IBM Support

QRadar: HTTPD service failed due to error "Multiple RSA server certificates not allowed"

Troubleshooting


Problem

The HTTPD service is in a failed state and the UI is inaccessible because more than one certificate is present in the /etc/httpd/conf/certs directory.

Cause

There is more than one certificate present in the /etc/httpd/conf/certs directory.

Diagnosing The Problem

If the HTTPD service is in a failed state, search the logs for this error:

grep -i "Multiple RSA server certificates not allowed" /var/log/qradar.log
[Mon Mar 21 16:12:47.461152 2022] [ssl:emerg] [pid 18470] <HOSTNAME>: Init: Multiple RSA server certificates not allowed
[Mon Mar 21 16:12:47.461169 2022] [ssl:emerg] [pid 18470] <HOSTNAME>: Fatal error initialising mod_ssl, exiting.

If the command returns output, follow the steps in Resolving The Problem.

Resolving The Problem

  1. Verify whether there is only 1 .crt file present in the /etc/httpd/conf/certs directory:
    ls -la /etc/httpd/conf/certs/
  2. If the directory includes more than one .crt file, rename or move the unused certificate files. Select one of the following:
    mv /etc/httpd/conf/certs/<any_name>.crt /etc/httpd/conf/certs/<any_name>.crt_back
    OR
    mkdir /root/backup.certs/
    mv /etc/httpd/conf/certs/<any_name>.crt /root/backup.certs/
  3. To restart the Tomcat service, type:
    systemctl restart tomcat
    Note: Restarting Tomcat on the QRadar Console logs out users, halts event exports in progress, and can cause scheduled reports to not start until the service is running. Administrators with change control might need a maintenance window before restarting Tomcat.
  4. Check the HTTPD and Tomcat service status; both services should be in an active state:
    systemctl status tomcat
    systemctl status httpd
  5. Test the Tomcat connection status; it should show the status as Connected to tomcat:
    /opt/qradar/bin/test_tomcat_connection.sh
    Note: Tomcat takes some time to start. After the command shows the status as connected, you can connect to the QRadar GUI and verify whether other functions are working as expected. This procedure does not apply to QRadar on Cloud.
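
The check in steps 1 and 2 as a script (an added example, not part of the IBM procedure; the function names are hypothetical). It lists each .crt file with its subject, expiry date and SHA-256 fingerprint so the unused file can be identified, and its exit status reports whether the directory holds exactly one .crt file:

```shell
#!/usr/bin/env bash
# Added example: audit a certificate directory before restarting services.
# Usage: ./check_certs.sh /etc/httpd/conf/certs   (script name is hypothetical)

# Print one .crt path per line (regular files only, no recursion).
# Files renamed to .crt_back, as in step 2, are not matched.
list_crt() {
    find "$1" -maxdepth 1 -type f -name '*.crt' 2>/dev/null | sort
}

# Print the number of .crt files in the directory.
count_crt() {
    list_crt "$1" | grep -c . || true
}

# Print subject, expiry and SHA-256 fingerprint of one certificate file.
describe_crt() {
    if command -v openssl >/dev/null 2>&1 &&
       openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256 2>/dev/null; then
        return 0
    fi
    echo "  (not readable as a PEM X.509 certificate)"
}

# Exit status: 0 = exactly one .crt file, 1 = more than one
# (the condition this technote describes), 2 = none.
check_cert_dir() {
    local dir="$1" n f
    n=$(count_crt "$dir")
    list_crt "$dir" | while IFS= read -r f; do
        echo "$f"
        describe_crt "$f"
    done
    case "$n" in
        1) echo "OK: one .crt file in $dir"; return 0 ;;
        0) echo "WARN: no .crt file in $dir"; return 2 ;;
        *) echo "FAIL: $n .crt files in $dir; move the unused ones out before restarting"
           return 1 ;;
    esac
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_cert_dir "$1"
fi
```
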

Results

After the connection test completes successfully, you can log back in to QRadar. Administrators might need to manually run reports that were scheduled to start during the Tomcat outage. If users had an event export running, they can run the search again and export the results from the user interface. If the issue persists or the UI is still inaccessible, contact Support for a possible workaround: https://www.ibm.com/mysupport

Document Location

Worldwide

Document Information

Modified date:
21 July 2022

UID

ibm16590417