[Top] [Prev] [Next] [Last] Download PDF:   US   UK Download Postscript:   US   UK

Chapter 5

Troubleshooting

This chapter provides a list of common errors, their meanings, and possible solutions. Errors are divided into three categories:

• startup errors
  
  
• runtime errors
  
  
• browser errors
  
  

If you have a problem that is not covered in this chapter, contact Stronghold technical support and include any include relevant log entries or configuration files:

In the United States	Elsewhere Worldwide
stronghold-support@c2.net	support@int.c2.net

---

Startup Errors

These errors occur on startup. Stronghold prints them to standard output.

License Block Errors

These errors are cause by invalid, missing, or incorrectly installed license blocks.

LICENSE: No StrongholdLicenseFile directive

The StrongholdLicenseFile directive is missing from httpd.conf. Add this directive to the global configuration portion of the file.

LICENSE: License file does not exist

The StrongholdLicenseFile directive specifies a nonexistent license file. Edit this directive to point to the correct file.

LICENSE: License not valid, see http://www.int.c2.net/stronghold/lbfail

The license block is invalid. If you are using an old license block that looks like this

33:5d:7f:c7:6b:a6:82:47

then you must convert it to the current format using an HTML form at one of the following URLs:

• in the United States:
  
  

  https://www.c2.net/products/stronghold/23to24/

• elsewhere worldwide:
  
  

  http://www.int.c2.net/stronghold/23to24/

Certificate and Key File Errors

These errors are caused by problems with key files (located in ServerRoot/ssl/private/) and certificate files (located in ServerRoot/ssl/certs/).

hostname:port: WARNING: Cert file unspecified

The SSLCertificateFile directive for the specified hostname and port is missing from httpd.conf. Add this directive to the host's <VirtualHost hostname:port> container.

hostname:port: WARNING: Key file unspecified

The SSLCertificateKeyFile directive for the specified hostname and port is missing from httpd.conf. Add this directive to the host's <VirtualHost hostname:port> container.

hostname:port: WARNING: SSLLogFile not set

The SSLLogFile directive is missing from httpd.conf.

bad base64 decode

The certificate file's BASE64 encoding is corrupt. Use a backup copy or request a new certificate.

hostname:port: Cannot initialise SSL: Key file error. Host disabled

There is a problem with the specified host's key file; SSL is disabled for that host. Check for the following problems:

• An incorrect pass phrase was entered during server startup.
  
  
• The private keys in ServerRoot/ssl/private do not all use the same pass phrase.
  
  

  If you are running multiple SSL/TLS hosts (each with its own private key and certificate), make sure that all the private keys share the same pass phrase. To change the pass phrase for one or more private keys, use the change_pass utility. Another option is to use the decrypt_key utility to decrypt the private keys, eliminating the need to enter a passphrase during startup.

• The SSLCertificateKeyFile directive for this host specifies an invalid path or filename.
  
  

hostname:port: Cannot initialise SSL: Cert file error. Host disabled.

There is a problem with the specified host's certificate file; SSL is disabled for that host. Check for the following problems:

• The SSLCertificateFile directive for this host specifies an invalid directory path or filename.
  
  
• The SSLRoot directive is not set or specifies an invalid path. In most cases, it should be set to ServerRoot/ssl.
  
  
• The certificate file for this host has no end line. Edit the file and append this end line to it:
  
  -----END CERTIFICATE-----
  
  
• The certificate file has no start line.
  
  

  The file may be empty. Locate the missing file or use genreq to request a new one. The file may be valid except for the missing start line. Edit the file and prepend this start line to it:

  -----BEGIN CERTIFICATE-----
  
  

hostname:port: Cannot initialize SSL: Can't set key. Host disabled

There is a problem with the specified host's key file; SSL is disabled for that host. Check for the following problems:

• The key file in ServerRoot/ssl/private and certificate file in ServerRoot/ssl/certs for the disabled secure host are mismatched. Use the checkcert utility to verify that this is the case:
  
  # checkcert servername
  
  

  If checkcert confirms that the key file and certificate file do not match, see "Troubleshooting Mismatched Certificates and Keys" on page 2-14 for information about reconciling them.

• The SSLCertificateFile defined in the secure host container, references an incorrect certificate file in ServerRoot/ssl/certs.
  
  
• The SSLCertificateKeyFile defined in the secure host container, references an incorrect private key file in ServerRoot/ssl/private.
  
  

RSA decrypt error - i=-1 enc_bits=5

The key file and certificate file for this host are mismatched. Use the checkcert utility to verify that this is the case:

# checkcert servername

If checkcert confirms that the key file and certificate file do not match, see "Troubleshooting Mismatched Certificates and Keys" on page 2-14 for information about reconciling them. Your configuration may specify the wrong site certificate, or the browser may have an obsolete site certificate.

hostname:port: WARNING: Certificate expires in n day(s)

The certificate for the specified host is temporary and must be replaced within n days. If you have not received a permanent certificate by that time, create another temporary certificate using the gencert utility as explained in "Generating a Test Certificate" on page 2-38.

Other Startup Errors

These are miscellaneous errors that may occur on startup.

fopen: No such file or directory
httpd: could not open document config file filename

The path in the startup script is not the same as the actual path to httpd.conf. The server cannot start without a configuration file.

• If you are using the start script that comes with Stronghold Web Server, keep in mind that it uses the path you set when you install the server. If this path has changed, edit the script to reflect the new path.
  
  
• If you are using a custom startup script or you are starting the server manually, be sure to include the -f flag with the correct path to httpd.conf:
  
  httpsd -f ServerRoot/conf/httpd.conf
  
  

httpd: bad group name groupname

The groupname specified by the Group directive is invalid. The server cannot start without a valid group.

httpd: bad user name username

The username specified by the User directive is invalid. The server cannot start without a valid user.

/usr: write failed, file system is full

The partition /usr is full and needs to be expanded or cleaned up.

---

Runtime Errors

These errors occur when a Web transaction fails. Stronghold Web Server records them in the requested host's error log, SSL error log, or any custom log that includes the error string field.

SSL: 32077:error:1408A0C0:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:732

• The file specified by SSLCertificateFile, SSLProxyMachineCertFile, or SSLCertificateKeyFile may be missing or corrupted. Check the appropriate SSL/TLS <VirtualHost> container in httpd.conf to make sure these directives specify the correct files.
  
  
• The ciphers allowed by SSLCipherList, SSLProxyCipherList, or SSLRequireCipher may not be compatible with the browser that sent the request, or the browser may be using ciphers that are prohibited with SSLBanCipher.
  
  
• The pass phrase for this virtual host may not match the pass phrases for all other virtual hosts. Since Stronghold only asks for one pass phrase on startup, any virtual host with a different pass phrase is unable to perform SSL/TLS transactions. Check to see whether this virtual host has a different pass phrase than the rest. If so, use change_pass to change the pass phrase.
  
  
• The SSLRoot directive may be missing from httpd.conf. Check the <VirtualHost hostname:443> container and add this directive.
  
  

(2)No such file or directory: access to filename failed for client-IP, reason: unable to verify the first certificate

The SSLCACertificatePath and/or SSLCACertificateFile directives for the requested host are set incorrectly in httpd.conf:

• If SSLCACertificateFile is set, the file must include PEM-encoded certificate filenames.
  
  
• If SSLCACertficatePath is set, the directory it specifies must include PEM certificate files, with appropriate hash symlinks.
  
  
• Make sure that SSLCACertificateFile and/or SSLCACertficatePath contain CA certificates from the CAs that signed the client certificates that site visitors are submitting.
  
  

rsa routines:RSA_EAY_PRIVATE_DECRYPT:block type is not 02 SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt

The site certificate sent by Stronghold conflicts with an existing certificate already cached in the browser. The browser user must open the Site Certificates dialog box and delete the cached certificate that belongs to this host.

fcntl: F_SETLKW: No record locks available

SSL/TLS session cache locking has failed. Make sure that your SSLSessionLockFile directive points to a local file, not an NFS-mounted one.

accept: (client_socket): Permission denied

The system has run out of file descriptors. Solaris, for example, allows no more than 256 open file descriptors. If there are more than 256 virtual hosts, each with one or more logs of its own, Stronghold cannot open all the log files to record transactions.

To resolve this problem, use one log file for all hosts on your server. Add the following to httpd.conf, and remove all logging directives from the <VirtualHost> containers:

TransferLog ServerRoot/logs/one-true-log-file.log
LogFormat "%v [etc]"

This establishes a single transfer log instead of separate logs for all virtual hosts, and causes the log to specify a virtual host for each entry. Do the same for your error logs, SSL/TLS logs, and custom logs, if you have separate files for each virtual host.

error:0406406A:rsa routines:RSA_EAY_PRIVATE_DECRYPT:block type is not 02:rsa_enc.c:284
error:14087074:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1094
SSL accept error

You are using a key size less than 512 bits with SSL version 3 or TLS version 1, which only support key sizes greater than or equal to 512 bits. To solve this problem, you can

• generate a new key pair of 512 bits or more, then request a new certificate for this key pair, or
  
  
• set SSLProtocol to "SSLv2" in order to force compliance with SSL version 2, which supports key sizes of less than 512 bits.
  
  

Slow server performance

Server performance varies dramatically between hardware platforms and UNIX implementations. Improving performance usually requires some experimentation. There are several possible solutions to slow server performance:

• implement encryption acceleration hardware such as nCipher's nFast product
  
  
• set HostnameLookups to "off"
  
  
• upgrade to a faster processor
  
  

The Apache Web site contains more detailed information about improving performance. See http://www.apache.org/docs/misc/perf.html.

Server status report does not work

To obtain full statistics, the server must be compiled with a special directive. Make sure that the following line is included in the Configuration file:

AUX_CFLAGS= -DSTATUS

If not, add this line and recompile Stronghold as described in "Recompiling Stronghold" on page 8-9.

---

Browser Errors

These are browser-generated errors that may have been provoked by the server. They must be remedied by the browser user.

Clients cannot connect using HTTPS

Make sure that SSLFlag is set to "on." SSLFlag is the crucial directive that enables HTTPS connections.

Missing images under SSL/TLS

When a client uses HTTPS to request a page that references its images with HTTP, the client cannot retrieve the images and displays a broken image instead. For example, the following HTML tag does not work when the document is retrieved using HTTPS:

<img src=http://www.yourhost.com/images/images.gif>

To ensure that image references work regardless of whether clients request pages via HTTP or HTTPS, reference the images without specifying a protocol, like this:

<img src=/images/images.gif>

An I/O error occurred during security authorization. Please try your connection again.

The site certificate that was presented is conflicting with an existing certificate already cached in the browser. Enter the browser's Site Certificates dialog box and delete the cached certificate for this host.

The security library has experienced a database error. You will probably be unable to connect to this site securely.

The site certificate that was presented is conflicting with an existing certificate already cached in the browser. Enter the browser's Site Certificates dialog box and delete the cached certificate for this host.

Internet Explorer cannot download from the Internet site.

Certain releases of Stronghold have experienced problems with Microsoft Internet Explorer 4.0 being unable to download files that require both user authentication and a secure environment. Try using a Netscape browser to access the URL.

---

[Top] [Prev] [Next] [Last]

© 1998 C2Net International Feedback: stronghold-docs@c2.net