linux 中apache服务启动相关分析

时间:2022-04-26 10:32:10

apache服务不能启动一般有二种可能:

 1.  

启动apache时出现

[root@centos apache2]# /usr/local/apache2/bin/apachectl start
httpd: Could not reliably determine the server's fully qualified domain name, using 121.10.40.155 for ServerName

现在提供该问题的解决方法

1)进入apache配置文件的目录:(视个人安装情况而不同)

[root@centos /]# cd /etc/httpd //我安装时配置文件所在的目录为/etc/httpd

2)编辑httpd.conf文件,搜索"#ServerName",添加ServerName localhost:80

[root@centos httpd]# ls
conf.d  extra  httpd.conf  magic  mime.types  original

[root@centos httpd]# vi httpd.conf

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
更改为:

ServerName localhost:80

3)再重新启动apache 即可。

[root@centos httpd]# /usr/local/apache2/bin/apachectl restart

OK,启动成功啦!

2.如果上面的方法还是不能解决,还是提示faild,那么请看下面的方法

   查看日志:

      root账号下查看httpd的日志, 例如 /etc/httpd/logs/nss_error_log .    

[Mon Jun 15 18:11:47 2015] [error] Unable to verify certificate 'Server-Cert'. A
dd "NSSEnforceValidCerts off" to nss.conf so the server can start until the prob
lem can be resolved.
[Mon Jun 15 18:13:23 2015] [error] Certificate not verified: 'Server-Cert'
[Mon Jun 15 18:13:23 2015] [error] SSL Library Error: -8181 Certificate has expi
red

  根据提示,是证书过期导致。

 问题分析

1> 上述日志中已经提示,可加入NSSEnforceValidCerts off 禁止校验证书的参数来避免该问题。经确认,这是可行的。

    查看证书的有效时间   

[root@erp ~]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Wed Jun 08 17:51:54 2011
Not After : Mon Jun 08 17:51:54 2015

看来证书的有效时间是4年

这是在安装mod_nss 包时生成的:

# rpm -q mod_nss --scripts
postinstall scriptlet (using /bin/sh):
umask 077

if [ "$1" -eq 1 ] ; then
    if [ ! -e /etc/httpd/alias/key3.db ]; then
        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
        echo ""
        echo "mod_nss certificate database generated."
        echo ""
    fi
fi

 2> 由于这台机器部署的时间很早,证书在2012年12月1日到期了。但之前没有重启HTTPD服务,没发现问题。而在最近重启机器时,故障才显现出来。

 解决问题
既然原因已知道,解决就很简单了,方法也很多:
1. 如果不需要用到mod_nss 模块的,那直接把/etc/httpd/conf.d/nss.conf 文件改名或删掉(此方法最方便)
2. 不验证证书过期时间的,那就在nss.conf 中加入NSSEnforceValidCerts off 配置即可;
3. 最佳的方式,是重新生成新的证书。如下。此方法不建议
生成新证书前,务必先删除旧证书数据库文件

 # cd /etc/httpd/alias
# rm -f *.db
# /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Thu Feb 07 07:02:53 2013
            Not After : Tue Feb 07 07:02:53 2017