Apache breaks with SSL Certificate after Ubuntu Upgrade

Nextcloud version (eg, 29.0.5): 28.0.5
Operating system and version (eg, Ubuntu 29.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.52
PHP version (eg, 8.3): 8.2

The issue you are facing: Upgrading Ubuntu from 20.04 > 22.04 breaks Apache server

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Updated all dependencies and everything I can on existing Server
  2. Upgrade Ubuntu performing the do release
  3. Apache breaks during the last part of the upgrade, and cannot start

I fully realize this isn’t specifically a Nextcloud issue, but I’m using the HanssonIT pre built VM and was wondering if anyone has come across this? I’ve lagged behind on upgrading my actual server components and I’m at the point now to where I cannot upgrade Nextcloud due to Ubuntu version. I’ve spent the last four days updating the PHP version, PostgreSQL, repairing a corrupted index, and now I’m getting sidelined by Apache. During the last part of the Ubuntu upgrade, I see it do something with Apache. I don’t know what because it flashes by so fast, but once it does that and then prompts to reboot to finish the update, my site goes offline. Apache will not startup again. The error that I’ve found in the Apache error log is this:

[mpm_event:notice] [pid 379027:tid 140090768186496] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Jun 10 06:46:55.906025 2024] [ssl:emerg] [pid 438493:tid 139925333211008] AH02407: "SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/mydomain.com/dhparam.pem" > (domain replaced for security)
[Mon Jun 10 06:46:55.906094 2024] [ssl:emerg] [pid 438493:tid 139925333211008] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information>
AH00016: Configuration Failed

I’m not sure what is occurring with Apache or what is wrong with my Lets Encrypt cert. I have verified the PEM files are still there, and they don’t seem corrupted. My searching so far hasn’t resulted in much that makes sense to me.

I’ve created a linked clone of my VM so I can continue to tinker with it, but any suggestions on where to start looking for this issue? My end goal is to update Ubuntu, update Nextcloud, make new snapshots, overhaul my database backup process, and then likely continue upgrading to Ubuntu 24 and probably PHP and PostgreSQL as well.

*edit, I just checked / compared the versions of Apache, and prior to upgrading Ubuntu it is version 2.4.41 and after the server upgrade, it is version 2.4.52. So that must be the flash of Apache string I see in the latter part of the server upgrade. So what is changing from .41 > .52 that I need to fix?

I would try to create a new dhparam file using the newer version of openssl that ships with Ubuntu 22.04…

openssl dhparam -out /etc/letsencrypt/live/mydomain.com/dhparam.pem 4096

Thank you for that suggestion, although I did find that command earlier, tried it, and it had no effect at all.

What I just found that worked was to comment out the line
#SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/YOUR_NEXTCLOUDDOMAIN/dhparam.pem

for the file /etc/apache2/sites-enabled/YOUR_NEXTCLOUDDOMAIN.conf

Once that was done, Apache started right up, and my site was live and I could disable Maintenance mode. I’m testing a few things now, but it seems fine, so now I just need to understand the ramifications of doing that, and what I can do to re-enable that line and keep it working.

Sorry, it’s a complex topic that I don’t fully understand myself, to be honest, but maybe the following links will help to understand it better:

https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#toc_4

I’m still pretty sure that re-creating the file will do the trick.

hm. Based on the second article, it says to upgrade to Apache 2.4.8 or later and OpenSSL 1.0.2 or later, you can use the command. I have Apache 2.4.52. So maybe it’s not working for me because Apache isn’t at 2.4.8?

The command I posted should work on Ubuntu 20.04. I know this because I used it countless times, also .52 is newer than .8 :wink: The latest version of Apache2 is 2.4.59 btw: Download - The Apache HTTP Server Project

Oh, and by the way, the VM seems to create it at 2048 bits, which should be sufficient, I think, and maybe saves a few CPU cycles on your server: vm/lib.sh at 2552d8764f6c3fcf7534694adcfebfdf53de9fbf · nextcloud/vm · GitHub

So the command would be:

openssl dhparam -out /etc/letsencrypt/live/mydomain.com/dhparam.pem 2048

Ah, I misread 2.4.8 as .80 I guess. My bad on that.

I’ll retry the command with the line uncommented out again and see what happens. I was originally trying 4096 and it did take a bit to write out the file.
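
A read-only triage for the AH02407 failure discussed in this thread, added here as an example and not part of any post or of the nextcloud/vm scripts: it lists every SSLOpenSSLConfCmd DHParameters line in a vhost file, whether it is commented out, and whether the installed OpenSSL can parse the file it points to. The function names are made up for this example, and it assumes you run it as a user who can read the certificate directory.

```shell
#!/bin/sh
# Added example; dh_directives, check_dhparam and triage are hypothetical names.
# Usage: sh dh-triage.sh /etc/apache2/sites-enabled/YOUR_NEXTCLOUDDOMAIN.conf

# Print "active <path>" or "commented <path>" for every
# "SSLOpenSSLConfCmd DHParameters <path>" line in an Apache config file.
dh_directives() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            state = "active"
            if (line ~ /^#/) { state = "commented"; sub(/^#+[ \t]*/, "", line) }
            n = split(line, f, /[ \t]+/)
            if (n >= 3 && tolower(f[1]) == "sslopensslconfcmd" &&
                tolower(f[2]) == "dhparameters") {
                path = f[3]
                gsub(/"/, "", path)   # drop optional quoting around the path
                print state, path
            }
        }' "$1"
}

# Classify a DH parameter file as missing, unreadable, invalid, ok,
# or unchecked (no openssl binary found to test it with).
check_dhparam() {
    if [ ! -e "$1" ]; then echo missing; return 1; fi
    if [ ! -r "$1" ]; then echo unreadable; return 1; fi
    if ! command -v openssl >/dev/null 2>&1; then echo unchecked; return 2; fi
    # -check validates the parameters; -noout suppresses the PEM dump.
    if openssl dhparam -in "$1" -noout -check >/dev/null 2>&1; then
        echo ok
    else
        echo invalid; return 1
    fi
}

# One line per directive: state, path, and the status of the file.
triage() {
    dh_directives "$1" | while read -r state path; do
        echo "$state $path $(check_dhparam "$path")"
    done
}

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

An "active" line whose file is anything other than "ok" is the one mod_ssl will refuse at startup; after changing the file or the directive, `apache2ctl configtest` confirms the configuration before a restart.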