FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 211621
Description This article describes workarounds and solutions for the HTTP daemon (httpd) not starting in FortiNAC.
Scope versions 8.8.x, 9.1.x, 9.2.x.
Solution

The error logs below identify this case, followed by the workarounds to fix it:

 

The error logs can be viewed via the CLI:

 

1) tf output.processManager.

 

yams.CampusManager INFO :: 2022-05-10 12:34:30:425 :: #1 :: httpd is not running!
yams.CampusManager INFO :: 2022-05-10 12:34:30:426 :: #1 :: ******* System Check Failed! *******
yams.CampusManager INFO :: 2022-05-10 12:34:30:627 :: #1 :: Loaders are running
yams.CampusManager INFO :: 2022-05-10 12:34:30:627 :: #1 :: Processes are running
yams.CampusManager INFO :: 2022-05-10 12:34:30:829 :: #1 :: masterLoaderPID = 4340 nessusLoaderPID = 4646
yams.CampusManager INFO :: 2022-05-10 12:34:30:829 :: #1 :: sendToNetwork verb Start Processes standbyenabled false inControl true controlServer true
yams.CampusManager INFO :: 2022-05-10 12:34:30:829 :: #1 :: sendToNetwork() servers = [, , , ]

 

2) service httpd status -l.

 

> service httpd status -l
Redirecting to /bin/systemctl status -l httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2022-05-10 12:31:27 CEST; 2min 12s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 7981 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 7981 (code=exited, status=1/FAILURE)

May 10 12:31:27 forti.lab httpd[7981]: [Tue May 10 12:31:27.732954 2022] [core:warn] [pid 7981] AH00111: Config variable ${HTTPD_HOSTNAME} is not defined
May 10 12:31:27 forti.lab httpd[7981]: [Tue May 10 12:31:27.733005 2022] [so:warn] [pid 7981] AH01574: module ssl_module is already loaded, skipping
May 10 12:31:27 forti.lab httpd[7981]: [Tue May 10 12:31:27.733073 2022] [core:warn] [pid 7981] AH00111: Config variable ${TLS_PROTOCOLS} is not defined
May 10 12:31:27 forti.lab httpd[7981]: [Tue May 10 12:31:27.733087 2022] [core:warn] [pid 7981] AH00111: Config variable ${TLS_CIPHERS} is not defined
May 10 12:31:27 forti.lab httpd[7981]: AH00526: Syntax error on line 25 of macro 'yams_https' (defined on line 56 of "/etc/httpd/conf.d/00_mod_macro.conf") used on line 7 of "macro 'yams_vhost' (defined on line 19 of "/etc/httpd/conf.d/00_mod_macro.conf") used on line 2 of "macro 'vhost' (defined on line 13 of "/etc/httpd/conf.d/00_mod_macro.conf") used on line 2 of "/etc/httpd/conf.d/authentication.conf""":
May 10 12:31:27 forti.lab httpd[7981]: SSLCertificateFile: file '/bsc/siteConfiguration/apache_ssl/server.crt' does not exist or is empty
May 10 12:31:27 forti.lab systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 10 12:31:27 forti.lab systemd[1]: Failed to start The Apache HTTP Server.
May 10 12:31:27 forti.lab systemd[1]: Unit httpd.service entered failed state.
May 10 12:31:27 forti.lab systemd[1]: httpd.service failed.

 

Relevant log line: SSLCertificateFile: file '/bsc/siteConfiguration/apache_ssl/server.crt' does not exist or is empty

 

The directory /bsc/siteConfiguration/apache_ssl/ is where the certificate files used to secure the Captive Portal are stored.

When the certificate files are missing or incomplete, httpd does not start correctly.

 

Solutions to this issue: 

 

1) If the GUI is available, disable SSL mode:

 

For versions 9.1.x and 9.2.x.

 

Go to Portal -> Portal SSL on the Secondary:
- Select Portal -> Portal SSL.
- In the SSL panel select 'Disabled' from the drop-down menu in the SSL Mode field.
- Select 'Save' and wait until it is saved.

 

For version 8.8.x.

 

Go to System -> Settings:
- Expand the Security folder.
- Select Portal SSL from the tree.
- Select Disabled from the drop-down menu in the SSL Mode field.
- Select 'Save Settings'.

 

2) If the GUI is not available, the fix has to be performed via the CLI and differs from the GUI workaround.

 

Generate a new self-signed certificate using the steps described on page 36 of the FortiNAC certificate SSL installation guide:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d51ef05b-08a9-11eb-96b9-005056...

 

If the steps above do not fix the issue and a keystore-related error occurs while performing them, check the keystore directory.

 

If there is a recent backup of the keystore, it is possible to delete the original keystore and rename the backup keystore to the original name.

This step should be considered an optional addition to a), not a separate method.

 

With this method, the directory /bsc/siteConfiguration/apache_ssl/ is populated with the needed certificate files, so httpd no longer hits this error when it starts.

 

3) If all other steps have been followed and the selfsigned.crt and selfsigned.key files still do not populate to /bsc/siteConfiguration/apache_ssl/, follow these steps:

 

- Run the following to export the certificate:

 

keytool -export -alias server -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 -rfc -file selfsigned.crt

 

- Move it to the directory:

 

mv selfsigned.crt /bsc/siteConfiguration/apache_ssl/selfsigned.crt

 

- Run the following to export the keystore to PKCS12 format:


keytool -importkeystore -srckeystore /bsc/campusMgr/.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias server -deststorepass fortinet -destkeypass fortinet

 

- Run the following to extract the key:


openssl pkcs12 -in keystore.p12 -nodes -nocerts -out selfsigned.key

 

(The password is fortinet, set in the previous command.)

 

- Convert the key to RSA:

 

openssl rsa -in selfsigned.key -out selfsigned.key

 

- Move the key to the appropriate folder:

 

mv selfsigned.key /bsc/siteConfiguration/apache_ssl/selfsigned.key

 

- Restart HTTPD and tomcat-admin:

 

service httpd restart

service tomcat-admin restart
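
A pre-flight check to run before the restart, as an added example that is not part of the Fortinet article: it confirms that the certificate and key in /bsc/siteConfiguration/apache_ssl/ exist, are non-empty, parse, and belong together, and that the clear-text key is not readable by other accounts. The function name check_apache_ssl, its return codes and the default file names (taken from step 3) are assumptions of this example.

```shell
# Added example, not Fortinet code.
# Usage: check_apache_ssl /bsc/siteConfiguration/apache_ssl [crt-name] [key-name]
# Returns 0 ok, 1 missing/empty file, 2 unparseable PEM, 3 certificate and
# key do not belong together, 4 private key accessible to group or others.
check_apache_ssl() {
    ssl_dir=$1
    ssl_crt="$ssl_dir/${2:-selfsigned.crt}"   # default names from step 3;
    ssl_key="$ssl_dir/${3:-selfsigned.key}"   # pass others, e.g. server.crt

    for ssl_f in "$ssl_crt" "$ssl_key"; do
        # -s fails for a missing and for a zero-length file: the two cases
        # behind "does not exist or is empty" in the httpd log.
        if [ ! -s "$ssl_f" ]; then
            echo "FAIL: $ssl_f does not exist or is empty" >&2
            return 1
        fi
    done

    # Compare public keys rather than RSA moduli so the check is not tied
    # to one key type. "-passin pass:" makes an encrypted key fail instead
    # of prompting for a passphrase.
    crt_pub=$(openssl x509 -in "$ssl_crt" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $ssl_crt is not a readable PEM certificate" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$ssl_key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: $ssl_key is not a readable unencrypted PEM key" >&2
        return 2
    }
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and key do not match" >&2
        return 3
    fi

    # The key was extracted with -nodes, so it sits on disk in clear text.
    # Characters 5-10 of the ls mode string are the group/other bits.
    ssl_mode=$(ls -Lld "$ssl_key" | cut -c5-10)
    if [ "$ssl_mode" != "------" ]; then
        echo "WARN: $ssl_key is accessible to group/others; restrict its mode" >&2
        return 4
    fi
    echo "OK: $ssl_crt and $ssl_key are a usable pair"
    return 0
}
```

Once the pair checks out, delete the intermediate keystore.p12 from the working directory: it holds the same private key, protected only by the password given on this page.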

 

Related documents:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d51ef05b-08a9-11eb-96b9-005056...

 

https://docs.fortinet.com/document/fortinac/8.8.0/administration-guide/333502/portal-ssl

 
