1

I'm configuring a new Apache web server on Oracle Linux 9 (comparable with RedHat/CentOS according to Oracle). The version of httpd is 2.4.51 and the version of php is 8.0.13. However, the service failed to start with the following error (with journalctl -xeu):

httpd.service: Failed with result 'exit-code'.

I looked it up, and many similar errors appear to be related to the config file. But apachectl configtest returned Syntax OK, and httpd --help gives no output.

So I tried to comment out some config in http.conf; after commenting out the mod-security related line, it throws a new error message:

httpd.service: Failed with result 'protocol'.

No other useful error message can be retrieved from journalctl.

Commenting out the php related lines also doesn't help. Besides, I found that to install mod_security2 I have several other "modules" to install, but I downloaded this mod_security2 from app stream. To make sure the problem does not come from this module, I installed the modules that are required in its documentation (except libapr and libapr-util, because an error occurs on building: rpmbuild cannot find doxygen even though I installed it).

—————Update————

error_log:

[core:notice] [pid 4944:tid 4944] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[suexec:notice] - - AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00016: Configuration Failed
[core:notice] [pid 4963:tid 4963] SELinux policy enabled; httpd running as context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suexec:notice] - - AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[-:error] - - SecServerSignature: original signature too short. Please set ServerTokens to Full.
[-:notice] - - ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[:notice] [pid 4963:tid 4963] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[:notice] [pid 4963:tid 4963] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[:notice] [pid 4963:tid 4963] ModSecurity: LUA compiled version="Lua 5.4"
[:notice] [pid 4963:tid 4963] ModSecurity: YAJL compiled version="2.1.0"
[:notice] [pid 4963:tid 4963] ModSecurity: LIBXML compiled version="2.9.12"
[-:notice] - - ModSecurity: Original server signature: Apache
[:notice] [pid 4963:tid 4963] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[lbmethod_heartbeat:notice] - - AH02282: No slotmem from mod_heartmonitor
[-:error] - - SecServerSignature: original signature too short. Please set ServerTokens to Full.
[core:notice] - - AH00094: Command line: 'httpd'

AH00016 seems to be related to the SSL cert, so I also attached the error log for SSL.

ssl_error_log:

[ssl:emerg] - - AH02562: Failed to configure certificate www.example.com:443:0 (with chain), check /etc/pki/tls/certs/example-wildcard.crt
[ssl:emerg] - - SSL Library Error: error:8000000D:system library::Permission denied (calling fopen(/etc/pki/tls/certs/example-wildcard.crt, r))
[ssl:emerg] - - SSL Library Error: error:10080002:BIO routines::system lib
[ssl:emerg] - - SSL Library Error: error:0A080002:SSL routines::system lib

I found a permission denied error when reading my wildcard cert, and I noticed it was because I had the wrong ownership. I changed it to what it should be, with permissions of 644.

BTW, httpd -t also returns Syntax OK. Now when I rerun httpd -t without root rights, it returns a file permission error (solved by changing the ownership to apache):

# sudo -u apache httpd -t
AH00526: Syntax error on line 39 of /etc/httpd/conf.d/mod_security.conf:
ModSecurity: Failed to open debug log file: /etc/httpd/logs/modsec_debug.log

Weirdly enough, when I checked the port listeners I saw:

$ sudo netstat -punta | grep LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN      4964/httpd          
tcp6       0      0 :::80                   :::*                    LISTEN      4964/httpd          

httpd is listening when it failed to start?

8
  • Share error log from logs folder and httpd -t command output. Commented Oct 11, 2022 at 14:56
  • Error persists, even though I changed ServerTokens to full as the log asked. @Pandurang Commented Oct 11, 2022 at 17:56
  • Check the mod_security.conf file (line 39) or share its content in the question. Commented Oct 12, 2022 at 2:07
  • It has returned Syntax OK after I changed the file ownership to apache, but the problem still exists (giving The unit httpd.service has entered the 'failed' state with result 'protocol'. in journal). Commented Oct 12, 2022 at 7:42
  • L39 is just defining the debug log file: SecDebugLog /etc/httpd/logs/modsec_debug.log Commented Oct 12, 2022 at 7:44

1 Answer

0

Maybe SELinux is denying access, probe this:

restorecon -vF /etc/pki/tls/certs/example-wildcard.crt

1 Comment

This was the error message in my case: apache2.service: Failed with result 'protocol'. This solved the problem: "systemctl enable apache2.service". Now, upon "systemctl start apache2.service", there is no more error message, and "systemctl status apache2.service" gives this: ● apache2.service - The Apache Webserver Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: disabled) Active: active (running) since Mon 2025-09-01 09:54:15 CEST; 21min ago ... Good luck!
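The SELinux suspicion raised in the answer can be confirmed from the audit log before relabelling anything. As an added example (not part of the original posts), this shell function lists the AVC denials recorded against the httpd_t domain that the question's error_log shows; the function name httpd_denials, the sample records and the target types in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for the httpd_t domain.
# SAMPLE_AUDIT is constructed for illustration. On a real host, feed the
# function /var/log/audit/audit.log or the output of `ausearch -m avc -c httpd`.

SAMPLE_AUDIT='type=AVC msg=audit(1665500000.101:310): avc:  denied  { read } for  pid=4944 comm="httpd" name="example-wildcard.crt" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1665500000.101:310): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1665500000.105:311): avc:  denied  { append } for  pid=4944 comm="httpd" name="modsec_debug.log" dev="dm-0" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665500001.000:312): avc:  denied  { read } for  pid=700 comm="rsyslogd" name="messages" dev="dm-0" ino=9003 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Reads audit records on stdin and prints one line per denial whose source
# domain is httpd_t: "<permissions> <file name> <target SELinux type>".
httpd_denials() {
  awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
      perm = ""; name = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Permissions are listed between "{" and "}".
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm ? "," : "") $j
        } else if ($i ~ /^name=/) {
          name = $i; sub(/^name=/, "", name); gsub(/"/, "", name)
        } else if ($i ~ /^tcontext=/) {
          # tcontext=user:role:type:level, so the type is the third field.
          split($i, ctx, ":"); ttype = ctx[3]
        }
      }
      print perm, name, ttype
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | httpd_denials
```

A target type that differs from the policy default for the file's location is the case that restorecon resets; plain ownership and mode problems never appear as AVC records.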
