IBM Support

QRadar: The Console UI is unavailable after SSL certificate installation

Troubleshooting


Problem

The QRadar® GUI fails to load due to an invalid certificate installation preventing HTTPd from starting.
To install a custom certificate in QRadar®, the /opt/qradar/bin/install-ssl-cert.sh script must be run; if the certificate is invalid, the script fails with "ERROR: Failed to restart httpd service".

Symptom

The install-ssl-cert.sh script process fails when it tries to reload the HTTPd configuration.
 
# /opt/qradar/bin/install-ssl-cert.sh
Path to Public Key File (SSLCertificateFile): /tmp/cert.cer
Path to Private Key File (SSLCertificateKeyFile): /tmp/key.key

You have specified the following:

    SSLCertificateFile of /tmp/cert.crt
    SSLCertificateKeyFile of /tmp/key.key

Re-configure Apache now (includes restart of httpd) (Y/[N])? Y
Backing up current SSL configuration ... (OK)
Installing user SSL certificate ... (OK)
Reloading httpd configuration:
 - Restarting httpd service ... (FAILED)
 [install-ssl-cert.sh] ERROR: Failed to restart httpd service
Restoring previous SSL configuration ... (OK)
Reloading httpd configuration:
(SKIPPED): httpd not running
 [install-ssl-cert.sh] ERROR: Could not update SSL certificate - previous config restored
This failure leaves the HTTPd service in failed status and the GUI unavailable.
 
# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─qradar.conf
   Active: failed (Result: exit-code) since Fri 2020-09-25 12:25:40 EDT; 20s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 22575 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 22571 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 22332 ExecStartPre=/opt/qradar/systemd/bin/forensics_generate_mks_ghost.sh (code=exited, status=0/SUCCESS)
 Main PID: 22571 (code=exited, status=1/FAILURE)
Sep 25 12:25:40 hostname httpd[22571]: [Fri Sep 25 12:25:40.846...
Sep 25 12:25:40 hostname httpd[22571]: [Fri Sep 25 12:25:40.847...
Sep 25 12:25:40 hostname httpd[22571]: [Fri Sep 25 12:25:40.847...
Sep 25 12:25:40 hostname httpd[22571]: [Fri Sep 25 12:25:40.847...
Sep 25 12:25:40 hostname systemd[1]: httpd.service: main proces...
Sep 25 12:25:40 hostname kill[22575]: kill: cannot find process ""
Sep 25 12:25:40 hostname systemd[1]: httpd.service: control pro...
Sep 25 12:25:40 hostname systemd[1]: Failed to start The Apache...
Sep 25 12:25:40 hostname systemd[1]: Unit httpd.service entered...
Sep 25 12:25:40 hostname systemd[1]: httpd.service failed

Cause

Installing a certificate that is not valid PEM, or that is in an unsupported format such as DER, triggers this failure.

Environment

QRadar® 7.3.x and later

Diagnosing The Problem

Look for the keyword "mismatch" in the /var/log/httpd/ssl_error_log.
 
[ssl:warn]: RSA certificate configured for localhost:443 does NOT include an ID which matches the server name
[ssl:emerg] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[ssl:emerg] : Unable to configure RSA server private key
To confirm that the files are in PEM format and that the private key matches the certificate, run the following commands:
For the certificate:
openssl x509 -noout -modulus -in /tmp/qradar_cert.pem | openssl md5
For the certificate's private key:
openssl rsa -noout -modulus -in /tmp/qradar_cert.key | openssl md5
Note: Change the location of the files to match your environment. In this example, the files are in /tmp. Both commands must print the same (stdin)= hash; if the hashes differ, the key does not belong to the certificate.
Example of a bad certificate and a private key that does not match:

# openssl x509 -noout -modulus -in /tmp/qradar_cert.pem | openssl md5
unable to load certificate
140196792559504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
(stdin)= d41d8cd98f00b204e9800998ecf8427e

# openssl rsa -noout -modulus -in /tmp/qradar_cert.key | openssl md5
(stdin)= ea657ba74790f59bd061dac5f2f1e73d
Example of a good certificate and private key matching:
# openssl x509 -noout -modulus -in /tmp/qradar_cert.pem | openssl md5
(stdin)= 6c263a1c065a95a5f3554763720278e7

# openssl rsa -noout -modulus -in /tmp/qradar_cert.key | openssl md5
(stdin)= 6c263a1c065a95a5f3554763720278e7
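The following pre-flight script is an added example and is not part of this technote or of QRadar: it runs the two openssl checks described above (and repeated in step 2 of the resolution) before install-ssl-cert.sh is invoked, so that a DER-encoded file or a non-matching key is caught while httpd is still running. The certificate and key paths are hypothetical placeholders; openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not from the IBM technote): pre-flight check for a custom
# QRadar certificate/key pair. Paths given on the command line are assumed.

# 0 when the file parses as a PEM X.509 certificate. A DER file, or a file
# with no "-----BEGIN" line, fails here with "no start line", which is the
# case that produces the empty-input hash d41d8cd9... in the technote.
check_cert_pem() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# 0 when the file is a readable PEM RSA private key. stdin is /dev/null so
# an encrypted key fails instead of hanging on a passphrase prompt.
check_key_pem() {
    openssl rsa -noout -in "$1" </dev/null >/dev/null 2>&1
}

# The same modulus fingerprints the technote compares by hand.
cert_modulus_md5() { openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5; }
key_modulus_md5()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null </dev/null | openssl md5; }

# 0 only when both files are valid PEM and the moduli agree; otherwise 1,
# with the reason on stderr. Safe to run before install-ssl-cert.sh.
preflight() {
    cert=$1; key=$2
    if ! check_cert_pem "$cert"; then
        echo "FAIL: $cert is not a PEM X.509 certificate (DER or wrong file?)" >&2
        return 1
    fi
    if ! check_key_pem "$key"; then
        echo "FAIL: $key is not a readable, unencrypted PEM RSA key" >&2
        return 1
    fi
    c=$(cert_modulus_md5 "$cert"); k=$(key_modulus_md5 "$key")
    if [ "$c" != "$k" ]; then
        echo "FAIL: key values mismatch; httpd would refuse to start" >&2
        echo "  certificate: $c" >&2
        echo "  private key: $k" >&2
        return 1
    fi
    echo "OK: certificate and key match: $c"
    return 0
}

# Usage: preflight.sh /path/to/cert.pem /path/to/key.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it with the same two paths you intend to give install-ssl-cert.sh; a non-zero exit means the installation would fail in the same way as the Symptom output above.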

Resolving The Problem

  1. Create the certificates based on the QRadar® SSL certificates documentation.
    Note:
    The certificate must be an X.509 certificate and have PEM base64 encoding.
    The certificate must have a .cert, .crt, .pem, or .der file extension.
     
  2. Check whether the certificate and the private key match as explained in the Diagnosing the Problem section.

    For the certificate:
    openssl x509 -noout -modulus -in /tmp/qradar_cert.pem | openssl md5 

    For the certificate's private key:
    openssl rsa -noout -modulus -in /tmp/qradar_cert.key | openssl md5
  3. Install the new SSL certificate following the QRadar® documentation. The output should look like this:
     
    # /opt/qradar/bin/install-ssl-cert.sh
    Path to Public Key File (SSLCertificateFile): /tmp/qradar_cert.pem
    Path to Private Key File (SSLCertificateKeyFile): /tmp/qradar_cert.key
    
    You have specified the following:
    
           SSLCertificateFile of /tmp/qradar_cert.pem
        SSLCertificateKeyFile of /tmp/qradar_cert.key
    
    Re-configure Apache now (includes restart of httpd) (Y/[N])? Y
    Backing up current SSL configuration ... (OK)
    Installing user SSL certificate ... (OK)
    Reloading httpd configuration:
     - Restarting httpd service ... (OK)
    Restarting running services:
     - Stopping hostcontext ... (OK)
     - Restarting Tomcat ... (OK)
     - Starting hostcontext ... (OK)
    ...
  4. Verify the GUI now loads with the new certificate.

Document Information

Modified date:
17 June 2021

UID

ibm16362011