Monday, July 1, 2013

Apache Error [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Problem: One day I woke up and my Apache server, which had been running for several years, was down and wouldn't restart. I checked the Apache error log and found the following message:

[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

This particular message caused Uncle Google to speak in riddles; many of the forum posts it turned up led to non-answers. After fumbling around a bit, I noticed that another Apache log, nss_error_log, was being updated and displayed the following error messages:

[error] Certificate not verified: 'Server-Cert'
[error] SSL Library Error: -8181 Certificate has expired
[error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.


Now we've found the root cause of our issue it is in a module called nss.  I never noticed it before so another visit to Uncle Google actually turned up some interesting reading and several solutions. In short mod_nss is an alternative to mod_ssl it does a few things that mod_ssl doesn't do, and can run along side mod_ssl. 

Since I'm no expert on mod_nss, I'll leave the gory details of how to set it up and what it does to these articles [What is mod_nss, On Setting up Mod_NSS, More detail], but suffice it to say that if you didn't know you were using it, chances are you may not need it. If you are inheriting a system, you probably want to dig deeper into why it is there. Below I'm listing four possible solutions.

  1. Simply do as the error message above says: add NSSEnforceValidCerts off to your nss.conf file, which is usually located in /etc/httpd/conf.d. The downside is that your nss_error_log will continue to get messages like "SSL Library Error: -8181 Certificate has expired", and the server is still presenting an expired certificate, so treat this as the stopgap the message describes.
  2. Remove nss.conf from /etc/httpd/conf.d; this will of course cause mod_nss not to be loaded.
  3. Uninstall and re-install your mod_nss rpm packages; on re-installation a new certificate will be generated and your problem will go away for a few more years.
  4. Properly set up your NSS database or trust store using the certutil command (you can Google for more details).
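Whichever of the last two options you pick, the underlying failure was a certificate in the NSS database quietly reaching its Not After date. The script below is an added example (not from the original post or from the mod_nss project) that parses the output of certutil -L for the "Not After" line and reports how many days remain, so the expiry can be caught by a cron job or monitoring check before Apache refuses to start. The database directory /etc/httpd/alias and the nickname Server-Cert are assumptions taken from the error messages and the usual mod_nss layout; adjust them to the NSSCertificateDatabase value in your nss.conf. A constructed certutil transcript is embedded so the parser runs offline.

```python
"""Report how long a certificate in an NSS database remains valid.

`certutil -L -d <dbdir> -n <nickname>` prints the certificate in text form,
including its validity period.  We parse the "Not After" line and turn it
into a days-remaining figure and a status (ok / expiring / expired).
"""
import re
import shutil
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of the relevant part of `certutil -L` output.  This is
# not output from the author's server; the layout matches what certutil prints.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Validity:
            Not Before: Tue Jul 01 12:00:00 2008
            Not After : Mon Jul 01 12:00:00 2013
"""

# certutil writes "Not After : <timestamp>" with a space before the colon.
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(certutil_text):
    """Return the certificate's Not After timestamp as an aware UTC datetime."""
    match = NOT_AFTER_RE.search(certutil_text)
    if not match:
        raise ValueError("no 'Not After' line found in certutil output")
    # certutil prints times like 'Mon Jul 01 12:00:00 2013' (UTC).
    parsed = datetime.strptime(match.group(1), "%a %b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(certutil_text, now=None):
    """Whole days until expiry; negative once the certificate has expired.

    `now` may be an aware datetime or an ISO 8601 string (handy for tests);
    by default the current UTC time is used.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return (parse_not_after(certutil_text) - now).days


def classify(days, warn_days=30):
    """Map a days-remaining figure onto a monitoring status."""
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def check_nss_cert(dbdir, nickname, warn_days=30):
    """Run certutil against a real NSS database and classify the result."""
    result = subprocess.run(
        ["certutil", "-L", "-d", dbdir, "-n", nickname],
        check=True, capture_output=True, text=True,
    )
    return classify(days_remaining(result.stdout), warn_days)


if __name__ == "__main__":
    # Hypothetical defaults; pass your own database directory and nickname.
    dbdir = sys.argv[1] if len(sys.argv) > 1 else "/etc/httpd/alias"
    nickname = sys.argv[2] if len(sys.argv) > 2 else "Server-Cert"
    if shutil.which("certutil"):
        status = check_nss_cert(dbdir, nickname)
    else:
        # No certutil on this machine: exercise the parser on the sample.
        status = classify(days_remaining(SAMPLE_CERTUTIL_OUTPUT))
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

Run it from cron with the real database directory and nickname; a non-zero exit means the certificate is inside the warning window or already expired, which is exactly the condition that took the server down in the post.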

