I am new to Linux; my first Linux OS was F35. I had a Nextcloud instance running, upgraded to F37, and now Nextcloud is unavailable. I found that httpd would not start. The http/ssl_error log showed:
[Tue Dec 20 18:36:05.764828 2022] [ssl:emerg] [pid 2821:tid 2821] AH02407: "SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/xxx.com/dhparam.pem" failed for xxx.com:443
[Tue Dec 20 18:36:05.764846 2022] [ssl:emerg] [pid 2821:tid 2821] SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode. Input type: PEM)
I checked that file /etc/letsencrypt/live/xxx.com/dhparam.pem does indeed exist.
After much frustration I found that removing
[ SSLOpenSSLConfCmd DHParameters "/etc/letsencrypt/live/xxx.com/dhparam.pem" ]
directive from my http conf solves the problem and httpd starts (with the directive included in http conf file, httpd syntax check still passes in F37 as was the case in F35).
The question is: why did my configuration break? Was it due to the OpenSSL version change 1.11 → 3.0.5?
Also, do I actually need DHParameter…xx… directive for a proper secure config?
Thanks
On F35 I had:
~# dnf list installed | grep openssl
apr-util-openssl.x86_64    1.6.1-17.fc35      @fedora
openssl.x86_64             1:1.1.1q-1.fc35    @updates
openssl-libs.x86_64        1:1.1.1q-1.fc35    @updates
openssl-pkcs11.x86_64      0.4.11-4.fc35      @fedora
xmlsec1-openssl.x86_64     1.2.29-4.fc35      @fedora
On F37 I now have:
~# dnf list installed | grep openssl
apr-util-openssl.x86_64    1.6.1-22.fc37      @fedora
openssl.x86_64             1:3.0.5-3.fc37     @fedora
openssl-libs.x86_64        1:3.0.5-3.fc37     @fedora
openssl-pkcs11.x86_64      0.4.12-2.fc37      @fedora
xmlsec1-openssl.x86_64     1.2.34-4.fc37      @updates
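
One way to inspect the file that the failing DHParameters directive points at, as an added example that is not part of the original post: it reports which PEM block types the file holds and, if a DH parameter block is present, asks the installed OpenSSL to decode it. The function names `classify_dhparam` and `check_dhparam` are hypothetical helpers; the script does not claim to identify the cause of the failure above.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the post): what does the file given to
# "SSLOpenSSLConfCmd DHParameters" actually contain?
# classify_dhparam / check_dhparam are hypothetical helper names.

classify_dhparam() {
    f=$1
    # -e follows symlinks, so a dangling symlink also reports "missing".
    [ -e "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # Collect the label of every PEM block, e.g. "DH PARAMETERS" or
    # "CERTIFICATE"; trailing whitespace (including CR) is tolerated.
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f")
    [ -n "$labels" ] || { echo no-pem-block; return 0; }
    # DH parameters are stored under one of these two PEM labels.
    if printf '%s\n' "$labels" | grep -Eqx '(X9\.42 )?DH PARAMETERS'; then
        echo dh-parameters
    else
        # Report the first label found so the mismatch is visible.
        echo "other-pem:$(printf '%s\n' "$labels" | head -n 1)"
    fi
}

check_dhparam() {
    f=$1
    kind=$(classify_dhparam "$f")
    echo "$f: $kind"
    # Only when a DH block exists: let the installed OpenSSL decode it,
    # which exercises the same library version httpd is linked against.
    if [ "$kind" = dh-parameters ] && command -v openssl >/dev/null 2>&1; then
        openssl dhparam -in "$f" -check -noout
    fi
}

# Usage: sh check-dhparam.sh /path/to/dhparam.pem
if [ "$#" -gt 0 ]; then
    check_dhparam "$1"
fi
```

Run it as root against the path from the directive, since files under /etc/letsencrypt/live are usually not readable by ordinary users.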