Symptoms

After deployment of a fresh webserver based on NG technology, it was found that websites are not served from this node. The default content is always shown when an existing website is opened. Also, no SSL certificate is served on the default SSL host:

# openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

All services are running: Apache shows the default page content, Redis retrieves data from the master server, and the SSL certificates are present there. No configuration file changes were introduced; all packages are installed and pass RPM validation.

However, strace shows that Apache cannot access the Redis socket to start the data exchange:

connect(19, {sa_family=AF_LOCAL, sun_path="/var/lib/redis/redis.sock"}, 110) = -1 EACCES (Permission denied) <0.000113>

Cause

The 'apache' user was not a member of the 'redis' group, which effectively blocked all communication over the Redis socket.

The cause appeared during deployment: the 'redis' user already existed in LDAP, so the redis package did not add the user. Since a local user cannot be attached to an LDAP group, 'apache' was left without the required permissions.
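The EACCES in the strace above follows from the permission rule for Unix domain sockets: connect() needs write permission on the socket inode, and Linux evaluates exactly one permission class (owner, else group, else other). The following helper, added here and not part of the original article, applies that rule to check a user against a socket before touching groups; socket_connect_ok is pure logic, and the check_socket_access wrapper assumes Linux with GNU stat and id.

```bash
#!/bin/bash
# Added diagnostic helper (not from the original article).
#   socket_connect_ok MODE OWNER GROUP USER "USER_GROUPS"
# MODE is the octal mode of the socket file (e.g. 770), USER_GROUPS is the
# user's group names separated by spaces. Prints "ok" or "denied" and
# returns 0 for ok, 1 for denied. Search permission on the parent
# directories is a separate requirement not covered here.
socket_connect_ok() {
    local mode=$1 owner=$2 group=$3 user=$4 groups=$5 bits g
    local m=$(( 8#$mode ))
    if [ "$user" = root ]; then
        echo ok; return 0          # CAP_DAC_OVERRIDE bypasses the mode bits
    fi
    # Linux picks one class and does not fall through to the next one.
    if [ "$user" = "$owner" ]; then
        bits=$(( (m >> 6) & 7 ))
    else
        bits=$(( m & 7 ))
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                bits=$(( (m >> 3) & 7 ))
                break
            fi
        done
    fi
    if (( bits & 2 )); then       # write bit is what connect() needs
        echo ok; return 0
    fi
    echo denied; return 1
}

# Wrapper that reads the live socket and user (GNU stat / id assumed):
#   check_socket_access /var/lib/redis/redis.sock apache
check_socket_access() {
    local sock=$1 user=$2 st
    st=$(stat -c '%a %U %G' "$sock") || return 2
    # shellcheck disable=SC2086
    socket_connect_ok $st "$user" "$(id -Gn "$user")"
}
```

Run check_socket_access against the socket path from the strace line on the affected node; "denied" with the socket owned by redis:redis confirms the group membership gap before any groups are changed.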

Resolution

Add user 'apache' into group 'redis'.

If the 'redis' user and group exist in LDAP, temporarily exclude sss (the sssd LDAP client) from the lookup order in /etc/nsswitch.conf:

passwd:     files ng
shadow:     files ng
group:      files

Then add the redis group and user locally and add this group as a supplementary ('additional') group for 'apache'. Note that usermod -G without -a replaces the user's whole supplementary group list, so every group the user must keep (here pemsrv) has to be listed again:

# groupadd -r redis
# useradd -r -g redis -d /var/lib/redis -s /sbin/nologin -c 'Redis Server' redis
# usermod apache -G pemsrv,redis

Fix permissions:

# chown -R redis:redis /var/log/redis/
# chown -R redis:redis /var/lib/redis

Restart redis server and reload Apache service:

# service redis restart
# service httpd reload

You can restore the original nsswitch.conf content afterwards.
