[Top] [Prev] [Next] [Last]

Chapter 8

Troubleshooting

This chapter provides a list of common errors, their meanings, and possible solutions. Errors are divided into three categories:

• startup errors
  
  
• runtime errors
  
  
• miscellaneous
  
  

If you have a problem that is not covered in this chapter, contact Stronghold technical support at stronghold-support@c2.net. Be sure to include any relevant log entries or configuration files.

---

Startup Errors

These errors occur on startup. Stronghold prints them to standard output.

LICENSE: StrongholdKey not set

The StrongholdKey directive is not set. Edit httpd.conf and insert your license key as the value for StrongholdKey. If you do not have a license key, visit http://www.c2.net or phone the C2Net offices at (510) 986-8770.

Error setting default verify locations

SSLCACertificatePath and/or SSLCACertificateFile are set incorrectly in httpd.conf:

• If SSLCACertificateFile is set, the file must include PEM-encoded certificate filenames.
  
  
• If SSLCACertficatePath is set, the directory it specifies must include PEM certificate files, with appropriate hash symlinks.
  
  

Can`t open certificate file hostname.cert.

The certificate file specified with SSLCertificateFile is unreadable.

• You may have specified an incorrect path or filename. Check the appropriate <VirtualHost hostname:443> container in httpd.conf to make sure SSLCertificateFile specifies the correct file.
  
  
• The certificate file may be corrupt. Use a backup copy or request a new certificate.
  
  

Error reading server certificate file hostname.cert.

The certificate file specified with SSLCACertificateFile is corrupt.

• Check to make sure it is a PEM-encoded certificate file. If it is a Netscape Commerce file, use the ns_convert utility to convert it to PEM format:
  
  # ns_convert directory hostname
  
  
• Check to make sure the file is not empty.
  
  

Can`t open key file hostname.key.

The key file specified with SSLCertificateKeyFile is unreadable.

• You may have specified an incorrect path or filename. Check the appropriate <VirtualHost hostname:443> container in httpd.conf to make sure SSLKeyFile specifies the correct file.
  
  
• The key file may be corrupt. Use a backup copy or generate a new key pair and request a matching certificate.
  
  

Error reading private key file hostname.key.

The key file is corrupt, or the pass phrase is incorrect.

• The pass phrase for this virtual host may not match the pass phrases for all other virtual hosts. Since Stronghold only asks for one pass phrase on startup, any virtual host with a different pass phrase is unable to perform SSL transactions. Check to see whether this virtual host has a different pass phrase than the rest. If so, use change_pass to change the pass phrase.
  
  
• The key file may be corrupt. Use a backup copy, or generate a new key pair and request a matching certificate.
  
  

No SSLRoot set for server hostname.

The SSLRoot directive is missing from httpd.conf. Check the <VirtualHost hostname:443> container and add this directive.

No SSL Certificate set for server hostname.

The SSLCertificateFile directive is missing from httpd.conf. Check the <VirtualHost hostname:443> container and add this directive.

Bad value for SSLVerifyClient (hostname).

SSLVerifyClient is less than 0 or greater than 2. Edit httpd.conf and set the value for this directive to 0, 1, or 2.

Required SSLLogFile missing.

The SSLLogFile directive is missing from httpd.conf.

httpd: could not open document config file

The path in the startup script is not the same as the actual path to httpd.conf.

• If you are using the start script that comes with Stronghold Web Server, keep in mind that it uses the path you set when you install the server. If this path has changed, edit the script to reflect the new path.
  
  
• If you are using a custom startup script, make sure it includes this line:
  
  httpsd -f ServerRoot/conf/httpd.conf
  
  

setgid: Invalid argument - unable to set group id

The user Stronghold runs as is not a member of the group specified by the Group directive. Check httpd.conf and set Group to a valid groupname. This error aborts Stronghold on startup, although the server logs it to the error_log instead of printing it to standard output.

bad base64 decode

The certificate file's BASE64 encoding is corrupt. Use a backup copy or request a new certificate.

bad decrypt

The pass phrase for the encrypted certificate file is incorrect:

• You may have entered an incorrect pass phrase. Try restarting Stronghold Web Server and entering it again.
  
  
• The pass phrase for this virtual host may not match the pass phrases for all other virtual hosts. Since Stronghold Web Server only asks for one pass phrase on startup, any virtual host with a different pass phrase is unable to perform SSL transactions. Check to see whether this virtual host has a different pass phrase than the rest.
  
  

bad end line

The certificate file for this host has no end line. Edit the file and append this end line to it:

-----END CERTIFICATE-----

no start line

The certificate file has no start line:

• The file may be empty. Locate the missing file or use genreq to request a new one.
  
  
• The file may be valid except for the missing start line. Edit the file and prepend this start line to it:
  
  -----BEGIN CERTIFICATE-----
  
  

RSA decrypt error - i=-1 enc_bits=5

The key file and certificate file for this host are mismatched. Use the checkcert utility to verify that this is the case:

# checkcert servername

If checkcert confirms that the key file and certificate file do not match, see "Troubleshooting Mismatched Certificates and Keys" on page 6-26 for information about reconciling them. Your configuration may specify the wrong site certificate, or the browser may have an obsolete site certificate.

---

Runtime Errors

These errors occur when a Web transaction fails. Stronghold Web Server records them in your error log and in any custom logs that include the error string field.

SSL_Accept failed: Undefined error: 0
error:1E066401:RSAref routines:func(102) :reason(1025)
error:14089004:SSL routines:SSL_RSA_PRIVATE_DECRYPT:RSA lib
error:1406A068:SSL routines:GET_CLIENT_MASTER_KEY:bad rsa decrypt

The key file and certificate file for this host are mismatched. Use the checkcert utility to verify that this is the case:

# checkcert servername

If checkcert confirms that the key file and certificate file do not match, see "Troubleshooting Mismatched Certificates and Keys" on page 6-26 for information about reconciling them. Your configuration may specify the wrong site certificate, or the browser may have an obsolete site certificate.

accept: (client_socket): Permission denied

This problem occurs under Solaris, which only allows 256 simultaneously open file descriptors. If you have more than 256 virtual hosts, each with its own transfer log, Stronghold cannot open all the log files to record transactions. You may also encounter this problem if you have fewer than 256 virtual hosts but each host has more than one log.

To resolve this problem, use one log file for all hosts on your server. Add the following to httpd.conf, and remove all logging directives from the <VirtualHost> containers:

TransferLog ServerRoot/logs/one-true-log-file.log
LogFormat "%v [etc]"

This establishes a single transfer log instead of separate logs for all virtual hosts, and causes the log to specify a virtual host for each entry. Do the same for your error logs, SSL logs, and custom logs, if you have separate files for each virtual host.

error:0406406A:rsa routines:RSA_EAY_PRIVATE_DECRYPT:block type is not 02:rsa_enc.c:284
error:14087074:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1094
[Thu Apr 10 18:43:51 1997] SSL accept error

You are using a key size less than 512 bits with SSL version 3, which only supports key sizes greater than or equal to 512 bits. To solve this problem, you can

• generate a new key pair of 512 bits or more, then request a new certificate for this key pair, or
  
  
• set SSLProtocol to "SSLv2" in order to force compliance with SSL version 2, which supports key sizes of less than 512 bits.
  
  

Clients cannot connect using HTTPS

Make sure that SSLFlag is set to "on." SSLFlag is the crucial directive that enables HTTPS connections.

Missing images under SSL

When a client uses HTTPS to request a page that references its images with HTTP, the client cannot retrieve the images and displays a broken image instead. For example, the following HTML tag does not work when the document is retrieved using HTTPS:

<img src=http://www.yourhost.com/images/images.gif>

To ensure that image references work regardless of whether clients request pages via HTTP or HTTPS, reference the images without specifying a protocol, like this:

<img src=/images/images.gif>

Slow server performance

Server performance varies dramatically between hardware platforms and UNIX implementations. Improving performance usually requires some experimentation. There are several possible solutions to slow server performance:

• implement encryption acceleration hardware such as nCipher's nFast product
  
  
• set HostnameLookups to "off"
  
  
• upgrade to a faster processor
  
  

---

Miscellaneous

These are runtime errors that are not associated with a single error string, but create a variety of server difficulties.

Server status report does not work

To obtain full statistics, the server must be compiled with a special directive. Make sure that the following line is included in the Configuration file:

AUX_CFLAGS= -DSTATUS

If not, add this line and recompile Stronghold as described in "Recompiling Stronghold" on page 4-6.

---

[Top] [Prev] [Next] [Last]

© 1997 C2Net International Feedback: stronghold-docs@c2.net