Aria Operations Displays "Failed to start the Apache HTTP Server." On the Console Screen During Boot

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

During the upgrade of Aria Operations to version 8.14 or higher, the appliance VM is rebooted but neither the Admin UI or Product UI become available again after the reboot. During the boot process of the appliance, a message is seen stating "[FAILED] Failed to start the Apache HTTP Server."

Environment

Aria Operations 8.10 upgrading to 8.14

Cause

The "[FAILED] Failed to start the Apache HTTP Server." error during appliance boot can be caused by the presence of the SSLFIPS on directive within the httpd.conf configuration file for the Apache HTTP Server in VMware Aria Operations 8.14 and higher. To verify if the issue is present, use the following steps.

Log in to the primary node as root via SSH or Console

Run the command:

grep "SSLFIPS on" /etc/httpd/conf/httpd.conf

If the command returns SSLFIPS on, continue to the steps in the Resolution section below.
In case of no results, repeat steps 1 and 2 on all analytic nodes (primary replica or data) in the Aria Operations cluster.
When no results on all nodes, the issue could be a bug which is resolved in 8.14.1 where the upgrade hangs and produces the same error. Refer: Aria Operations 8.14.1 fix list (324354)

Resolution

To successfully upgrade the Aria Operations cluster to version 8.14 or higher, the SSLFIPS on directive must be removed from the httpd.conf configuration file for the Apache HTTP Server prior to the upgrade attempt using the steps below:

Revert all nodes in the Aria Operations cluster to the snapshot that was taken prior to the upgrade attempt.

Note: If the pre-upgrade snapshots are no longer available, restore all nodes in the Aria Operations cluster including cloud proxies from an existing backup that was taken before the upgrade was attempted.
Power on all the Aria Operations appliances using the sequence from the Bringing Nodes Online section for the cluster type as detailed in Shutdown and Startup sequence for Aria Operations cluster (341964)
Log in to the primary node as root via SSH or Console
Remove the SSLFIPS on directive from the httpd.conf configuration file using the command:
```
sed -i 's/SSLFIPS on//' /etc/httpd/conf/httpd.conf
```
Restart the Apache HTTP Server with the command:
```
systemctl restart httpd
```
Repeat steps 3 through 5 on all analytic nodes (primary replica and data) in the Aria Operations cluster.
Use the steps from Install a Software Update to complete the upgrade of the Aria Operations cluster to version 8.14 or higher.

Note: To enable FIPS 140-2 mode in Aria Operations, use the steps from Activating FIPS 140-2

If issue doesn't get resolved by above mentioned steps, then follow below:

Go to /usr/lib/vmware-vcopssuite/utilities/conf directory in primary node.
Open the file using cat vcops-apache.conf command and check if TLS version entry is correct or not.

Sample content below:

   SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM- SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
   # Enable all available TLS flavours, disable SSLv2, SSLv3, and TLSv1
   # Until openssl and httpd are upgraded, TLSv1.1 and TLSv1.2 cannot be added here.  This subtractive method will allow the newer TLS protocols when available.

      SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   SSLHonorCipherOrder on
   TraceEnable off

   ExpiresActive On

Refer: Verify the Correct Use of Protocols in Apache HTTPD

3. Restart Apache service using systemctl restart httpd command.

4. Repeat above steps on all nodes.

Note: If all the above steps don't resolve the issue, please upgrade to 8.14.1, following the usual upgrade process.