Seth Berrier's picture

I was just trying out the trac appliance and I'm having a strange behavior out of the box that I need some help with.  After installation and first boot to set passwords and apply security updates, the server says it's running and I CAN access the Webmin page.  However, navigating to the root page (both http and https) shows nothing (the browser says it cannot connect to server).  This makes me think that apache is somehow not listening on port 80 or 443 but is listening on the 12321 port.

This is my first time trying the trac appliance but I'm pretty sure there should be something on those ports to get into the various projects hosted on the revision systems and to get to trac.

/var/log/apache2/error.log shows the following (timestamps correspond to first and second boot):

[Thu Nov 12 19:41:06.143570 2015] [ssl:error] [pid 2546:tid 140394725742464] AH02579: Init: Private key not found
[Thu Nov 12 19:41:06.143619 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Nov 12 19:41:06.143631 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Thu Nov 12 19:41:06.143641 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Nov 12 19:41:06.143651 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Thu Nov 12 19:41:06.143660 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Thu Nov 12 19:41:06.143669 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Nov 12 19:41:06.143679 2015] [ssl:error] [pid 2546:tid 140394725742464] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Thu Nov 12 19:41:06.143683 2015] [ssl:emerg] [pid 2546:tid 140394725742464] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Nov 12 19:41:06.143687 2015] [ssl:emerg] [pid 2546:tid 140394725742464] AH02564: Failed to configure encrypted (?) private key localhost:443:0, check /etc/ssl/certs/cert.pem
AH00016: Configuration Failed
[Thu Nov 12 19:31:28.338050 2015] [ssl:error] [pid 735:tid 140619460441984] AH02579: Init: Private key not found
[Thu Nov 12 19:31:28.339055 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Nov 12 19:31:28.339073 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Thu Nov 12 19:31:28.339083 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Nov 12 19:31:28.339094 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Thu Nov 12 19:31:28.339104 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Thu Nov 12 19:31:28.339114 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Nov 12 19:31:28.339124 2015] [ssl:error] [pid 735:tid 140619460441984] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Thu Nov 12 19:31:28.339129 2015] [ssl:emerg] [pid 735:tid 140619460441984] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Nov 12 19:31:28.339133 2015] [ssl:emerg] [pid 735:tid 140619460441984] AH02564: Failed to configure encrypted (?) private key localhost:443:0, check /etc/ssl/certs/cert.pem
AH00016: Configuration Failed
Seth Berrier's picture

As I'm digging around it seems that the errors above are specifically with SSL (can't find the private key) but this doesn't make sense.  The output of the first boot showed it being generated and it's there under /etc/ssl/private and the apache ssl.conf file is identical to every other TLK appliance I've ever used where SSL works fine.

More than that, it doesn't explain why standard HTTP on port 80 is not working.  The 'ports.conf' shows it listening on port 80 and the sites-enabled/trac.conf shows it capturing port 80 and it looks reasonable.  Kind of baffled here.  Anyone else play with the trac appliance lately?  FYI, this was installed from the recently added v14 .ova file to our own vmware hypervisor server.

Thanks!
Seth B.

Jeremy Davis's picture

Looks like this one slipped through the testing...

I know exactly what the issue is! When we did the SSL hardening we moved the SSL cert to a new location. I thought that I had fixed all the appliances but obviously this one slipped through. :(

The fix is to remove the line (line #10) in /etc/trac/apache.conf (the line that declares the cert location). As of the v14.0 SSL hardening efforts, the default cert location has moved and is set for Apache globally in the Apache SSL module. Local declarations (such as in the site apache config) will override the global, and that's why you are having this issue.

You will need to restart Apache after doing the fix.

Thanks so much for reporting this. We will rebuild this appliance ASAP with the fix applied so no other users have this problem...

BTW I did a bug report. [update] I updated the link as, now that it is fixed, it wasn't pointing to the right place...
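
The override described in the reply above can be checked for mechanically. This is an added example, not part of the original thread or TurnKey's own tooling: it finds SSLCertificateFile / SSLCertificateKeyFile declarations in a site config and confirms the file Apache will read for the key actually holds one. The function names, file names and PEM contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Apache directive names are case-insensitive; commented-out lines do not match.
DIRECTIVE = re.compile(r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?', re.I)
KEY_MARKER = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")

def local_ssl_overrides(conf_text):
    """Return {directive (lowercased): path} for cert directives in a site config."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit_site(conf_path):
    """List problems caused by per-site cert declarations that override the global one."""
    overrides = local_ssl_overrides(Path(conf_path).read_text())
    cert = overrides.get("sslcertificatefile")
    if cert is None:
        return []  # nothing declared locally: the global mod_ssl setting applies
    # Without SSLCertificateKeyFile, mod_ssl expects the key inside the cert file.
    key = overrides.get("sslcertificatekeyfile", cert)
    problems = [f"{p}: file does not exist" for p in sorted({cert, key})
                if not Path(p).is_file()]
    if Path(key).is_file() and not KEY_MARKER.search(Path(key).read_text(errors="replace")):
        # This is the condition behind "AH02579: Init: Private key not found".
        problems.append(f"{key}: no private key found (declared in {conf_path})")
    return problems

def demo():
    """Constructed sample: one site config pinning a cert-only PEM, one clean config."""
    tmp = Path(tempfile.mkdtemp())
    stale = tmp / "cert.pem"  # stands in for a cert file that holds no key
    stale.write_text("-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n")
    site = tmp / "apache.conf"  # stands in for the site config with the local declaration
    site.write_text(f"<VirtualHost *:443>\n    SSLEngine on\n    SSLCertificateFile {stale}\n</VirtualHost>\n")
    clean = tmp / "clean.conf"  # same vhost with the local declaration removed
    clean.write_text("<VirtualHost *:443>\n    SSLEngine on\n</VirtualHost>\n")
    return audit_site(site), audit_site(clean)

if __name__ == "__main__":
    for problem in demo()[0]:
        print(problem)
```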

Seth Berrier's picture

That fixed it. Just deleted that line in the trac apache.conf and everything seems peachy for http and https now. Thanks for the quick response!
Seth B.
Jeremy Davis's picture

Did you download this a while ago, or recently?

We did initially have issues with the OTRS appliance (see here) but we have already rebuilt it so the current downloads should work OOTB...

Jeremy Davis's picture

If so that makes sense. I just posted about that below...

Otherwise I'm a bit stumped.

Christian's picture

I just restored a backup to a tkl-lamp-based cloud server and can access webmin and shell, but not HTTPS.

Jeremy Davis's picture

It's the restore process that is bringing this issue in... It's not an issue in the appliance itself. We should document this!

[update] FWIW I have created a new page in the docs (here) detailing (the currently known) migration tweaks that are required when migrating from a previous version of TurnKey to v14 using TKLBAM.

Matthew's picture

Same SSL issue in the Docker image for Docker Hub. I removed the offending line from apache config in the running container, then issued a docker restart.

Cheers.
 

Jeremy Davis's picture

All the other build types are done. The Docker builds still need doing.
