From: "Lewis G Rosenthal"
Received: from [50.73.8.217] (account lgrosenthal@2rosenthals.com HELO [192.168.200.21]) by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10) with ESMTPSA id 11062654 for ecs-isp@2rosenthals.com; Fri, 04 Oct 2024 13:58:08 -0400
Subject: Re: [eCS-ISP] SSL certs & apache 2.4.61
To: eCS ISP Mailing List
References:
Organization: Rosenthal & Rosenthal, LLC
Message-ID: <67002CB1.2060607@2rosenthals.com>
Date: Fri, 4 Oct 2024 13:58:09 -0400
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi...

On 10/04/24 11:39 am, Steven Levine wrote:
> In , on 10/04/24
>    at 09:29 AM, "Massimo S." said:
>
> Hi Massimo,
>
>> apache do not restart anymore with this error:
>> AH00526: Syntax error on line 894 of X:\\apache/conf/httpd.conf:
>> SSLCertificateFile: file
>> 'X:/MPTN/ETC/ssl/uacme/www.mywebsite.it/cert.pem' does not exist or is
>> empty
>
> This is working as designed.
>
> Do you have a reason for not testing your config file changes before
> attempting to restart httpd?
>
> This is why the httpd -t switch exists.
>

I don't quite think that's getting to the heart of what Max is asking (though it is the most correct approach). What the actual question is (AFAICT) is whether there is a way to start httpd without one or more (mis)configured vhosts.

As an example, say I have a server with 20 vhosts configured, and all but one get proper cert updates, leaving that one site "broken." httpd will refuse to start, and the other 19 vhosts are then also taken offline, just because of a single failure. So, is there a way to force Apache to ignore the broken vhost?

The answer, of course, is no, there is no magic option to pass to httpd or put in the vhosts.conf (IF_NOT_BROKEN) to allow for such behavior. However, it is not necessary to go to great lengths to script anything, either.

Put the vhost configurations in a directory as separate files, and include that directory to load the vhosts. As part of the script which updates the certs, verify that all required files are in place. If any are missing, move the conf to an "offline" directory, and optionally notify the admin that one or more vhosts have been taken offline due to missing files. This will allow the remaining confs in the directory to be loaded, starting the "good" vhosts.

https://httpd.apache.org/docs/current/mod/core.html#include

There is still some scripting to do, but you can avoid having to manually comment blocks in a monolithic vhosts.conf (or -- httpd.conf). Most *nix distributions now use directories for vhost confs.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
-------------------------------------------------------------
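The "offline directory" sweep Lewis describes, written out as an added POSIX sh example (not his script, nor anything from Apache): it scans one conf file per vhost, checks that every file named by an SSLCertificate*File directive exists and is non-empty (the condition behind AH00526), and parks the failing confs where the Include directory will not pick them up. The directory names, the `make_sample_tree` helper and its sample confs are constructed for the illustration.

```sh
#!/bin/sh
# Added example (not Lewis's script or Apache's code): the "offline directory"
# sweep described above. Each vhost is its own *.conf under VHOSTS_DIR; a conf
# whose SSLCertificate*File directives name a missing or empty file is moved to
# OFFLINE_DIR so the others still load. Directory names are assumptions.
VHOSTS_DIR="${VHOSTS_DIR:-/etc/apache2/vhosts.d}"
OFFLINE_DIR="${OFFLINE_DIR:-/etc/apache2/vhosts.offline}"

# Paths named by SSLCertificateFile/KeyFile/ChainFile in one conf (case-
# insensitive, quotes stripped, comments ignored; spaces in paths unsupported).
cert_paths() {
    awk 'tolower($1) ~ /^sslcertificate(chain|key)?file$/ { print $2 }' "$1" \
      | tr -d "\"'"
}

# Succeed if every referenced file exists and is non-empty (the condition
# AH00526 complains about); otherwise print the first bad path and fail.
vhost_ok() {
    for f in $(cert_paths "$1"); do
        [ -s "$f" ] || { echo "$f"; return 1; }
    done
    return 0
}

# Park broken confs in OFFLINE_DIR, report each on stderr (the "notify the
# admin" hook) and print how many were taken offline.
sweep_vhosts() {
    moved=0
    mkdir -p "$OFFLINE_DIR"
    for conf in "$VHOSTS_DIR"/*.conf; do
        [ -e "$conf" ] || continue            # glob matched nothing
        bad=$(vhost_ok "$conf") && continue
        mv "$conf" "$OFFLINE_DIR/" || return 1
        echo "vhost offline: $(basename "$conf") (missing/empty: $bad)" >&2
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Constructed sample tree: one good vhost, one with a missing cert, one with
# an empty cert file. Points VHOSTS_DIR/OFFLINE_DIR at a temp directory.
make_sample_tree() {
    base=$(mktemp -d)
    VHOSTS_DIR="$base/vhosts.d"; OFFLINE_DIR="$base/vhosts.offline"
    mkdir -p "$VHOSTS_DIR" "$base/ssl"
    printf 'dummy cert\n' > "$base/ssl/good.pem"; : > "$base/ssl/empty.pem"
    for v in good missing empty; do
        printf '<VirtualHost *:443>\n  SSLCertificateFile "%s"\n</VirtualHost>\n' \
            "$base/ssl/$v.pem" > "$VHOSTS_DIR/$v.conf"
    done
}
```

From the cert-update script, run `sweep_vhosts` and then still validate before restarting (`httpd -t`, as Steven notes), since the sweep only catches missing or empty files, not every possible configuration error.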