Apache - Permission denied: Failed to acquire SSL session cache lock

Posted in Apache -

I've set up a CentOS 5 Apache web server for a customer where we run the web server as user different from the default user "apache" (often "nobody" is used as well). The application runs through SSL using mod_ssl, and when accessing SSL secured pages errors like these would appear in the error log:

[Wed Nov 14 11:16:49 2007] [warn] (13)Permission denied: Failed to acquire SSL session cache lock
[Wed Nov 14 11:16:49 2007] [warn] (13)Permission denied: Failed to release SSL session cache lock

I checked the ssl configuration (which on CentOS 5 is at /etc/httpd/conf.d/ssl.conf) and found this section about the SSL session cache:

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

From looking at this, I could see that /var/cache/mod_ssl/scache is where Apache and mod_ssl are trying to store the session cache information. A quick ls -l of the appropriate directories revealed this:

# ls -l /var/cache/mod_ssl/scache
total 0

# ls -l /var/cache/mod_ssl
total 1
drwxr-xr-x 2 apache root 1024 Nov  9 17:02 scache

# ls -l /var/cache
total 6
...
drwx------  3 apache root   1024 Nov  9 17:02 mod_ssl
...

So from looking at the directories we can see that the "apache" user is able to read and write to those directories but no one else can (other than root, of course). Because we were running the Apache web server as a different user, I needed to change the ownership of those directories to allow the webserver to write to them, like so, using "foo" as the example username:

chown foo:root /var/cache/mod_ssl
chown foo:root /var/cache/mod_ssl/scache

This didn't seem to fix the issue, because the error messages were still repeating in the error logs. However, a quick full restart of Apache as shown below appears to have fixed the problem:

/etc/init.d/httpd restart



Comments