We''ve been having a weird periodic problem with our site. Every week
our secure server stops making secure connections. When we try and access a
secure page with Netscape it will give the following error in an alert box
A Network error occurred while Netscape was sending data.
(Network Error: I/O Error)
Try connecting again
And connecting again does nothing.
A seemingly related error in the web logs is the following
[error] mod_ssl: SSL handshake interrupted by system
[Hint: Stop button pressed in browser?!] (system error follow)
[error] System: Connection reset by peer (errno:104)
I suspect it has to do with the logrotation that goes on Sunday morning, and
possibly the fact that the secure server is password protected. I have
WebTrends set up to alert me if the secure server goes down, but it never sends
an alert for this problem, so somehow the secure server does not go down, but it
won''t make the connections.
Has anyone encountered this sort of thing before?
-Eric Stokien
CCNAMES.CC
From mail@mail.redhat.com Tue Jun 6 11:11:08 2000
Received: (qmail 14879 invoked from network); 6 Jun 2000 15:11:12 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 15:11:12 -0000
Received: from zeus.crimsonnet.net ([151.205.132.2])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id LAA26016
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 11:11:08 -0400
Received: from huckfinn (huckfinn.crimsonnet.net [151.205.132.9])
by zeus.crimsonnet.net (8.9.3/8.9.3) with SMTP id LAA24650
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 11:18:17 -0400
Message-ID: <00f701bfcfcb$a39ba320$0984cd97@huckfinn>
From: "Adam Frey" <bugtraq@crimsonnetwork.com>
To: <redhat-secure-server@redhat.com>
References:
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com><200005311124100810.011A5852@mail.wnclink.com>
<200006051904050160.021133C4@ttone.com>
Subject: Re: SSL certificate problems?
Date: Tue, 6 Jun 2000 11:26:51 -0400
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Yeah - I said something about my Secure Server locking up a few weeks ago
and no one from RedHat gave me an answer. Troy Miller was kind enough to
give some info on building my own Secure Server, but I haven''t had the
time
to follow that up yet (btw: Thanks Troy). Redhat didn''t even respond to
the
email - what good is the list if Redhat doesn''t put some input in when
a
question is directed towards them?
On another note, I did upgrade from secureweb-3.1-1 to secureweb-3.1-2 and
when I restarted the Secure web daemon, I got the following:
<snip>
Starting httpsd:
[Tue Jun 6 07:49:34 2000] [warn] Loaded DSO modules/mod_php.so uses plain
Apache 1.3 API, this module might crash under EAPI! (please recompile it
with -DEAPI)
[Tue Jun 6 07:49:34 2000] [warn] Loaded DSO modules/libphp3.so uses plain
Apache 1.3 API, this module might crash under EAPI! (please recompile it
with -DEAPI)
[Tue Jun 6 07:49:34 2000] [warn] Loaded DSO modules/libperl.so uses plain
Apache 1.3 API, this module might crash under EAPI! (please recompile it
with -DEAPI)
[Tue Jun 6 07:49:34 2000] [warn] Loaded DSO modules/libdav.so uses plain
Apache 1.3 API, this module might crash under EAPI! (please recompile it
with -DEAPI)
[Tue Jun 6 07:49:34 2000] [warn] Loaded DSO modules/mod_roaming.so uses
plain Apache 1.3 API, this module might crash under EAPI! (please recompile
it with -DEAPI)
Apache/1.3.9 mod_ssl/2.4.10 (Pass Phrase Dialog)
</snip>
Does anyone know if these modules come in RPM binaries already compiled with
the -DEAPI arg? If so, where do I get them? (I''ve looked at the ftp
site and
couldn''t find them - the only place I''ve been able to spot
them so far is on
the Secureweb CD). (I haven''t looked at Freshmeat though, so maybe I
should
do that?) Also, can anyone point me in the right direction for making all
this work without the crashing?
Thanks in Advance,
Adam Frey
Crimson Networks
http://www.crimsonnet.net
----- Original Message -----
From: "Eric Stokien" <support@ttone.com>
To: <redhat-secure-server@redhat.com>
Sent: Monday, June 05, 2000 10:04 PM
Subject: SSL certificate problems?
We''ve been having a weird periodic problem with our site. Every week
our
secure server stops making secure connections. When we try and access a
secure page with Netscape it will give the following error in an alert box
A Network error occurred while Netscape was sending data.
(Network Error: I/O Error)
Try connecting again
And connecting again does nothing.
A seemingly related error in the web logs is the following
[error] mod_ssl: SSL handshake interrupted by system
[Hint: Stop button pressed in browser?!] (system error follow)
[error] System: Connection reset by peer (errno:104)
I suspect it has to do with the logrotation that goes on Sunday morning, and
possibly the fact that the secure server is password protected. I have
WebTrends set up to alert me if the secure server goes down, but it never
sends an alert for this problem, so somehow the secure server does not go
down, but it won''t make the connections.
Has anyone encountered this sort of thing before?
-Eric Stokien
CCNAMES.CC
--
To unsubscribe: mail redhat-secure-server-request@redhat.com with
"unsubscribe" as the Subject.
From mail@mail.redhat.com Tue Jun 6 11:39:29 2000
Received: (qmail 27859 invoked from network); 6 Jun 2000 15:39:49 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 15:39:49 -0000
Received: from mail.ausit.com (mail.ausit.com [203.41.163.235])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id LAA29538
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 11:39:29 -0400
Received: from wk1 (sun.ausit.com [203.41.163.240])
by mail.ausit.com (8.9.3/8.9.3/mail) with ESMTP id BAA03761
for <redhat-secure-server@redhat.com>; Wed, 7 Jun 2000 01:38:34 +1000
Message-ID: <200006070139210922.306CCF2D@mail.ausit.com>
In-Reply-To: <00f701bfcfcb$a39ba320$0984cd97@huckfinn>
References: <01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
<200006051904050160.021133C4@ttone.com>
<00f701bfcfcb$a39ba320$0984cd97@huckfinn>
X-Mailer: Calypso Version 3.10.03.02 (1)
Date: Wed, 07 Jun 2000 01:39:21 +1000
From: "Greg Wright" <greg@ausit.com>
To: redhat-secure-server@redhat.com
Subject: Re: SSL certificate problems?
Content-Type: text/plain; charset="us-ascii"
*********** REPLY SEPARATOR ***********
On 6/06/00 at 11:26 Adam Frey wrote:
>Yeah - I said something about my Secure Server locking up a few weeks ago
>and no one from RedHat gave me an answer. Troy Miller was kind enough to
>give some info on building my own Secure Server, but I haven''t had
the
time>to follow that up yet (btw: Thanks Troy). Redhat didn''t even
respond to
the>email - what good is the list if Redhat doesn''t put some input in
when a
>question is directed towards them?
>
Most of Redhats lists as a rule do not have any Redhat input, the only
resemblance being if any RH employee wished to partake in the list at thier
own free will, I could be wrong but thats my opinion after observance over
the years. I am not sure of the official support procedure, if you do
identify a bug, report it to bugzilla but, you may even want to check there
for open cases.
Regards
Greg Wright
--
IT Consultant Sydney Australia PH 0418 292020
Available for Global Contracts Int. +61 418 292020
web http://www.ausit.com e-mail greg@ausit.com
Trading As - AAA Computers, ITpro, Ozzie Soft, providers of IT services.
From mail@mail.redhat.com Tue Jun 6 12:19:46 2000
Received: (qmail 21316 invoked from network); 6 Jun 2000 16:19:46 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 16:19:46 -0000
Received: from lepton.soltec.net (lepton.soltec.net [64.5.64.30])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id MAA02555
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 12:19:46 -0400
Received: from mail.ipat.com (mail.ipat.com [64.5.73.25])
by lepton.soltec.net (8.10.0.Beta12/8.10.0.Beta12) with ESMTP id e56GKlu29601
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 11:20:48 -0500
(CDT)
Received: from IPAT_SERVER/IMAILQ by mail.ipat.com (Mercury 1.48);
6 Jun 00 11:17:19 -0600
Received: from IMAILQ by IPAT_SERVER (Mercury 1.48); 6 Jun 00 11:17:17 -0600
Received: from khk (64.5.73.8) by mail.ipat.com (Mercury 1.48) with ESMTP;
6 Jun 00 11:17:09 -0600
Message-Id: <4.2.2.20000606105838.01584a80@mail.ipat.com>
X-Sender: adm@mail.ipat.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Tue, 06 Jun 2000 11:17:52 -0500
To: redhat-secure-server@redhat.com
From: Alan Mead <adm@ipat.com>
Subject: Re: SSL certificate problems?
In-Reply-To: <200006051904050160.021133C4@ttone.com>
References: <200005311124100810.011A5852@mail.wnclink.com>
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Eric,
I think this secureweb list has a fairly small following. I would report
the problem on a networking or apache list.
But here are some thoughts, starting with a summary: If I understand
correctly, every week something happens and after that something, your RH
Secureweb server stops responding to port 443 requests? And somehow you
fix it later, when you see the problem. Is that right?
I have some questions: How do you find out that things are broken? Can
you tell with any precision when it stops? What get''s logged when you
make
a connection after the problem occurs (the below snippet?)? How do you fix
things? When this happens, what processes are running? Connections to
port 80 still work fine? Are you logging to another host? Are any other
network connections/services affected? Have you configured your apache to
do hostname lookups?
If it stops Sunday morning at about 4:04AM then as you suggest the weekly
cron job seems like it has something to do with this. I would look at what
gets done in /etc/cron.weekly. I would consider stripping away stuff until
it works (e.g., disable log rotations for a week) to see what''s
happening. This will be less tedious if you can make it happen every evening.
Are you running portsentry or some other network monitoring software that
quashes port 443 requests? One of the things that log rotate does is stop
and restart things.
The connection reset by peer is a network error that I''m not sure I
understand (although others may and I think this is worth pursuing). I
wouldn''t be surprised if some other thing is broke which is stopping
your
httpsd children from responding.
If you try to make a connection and it is denied, list the files in
/var/log/httpd by date (ls -trl) and see if something has been written and
examine that something. Is that the below snippet?
I can tell you that I''ve run RH''s secure server on 5.2, 6.0
and now 6.2 and
never had this problem so it''s probably something is unique to your
setup. It sounds like something is preventing some clients from
communicating with your server.
-Alan
At 09:04 PM 6/5/00 , Eric Stokien wrote:>We''ve been having a weird periodic problem with our site. Every
week our
>secure server stops making secure connections. When we try and access a
>secure page with Netscape it will give the following error in an alert box
>
>A Network error occurred while Netscape was sending data.
>(Network Error: I/O Error)
>Try connecting again
>
>And connecting again does nothing.
>
>A seemingly related error in the web logs is the following
>[error] mod_ssl: SSL handshake interrupted by system
>[Hint: Stop button pressed in browser?!] (system error follow)
>[error] System: Connection reset by peer (errno:104)
>
>I suspect it has to do with the logrotation that goes on Sunday morning,
>and possibly the fact that the secure server is password protected. I
>have WebTrends set up to alert me if the secure server goes down, but it
>never sends an alert for this problem, so somehow the secure server does
>not go down, but it won''t make the connections.
>
>Has anyone encountered this sort of thing before?
From mail@mail.redhat.com Tue Jun 6 12:51:48 2000
Received: (qmail 12928 invoked from network); 6 Jun 2000 16:52:07 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 16:52:07 -0000
Received: from mail.ausit.com (mail.ausit.com [203.41.163.235])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id MAA06689
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 12:51:48 -0400
Received: from wk1 (sun.ausit.com [203.41.163.240])
by mail.ausit.com (8.9.3/8.9.3/mail) with ESMTP id CAA03980
for <redhat-secure-server@redhat.com>; Wed, 7 Jun 2000 02:50:47 +1000
Message-ID: <200006070252000909.30AF5278@mail.ausit.com>
In-Reply-To: <4.2.2.20000606105838.01584a80@mail.ipat.com>
References: <200005311124100810.011A5852@mail.wnclink.com>
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
<4.2.2.20000606105838.01584a80@mail.ipat.com>
X-Mailer: Calypso Version 3.10.03.02 (1)
Date: Wed, 07 Jun 2000 02:52:00 +1000
From: "Greg Wright" <greg@ausit.com>
To: redhat-secure-server@redhat.com
Subject: Re: SSL certificate problems?
Content-Type: text/plain; charset="us-ascii"
*********** REPLY SEPARATOR ***********
On 6/06/00 at 11:17 Alan Mead wrote:
>Eric,
>
>I think this secureweb list has a fairly small following. I would report
>the problem on a networking or apache list.
Hey Al, theres you and me, thats not small ;-) it could be none.....
>
<cut>>
>If it stops Sunday morning at about 4:04AM then as you suggest the weekly
>cron job seems like it has something to do with this. I would look at
what >gets done in /etc/cron.weekly. I would consider stripping away stuff
until >it works (e.g., disable log rotations for a week) to see what''s
>happening. This will be less tedious if you can make it happen every
evening.>
Further to this, see if syslog has moved the logs around and done a restart
on the httpsd , if its got a lot of sites etc on it, it could just be that
its not starting correct or shutting down correct and dieing there, if that
is the case I can help with the startup script, however I am speculating
because cannot remember the original post
Regards
Greg Wright
--
IT Consultant Sydney Australia PH 0418 292020
Available for Global Contracts Int. +61 418 292020
web http://www.ausit.com e-mail greg@ausit.com
Trading As - AAA Computers, ITpro, Ozzie Soft, providers of IT services.
From mail@mail.redhat.com Tue Jun 6 13:25:53 2000
Received: (qmail 11184 invoked from network); 6 Jun 2000 17:25:54 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 17:25:54 -0000
Received: from sterling.propagation.net ([63.249.213.1])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id NAA11051
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 13:25:53 -0400
Received: from procyon (rdu25-13-071.nc.rr.com [24.25.13.71])
by sterling.propagation.net (8.8.5/8.8.5) with ESMTP id MAA06927
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 12:24:25 -0500
Message-Id: <4.2.2.20000606132510.00aa1180@mail.astrum.com>
X-Sender: sws@mail.astrum.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Tue, 06 Jun 2000 13:25:38 -0400
To: redhat-secure-server@redhat.com
From: "S. William Schulz" <sws@astrum.com>
Subject: Re: SSL certificate problems?
In-Reply-To: <200006070252000909.30AF5278@mail.ausit.com>
References: <4.2.2.20000606105838.01584a80@mail.ipat.com>
<200005311124100810.011A5852@mail.wnclink.com>
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
<4.2.2.20000606105838.01584a80@mail.ipat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 02:52 AM 6/7/00 +1000, you wrote:
>*********** REPLY SEPARATOR ***********
>
>On 6/06/00 at 11:17 Alan Mead wrote:
>
> >Eric,
> >
> >I think this secureweb list has a fairly small following. I would
report
> >the problem on a networking or apache list.
>
>
>Hey Al, theres you and me, thats not small ;-) it could be none.....
Plus at least one... :)
From mail@mail.redhat.com Tue Jun 6 13:30:23 2000
Received: (qmail 27765 invoked from network); 6 Jun 2000 17:30:24 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 17:30:24 -0000
Received: from ttone.com (www.ttone.com [207.178.181.11] (may be forged))
by mail.redhat.com (8.8.7/8.8.7) with SMTP id NAA11504
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 13:30:23 -0400
Received: from tt4 [207.178.181.24] by ttone.com with ESMTP
(SMTPD32-4.06) id A59B1C7028E; Tue, 06 Jun 2000 10:32:11 PDT
Message-ID: <200006061031180480.05623A4E@ttone.com>
In-Reply-To: <4.2.2.20000606105838.01584a80@mail.ipat.com>
References: <200005311124100810.011A5852@mail.wnclink.com>
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
<4.2.2.20000606105838.01584a80@mail.ipat.com>
X-Mailer: Calypso Version 3.10.00.08 (3)
Date: Tue, 06 Jun 2000 10:31:18 -0700
From: "Eric Stokien" <support@ttone.com>
To: redhat-secure-server@redhat.com
Subject: Re: SSL certificate problems?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
>But here are some thoughts, starting with a summary: If I understand
>correctly, every week something happens and after that something, your RH
>Secureweb server stops responding to port 443 requests? And somehow you
>fix it later, when you see the problem. Is that right?
Basically.
>I have some questions: How do you find out that things are broken?
To be sure we actually have to attempt to make a secure transaction (I do this
by going through the registration process to the point where it goes secure)
Can >you tell with any precision when it stops?
I haven''t been able to tell with any real precision. But the bottom
snippet stuff appears in the logs starting on Sundays usually.
What get''s logged when you make >a connection after the problem occurs (the below snippet?)?
Yeah, I believe it is the bottom snippet that is being logged.
How do you fix >things?
I stop the web server, then start it again.
When this happens, what processes are running?
Not different than when it is not happening that I could tell, it runs several
copies of httpsd -DSSL, mSQL, Sendmail, at, cron, inetd, the usual sort of
things.
Connections to >port 80 still work fine?
Yep.
Are you logging to another host?
Logs are on the same machine.
Are any other >network connections/services affected?
No.
Have you configured your apache to >do hostname lookups?
Can you clarify what you mean by this?
>If it stops Sunday morning at about 4:04AM then as you suggest the weekly
>cron job seems like it has something to do with this. I would look at what
>gets done in /etc/cron.weekly. I would consider stripping away stuff until
>it works (e.g., disable log rotations for a week) to see what''s
>happening. This will be less tedious if you can make it happen every
evening.
>
>Are you running portsentry or some other network monitoring software that
>quashes port 443 requests? One of the things that log rotate does is stop
>and restart things.
>
>The connection reset by peer is a network error that I''m not sure I
>understand (although others may and I think this is worth pursuing). I
>wouldn''t be surprised if some other thing is broke which is
stopping your
>httpsd children from responding.
>
>If you try to make a connection and it is denied, list the files in
>/var/log/httpd by date (ls -trl) and see if something has been written and
>examine that something. Is that the below snippet?
>
>I can tell you that I''ve run RH''s secure server on 5.2,
6.0 and now 6.2 and
>never had this problem so it''s probably something is unique to your
>setup. It sounds like something is preventing some clients from
>communicating with your server.
>
>-Alan
>
>
>At 09:04 PM 6/5/00 , Eric Stokien wrote:
>>We''ve been having a weird periodic problem with our site.
Every week our
>>secure server stops making secure connections. When we try and access a
>>secure page with Netscape it will give the following error in an alert
box
>>
>>A Network error occurred while Netscape was sending data.
>>(Network Error: I/O Error)
>>Try connecting again
>>
>>And connecting again does nothing.
>>
>>A seemingly related error in the web logs is the following
>>[error] mod_ssl: SSL handshake interrupted by system
>>[Hint: Stop button pressed in browser?!] (system error follow)
>>[error] System: Connection reset by peer (errno:104)
>>
>>I suspect it has to do with the logrotation that goes on Sunday morning,
>>and possibly the fact that the secure server is password protected. I
>>have WebTrends set up to alert me if the secure server goes down, but it
>>never sends an alert for this problem, so somehow the secure server does
>>not go down, but it won''t make the connections.
>>
From mail@mail.redhat.com Tue Jun 6 15:07:42 2000
Received: (qmail 32072 invoked from network); 6 Jun 2000 19:07:43 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 6 Jun 2000 19:07:43 -0000
Received: from lepton.soltec.net (lepton.soltec.net [64.5.64.30])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id PAA24040
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 15:07:42 -0400
Received: from mail.ipat.com (mail.ipat.com [64.5.73.25])
by lepton.soltec.net (8.10.0.Beta12/8.10.0.Beta12) with ESMTP id e56J8nu03977
for <redhat-secure-server@redhat.com>; Tue, 6 Jun 2000 14:08:49 -0500
(CDT)
Received: from IPAT_SERVER/IMAILQ by mail.ipat.com (Mercury 1.48);
6 Jun 00 14:05:21 -0600
Received: from IMAILQ by IPAT_SERVER (Mercury 1.48); 6 Jun 00 14:05:12 -0600
Received: from khk (64.5.73.8) by mail.ipat.com (Mercury 1.48) with ESMTP;
6 Jun 00 14:05:09 -0600
Message-Id: <4.2.2.20000606133406.0206e370@mail.ipat.com>
X-Sender: adm@mail.ipat.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Tue, 06 Jun 2000 14:05:54 -0500
To: redhat-secure-server@redhat.com
From: Alan Mead <adm@ipat.com>
Subject: Re: SSL certificate problems?
In-Reply-To: <200006061031180480.05623A4E@ttone.com>
References: <4.2.2.20000606105838.01584a80@mail.ipat.com>
<200005311124100810.011A5852@mail.wnclink.com>
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
<4.2.2.20000606105838.01584a80@mail.ipat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 12:31 PM 6/6/00 , Eric Stokien wrote:
>Can
> >you tell with any precision when it stops?
>
>I haven''t been able to tell with any real precision. But the
bottom
>snippet stuff appears in the logs starting on Sundays usually.
When you say usually, does it ever appear on Saturday? Let''s assume
the
weekly cron job whacks something.
My /etc/logrotate.conf is stock, it has no local extensions.
I have 8 logs between regular apache and virtual domains. My
/etc/logrotate.d/secureweb is a series of entries like this:
/var/log/httpd/referer_log-ssl {
missingok
postrotate
/usr/bin/killall -HUP httpsd 2> /dev/null || true
endscript
}
I noticed just now that the frequency of rotations is set in
/etc/logrotate.conf and not controlled by cron. In fact, the weekly cron
doesn''t call logrotate. So, you could easily test whether
it''s logrotate
by setting ''daily'' in logrotate.conf and then manually
executing
/etc/cron.daily/logrotate as root. Or by executing logrotate manually with
the -f option.
Or just issue that ''killall -HUP httpsd'' command from the root
prompt. I
just tried it and nothing bad happens on my machine. If it also works fine
on your machine, you can investigate what else gets rotated. If not, maybe
you could look into whether there is another way your apache wants to get
reloaded.
Earlier you mentioned something about password protecting the cert... I
don''t think that has anything to do with it. At least the one or two
times
I''ve lost power, the PEM passphrase prompt has been waiting patiently
for
me the next morning. To be honest, I have no idea what you could rotate
that would give you "connection reset by peer" messages... so
I''m guessing
that you will have to solve this by trial and error.
-Alan
From mail@mail.redhat.com Thu Jun 8 00:22:30 2000
Received: (qmail 30282 invoked from network); 8 Jun 2000 04:22:30 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 8 Jun 2000 04:22:30 -0000
Received: from ns.tellico.net (ns.tellico.net [205.217.100.2])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id AAA01565
for <redhat-secure-server@redhat.com>; Thu, 8 Jun 2000 00:22:30 -0400
From: apache@tellico.net
Received: from localhost (apache@localhost)
by ns.tellico.net (8.9.3/8.9.3) with ESMTP id WAA27613
for <redhat-secure-server@redhat.com>; Wed, 7 Jun 2000 22:26:02 -0400
Date: Wed, 7 Jun 2000 22:26:02 -0400 (EDT)
To: redhat-secure-server@redhat.com
Subject: Re: SSL certificate problems?
In-Reply-To: <00f701bfcfcb$a39ba320$0984cd97@huckfinn>
Message-ID: <Pine.LNX.4.10.10006072217490.27406-100000@ns.tellico.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 6 Jun 2000, Adam Frey wrote:
> Yeah - I said something about my Secure Server locking up a few weeks ago
> and no one from RedHat gave me an answer. Troy Miller was kind enough to
> give some info on building my own Secure Server, but I haven''t had
the time
> to follow that up yet (btw: Thanks Troy). Redhat didn''t even
respond to the
> email - what good is the list if Redhat doesn''t put some input in
when a
> question is directed towards them?
>
I did use the info Troy Miller gave and built my own. It uses the
PHP-4.0, but from what I read it is illegal to use it, when built this way
for e-commerce, due to the licensing of the rsaref-2.0 code.
Oh, by the way I am in the USA.
Does anyone know for sure if it is illegal to run the above for
e-commerce applications. If it is, does anyone know how to get licensing
for the rsaref code and how much it would cost, timewise and moneywise. I
am really impressed with the self built server, it''s kind of nice to be
able to build your web server to your specifications and tweak and fiddle
with it, until you get it just the way you want it.
Any info about doing it yourself and the legal implications would be
appreciated.
thanks
Kelley
PS: I dropped Troy a line, but I never got a reply back. Guess he''s a
busy
man.
From mail@mail.redhat.com Fri Jun 9 14:30:25 2000
Received: (qmail 31937 invoked from network); 9 Jun 2000 18:30:27 -0000
Received: from mail.redhat.com (199.183.24.239)
by lists.redhat.com with SMTP; 9 Jun 2000 18:30:27 -0000
Received: from ttone.com (www.ttone.com [207.178.181.11] (may be forged))
by mail.redhat.com (8.8.7/8.8.7) with SMTP id OAA12952
for <redhat-secure-server@redhat.com>; Fri, 9 Jun 2000 14:30:25 -0400
Received: from tt4 [207.178.181.24] by ttone.com with ESMTP
(SMTPD32-4.06) id A8311FA00CA; Fri, 09 Jun 2000 11:32:17 PDT
Message-ID: <200006091131440440.007B2936@ttone.com>
In-Reply-To: <4.2.2.20000606133406.0206e370@mail.ipat.com>
References: <4.2.2.20000606105838.01584a80@mail.ipat.com>
<200005311124100810.011A5852@mail.wnclink.com>
<01fb01bfcac9$58d2a3e0$0fcfb8c7@jdp2.webdms.com>
<200005311124100810.011A5852@mail.wnclink.com>
<4.2.2.20000606105838.01584a80@mail.ipat.com>
<4.2.2.20000606133406.0206e370@mail.ipat.com>
X-Mailer: Calypso Version 3.10.00.08 (3)
Date: Fri, 09 Jun 2000 11:31:44 -0700
From: "Eric Stokien" <support@ttone.com>
To: redhat-secure-server@redhat.com
Subject: Re: SSL certificate problems?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
>Or just issue that ''killall -HUP httpsd'' command from the
root prompt. I
>just tried it and nothing bad happens on my machine. If it also works fine
>on your machine, you can investigate what else gets rotated. If not, maybe
>you could look into whether there is another way your apache wants to get
>reloaded.
Well I tried /usr/bin/killall -USR1 httpsd and it gives the Network Error
I tried /usr/bin/killall -HUP httpsd and it gives the Network Error
I tried /etc/rc.d/init.d/httpsd reload and it gives the Network Error
/etc/rc.d/init.d/httpsd restart gives a different connect error until the
password gets put in.
In other words there does not seem to be a way for even root to reload the
webserver without a password getting typed in.
>Earlier you mentioned something about password protecting the cert... I
>don''t think that has anything to do with it. At least the one or
two times
>I''ve lost power, the PEM passphrase prompt has been waiting
patiently for
>me the next morning. To be honest, I have no idea what you could rotate
>that would give you "connection reset by peer" messages... so
I''m guessing
>that you will have to solve this by trial and error.
>
I wish I knew what else it could be. I only mention it since it does seem that
any way that doesn''t involve a password fails.
Here is our standard entry in the logrotate.d/secureweb file
/var/log/httpd/access_log {
missingok
postrotate
/usr/bin/killall -USR1 httpsd
endscript
}