Symptoms
After deployment of a fresh webserver based on NG technology, it was found that websites are not served from this node: the default content is always shown when an existing website is opened. Also, no SSL certificate is served on the default SSL host:
# openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
All services are running: apache shows the default page content, redis retrieves data from the master server, and the SSL certificates are present there. No configuration file changes were introduced, all packages are installed and pass RPM validation.
However, the strace utility shows that apache cannot access the redis socket to start the data exchange:
connect(19, {sa_family=AF_LOCAL, sun_path="/var/lib/redis/redis.sock"}, 110) = -1 EACCES (Permission denied) <0.000113>
Cause
The 'apache' user was not a member of the 'redis' group, which effectively blocked any communication with the redis socket.
This happened during deployment: the 'redis' user already existed in LDAP, so the redis package did not create the user locally. Since it is not possible to attach a local user to an LDAP group, 'apache' was left without the required permissions.
Resolution
Add user 'apache' to group 'redis'.
If the 'redis' user and group exist in LDAP, it is required to temporarily exclude sss (the LDAP client daemon, sssd) from the search path in the file /etc/nsswitch.conf:
passwd: files ng
shadow: files ng
group: files
Then add the redis group and user locally and add this group as a supplementary group for 'apache':
# groupadd -r redis
# useradd -r -g redis -d /var/lib/redis -s /sbin/nologin -c 'Redis Server' redis
# usermod apache -G pemsrv,redis
Fix permissions:
# chown -R redis:redis /var/log/redis/
# chown -R redis:redis /var/lib/redis
Restart redis server and reload Apache service:
# service redis restart
# service httpd reload
You may restore the nsswitch.conf content afterwards.
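The following check script is an added example, not part of the original article, for verifying that the resolution above took effect before restoring nsswitch.conf. It assumes the names used in the article (user 'apache', group 'redis', socket /var/lib/redis/redis.sock) and GNU coreutils on the node.

```shell
#!/bin/sh
# Added diagnostic (not from the original article): confirm that the group
# resolves locally, that the apache user is in it, and that the socket
# directory is group-owned by redis, so the EACCES seen in strace cannot recur.

# Return 0 if USER's primary or supplementary groups include GROUP.
user_in_group() {
    user="$1"; group="$2"
    for g in $(id -nG "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Return 0 if PATH exists and its owning group is GROUP (GNU stat assumed).
path_group_is() {
    path="$1"; group="$2"
    [ -e "$path" ] || return 2
    [ "$(stat -c %G "$path" 2>/dev/null)" = "$group" ]
}

# Report what is still missing; return 0 only when everything is in place.
# Arguments default to the values from the article.
check_redis_access() {
    user="${1:-apache}"; group="${2:-redis}"; sock="${3:-/var/lib/redis/redis.sock}"
    sockdir=$(dirname "$sock")
    rc=0
    if ! getent group "$group" >/dev/null 2>&1; then
        echo "group '$group' is not resolvable: groupadd -r $group"; rc=1
    fi
    if ! user_in_group "$user" "$group"; then
        # -a appends instead of replacing the existing supplementary groups
        echo "user '$user' is not in group '$group': usermod -a -G $group $user"; rc=1
    fi
    if ! path_group_is "$sockdir" "$group"; then
        echo "$sockdir is not group-owned by '$group': chown -R $group:$group $sockdir"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $user can reach $sock through group $group"
    return "$rc"
}
```

Run `check_redis_access` on the node after the usermod and chown steps; a non-zero exit prints the specific command that is still missing.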