# Apache2 and "Invalid command 'SSLEngine'" after update

## phreenet

I recently updated Apache2 to 2.2.6 using emerge -uav apache. I haven't ever had a problem updating Apache, so I'm pretty stumped. The problem occurs when I try to connect to any of my VirtualHost domains using SSL/443 and I get an "Unable to connect" error. So I did a little investigating over the past day, and I see a lot of people with my symptoms, but their solutions never seem to fix my problem. So I will throw this out to the Gentoo community and see if anyone out there has had this issue solved for them in the past.

Important Apache Settings:

```
# Taken from: "/etc/conf.d/apache2"
APACHE2_OPTS="-D SSL -D DEFAULT_VHOST -D PHP5 -D INFO -D LANGUAGE -D SSL_DEFAULT_VHOST -D SUEXEC"
```

```
# Taken from: "/etc/apache2/httpd.conf"
...
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
...
User apache
Group apache
ServerAdmin webmaster@example.com
UseCanonicalName Off
DirectoryIndex index.php default.php index.html index.htm
AccessFileName .htaccess
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Listen 80 443
Include /etc/apache2/modules.d/*.conf
Include /etc/apache2/vhosts.d/*.conf
```

Typical setting for one of my domains running SSL. Domains that run SSL do have their own IP address bound to eth0 on the server and don't use name-based virtual hosting.

```
# Taken from: "/etc/apache2/vhost.d/vhost.conf"
...
<VirtualHost 207.44.xxx.xxx:80>
        ServerName www.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot "/var/www/example.com/htdocs"
        ErrorLog /var/log/apache2/example.com_error
        TransferLog /var/log/apache2/example.com_access
</VirtualHost>
<VirtualHost 207.44.xxx.xxx:443>
        ServerName www.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot "/var/www/example.com/htdocs"
        ErrorLog /var/log/apache2/example.com_error
        TransferLog /var/log/apache2/example.com_access
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/photoxpureair.com.cert
        SSLCertificateKeyFile /etc/apache2/ssl/photoxpureair.com.key
</VirtualHost>
...
```

OK, those are the basic settings, and it should work as is with a basic LAMP server. So whenever I try to connect to https://www.example.com I get a cannot connect error. So here are some debugging outputs that have led me in a circle.

```
web1 ~ # apache2ctl configtest
 * Checking Apache Configuration ...                                                         [ ok ]

# This led me to most of my searching of problems.
web1 ~ # apache2 -M
Syntax error on line 59 of /etc/apache2/vhosts.d/vhost.conf:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration

# So we know mod_ssl.so was at least built when Apache was.
web1 ~ # locate mod_ssl
/root/41_mod_ssl.default-vhost.conf
/usr/include/apache2/mod_ssl.h
/usr/lib/apache2/modules/mod_ssl.so
/etc/apache2/modules.d/40_mod_ssl.conf

# But apache doesn't bind to 443 because it isn't loading mod_ssl.so or OpenSSL, yet I have listen 443 in the config files and mod_ssl was built.
web1 ~ # netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      3713/couriertcpd
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      3833/couriertcpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      3393/mysqld
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      3773/couriertcpd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      3653/couriertcpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      23318/apache2
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4151/vsftpd
tcp        0      0 207.44.184.48:22        0.0.0.0:*               LISTEN      3471/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4039/master
```

OK, to end this long thread I will show my USE command and some emerge outputs.

```
web1 ~ # emerge -pv apache openssl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] dev-libs/openssl-0.9.8g  USE="zlib -bindist -emacs -gmp -kerberos -sse2 -test" 0 kB
[ebuild   R   ] www-servers/apache-2.2.6  USE="ssl -debug -doc -ldap -mpm-event -mpm-itk -mpm-peruser -mpm-prefork -mpm-worker -no-suexec (-selinux) -static-modules -threads" 0 kB

Total: 2 packages (2 reinstalls), Size of downloads: 0 kB
```

So if anyone has had experience in dealing with these sorts of problems with Apache2 and SSL, let me know. I seem to be going in circles when I search for help, and no solutions seem to fix my particular problem.

----------

## Corvinian

Hello phreenet,

The ssl-module is not loaded and therefore not bound to port 443.

There was a Bugzilla entry requiring changing the order of the directives; if I recall correctly, it was

```
'-D [other directives] -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST'
```

Is your webserver working when SSL is disabled; and also when you specify SSL-option via command-line?

```
apache2 -t -D SSL
```

If this works, it's definitely the load order!

- maybe this is of help:

https://forums.gentoo.org/viewtopic-t-382793-highlight-invalid+sslengine+perhaps+misspelled+defined+module.html

https://forums.gentoo.org/viewtopic-t-449732-highlight-invalid+sslengine+perhaps+misspelled+defined+module.html

https://forums.gentoo.org/viewtopic-t-467269-highlight-invalid+sslengine+perhaps+misspelled+defined+module.html

There are other threads with solutions, search the forum with 'invalid sslengine' ...

- Here the '-D SSL' is required to go in the end to make it work:

https://forums.gentoo.org/viewtopic-t-40995-highlight-invalid+sslengine.html

HTH

Corvinian

----------
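An added example, not written by either poster: a small Python check that evaluates `<IfDefine>` blocks for a given set of `-D` defines and reports `SSL*` directives that httpd would reach while `mod_ssl` is not loaded, which is the condition behind the "Invalid command 'SSLEngine'" message. The function names and the sample config are constructed for illustration (192.0.2.10 is a documentation address), and the check reads a single config text without following `Include` lines.

```python
import re

# Constructed sample mirroring the thread's layout: LoadModule is guarded by
# <IfDefine SSL>, while the SSL directives in the vhost are not guarded.
SAMPLE_CONF = """\
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
Listen 80 443
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example.com.cert
</VirtualHost>
"""

def parse_defines(opts):
    """Extract the names passed as -D NAME in an APACHE2_OPTS-style string."""
    return set(re.findall(r"-D\s*(\S+)", opts))

def unguarded_ssl_directives(conf, defines):
    """Return (line_no, directive) for SSL* directives reached while
    mod_ssl has not been loaded, given the active -D defines."""
    stack = []          # one bool per open <IfDefine>: is that block active?
    ssl_loaded = False
    problems = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<IfDefine\s+(!?)(\S+?)>$", line, re.I)
        if m:
            negated, name = m.group(1) == "!", m.group(2)
            stack.append((name in defines) != negated)
            continue
        if re.match(r"</IfDefine>$", line, re.I):
            if stack:
                stack.pop()
            continue
        if not all(stack):
            continue    # inside an inactive block: httpd skips this line
        words = line.split()
        if words[0].lower() == "loadmodule" and "ssl_module" in words:
            ssl_loaded = True
        elif words[0].lower().startswith("ssl") and not ssl_loaded:
            problems.append((no, words[0]))
    return problems
```

Calling `unguarded_ssl_directives(SAMPLE_CONF, set())` models a run with no defines, and passing `parse_defines(...)` of the `APACHE2_OPTS` string models a run with them.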

