I’ve set up a CentOS 5 Apache web server for a customer where we run the web server as a user different from the default user "apache" (often "nobody" is used as well). The application runs over SSL using mod_ssl, and when accessing SSL-secured pages, errors like these would appear in the error log:
[Wed Nov 14 11:16:49 2007] [warn] (13)Permission denied: Failed to acquire SSL session cache lock
[Wed Nov 14 11:16:49 2007] [warn] (13)Permission denied: Failed to release SSL session cache lock
I checked the ssl configuration (which on CentOS 5 is at /etc/httpd/conf.d/ssl.conf) and found this section about the SSL session cache:
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
From looking at this, I could see that /var/cache/mod_ssl/scache is where Apache and mod_ssl are trying to store the session cache information. A quick ls -l of the appropriate directories revealed this:
# ls -l /var/cache/mod_ssl/scache
total 0
# ls -l /var/cache/mod_ssl
total 1
drwxr-xr-x 2 apache root 1024 Nov 9 17:02 scache
# ls -l /var/cache
total 6
...
drwx------ 3 apache root 1024 Nov 9 17:02 mod_ssl
...
So from looking at the directories we can see that the "apache" user is able to read and write to those directories but no one else can (other than root, of course). Because we were running the Apache web server as a different user, I needed to change the ownership of those directories to allow the web server to write to them, like so, using "foo" as the example username:
chown foo:root /var/cache/mod_ssl
chown foo:root /var/cache/mod_ssl/scache
This didn’t seem to fix the issue, because the error messages were still repeating in the error logs. However, a quick full restart of Apache as shown below appears to have fixed the problem:
/etc/init.d/httpd restart
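
To see in advance which session cache directories a non-default run-as user will be denied, the check below evaluates `ls -ld` output against a user name. It is an added example, not part of the original post: the function names are made up here, the sample listing is constructed from the output quoted above, and ACLs and SELinux are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed from
# the ssl.conf excerpt and directory listing quoted in the post.

# Print the shmcb cache path found in ssl.conf text on stdin. Commented-out
# directives are skipped and the "(size)" suffix is dropped.
cache_path() {
    sed -n 's/^[[:space:]]*SSLSessionCache[[:space:]]\{1,\}shmcb:\([^( ]*\).*/\1/p' | tail -n 1
}

# dir_writable_by '<ls -ld line>' user ['group1 group2']
# Succeeds if the owner/group/other mode bits give that user write and search
# permission on the directory. ACLs and SELinux are not evaluated.
dir_writable_by() (
    line=$1; user=$2; groups=" ${3:-} "
    set -f; set -- $line; set +f          # split the listing into fields
    mode=$1; owner=$3; group=$4
    [ "$user" = root ] && exit 0
    if [ "$owner" = "$user" ]; then cols=2-4
    else
        case $groups in
            *" $group "*) cols=5-7 ;;
            *) cols=8-10 ;;
        esac
    fi
    case $(printf '%s\n' "$mode" | cut -c"$cols") in
        ?w[xst]) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Read `ls -ld` lines on stdin; print each directory the user cannot write to.
blocked_dirs() {
    while IFS= read -r l; do
        dir_writable_by "$l" "$1" "${2:-}" || printf '%s\n' "${l##* }"
    done
}

# Constructed sample: the two directories as they appear in the post.
SAMPLE_LS='drwx------ 3 apache root 1024 Nov 9 17:02 /var/cache/mod_ssl
drwxr-xr-x 2 apache root 1024 Nov 9 17:02 /var/cache/mod_ssl/scache'

echo "cache path: $(echo 'SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)' | cache_path)"
echo "not writable by foo:"
printf '%s\n' "$SAMPLE_LS" | blocked_dirs foo
# Live system: ls -ld /var/cache/mod_ssl /var/cache/mod_ssl/scache | blocked_dirs foo "$(id -Gn foo)"
```

With the sample listing, both directories are reported for "foo" and none for "apache", which matches the permission-denied warnings seen before the chown.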