you need a server.csr file even though you don't really use it.

                      2 of 2 people found this helpful
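The fix Bernard describes in reply 7, as an added example that is not part of the thread or of BMC's own tooling: rebuild a server.csr from the existing company certificate and key with openssl, then check that key, certificate and CSR carry the same public key and the same subject before placing the CSR in /usr/tideway/etc/https/. The install path follows the thread; the tideway ownership and 0640 mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from BMC: derive server.csr from the
# existing key/certificate pair so the 11.3 upgrade has a CSR to take the
# server name from, and verify that key, certificate and CSR agree.
# Assumptions: the install path and tideway ownership follow the thread.

# Rebuild a CSR from the issued certificate, signed with the matching key.
# The subject (including the CN) is copied from the certificate, so nothing
# is retyped. Only the subject is copied, not SAN extensions.
make_csr() {
    key="$1"; cert="$2"; out="$3"
    openssl x509 -x509toreq -in "$cert" -signkey "$key" -out "$out" 2>/dev/null
}

# SHA-256 of the public key carried by a key, certificate or CSR. All three
# are normalised to a PEM public key first so the digests are comparable.
pubkey_digest() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject in RFC 2253 form so x509 and req output compare textually.
subject_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -subject -nameopt RFC2253 ;;
        csr)  openssl req  -in "$2" -noout -subject -nameopt RFC2253 ;;
    esac | sed 's/^subject= *//'
}

# Succeed only if the CSR matches the key and certificate it should describe;
# a CSR with a foreign key or a stale CN would only move the problem.
verify_csr() {
    key="$1"; cert="$2"; csr="$3"
    k=$(pubkey_digest key "$key")
    c=$(pubkey_digest cert "$cert")
    r=$(pubkey_digest csr "$csr")
    [ "$k" = "$c" ] && [ "$c" = "$r" ] || { echo "public key mismatch" >&2; return 1; }
    [ "$(subject_of cert "$cert")" = "$(subject_of csr "$csr")" ] \
        || { echo "subject mismatch" >&2; return 1; }
    echo "CSR subject: $(subject_of csr "$csr")"
}

# Place the CSR beside the key and certificate the postinstall script already
# drops in (ownership and mode are assumptions; match what server.key has).
install_csr() {
    install -o tideway -g tideway -m 0640 "$1" /usr/tideway/etc/https/server.csr
}
```

Run `make_csr`, then `verify_csr`, and only call `install_csr` once the verification prints the expected CSR subject.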