Issue
On the latest OpenBSD (5.9/amd64 at digitalocean.com), I'm able to start httpd without SSL using this httpd.conf file...
# cat /etc/httpd.conf
interface="egress"
domain="infmgr.com"
prefork 3
types { include "/usr/share/misc/mime.types" }
#server $domain {
#    listen on $interface tls port 443
#    tls {
#        certificate "/etc/ssl/server.crt"
#        key "/etc/ssl/private/server.key"
#    }
#    hsts
#    root "/htdocs/infmgr.com"    # chrooted at /var/www/
#}
server $domain {
    listen on $interface port 80
    root "/htdocs/infmgr.com"    # chrooted at /var/www/
#    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
#
When I change the commented out lines like this...
# cat /etc/httpd.conf
interface="egress"
domain="infmgr.com"
prefork 3
types { include "/usr/share/misc/mime.types" }
server $domain {
    listen on $interface tls port 443
    tls {
        certificate "/etc/ssl/server.crt"
        key "/etc/ssl/private/server.key"
    }
    hsts
    root "/htdocs/infmgr.com"    # chrooted at /var/www/
}
server $domain {
    listen on $interface port 80
#    root "/htdocs/infmgr.com"    # chrooted at /var/www/
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
#
and restart httpd...
# rcctl restart httpd
httpd(ok)
httpd(ok)
#
I get the following error in the log files...
# cd /var/log
# ls -alt|head -4
total 5804
-rw-r--r-- 1 root wheel 26447 Jun 7 08:39 messages
-rw-r----- 1 root wheel 5451 Jun 7 08:39 daemon
-rw-r----- 1 root wheel 2504053 Jun 7 07:49 authlog
# tail messages
...
Jun 7 06:00:02 infmgr syslogd: restart
Jun 7 08:39:26 infmgr httpd: could not parse macro definition TLS
Jun 7 08:39:26 infmgr httpd: could not parse macro definition TLS
Jun 7 08:39:26 infmgr /bsd: httpd(40862): syscall 5 "wpath"
Jun 7 08:39:26 infmgr /bsd: crash of httpd(40862) signal 6
Jun 7 08:39:26 infmgr httpd[41393]: parent: proc_dispatch: Broken pipe
# tail -15 daemon
...
Jun 7 08:39:25 infmgr httpd[4728]: logger exiting, pid 4728
Jun 7 08:39:25 infmgr httpd[80131]: server exiting, pid 80131
Jun 7 08:39:25 infmgr httpd[85373]: server exiting, pid 85373
Jun 7 08:39:25 infmgr httpd[15598]: server exiting, pid 15598
Jun 7 08:39:25 infmgr httpd[30462]: parent terminating, pid 30462
Jun 7 08:39:26 infmgr httpd[41393]: startup
Jun 7 08:39:26 infmgr httpd[41393]: parent: proc_dispatch: Broken pipe
Jun 7 08:39:26 infmgr httpd[62127]: logger exiting, pid 62127
Jun 7 08:39:26 infmgr httpd[73062]: server exiting, pid 73062
Jun 7 08:39:26 infmgr httpd[93325]: server exiting, pid 93325
#
I've focused on these two errors...
httpd: could not parse macro definition TLS
/bsd: httpd, syscall 5 "wpath"
I've spent hours googling, and found only one mention that this may be a kernel bug. I've checked the OpenBSD 5.9 patch list and the OpenBSD 5.9 -current changes log.
I've struck out, seeking assistance... which is greatly appreciated!
Troy.
UPDATE
Based upon Guest's answer, here are some notes...
I do appreciate the help!
I did not know about the httpd -d and running the command directly. Looking at the /etc/rc.d/httpd script, it should have been obvious :) I'll have to work with that some more.
The server.crt & server.key in the appropriate directories are correct. There was a set of commands I found someplace else that generated hashes that did compare, theoretically proving that the two should work. I even copied them into the chrooted directory, which did nothing :/
'httpd -n' returned 'configuration OK'...
I did make some changes to the /etc/rc.config.local file, setting a parm of "-DSSL". Seeing the SSL macro parse errors (above), I replaced it with "-DTLS" just to see if the error would change to TLS rather than SSL. It continued with SSL in the error. After the debug statement, it changed to TLS, so I removed the "-DTLS" from the local config... and that fixed the parse error. All that remain are the 'crash' and 'wpath' errors.
I am using the most -current version of OpenBSD, 2-Jun-2016.
UPDATE
I created this script to check the certificate...
#!/bin/sh
# httpd_cert_verify.sh
# Confirm the key and certificate belong together by comparing the MD5 of
# their RSA moduli. A passphrase-protected key will prompt for it here.
echo "compare the following md5 hashes. They should be the same..."
openssl rsa -noout -modulus -in /etc/ssl/private/server.key | openssl md5
openssl x509 -noout -modulus -in /etc/ssl/server.crt | openssl md5
# Show owner and mode of both files.
echo "Check the permissions on these files, they should be readable by 'system' (-r--------)"
ls -al /etc/ssl/private/server.key
ls -al /etc/ssl/server.crt
Ran it with the following results.
# sh httpd_cert_verify.sh
compare the following md5 hashes. They should be the same...
Enter pass phrase for /etc/ssl/private/server.key:
(stdin)= 0e8abeb155ad81a8a8db0f6036fcca13
(stdin)= 0e8abeb155ad81a8a8db0f6036fcca13
Check the permissions on these files, they should be readable by 'system' (-r--------)
-r-------- 1 root wheel 1858 Jun 5 19:40 /etc/ssl/private/server.key
-rw-r--r-- 1 root wheel 2176 Jun 5 19:39 /etc/ssl/server.crt
#
Solution
I appreciate the referral to the 'misc' mailing list. A poster there was able to resolve the issue. They indicated that the key needs to be removed from the private ssl key. This is what I did... Carlin, That worked. Thank you!
# history
1 cd /etc/ssl/pr
2 cd /etc/ssl/private/
3 cp server.key server.key.backup
4 openssl rsa -in server.key -out server.key
5 ls -al
6 rcctl start httpd
7 tail /var/log/messages
8 date
# exit
Troy.
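As an added example (not from the original post, and not OpenBSD's own code), here is a portable sh pre-flight script that catches both conditions behind the failure above before httpd is restarted: a passphrase-protected key, which httpd cannot prompt for (the pledge "wpath" violation and abort in the log), and a key readable by group or other. The function names and the placeholder PEM files it creates are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the key
# httpd(8) loads from /etc/ssl/private. httpd cannot prompt for a passphrase,
# so an encrypted key is rejected, and the key must be unreadable by others.

# 0 if the PEM file is passphrase-protected: legacy "Proc-Type: 4,ENCRYPTED"
# header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# 0 if group/other have no permission bits (0600 or 0400); ls(1) is portable.
key_perms_private() {
    case "$(ls -l "$1" | cut -c1-10)" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run both checks and report; returns 0 only if httpd can use the key as-is.
httpd_key_preflight() {
    key=$1 rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; httpd cannot prompt for it." \
             "Strip it with: openssl rsa -in $key -out $key"
        rc=1
    fi
    if ! key_perms_private "$key"; then
        echo "FAIL: $key is readable by group/other; expected mode 0600 or 0400."
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key is unencrypted and private."
    return "$rc"
}

# Constructed sample PEM files (placeholder bodies, not real keys); prints dir.
make_sample_keys() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'Q29uc3RydWN0ZWRQbGFjZWhvbGRlcg==' '-----END RSA PRIVATE KEY-----' \
        > "$dir/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q29uc3RydWN0ZWRQbGFjZWhvbGRlcg==' '-----END RSA PRIVATE KEY-----' \
        > "$dir/plain.key"
    chmod 0600 "$dir/encrypted.key" "$dir/plain.key"
    echo "$dir"
}
```

Source the file and run httpd_key_preflight /etc/ssl/private/server.key before rcctl restart httpd; a non-zero exit means the server process would abort the same way the log above shows.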
Answered By - Troy Frericks
Answer Checked By - Willingham (WPSolving Volunteer)