Category Archives: Software & Tools

How to restart Apache server in Linux

Learn how to restart Apache webserver in Linux from the command line. Know the log file locations to check when troubleshooting the restart process.

Apache is one of the most widely used web servers in the Linux environment. Its easy webserver configuration, quick SSL configuration, and separate log files make it easy for a sysadmin to manage.

In this post, we will be seeing how to restart apache instances in Linux from the command line. We will also see its log files which can help us while troubleshooting the restart process.

An Apache instance normally resides in the /etc/httpd directory. If you have multiple instances running on the same machine, they might be in different directories such as /etc/httpd/httpd-Name1, /etc/httpd/httpd-Name2, etc. It is recommended to run different instances under different user ids so that they can be managed separately.

Check running Apache:

The currently running Apache instance can be identified by using either of the commands below:

root@kerneltalks # ps -ef |grep -i httpd
apache   15785 20667  0 07:50 ?        00:00:02 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k start
apache   15786 20667  0 07:50 ?        00:00:02 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k start
apache   15787 20667  0 07:50 ?        00:00:02 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k start
apache   15788 20667  0 07:50 ?        00:00:02 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k start
apache   15789 20667  0 07:50 ?        00:00:02 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k start
apache   15790 20667  0 07:50 ?        00:00:02 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k start

Since my machine has multiple Apache instances running, you can see the same PPID for all processes. This PPID is the PID of the main httpd service.

root@kerneltalks # service httpd status
httpd (pid  20667) is running...

To stop Apache :

To stop Apache, we need to invoke the Apache control script and provide it with the configuration file name (so that it knows which instance to stop when multiple instances are running).

# /usr/sbin/apachectl -f /etc/httpd/conf/httpd.conf -k stop

In the above example, apachectl is supplied with the conf file location (-f) and the option (-k) to stop. Once the above command is executed, you will notice that httpd processes are no longer visible in ps -ef output.

If there is only a single instance, you can directly stop the service to stop Apache.

# service httpd stop

Once Apache is stopped, you will notice that /var/httpd/logs/access.log also stops populating.

To start Apache:

To start it again, you need to invoke apachectl with the start argument.

# /usr/sbin/apachectl -f /etc/httpd/conf/httpd.conf -k start

In case of a single instance, you can directly start the service.

# service httpd start

Once Apache is started back up, you will see httpd processes in ps -ef output. Also, access.log will start populating again.

If Apache is not starting up (after you made changes in the configuration), then you need to check the error.log file for the reason. It resides under the /etc/httpd/logs directory.

To restart Apache :

Both of the above operations can be combined with the restart option. When invoked, it will stop the instance first and then start it again.

# /usr/sbin/apachectl -f /etc/httpd/conf/httpd.conf -k restart

# service httpd restart

Both of the above commands restart Apache instances.

How to install SSL certificate on Apache running on Linux

Learn how to install an SSL certificate on the Apache webserver running on the Linux machine. Steps include installation, configuration, and verification.

Before we start with the SSL certificate steps, let's run through the prerequisites below:

  1. You have an Apache webserver running on your Linux machine.
  2. You have generated a CSR file and submitted it to the certificate vendor. Read here: steps to generate CSR.
  3. You have received an SSL certificate file from the vendor.

The SSL certificate you received from the certificate vendor should be a filename.crt file. This file can be opened with a text editor and looks like below:

-----BEGIN CERTIFICATE-----
(base64-encoded certificate data)
-----END CERTIFICATE-----

Installation :

Using FTP, sftp, etc., copy the SSL certificate, the intermediate certificate file (if any), and the private key file (generated during the CSR file generation step above) to the Linux machine running the Apache webserver. sftp is preferable because it encrypts the transfer, which matters for the private key. It is advisable to copy these files within the Apache installation directory, and in separate directories if you want to maintain archives of old files. For example, if the Apache installation directory is /etc/httpd, then you can create a directory /etc/httpd/ssl_certs and keep new/old certificates in it. Likewise, for keys you can create /etc/httpd/ssl_keys and keep new/old key files in it.

Normally, certificate and key files should be readable by the owner and by the group to which the Apache user belongs.

Configuration :

Log in to your Linux machine and navigate to your Apache installation directory, where the configuration file resides. Most of the time it is installed in the /etc/httpd/ directory. If you are not sure where your Apache is installed, identify the appropriate Apache instance in ps -ef output (in case multiple Apache instances are running on the same machine). To check the Apache configuration file location, use the command below:

# /usr/sbin/httpd -V
Server version: Apache/2.2.17 (Unix)
Server built:   Oct 19 2010 16:27:47
Server's Module Magic Number: 20051115:25
Server loaded:  APR 1.3.12, APR-Util 1.3.9
Compiled using: APR 1.3.12, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

See the last line of the above output, which shows the configuration file (i.e. httpd.conf) location. This is a relative path. The complete absolute path of the config file can be obtained from the HTTPD_ROOT value in the above output. So the complete path for the config file is HTTPD_ROOT/SERVER_CONFIG_FILE, i.e. /etc/httpd/conf/httpd.conf in this case.

Once you have located the configuration file, you need to edit it with a text editor like vi and specify the SSL certificate paths. You need to define the three paths below. If the parameters are already in the file, then just edit their paths.

SSLCertificateFile /<path to SSL cert>/filename.crt
SSLCertificateKeyFile /<path to private key>/private.key
SSLCertificateChainFile /<path to intermediate cert>/intermediate.crt

These paths are the ones where you copied the SSL cert, intermediate cert, and private key in the above step. Save and verify the changes.

Final step :

You are done with the configuration now, but the Apache instance doesn’t know about these changes. You need to restart the Apache instance for the new changes to take effect. You can restart Apache with the commands below:

# /usr/sbin/apachectl -f /<path of conf file>/httpd.conf -k stop
# /usr/sbin/apachectl -f /<path of conf file>/httpd.conf -k start

Verify that Apache is up and running using the ps -ef command. If you don’t see the Apache instance running, then check error.log for troubleshooting. This log file is located in the logs directory under the Apache installation directory. The path can be identified from the DEFAULT_ERRORLOG value in the above httpd -V output.

Verification :

Once Apache is up and running with this new configuration, verify whether you installed your certificate correctly by visiting this online free tool by Symantec.

Also, you can visit the website/link being served by Apache in a fresh browser session and check the certificate details by clicking the lock icon in the browser bar, then clicking Details in the dropdown that appears.

Click on View certificate to see the certificate details, which include purpose, issue date, expiry date, organization, issuer, etc.
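The installation and configuration steps above leave three things worth checking before the stop/start in the final step: that the key file is not accessible to other users, that the certificate is not about to expire, and that the certificate and private key actually belong together. The script below is an added example, not part of the original article; the function names and the 30-day expiry margin are assumptions, and the paths in the usage comment are the example directories mentioned above.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the files
# named in SSLCertificateFile and SSLCertificateKeyFile before restarting.

# Succeeds if the key file exists and has no read/write bit set for "other".
key_not_world_accessible() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" \( -perm -004 -o -perm -002 \))" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Succeeds if the certificate and the private key carry the same public key.
# A passphrase-protected key (e.g. made with -des3) prompts for its passphrase.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; the 30-day expiry margin is an assumed threshold.
ssl_precheck() {
    key_not_world_accessible "$2" ||
        { echo "FAIL: $2 missing or accessible to other users" >&2; return 1; }
    cert_valid_for_days "$1" 30 ||
        { echo "FAIL: $1 unreadable or expires within 30 days" >&2; return 1; }
    cert_key_match "$1" "$2" ||
        { echo "FAIL: $1 and $2 do not belong together" >&2; return 1; }
    echo "OK: $1 and $2 are consistent"
}

# Usage: sh ssl_precheck.sh /etc/httpd/ssl_certs/filename.crt /etc/httpd/ssl_keys/private.key
if [ "$#" -eq 2 ]; then
    ssl_precheck "$1" "$2"
fi
```

Once these checks pass, running httpd -t with the same -f configuration file validates the configuration syntax before the instance is stopped.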

How to generate CSR file for SSL request on Linux

Steps to generate a CSR file. A CSR file is a request file that is submitted to the vendor to get an SSL certificate for a webserver.

CSR is a Certificate Signing Request file. It is generated on the server on which the SSL certificate will be used. This file contains details about the organization and URL in an encoded format. Whenever you approach a vendor to get an SSL certificate for your web server, you have to submit this CSR file to them. Your certificate will be generated based on the information in this CSR file.

How to generate CSR using OpenSSL

Let’s jump into creating our CSR using the most commonly used method, i.e. OpenSSL. It’s a two-step process:

  1. Create a private key
  2. Generate CSR using the private key

Create a private key

Using openssl, generate a 2048-bit key file (*.key). This key file will be used to generate the CSR. The command asks for a pass phrase, which protects the key file. Use a pass phrase of your choice; you will need to supply it while generating the CSR.

[root@kerneltalks ~]# openssl genrsa -des3 -out kerneltalks.com.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
..............................................................................................................................................................................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for kerneltalks.com.key:
Verifying - Enter pass phrase for kerneltalks.com.key:

Generate CSR file using key

Now generate the CSR file using the key file we generated in the above step.

[root@kerneltalks ~]# openssl req -new -key kerneltalks.com.key -out kerneltalks.comcsr -sha256
Enter pass phrase for kerneltalks.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:Personal
Common Name (eg, your name or your server's hostname) []:kerneltalks.com
Email Address []:contact@kerneltalks.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note that -sha256 generates the CSR with the SHA2 algorithm, which is normally preferred. If the -sha256 argument is not given, the CSR will be generated with SHA1, which is outdated and normally not preferred.

Once you get a CSR file, you can check its contents using cat. It is a block of encoded text, which you can decode to check the information within on this link. If there is any typo in the data, you can regenerate the CSR before submitting it to the vendor.

How to generate CSR using Java keytool

Some people create a CSR file using a Java Keystore. Let’s walk through how to create a certificate signing request using Java keytool.

Firstly, your web server must have Java installed, and you should know the Java binary directory. This is where the keytool command binary resides.

It is also a two-step process:

  1. Create java Keystore
  2. Generate CSR using java Keystore

Create java Keystore

keytool is the Java binary used to run the commands below. While generating the Keystore, you will be asked for all the website-related information.

# keytool -genkey -alias server -keyalg RSA -keystore kerneltalks.com.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  kerneltalks.com
What is the name of your organizational unit?
  [Unknown]:  Personal
What is the name of your organization?
  [Unknown]:  Personal
What is the name of your City or Locality?
  [Unknown]:  Mumbai
What is the name of your State or Province?
  [Unknown]:  Maharashtra
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=kerneltalks.com, OU=Personal, O=Personal, L=Mumbai, ST=Maharashtra, C=IN correct?
  [no]:  yes

Enter key password for <server>
        (RETURN if same as keystore password):

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore kerneltalks.com.jks -destkeystore kerneltalks.com.jks -deststoretype pkcs12".

Create CSR using java Keystore

Now use the Keystore created above, i.e. the jks file, to generate the CSR file.

[root@kerneltalks ~]# keytool -certreq -keyalg RSA -alias server -file kerneltalks.com.csr -keystore kerneltalks.com.jks
Enter keystore password:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore kerneltalks.com.jks -destkeystore kerneltalks.com.jks -deststoretype pkcs12".

Once done, you can give this CSR to your vendor for SSL certificate procurement.
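A CSR produced by either method above can be inspected locally with openssl before it is sent to the vendor, including the SHA1-versus-SHA2 point noted earlier. The script below is an added example, not part of the original article; the function names are assumptions, and the 2048-bit minimum mirrors the RSA key size used in the commands above.

```shell
#!/bin/sh
# Added example (not from the original article): inspect a CSR locally
# before submitting it to the certificate vendor.

# Succeeds if the CSR's self-signature verifies. The message text is
# matched because older openssl releases exit 0 even on a failed verify.
csr_signature_ok() {
    openssl req -verify -noout -in "$1" 2>&1 | grep -q 'verify OK'
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds if the algorithm name uses an outdated digest (SHA-1 or MD5).
is_weak_sig_alg() {
    case "$1" in
        sha1*|md5*|ecdsa-with-SHA1|dsaWithSHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the public key size in bits, e.g. 2048.
csr_key_bits() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        sed -n 's/^ *\(RSA \)\{0,1\}Public[- ]Key: *(\([0-9]*\) bit.*/\2/p' |
        head -n 1
}

# Run all checks, then print the subject for a visual typo check.
# The 2048-bit floor assumes an RSA key, as generated in this article.
csr_check() {
    csr_signature_ok "$1" ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }
    alg=$(csr_sig_alg "$1")
    if is_weak_sig_alg "$alg"; then
        echo "FAIL: weak signature algorithm $alg" >&2; return 1
    fi
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-unknown} bits" >&2; return 1; }
    openssl req -noout -subject -in "$1"
}

# Usage: sh csr_check.sh kerneltalks.com.csr
if [ "$#" -eq 1 ]; then
    csr_check "$1"
fi
```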

How to restore nagios configuration from backup

Learn to restore a Nagios configuration backup. If you messed up the Nagios configuration, you can restore the last known good config using these steps.

Restore Nagios configuration

Requirement

While troubleshooting or making configuration changes (R&D), you sometimes mess up the configuration in Nagios. This leads to a dashboard with no data. You need to revert to the last known good configuration so that the tool can resume its work.

Solution

Normally you should have daily (or a frequency of your choice, i.e. weekly, hourly, etc.) backups of the tool configuration scheduled using services like cron. We will see how to configure this configuration backup in another article.

Now, navigate to the directory where configuration backups are kept. Normally they should be gzip-compressed tar files (.tar.gz).

Once inside that directory, run the restore command below.

# check_mk --restore check_mk.11-Mar-2016.tar.gz

After the restore, run the command below to make sure ownership is correctly in place.

# chown -R apache:nagcmd /etc/check_mk/conf.d/wato/

Lastly, restart Nagios to pick up the restored configuration.

# check_mk -R --restart nagios-check_mk

Now go back to the dashboard and check that it is populated with values!