mikesjn
asked on
Outlook Web Access using Apache2
I have got lumbered with a system that I did not build, but was working. Our mail system is an Exchange 2000 system, but users can access the system using an external Apache2 web server. This same server is running a Postfix server acting as a mail scanner and relay to the above server. All was working until we had a system crash. The mail relay works and users can again access their mail using SquirrelMail. But when users try to access Outlook Web Access (to the same Exchange server) they get an error.
Here is a copy of the apache2/error_log
************************** ********** ********** ********** ********** ********** ******
smtp:/var/log/apache2 # tail -n 30 error_log
[Fri Jul 01 10:12:27 2005] [notice] child pid 3252 exit signal Segmentation fault (11)
[Fri Jul 01 10:32:47 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jul 01 10:32:49 2005] [notice] child pid 3001 exit signal Segmentation fault (11)
[Fri Jul 01 10:34:48 2005] [notice] child pid 3288 exit signal Segmentation fault (11)
[Fri Jul 01 10:38:57 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jul 01 10:38:59 2005] [notice] child pid 3004 exit signal Segmentation fault (11)
[Fri Jul 01 10:39:34 2005] [notice] caught SIGTERM, shutting down
[Fri Jul 01 10:39:41 2005] [warn] RSA server certificate CommonName (CN) `*.biowisdom.com' does NOT match server name!?
[Fri Jul 01 10:39:41 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Fri Jul 01 10:39:41 2005] [warn] RSA server certificate CommonName (CN) `*.biowisdom.com' does NOT match server name!?
[Fri Jul 01 10:39:42 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Fri Jul 01 10:40:14 2005] [notice] child pid 5567 exit signal Segmentation fault (11)
[Fri Jul 01 10:40:20 2005] [notice] child pid 5568 exit signal Segmentation fault (11)
[Fri Jul 01 10:40:29 2005] [notice] child pid 5569 exit signal Segmentation fault (11)
[Fri Jul 01 10:43:34 2005] [error] [client 172.16.1.1] File does not exist: /srv/www/htdocs/squirrelmail/favicon.ico
[Fri Jul 01 10:43:34 2005] [error] [client 172.16.1.1] unable to include "include/bottom.html" in parsed file /usr/share/apache2/error/HTTP_NOT_FOUND.html.var
[Fri Jul 01 10:43:45 2005] [notice] child pid 5629 exit signal Segmentation fault (11)
[Fri Jul 01 10:43:55 2005] [notice] child pid 5571 exit signal Segmentation fault (11)
[Fri Jul 01 10:44:07 2005] [notice] child pid 5623 exit signal Segmentation fault (11)
[Fri Jul 01 10:44:09 2005] [notice] child pid 5625 exit signal Segmentation fault (11)
[Fri Jul 01 10:48:25 2005] [notice] caught SIGTERM, shutting down
[Fri Jul 01 10:49:57 2005] [warn] RSA server certificate CommonName (CN) `*.biowisdom.com' does NOT match server name!?
[Fri Jul 01 10:49:57 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Fri Jul 01 10:49:57 2005] [warn] RSA server certificate CommonName (CN) `*.biowisdom.com' does NOT match server name!?
[Fri Jul 01 10:50:05 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Fri Jul 01 11:36:14 2005] [notice] child pid 3050 exit signal Segmentation fault (11)
[Fri Jul 01 13:10:39 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jul 01 13:10:43 2005] [notice] child pid 6452 exit signal Segmentation fault (11)
[Fri Jul 01 13:36:40 2005] [notice] child pid 6457 exit signal Segmentation fault (11)
[Fri Jul 01 14:33:08 2005] [notice] child pid 6445 exit signal Segmentation fault (11)
smtp:/var/log/apache2 #
************************** ********** ********** ********** ********** ********** ********** *******
Here is the config file with regard to this
DocumentRoot /srv/www/htdocs/squirrelmail
<IfModule mod_dir.c>
DirectoryIndex index.html index.php
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/ [redirect=permanent]
</IfModule>
<VirtualHost _default_:443>
SSLEngine on
<Location />
SSLRequireSSL
</Location>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/apache2/ssl.crt/biowisdom.com.2004.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/biowisdom.com.2004.key
SSLCertificateChainFile /etc/apache2/ssl.crt/CA_keys.2004.crt
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Exchange proxying with certificate checking
<IfModule mod_proxy.c>
SSLProxyEngine on
ProxyRequests Off
SSLCACertificateFile /etc/apache2/ssl.crt/BioWisdomCA.crt
SSLCARevocationFile /etc/apache2/ssl.crl/BioWisdomCA.crl
SSLVerifyClient none
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
<Location /exchange>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "BioWisdom Ltd."
SSLVerifyClient require
SSLOptions +OptRenegotiate
ProxyPass https://comms.biowisdom.com/Exchange
ProxyPassReverse https://comms.biowisdom.com/Exchange
</Location>
<Location /Exchange>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "BioWisdom Ltd."
SSLVerifyClient require
SSLOptions +OptRenegotiate
ProxyPass https://comms.biowisdom.com/Exchange
ProxyPassReverse https://comms.biowisdom.com/Exchange
</Location>
<Location /Public>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "BioWisdom Ltd."
SSLVerifyClient require
SSLOptions +OptRenegotiate
ProxyPass https://comms.biowisdom.com/public
ProxyPassReverse https://comms.biowisdom.com/public
</Location>
<Location /exchweb>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "BioWisdom Ltd."
SSLVerifyClient require
SSLOptions +OptRenegotiate
ProxyPass https://comms.biowisdom.com/exchweb
ProxyPassReverse https://comms.biowisdom.com/exchweb
</Location>
</IfModule>
</VirtualHost>
This is a SuSE 9.2 server. With these modules installed.
apache2-mod_php4-4.3.10-14.4
apache2-2.0.53-10
apache2-prefork-2.0.53-10
The certificates are all valid and I can read with openssl
I know a fair amount of Linux admin, but it is not my main job - I don't want to make this worse.
Any suggestions?
Mike
I would suggest that you back up your Apache binaries, configuration and certificates and re-install / upgrade Apache. The fact that you're getting a segfault is somewhat concerning, as this is not generally related to a configuration error. If you have access to the original RPMs, just remove the existing Apache RPMs and re-install.
ASKER
Tried forcing an upgrade which it did and still the same!!
Segmentation fault can result from:
- broken application binaries
- some broken (php,perl) code
some suggestions:
- was there a filesystem check after the crash?
- are these segfaults logged if you access your exchange stuff? ('tail -f yourerror.log' and try to access)
> But when users try to access Outlook Web Access (to the same exchange server) they get an error.
what is the error?
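A triage check for the suggestion above (watch the error log while reproducing the failure), as an added example that is not part of the original thread: it pairs each child segfault with a "Re-negotiation handshake failed" error logged in the preceding few seconds. The sample lines are taken from the question's log excerpt; the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the error_log excerpt in the question.
SAMPLE_LOG = """\
[Fri Jul 01 10:32:47 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jul 01 10:32:49 2005] [notice] child pid 3001 exit signal Segmentation fault (11)
[Fri Jul 01 10:34:48 2005] [notice] child pid 3288 exit signal Segmentation fault (11)
[Fri Jul 01 10:38:57 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jul 01 10:38:59 2005] [notice] child pid 3004 exit signal Segmentation fault (11)
[Fri Jul 01 13:10:39 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jul 01 13:10:43 2005] [notice] child pid 6452 exit signal Segmentation fault (11)
[Fri Jul 01 13:36:40 2005] [notice] child pid 6457 exit signal Segmentation fault (11)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
SEGV_RE = re.compile(r"child pid (\d+) exit signal Segmentation fault")
RENEG = "Re-negotiation handshake failed"

def parse(text):
    """Yield (timestamp, level, message) for each well-formed error_log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # shell prompts, separators, wrapped lines
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # bracketed text that is not an Apache 2.0 timestamp
        yield ts, m["level"], m["msg"]

def correlate(text, window_s=5):
    """Return (linked, unlinked) segfault pids; linked = renegotiation failure <= window_s before."""
    window = timedelta(seconds=window_s)
    last_reneg = None
    linked, unlinked = [], []
    for ts, _level, msg in parse(text):
        if RENEG in msg:
            last_reneg = ts
            continue
        m = SEGV_RE.search(msg)
        if m:
            near = last_reneg is not None and timedelta(0) <= ts - last_reneg <= window
            (linked if near else unlinked).append(int(m.group(1)))
    return linked, unlinked

if __name__ == "__main__":
    linked, unlinked = correlate(SAMPLE_LOG)
    print("after failed renegotiation:", linked, "| no renegotiation nearby:", unlinked)
```

Segfaults that repeatedly land in the linked list point the investigation at the client-certificate locations (SSLVerifyClient require with +OptRenegotiate) rather than at the SquirrelMail side; the unlinked ones need a separate explanation.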
ASKER
OWA works from the internal network going straight to the server, and the rights on IIS are set correctly for the Apache proxy. SquirrelMail from the same Apache server is working correctly, but the error from using a reverse proxy is that the page is not displayed. The config file is shown above. The error using IE is "The Page Cannot be displayed"; in Firefox it hangs - the page does not change, but I can see the certificate from the IIS server loaded. It seems like a problem displaying the page - as opposed to it cannot find it. I have heard the possibility of it being a header modification on the Apache server? I would not know how to add headers, my knowledge of Apache is not that good.
I would like to resolve this quickly- sorry for delay but I have been extremely busy.
Mike
ASKER
I have tried to add
<IfModule mod_headers.c>
Header set Front-End-Https: on
</IfModule>
to the configuration above. Where should it go, and does this look correct? Apparently the front end server needs this - it has worked for months without it. I have added mod_headers, by the way.
ASKER
Also getting, cannot find server error in IE top bar but Mozilla gets certificate and hangs
ASKER
I set up (again) using this document http://3cx.org/item/46. Something must have changed with an update, now working fine.