Apache httpd 2.4.25 built against OpenSSL 1.0.2j with http2 for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.25 with http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS added to repository. Mod_ssl is built statically against OpenSSL 1.0.2j. Links:

Alternatively, feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp, which you can found in EPEL repository. So, the easiest way to use our builds of Apache HTTPd is to add EPEL repository, if you still do not have it: yum install -y epel-release

53 thoughts on “Apache httpd 2.4.25 built against OpenSSL 1.0.2j with http2 for Red Hat Enterprise Linux and CentOS”

  1. yum install httpd-2.4.25-1.el7.codeit.x86_64
    . . .
    Package matching httpd-2.4.25-1.el7.codeit.x86_64 already installed. Checking for update.
    Nothing to do

    what is installed is:

    httpd.x86_64 1:2.4.6-40.el7.centos.4.vm.2 @virtualmin
    httpd-tools.x86_64 1:2.4.6-40.el7.centos.4.vm.2 @virtualmin

    which does not have mod_http2.so

    I do not want to break Apache but – is a –force install safe – they both have the same etc/httpd . . . file structure ??

    1. Wilbur, yes, structure is the same.
      But config files can be incompatible. For example, I noticed that comments are no more allowed in allow/deny clauses on the same line.

      Also you will need to enable h2/h2c protocols in mod_ssl conf (we enabled h2 in default configuration file).
      I would suggest you to install our build to a virtual machine and use your current production config files to see it will work. And only then enable additional modules and http/2.

      1. That would be as problematic as removing it and a fresh yum install – so I did – and it brought your codeit httpd-tools and httpd-filesystem-2.4.25-1.el7.codeit.noarch as dependencies – so now a yum update will keep up with new builds codeit makes for the server and those files

        Turns out I did not have mod_fcgid (base repo) or mod_ssl (your codeit repo) – though no dependency revealed that – so I got that far and I assume when you say mod_ssl conf – you mean the ssl.conf in /etc/httpd/conf.d/ssl.conf where I see “Protocols h2 http/1.1” at line 7

        And so now I have minor httpd.conf and php issues as Virtualmin reports the Suexec command on my system is “configured to only run scripts under /var/www, but the Virtualmin virtual server home directory is /home. – so – CGI and PHP scripts run as domain owners will not be executed” – but the server comes up and displays the default page https and ssllabs – if I had a real certificate installed gives the ssl on the Apache server a STRAIGHT “A” rating – so I am happy – the rest is minor config stuff. The other version I removed got a “C-” so I am heading in the right direction. Next up multiple php

  2. Hi,

    On a fresh install of CentOS-7-x86_64-Minimal-1611.iso, i installed the httpd 2.4.25. Everything worked fine. But when try to start the httpd service, I got this error:

    Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

    Starting The Apache HTTP Server…
    httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 40 of /etc/httpd/conf.modules.d/00-base.conf: Cannot load modules/mod_http2.so into server: /etc/httpd/modules/mod_http2.so: cannot enable executable stack as shared object requires: Permission denied
    httpd.service: main process exited, code=exited, status=1/FAILURE
    Failed to start The Apache HTTP Server.

    Any hints?

    1. Iulian, looks like this problem is SELinux related. I’m able to reproduce it on clean installation.
      Will be fixed later.

      You can try to disable SELinux for testing purposes: “setenforce 0”.

    2. Iulian, debug shows that http2 module requires “execmem” and “execstack” permissions for “process” class.
      They can be simply added by executing the following command:

      setsebool -P httpd_execmem=1

      Please confirm.

      1. Well, how can I replace default httpd?

        if I try
        yum remove httpd

        Removal:
        httpd x86_64 1:2.4.6-40.el7.centos.4.vm.2 @virtualmin 9.4 M
        Removal because of dependencies:
        mailman x86_64 3:2.1.15-21.el7_1 @base 34 M
        mod_dav_svn x86_64 1.7.14-10.el7 @base 212 k
        mod_fcgid x86_64 2.3.9-4.el7 @base 228 k
        mod_perl x86_64 2.0.10-2.el7 @epel 6.2 M
        mod_ssl x86_64 2:2.4.6-40.el7.centos.4.vm.2 @virtualmin 224 k
        virtualmin-base noarch 5.0-4.rh @virtualmin 0.0
        webalizer x86_64 2.23_08-6.el7 @epel 329 k

        yum install httpd-2.4.25-1.el7.codeit.x86_64
        Package for httpd-2.4.25-1.el7.codeit.x86_64 it is already installed. Searching for updates.
        There’s nothing to do

        what about some yum replace? similiar as here
        https://webtatic.com/packages/php71/

        it is possible? Thanks!

          1. yum upgrade httpd
            Zavedené moduly: fastestmirror, replace
            Loading mirror speeds from cached hostfile
            * base: mirror.hosting90.cz
            * epel: mirror.hosting90.cz
            * extras: mirror.hosting90.cz
            * updates: mirror.hosting90.cz
            * webtatic: uk.repo.webtatic.com
            No packages marked for update

            yum repolist enabled
            CodeIT/x86_64 CodeIT repo 75
            CodeITmainline/x86_64 CodeIT mainline repo 91
            base/7/x86_64 CentOS-7 – Base 9 363
            epel/x86_64 Extra Packages for Enterprise Linux 7 – x86_64 11 087
            extras/7/x86_64 CentOS-7 – Extras 263
            updates/7/x86_64 CentOS-7 – Updates 799
            virtualmin/7/x86_64 RHEL/CentOS/Scientific 7 – x86_64 – Virtualmin 196
            virtualmin-universal Virtualmin Distribution Neutral Packages 77
            webtatic/x86_64 Webtatic Repository EL7 – x86_64 710
            repolist: 22 661

            httpd -v
            Server version: Apache/2.4.6 (CentOS)
            Server built: Jul 19 2016 13:15:57

            I dont know, what is wrong..

          2. rpm -qa | grep “httpd”

            httpd-filesystem-2.4.25-1.el7.codeit.noarch
            httpd-tools-2.4.6-40.el7.centos.4.vm.2.x86_64
            httpd-2.4.6-40.el7.centos.4.vm.2.x86_64

          3. Looks like v. 2.4.6 was protected by your “virtualmin” repo.
            Check files in /etc/yum.repos.d, search for “httpd” there and remove protection.
            Please also note that probably they have a good reason to protect their build (and you have virtualmin build, not CentOS one)!

          4. Well, you right, I have these errors

            The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin virtual server home directory is /home. CGI and PHP scripts run as domain owners will not be executed

  3. Didn’t manage to upgrade without issues, fails on:

    [Sun Feb 05 20:43:28.075029 2017] [:notice] [pid 7971] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
    [Sun Feb 05 20:43:28.075067 2017] [:notice] [pid 7971] ModSecurity: APR compiled version=”1.4.8″; loaded version=”1.5.2″
    [Sun Feb 05 20:43:28.075073 2017] [:warn] [pid 7971] ModSecurity: Loaded APR do not match with compiled!
    [Sun Feb 05 20:43:28.075078 2017] [:notice] [pid 7971] ModSecurity: PCRE compiled version=”8.32 “; loaded version=”8.32 2012-11-30″
    [Sun Feb 05 20:43:28.075083 2017] [:notice] [pid 7971] ModSecurity: LUA compiled version=”Lua 5.1″
    [Sun Feb 05 20:43:28.075086 2017] [:notice] [pid 7971] ModSecurity: LIBXML compiled version=”2.9.1”
    [Sun Feb 05 20:43:28.075090 2017] [:notice] [pid 7971] Original server signature: Apache
    [Sun Feb 05 20:43:28.099901 2017] [ssl:warn] [pid 7971] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2j 26 Sep 2016, version currently loaded is OpenSSL 1.0.2h 3 May 2016) – may result in undefined or erroneous behavior
    [Sun Feb 05 20:43:28.146343 2017] [mpm_prefork:notice] [pid 7971] AH00163: Apache/2.4.25 (centos) OpenSSL/1.0.2h configured — resuming normal operations
    [Sun Feb 05 20:43:28.146415 2017] [core:notice] [pid 7971] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’

  4. @Alexander, I already reversed and removed CodeIt yum. I’ll let you know if’ll have this issues in future.

  5. In the case of Webmin / Virtualmin the server supplied is compatible in the file structure but will never get you over a “C” rating at SSLLABS. This below with get you a STRAIGHT A rating at SSLLABS

    If you follow this instruction and install apr >= 1.50 and libnghttp2 FIRST via yum IT GOES SMOOTHLY (Why Binyanin had trouble apr 1.48 was installed)

    apr.x86_64 1.5.2-1.el7.codeit @CodeIT
    apr-devel.x86_64 1.5.2-1.el7.codeit @CodeIT

    or whatever the latest one is in the repo – then remove the Webmins 2.4.6 server as shown above by Thomas Serge

    Or use rpm and find it to remove it. For instance, if you want to remove the package called “httpd.x86_64”, you could do the following.

    # rpm -qa | grep “httpd”
    httpd.x86_64
    # rpm -e –nodeps “httpd.86_64”

    The first “rpm -qa” lists all RPM packages and the grep finds the package(s) you want to remove. Then you copy the entire name and run the “rpm -e –nodeps” command on that package. It will, without prompting for confirmation, remove that package but none of its dependencies.

    If you do not do –nodeps – it will actually unistall Webmin / Virtualmin and PHP

    This also works as the command => yum list installed | grep httpd

    Do the httpd-tools FIRST – then immediately the codeit filesystem first then tools

    You can point yum to the codeit repo (assuming you configured for the repo first) by using the full name of the codeit file OR FIRST

    rpm -ivh –replacepkgs https://repo.codeit.guru/packages/centos/7/x86_64/httpd-filesystem-2.4.25-1.el7.codeit.noarch.rpm

    THEN

    rpm -ivh –replacepkgs https://repo.codeit.guru/packages/centos/7/x86_64/httpd-tools-2.4.25-1.el7.codeit.x86_64.rpm

    THEN ERASE the webserver as shown above – don’t worry – the erase will SAVE the httpd.conf – file – but a smart person always saves them themselves anyway

    rpm -ivh –replacepkgs https://repo.codeit.guru/packages/centos/7/x86_64/httpd-2.4.25-1.el7.codeit.x86_64.rpm

    THEN BE SURE and also uninstall your mod_ssl and then run

    rpm -ivh –replacepkgs https://repo.codeit.guru/packages/centos/7/x86_64/mod_ssl-2.4.25-1.el7.codeit.x86_64.rpm

    It will save the SSL.CONF file as a rpmnew and install a new one properly set up

    Edit the NEW SSL.CONF and put in your servername, doc root and the certificate paths by cut and paste – if you are not using something like WinSCP and EditPadLite which work together to access your VPS and let you edit fast – then get them on your machine FIRST

    THIS IS IMPORTANT as if you do not install the codeit mod_ssl the OLD cipher suites will STILL leave you with a “C” rating

    A check at SSLLABS now should yield an A rating – if you have a valid SSL certificate

    Then in Webmin / Virtualmin under Virtualmin=> System Settings => Virtualmin Configuration => under => Defaults for new domains => check => Home directory base and be sure it is set to /var/www or change the doc root to /home in the server and to /home there

    OTHERWISE . . . . the CodeIT setup is the same as the Webmin server as to file structure and if you follow this you should not loose anything and PHP will still be on the system available to work in the webserver even with the swap

    For best performance you should use php-fpm and sockets in a pool setup

  6. Forgot to mention above – then ADD this line to the virtualmin.repo file =>

    exclude=httpd httpd-tools mod_ssl

    in the etc/yum.repos.d directory to keep it from trying to update over your codeit server install in an update

  7. Actually regarding the above statement a more complete exclude statement is =>

    exclude=httpd httpd-tools mod_ssl httpd-debuginfo httpd-devel mod_ldap mod_session httpd-manual mod_proxy_html

    This will cause all yum (and Webmin update searches) searches to head to the codeit repo – if you have the repo configured – and it will not error out if you did a Webmin httpd replacment

  8. Hello,
    I succeeded to install by removing before all httpd*, now `rpm -qa | grep “httpd”` returns:

    httpd-2.4.25-1.el7.codeit.x86_64
    httpd-filesystem-2.4.25-1.el7.codeit.noarch
    httpd-tools-2.4.25-1.el7.codeit.x86_64

    The another problem I have now – ssl_module enabled and working (so far Ok), I have enabled also http2_module, but when I add in httpd.config

    Protocols h2 h2c http/1.1

    or in VirtualHost

    Protocols h2 http/1.1

    accessing the any website will show **403 Forbidden** with HTTP status 403 (not Ok).
    Any idea what is causing this error and how to fix it?

    1. Please provide output of “rpm -qa | grep apr”. I think you can have libs from Virtualmin repo, as Wilbur Union correctly pointed out. Please be sure to follow all the steps he described, looks like a impressive comprehensive guide for Virtualmin.

      1. I have Webmin. Here “rpm -qa | grep apr” result:
        “`
        apr-devel-1.5.2-1.el7.codeit.x86_64
        apr-util-devel-1.5.2-6.el7.x86_64
        apr-1.5.2-1.el7.codeit.x86_64
        apr-util-1.5.2-6.el7.x86_64
        “`

  9. Another issue – it shows me in httpd error_log:

    [ssl:warn] [pid 2688] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2j 26 Sep 2016, version currently loaded is OpenSSL 1.0.2h 3 May 2016) – may result in undefined or erroneous behavior

    Any way to avoid/fix it?

      1. # rpm -qa | grep mod_
        mod_ssl-2.4.25-1.el7.codeit.x86_64
        mod_security_crs-2.2.9-1.el7.noarch
        mod_security-2.7.3-5.el7.x86_64
        # rpm -qa | grep httpd
        httpd-2.4.25-1.el7.codeit.x86_64
        httpd-filesystem-2.4.25-1.el7.codeit.noarch
        httpd-tools-2.4.25-1.el7.codeit.x86_64

        the packages are already from CodeIT repo, the same relevant for “403 Forbidden” issue. What is the fix for it?

        1. Please try to uninstall mod_security and other modules built against another software versions (mod_security and mod_security_crs in your example). Let’s check you won’t have warnings in logs.

          1. Done, now
            # rpm -qa | grep mod_
            mod_ssl-2.4.25-1.el7.codeit.x86_64

            still the same error 403 Forbidden and mod_ssl warning:

            [Thu Mar 02 18:50:23.100641 2017] [mpm_prefork:notice] [pid 5038] AH00170: caught SIGWINCH, shutting down gracefully
            [Thu Mar 02 18:51:53.363282 2017] [core:notice] [pid 5110] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
            [Thu Mar 02 18:51:53.363438 2017] [ssl:warn] [pid 5110] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2j 26 Sep 2016, version currently loaded is OpenSSL 1.0.2h 3 May 2016) – may result in undefined or erroneous behavior
            [Thu Mar 02 18:51:53.367670 2017] [suexec:notice] [pid 5110] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
            [Thu Mar 02 18:51:53.385491 2017] [ssl:warn] [pid 5110] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2j 26 Sep 2016, version currently loaded is OpenSSL 1.0.2h 3 May 2016) – may result in undefined or erroneous behavior
            [Thu Mar 02 18:51:53.440192 2017] [mpm_prefork:notice] [pid 5110] AH00163: Apache/2.4.25 (centos) OpenSSL/1.0.2h configured — resuming normal operations
            [Thu Mar 02 18:51:53.440269 2017] [core:notice] [pid 5110] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’

            Any fixes?

  10. Binyamin

    I am not a CodeIT representative; and I could be wrong; however, I can tell you that the CodeIT mod_ssl package installs a properly configured ssl.conf file to Apache you need to edit to put your server info BACK into from the ssl.conf.rpmsave file

    Do not just rename your old file back to ssl.conf

    IF you have your ssl info in the httpd.conf file and/or as virtual hosts mixed in there you have a lot of analyzing to do – or cutting assunder ssl stuff.

    I recommend putting it in a ssl.conf file as the CodeIT apache server is setup under the conf.d directory

    ALSO if you have a SSL certificate that is https security enabled and you do not have it properly configured this may – in fact WILL – cause that error also.

    You do not say what SSL certificate you are using – if any – but if it is self signed; that may also be a problem. A 403 forbidden error can come from a number of places. see also https://www.cyberciti.biz/faq/apache-403-forbidden-error-and-solution/

    For instance I got a 403 forbidden – when cPanel – “automagically” installed its own ssl certs on all my sudomains where a true commercial “wildcard SSL” cert was handling that under domain access via Drupal. That was a no-brainer when I saw what cPanel had “automagically” done – BUT – only a reinstall of the entire user account would fix it. That was the big beginning of the end of my relationship with cPanel. And their support is horrible. since cpanel hacks up a Linux sever to their file structure – they do not know how a true CentOS system is really set up nor what is wrong when something they do does not work under Drupal (7 or 8) the cpanel “apache2” and “easy apache” setup has incompatible files to this CodeIT server because of the 1.02j static compile which is what gives the “A” rating at SSLLABS

    A cPanel 2.4.25 apache2 server still at this writing gives an “A-” rating at SSLLABS

    Needless to say – since I am talking about webmin now – I DUMPED cPanel and all its “automagically” created crap – and I am here to ALSO tell you if you are trying to use cPanel with this CodeIT setup -that TOO will not work. cPanel changes so many files in CentOS that it is really its own distribution and not WORTH the monthly license fee because they screw up a good CentOS system, and even if you have a CentOS 7 system that once had cPanel – you will have problems – even though the CodeIT 2.4.25 httpd server will install. Go to the CentOS.org forums and they will tell you right away – they will not even try to support a cPanel beast.

    Binyanin – your post “” [Sun Feb 05 20:43:28.075029 2017] [:notice] [pid 7971] ModSecurity for Apache/2.7.3 “” in part illustrates something a bit unusually strange about your server

    Needless to say this CodeIT 2.4.25 webserver also does not work on CentOS 6 – or likely nor on a hybrid upgraded one which may have mix-matched files – that technically might work with hacked upgaded GLIBC files.

    If you visit your website and then right click and inspect the page and get to the “security” section – it should STILL give you info on your certificate

    Also check the logs at /var/log/httpd for errors and access and ssl closely

    Just to make sure – do a “yum remove mod_security” to be sure it is not causing a problem – you can always install it again later

    It does seem to matter if you just erased with “nodeps” or uninstalled – that is used “yum remove” to get rid of previous files – especially mod_ssl. If you just “erase” and leave old dependencies – the latest version “may not” be updated when you install the new program – that is old files may be left behind.

    You should try a “yum update” and then LOOK at where the files are coming from – that is what repo – BEFORE you accept “y”.

    That does not mean an old dependency which needs to be updated is not actually satisfying a newly installed program file like the sslwarn error shows “might” be the case. This has LONG been a Red Hat dependency problem – old enough to cause a problem but new enough to satisfy another new program install dependency in an appearance-check only.

    If there is no conflict between a repo – and it is only updating an existing file the newer version dependency needed file will be ignored and NOT installed, updated or replaced. Yum also will not even check for a newer file from another repo – it will take the one compatible to the OLD existing file.

    A “yum update” – is NOT a “yum replace” (replacepkg) check for a dependency – and nor does it update or replace dependency files that satisfy another newer program in a range of greater than or equal to version – but NOT in its conflict.

    For instance this CodeIT server requires >- apr-util 1.5.0 and if you have 1.50 installed that will meet the dependency check – when it is better to have the current version at this writing which is 1.5.2. If you have 1.50 from another repo – it will NOT tell about version 1.52

    Also make sure your firewall or iptables are open to both port 80 and 443

    AND your user and group are properly set in the httpd.conf and ssl.conf – this WILL happen in php-fpm set ups where the pool file user does not match or in an httpd.conf where SuexecUserGroup is used

    Also try changing the statement – which is the default ssl.conf file setup to

    #

    That is comment out the original and copy a new one like above which is a wildcard ssl call to port 443

    If your ssl configuration is in the http.conf file that is a problem too

    All of those can cause 403 forbidden errors also

    The more manual editing you try to do the more likely you will create more problems

    IF you go to ssllabs.com and if runs and you do not get a “A” rating – you are using a mixed ssl configuration or wrong ssl.conf file

    Even if you are using a purchased ssl certificate – install the apache certbot and get a letsencrypt cert installed – because the certbot –apache will install the certs correctly to ssl.conf FOR YOU

    yum install python-certbot-apache

    see also https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7

    Then you can look at the ssl.conf and see what might be wrong – however the issue is very likely between your httpd.conf and ssl.conf files as to the 403 forbidden issue – OR php-fpm if you are running that.

    You can always EDIT the then working ssl.conf file back to your certificates ONLY and the rest will then work

    BUT as to the

    “” [ssl:warn] [pid 2688] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2j 26 Sep 2016, version currently loaded is OpenSSL 1.0.2h 3 May 2016) – may result in undefined or erroneous behavior “”

    I have that also ON A FRESH install where the webmin httpd server nor any other mod_ssl was ever allowed to be installed

    That is I manually installed a new and virgin “sane” Centos 7 OS “image” – then did a yum update to 7.3.11 then added my previously configured repo files BACK to the new OS install – including the CodeIT repo and other repos and keys and did a new epel release install etc . . . and those repo files had excluded all the Virtualmin files I listed above and the SECOND command I ran after “yum update” was “yum install httpd-filesystem” which found the CodeIT file, and then “yum install httpd-tools” which found the CodeIT tools file and brought as a dependency httpd itself from codeIT – as httpd-2.4.25-1.el7.codeit.x86_64.

    THEN I did a “yum install perl” THEN I ran Virtualmin’s dependency files from the install.sh – but not the install.sh itself

    long but complete to be ready to install Wemin and virtualmin MANUALLY

    yum install bind bind-utils caching-nameserver postfix spamassassin procmail perl-DBD-Pg perl-DBD-MySQL quota iptables openssl python mailman subversion mysql mysql-server mysql-devel mariadb mariadb-server postgresql postgresql-server rh-postgresql rh-postgresql-server logrotate webalizer php php-xml php-gd php-imap php-mysql php-odbc php-pear php-pgsql php-snmp php-xmlrpc php-mbstring mod_perl mod_python cyrus-sasl dovecot spamassassin mod_dav_svn cyrus-sasl-gssapi mod_ssl ruby ruby-devel rubygems perl-XML-Simple perl-Crypt-SSLeay mlocate perl-LWP-Protocol-https

    Which must be noted completed the LAMP stack with a remi php56 install and installed MariaDB in the latest version (my repo files and key was already in the files I copied back up to the server for MariDB) – and at that point the webserver was working with PHP.

    Then I did a “yum install virtualmin” which brought as a dependency => webmin

    The “mod_ssl” install from the virtualmin dependency group above manually installed brought the CodeIT mod_ssl – as it was excluded in the Virtualmin repo files

    Then I got a new SSL cert from letsencrypt which installed it automatically to the ssl.conf file

    Then a check at SSLLABS brought an “A” rating and I installed the new letencrypt cert to Virtualmain /Webmin

    So I do not at this moment know where the ssl warn error comes from unless it is from perl-Crypt-SSLeay.x86_64 – but right now does not prevent access to the server

    Maybe hopefully Alexander Gerasimov can help on that

    1. Hi, Wilbur!
      Only after I add “Protocols h2 h2c http/1.1” in ssl.conf the pages returns error 403, without it it works fine (can’t enable HTTP/2 by some reason). Can it be SELinux related issue?
      Also only after “setsebool -P httpd_execmem on” I succeeded to make Apache run.

      1. Hi Binyadmin and Alexander

        I can confirn the new version compiled against 1.02k fixed the error – I get

        [mpm_prefork:notice] [pid 14057] AH00163: Apache/2.4.25 (centos) OpenSSL/1.0.2k PHP/5.6.30 SVN/1.7.14 mod_perl/2.0.10 Perl/v5.16.3 configured — resuming normal operations

        My 2 cents – I agree with Alexander – remove Mod_security = or AT LEAST begin a “yum remove mod_security” and see what dependencies it wants to take with it

        Binyanin – as I said above – the ssl.conf that comes down from Codeit comes with the proper protocols command in the ssl.conf – it is at the top of the file

        It should be Protocols h2 http/1.1 => not what you list – Protocols h2 h2c http/1.1

        I do not think this is now SELinux related – but as alexander said

        Alexander Gerasimov said January 11, 2017 at 1:25 pm

        “” You can try to disable SELinux for testing purposes: “setenforce 0”. “”

        I am fairly sure you cannot mix the h2c and h2 protocol

        see https://community.akamai.com/community/web-performance/blog/2016/06/22/understanding-how-the-http2-protocol-is-negotiated

        Use the command as CodeIT provided it and the server in SSL mode will work – and if you go to SSLLABS and get an “A” rating you cannot do any better – so the manual adds will not help any further

  11. There is a line above where the posting system left only the “pound” sign

    That should be

    Virtualhost _default_:443 (commented out)
    Virtualhost *:433 (replaced by)

    inside the left arrow and right arrow symbols in the httpd.conf and/or also ssl.conf files

  12. As to the 1.02j versus 1.02h mixmatch – the issue is announced in phpinfo

    Under apache2handler it reads

    “” Apache/2.4.25 (centos) OpenSSL/1.0.2h PHP/5.6.30 SVN/1.7.14 mod_perl/2.0.10 Perl/v5.16.3 “”

    On the Mac OS X: otool -L file will track a library and on Linux: it is the ldd file; but I am not having success using it

    This page says the webserver is compiled again 1.02j

    This was discussed also at https://github.com/Homebrew/homebrew-apache/issues/138 (which is of course NOT a centos 7 install – but the same issue is reported there)

    My openssl shows it is 1.01e and we know it cannot be upgraded to 1.02j – but i do not know the magic to enable 1.02j support other than what the above page says as:

    –enable-ssl-staticlib-deps
    –enable-mods-static=ssl

    So there may be a mismatch in the /usr/lib64/httpd/modules/mod_ssl.so
    and what is compiled into httpd-2.4.25-1.el7.codeit.x86_64

    This is sort of beyond me – can someone there look at this – or is this possible ??

    1. Wilbur, thank you for your help, I can confirm version mismatch issue, as mod_ssl-2.4.25-2 is missing in repo at the moment. We will upload it asap and versions will match for Binyamin after update.

      1. Thanks, Alexander! It fixed the SSL warning “… this version of mod_ssl was compiled against a newer library …”.
        Still when used “Protocols h2 h2c http/1.1” it returns error 403. Any idea why?
        Also error_log still has ModSecurity warning “Loaded APR do not match with compiled!”. Any way to fix it?

  13. My first reply got posted inside and under an older post

    HERE IT IS PASTED AGAIN BELOW (with some added edits) – ignore it if you already read it above

    Hi Binyadmin and Alexander

    Reading the phpinfo I could see that mod_ssl was not loading what the server was compiled with

    That is WHY above I said it was critically important to install the CodeIT mod_ssl file – becasue it gets an “A” rating meaning it is negotiating yhe proper cipher suites – whereas the virtualmin mod_ssl can only must a “C” rating at SSLLABS – but then i could see the mixmatch in the error logs and i knew it had to be between the server compile and mod_ssl package

    I can confirm the new version – httpd-2.4.25-3.el7.codeit.x86_64.rpm – compiled against 1.02k fixed the error – I now only get

    [mpm_prefork:notice] [pid 14057] AH00163: Apache/2.4.25 (centos) OpenSSL/1.0.2k PHP/5.6.30 SVN/1.7.14 mod_perl/2.0.10 Perl/v5.16.3 configured — resuming normal operations

    My 2 cents – I agree with Alexander – remove Mod_security = or AT LEAST begin a “yum remove mod_security” and see what dependencies it wants to take with it

    THEN reinstall it – if you must – and it may work properly

    Binyanin – as I said above – the ssl.conf that comes down from Codeit (in the original mod_ssl) comes with and provides the proper protocols command in the ssl.conf – it is at the top of the file – however an update likely will NOT provide it again – so if you want the ssl.conf remove it and reinstall it and it should save your ssl.conf as ssl.conf.rpmnew

    The proper command should be Protocols h2 http/1.1 => not what you list – Protocols h2 h2c http/1.1

    I do not think this is now SELinux related – but as Alexander said

    Alexander Gerasimov said January 11, 2017 at 1:25 pm

    “” You can try to disable SELinux for testing purposes: “setenforce 0”. “”

    I am fairly sure you cannot mix the h2c and h2 protocol

    see https://community.akamai.com/community/web-performance/blog/2016/06/22/understanding-how-the-http2-protocol-is-negotiated

    Use the command as CodeIT provided it and the server in SSL mode will work – and if you go to SSLLABS and get an “A” rating you cannot do any better – so the manual edits will not help any further – but only cause you problems as I said earlier

    To any readers just coming across this page – install ONLY httpd-2.4.25-3.el7.codeit.x86_64.rpm and its support files – NOTICE version “3” of httpd-2.4.25-3 – and not the earlier versions

  14. To Binyanin (if you return) and others who find their way here

    As to mod_security – I would suggest you consider version 2.90 or higher

    It can be found as a rpm for Fedora 24 and 2.91 for Fedora 25 at this writing which will work on this CodeIT server set up

    Fedora 19 or greater is => RHEL 7 which is also => CentOS 7

    mod_security 2.73 (which your system showed as installed) is the latest at this writing in the epel repo so you usually will not find 2.90 in a yum search usually at this writing

    mod_security 2.90 comes configured in the rpm to match this CodeIT server setup using *.conf includes and all it “technically” needs is server restart to call in a load of the modules and include confs which include rules

    mod_security 2.80 and above have support for CRS 3 and 2.73 does not so that module that shows you are using does not.

    You can read about it at http://www.modsecurity.org/crs/

    You can also download the crs git page into for instance /etc/httpd/crs where it will harmlessly be available for manual mods in the future – however do not just enable the example.conf like many sites suggest as it is ALREADY enabled in the form of the rpm install – you can look at and edit the existing conf files provided by the rpm as needed with other rules etc you want

    two library files are needed as a dependency to install mod_security 2.90

    yum install yajl

    and

    the ” lua53u-libs ”

    yum install lua53u-libs (which sometimes yum does not find in the ius repo)

    and is also available as lua53u-libs-5.3.4-1.ius.centos7.x86_64.rpm in the ius repo and a “few” other places around the web

    rpm -ivh https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/lua53u-libs-5.3.4-1.ius.centos7.x86_64.rpm

    as a ssh command should get it and install it from your shell or you can configure for the ius repo and search it by name ” lua53u-libs ” if a yum search does not find it

    https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/lua53u-5.3.4-1.ius.centos7.x86_64.rpm as well as the devel version is also there but you should not need them

    then

    rpm -ivh ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/linux/releases/24/Everything/x86_64/os/Packages/m/mod_security-2.9.0-6.fc24.x86_64.rpm

    will install mod_security 2.90

    of course you also then ” CAN “configure a Fedora 25 repo safely to keep it up to date; however, it is not advised – nor a ” Rawhide ” repo – not because the files in them are not compatible but because you risk overly “polluting” your CentOS 7 as a TRUE CentOS – OS

    Then you can “get” the ” git ” CRS 3 files by then making sure your system is up to date and installing things you might need from git – they now call ” owasp-modsecurity-crs ” to differentiate it from the 2.73 version only called ” mod_security_crs ”

    So yes ” yum remove mod_security mod_security_crs ” first if they not already uninstalled

    then

    yum -y update
    yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel git

    httpd-devel should bring the CodeIT devel file to match this CodeIT server (unless you already have it installed) and if it does not then you do not have the CodeIT repo configured . . . so stop and do so or you risk polluting the CodeIT server

    then

    mkdir /etc/httpd/crs
    cd /etc/httpd/crs
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

    Then the entire owasp-modsecurity-crs git page ( crs 3 ) should be in the directory /etc/httpd/crs/owasp-modsecurity-crs — and is NOT installed anywhere but only now you have the latest rules of whatever version time the git repository was modified – but READ everything and compare what you want to add or do not need to add because the rpm has already installed and configured much of it integrated already

    You will not get compiled version errors then from mod_security – it works fine on my systems

  15. I disabled SELinux, removed mod_security, mod_security_crs and mod_ssl, and clean install mod_ssl (kept its original config file). But still the same 403 error when used “Protocols h2 http/1.1”. Any tips on how to actually make HTTP/2 working?

    I installed mod_security 2.9.1 and mod_security_crs 2.2.9 (from “wget -q -O – http://www.atomicorp.com/installers/atomic | sh”), and it continues to show warning “ModSecurity: Loaded APR do not match with compiled!”.

    The error_log now:

    [Sat Mar 04 21:10:36.479068 2017] [mpm_prefork:notice] [pid 2253] AH00170: caught SIGWINCH, shutting down gracefully
    [Sat Mar 04 21:12:06.700352 2017] [core:notice] [pid 2623] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
    [Sat Mar 04 21:12:06.703857 2017] [suexec:notice] [pid 2623] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Sat Mar 04 21:12:06.703888 2017] [:notice] [pid 2623] ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
    [Sat Mar 04 21:12:06.703905 2017] [:notice] [pid 2623] ModSecurity: APR compiled version=”1.4.8″; loaded version=”1.5.2″
    [Sat Mar 04 21:12:06.703912 2017] [:warn] [pid 2623] ModSecurity: Loaded APR do not match with compiled!
    [Sat Mar 04 21:12:06.703918 2017] [:notice] [pid 2623] ModSecurity: PCRE compiled version=”8.32 “; loaded version=”8.32 2012-11-30″
    [Sat Mar 04 21:12:06.703923 2017] [:notice] [pid 2623] ModSecurity: LUA compiled version=”Lua 5.1″
    [Sat Mar 04 21:12:06.703927 2017] [:notice] [pid 2623] ModSecurity: YAJL compiled version=”2.0.4″
    [Sat Mar 04 21:12:06.703956 2017] [:notice] [pid 2623] ModSecurity: LIBXML compiled version=”2.9.1”
    [Sat Mar 04 21:12:06.703963 2017] [:notice] [pid 2623] ModSecurity: Original server signature: Apache
    [Sat Mar 04 21:12:06.703967 2017] [:notice] [pid 2623] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
    [Sat Mar 04 21:12:06.778682 2017] [mpm_prefork:notice] [pid 2623] AH00163: Apache/2.4.25 (centos) OpenSSL/1.0.2k configured — resuming normal operations
    [Sat Mar 04 21:12:06.778774 2017] [core:notice] [pid 2623] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’

  16. As I said I am not a CodeIT representative and it appears the CodeIT is running properly, but you are mixing now programs and as I said in an earlier post that can bring mixed library troubles. Also if you install a file via tarball and compile and install it – then do an rpm later – you will get that kind of error too.

    Not to take up CodeIT’s server space but in an effort to assist and show you what you have done

    Post the output of:
    cat /etc/redhat-release
    AND
    yum list installed | grep mod
    AND
    yum list installed | grep apr
    AND
    yum list installed | grep lua
    AND
    your rating when you run a test at SSLLABS.COM

    Remember manually installed programs not of an rpm nature will not show

    Your error log is telling you that you have mixed up files installed

    So the simple tip is fix the mis-matches

    You need to search for linux tools to tell you where the mis-matches are

    You can try

    whereis libaprutil-1.so.0

    To see where it is – how many there are, if there are ones in different locations, what the dates are, and if it links to other names et cetera – and from that point you need to KNOW what you are doing as to deleting files et cetera

    If you just “erased” an rpm with “nodeps” there is a chance that files were left behind

    If you have done a lot of “hosed” up commands like using that atomiccorp stuff your system may not be “sane” any longer and it will take a lot of manual work to “try” to straighten it out

    My previous post TOLD you to uninstall mod_security_crs and it told you that the NEW rules for mod_security version 2.80 and above is crs3 that is owasp-modsecurity-crs – NOT mod_security_crs – yet you reinstalled mod_security_crs when the post TOLD you NOT to because it was already configured with rules in the rpm

    You are also installing things from non-approved sources using manual methods when the best way to keep a Linux system “sane” is to use the automatic tools that come with it – namely yum

    http://www.atomicorp.com/installers/atomic IS NOT an approved source and is IN FACT a known listed PROBLEM SOURCE. See https://wiki.centos.org/AdditionalResources/Repositories

    So right now Binyanin, you are your own worst enemy it seems

    The simple tip on fixing your system is get that unapproved crap off your system, do not use unapproved and known problem software sources, configure to the approved repos correctly and use yum FIRST – and only if a file is NOT available then use another source AFTER best efforts to verify it is a safe source

    The CodeIT repo while not “officially listed” as approved – is often referred to at CentOS.org as a safe and well maintained repo – and the fact they posted a fix to the cutting edge h2 Apache 2.4.25 server build WITHIN A FEW HOURS – when the file mis-match was discovered is a testament to that. These problems you have is NOT due to their server at all as mine works fine and my error log is only four lines:

    [Sun Mar 05 03:14:07.028434 2017] [auth_digest:notice] [pid 32216] AH01757: generating secret for digest authentication …
    [Sun Mar 05 03:14:07.030156 2017] [lbmethod_heartbeat:notice] [pid 32216] AH02282: No slotmem from mod_heartmonitor
    [Sun Mar 05 03:14:07.083481 2017] [mpm_prefork:notice] [pid 32216] AH00163: Apache/2.4.25 (centos) OpenSSL/1.0.2k PHP/5.6.30 SVN/1.7.14 mod_perl/2.0.10 Perl/v5.16.3 configured — resuming normal operations
    [Sun Mar 05 03:14:07.083507 2017] [core:notice] [pid 32216] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’

    Basically these are NOT errors but notices it is running properly

    Take off mod_security_crs and see if “some” errors go away – and re-read my last post

    mod_security WILL also cause 403 forbidden responses if configured improperly or you call to your server that breaks a rule- that is its function

    Also remember as I said you can get version mis-matches installing old versions – and if you do not remove them and their dependencies – or you installed them without dependencies – for instance did not use yum – then those dependency files may well remain or libraries and be the potential cause of problems later

    For instance the lua53u-libs-5.3.4-1.ius.centos7.x86_64.rpm WILL INSTALL against lua5.1 but it is good practice to remove lua5.1 and install lua5.3 to keep lua “sane” even though mod_security 2.90 only uses ONE file provided by lua53u-libs

    These are things YOU need to know as a linux admin and while I will look at the posts I requested of you – if you post them – I am not a CodeIT representative and this is their technical blog page, and nor am I being paid for this so my assistance to you is nearing its close.

    The CodeIT server is working fine it appears – and is working fine for me – excellent in fact

    The error log is telling what is wrong and it is all mod_security related it appears – yet I do not have those errors and I have mod_security 2.90 installed and mod_evasive and both are working fine with the CodeIT 2.4.25 / 1.02k server

    If Alexander has nothing to add, I cannot see how you can be helped further – the error log is TELLING you what is wrong, and I have told you ways you have mis-matched up your system possibly, and you need to search the problem and fix it

  17. Ignore it, I by mistake blocked HTTP/2.0 access with

    RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /.*\ HTTP/(1\.1|2)$
    RewriteRule . – [F]

    … HTTP/(1\.1|2\.0) fixes it.

  18. Great post! We will be linking to this particularly great post
    on our site. Keep up the good writing.

  19. Hi ,

    I have configured Apache 2.4.29 version and Openssl version is 1.0.2 and SSL also configured.

    Added Protocols h2 h2c http/1.1 in virtual host file. but when i test the site in http2 test site, it says httpd2 is not enabled.

    My website is lrpv2.solverminds.net
    I’m using Centos 7

  20. Hi,

    I’m trying to build my own RPMS for the latest apache version using exactly how the default Centos7 Apache 2.4.6 was built. This means all the stock modules, the way it uses the default SSL, file location etc..

    Can you share how did you build your RPMS and how to make it compatible on all the default modules the stock Centos7 apache has?

    I want to have the same behavior as if i’m doing a yum update from a CentOS official repo with release apache 2.4.latest.

    Yes, your RPM is working fine and probably better, but is there a way to have it as close as CentOS official release?

Leave a Reply

Your email address will not be published. Required fields are marked *