Apache httpd 2.4.27 built against OpenSSL 1.0.2l with http2 for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.27 with http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is built statically against OpenSSL 1.0.2l. Links:

The mod_http2 Apache httpd module no longer supports the prefork MPM; we experienced crashes with it in 2.4.26 and decided to keep those builds private. If you need the http2 module, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf.

Alternatively, feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp, which you can find in the EPEL repository. So the easiest way to use our builds of Apache httpd is to add the EPEL repository, if you do not have it yet: yum install -y epel-release
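The MPM switch described above, as an added shell example that is not part of the original post or the CodeIT packages: it comments out the active MPM LoadModule line in a 00-mpm.conf and uncomments the event or worker one. The sample file is constructed here to mirror the stock RHEL/CentOS 7 layout, and the stock path /etc/httpd/conf.modules.d/00-mpm.conf is assumed.

```shell
#!/bin/sh
# Added example: switch the active MPM in httpd's 00-mpm.conf from prefork to
# event or worker, which mod_http2 requires. It operates on a constructed copy
# of the stock RHEL/CentOS 7 file so the real config is never touched.
set -e
# Write a constructed sample 00-mpm.conf (mirrors the stock layout) to $1.
write_sample_mpm_conf() {
  cat > "$1" <<'EOF'
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: non-threaded, pre-forking web server
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: hybrid multi-process, multi-threaded server
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: variant of worker with asynchronous connection handling
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
}

# Print the MPM name(s) whose LoadModule line is active (uncommented) in $1.
active_mpm() {
  sed -n 's/^[[:space:]]*LoadModule[[:space:]][[:space:]]*mpm_\([a-z]*\)_module.*/\1/p' "$1"
}

# Rewrite $1 so that only the threaded MPM named in $2 (event or worker)
# is loaded: comment out every active MPM line, then uncomment the wanted one.
select_mpm() {
  conf="$1"; want="$2"
  case "$want" in
    event|worker) ;;
    *) echo "select_mpm: $want is not a threaded MPM" >&2; return 1 ;;
  esac
  tmp="$conf.tmp.$$"
  sed -e 's/^[[:space:]]*\(LoadModule[[:space:]][[:space:]]*mpm_[a-z]*_module\)/#\1/' \
      -e "s/^#*[[:space:]]*\(LoadModule[[:space:]][[:space:]]*mpm_${want}_module\)/\1/" \
      "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Offline demo on a temporary copy; point select_mpm at the real
# /etc/httpd/conf.modules.d/00-mpm.conf (assumed stock path) on a host.
demo_conf="${TMPDIR:-/tmp}/00-mpm.conf.demo.$$"
write_sample_mpm_conf "$demo_conf"
echo "before: $(active_mpm "$demo_conf")"   # prefork
select_mpm "$demo_conf" event
echo "after:  $(active_mpm "$demo_conf")"   # event
rm -f "$demo_conf"
```

After restarting httpd, `httpd -V` reports the loaded MPM on its `Server MPM:` line, which is the quickest check that the change took effect.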

46 thoughts on “Apache httpd 2.4.27 built against OpenSSL 1.0.2l with http2 for Red Hat Enterprise Linux and CentOS”

  1. After yum update to these 2.4.27 packages (before, working with the 2.4.25-3 packages) on Virtualmin, and also the EPEL and Remi repos, HTTP/2 is gone! (CentOS 7.3x)
    Do you have a hint where to look and what to change to get http/2 and ALPN back?

    Packages (yum update) seem to be installed; the correct version is there, httpd -v says 2.4.27 and so on.
    Sorry if I'm asking or doing something dumb 😉

    1. John, we also see such behaviour and the root of it (in our case) was the prefork MPM.
      You can check if you also have this problem by looking in your Apache httpd log.
      The mod_http2 Apache httpd module no longer supports the prefork MPM; we experienced crashes with it in 2.4.26 and decided to keep those builds private.
      Please try disabling the prefork MPM and enabling the worker MPM.

  2. Sorry, a howto if possible.

    On another server (DirectAdmin) we have had some httpd 2.4.26 probs but solved them ourselves, and after the httpd 2.4.27 update it is stable and there are none. (all versions from DA and source, so no codeit)

    But I want to test Virtualmin and get some more knowledge also outside of panels and co; I'm (was) more a Windows person….

    But I don't know for sure how to change the prefork; I had in mind something with event?

  3. Sorry, it's late here now. I switched to event and http2 is back again, thanks for pointing me in the right direction! 😉

  4. O yea, you GURUs did a very nice job, please go on … 😉

    (Crashes with httpd 2.4.26 on our server were only with httpd graceful restarts, not with a real restart after stuff such as cronjobs and co., but yes, 2.4.26 was not so nice a version 🙁)

  5. Hello after update to the new release the service won’t start through systemctl. There was a hint that the address is already in use (443). I’ve checked the ports via lsof and netstat. There was nothing listening on the mentioned SSL Port. After rebooting to ensure that the sockets are gone, nothing changed. I couldn’t figure out the root cause with the logs so I had to roll back to the previous release through yum history undo. After that the problem was gone.

    Is there sth. similar known to the new package release?

  6. Did you update the http2 package of codeit also? I started the install manually with yum install of http2 from the codeit repo; here it was not in yum update because http2… before other..
    mod_http2-1.10.10-1.codeit.x86_64.rpm

    and the mod_ssl update with the edits from ssl.conf in ssl.confrpmnew .. ?

    1. John,

      yes, mod_http2 is now built as a separate package. 1.10.10-1 is the current version.
      ssl.conf.rpmnew was made by the rpm installer, not by us, because you modified it.
      In a fresh installation on a system without ssl.conf, the file with the ssl defaults will be created as ssl.conf.

  7. I know, but asked Martin to check himself for important changes in ssl.conf.rpmnew; don't know, could be some different config that causes it.
    Also if he copied the full ssl.conf.rpmnew to ssl.conf without taking care of the right settings for the server then you have a problem. (I tried this, just to be curious; cipher list problems then, therefore not starting and so on 😉)

      1. Ok, all thanks for the support. As mentioned, the issue seemed to be caused by a stupid administration error with two “Listen https 443” in the httpd.conf and ssl.conf. Umcommenting it in the ssl.conf fixed the problem.

  8. Hello,
    Congratulations on the good work! I have the following problem after upgrading to the latest version. In the new ssl.conf there are the following two directives:
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    With them, Apache does not want to start. What is the good practice in this case?

    1. Hello Nedelin,

      Please check default ssl.conf (probably it was created as ssl.conf.rpmnew on your system).

      We would recommend to use

      SSLCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
      SSLProxyCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
      SSLHonorCipherOrder on
      
      1. Hello,
        Thanks for your reply! Yes, exactly in the new file ssl.conf.rpmnew the default rows are as follows:
        SSLCipherSuite PROFILE=SYSTEM
        SSLProxyCipherSuite PROFILE=SYSTEM
        Is this a bug?

  9. In connection with this, http2 will not be supported by the prefork MPM. Wouldn't it be a good thing to make the worker MPM module the default?

    1. I thought about this and probably you are right. In our environment, we run httpd with PHP and we still think worker MPM is not safe enough to be run with PHP.
      However, we have not seen crashes in real environments, on test hosts and on real websites that do not carry critical environments, for two weeks, so probably we will change the defaults and enable the worker MPM by default.

  10. Hello again,
    I have seen the certificate on your website and I have the impression that you are using the same Let's Encrypt certificate for several sites. I do not know if it is convenient to ask here, but how is this possible? As far as I know these free certificates are issued for one domain.

    1. Nedelin, yep, we are using the same SAN certificate for a couple of domains.
      This is easily possible with the acme php client and certbot:

      If you're getting a certificate for many domains at once, the plugin needs to know where each domain's files are served from, which could potentially be a separate directory for each domain. When requesting a certificate for multiple domains, each domain will use the most recently specified --webroot-path. So, for instance,

      certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
      
  11. So the difference between version 2.4.27-1.codeit and version 2.4.27-2.codeit is only:

    Nedelin Petkov says: September 7, 2017 at 12:26 pm
    . . .
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    Is this a bug?

    Alexander Gerasimov says: September 7, 2017 at 12:29 pm
    Nedelin, thank you a lot for your report.
    Yes, this is a bug. We’ll update the patch set and update the release.

    Alexander Gerasimov says: September 7, 2017 at 2:48 pm
    Build updated.

  12. Hi,

    Trying to bump my httpd version from 2.4.6 to 2.4.27

    I did the following:

    $ cd /etc/yum.repos.d; wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo

    and confirmed the epel-release repo was there by doing:

    $ yum install -y epel-release

    and that said it was already installed.

    I then tried doing a:

    $ yum update httpd

    And it said there was nothing to update. I currently have Centos 7.3 and httpd 2.4.6 and was hoping to bump httpd up to 2.4.27 as I want to make use of http/2

    Do I also need to do anything else to make sure that the codeit repo is picked up by yum ?
    Should I have also done a $ yum install codeit ?

    I should also check, before I do this. What suexec_docroot do you set in your build for httpd? I’m using virtualmin and I think they have a custom requirement of setting “suexec_docroot” to “/home”

    Thanks

      1. It's at the top of the list.

        repo id repo name status
        CodeIT/x86_64 CodeIT repo. 141

        and

        $ yum update
        reports “No packages marked for update”

        I've had a chat with the Virtualmin guys and given the need to have a build with 'suexec_docroot = /home' and the fact that my current httpd install comes from their repo (I think) it might not be a good idea for me to proceed. I'm guessing that your build doesn't have the Virtualmin customisations..

        Thanks for responding.

        1. Jason, I’ve checked on fresh test instance with httpd 2.4.6 and yum update works fine.
          So I think you have a custom build of httpd 2.4.6, or the update of httpd is prohibited in your yum configuration.

          Please first try with

          yum install httpd-2.4.27-2.codeit
          
  13. Ok, I will, but I won't be able to use it anyway, unfortunately. It could well be as you say that the fact that I am using a Virtualmin-specific 2.4.6 from a Virtualmin repo is the thing that's stopping an update from yours being recognised.

    I'm told by the Virtualmin support that I can't use a generic 2.4.* build. Virtualmin uses suEXEC and specifies that the suexec_docroot points to /home. I doubt yours does the same and I'm not prepared to lose Virtualmin just to have http/2.

    I'm trying to persuade Virtualmin now to update their repo from the RH SCL repo but with their customisations. Or at least provide it as an option.

    I’m told that if I install yours it will break Virtualmin’s support for apache.

    Thanks for responding.
