Apache/Tomcat install on Monterey on M1 MacBookPro, and code signing

Apache install is proving very problematic on the latest MacBook Pro. I use Tomcat, which communicates with Apache using a very well-known module called jk_module (file name mod_jk.so).

Until Monterey, by using csrutil you could turn off SIP and simply copy mod_jk into the same folder as all the other modules, but SIP no longer allows you to do this. Now your only choice is to place it in a writeable folder. So it now sits at /usr/local/libexec/apache2/mod_jk.so all by itself, and in httpd.conf I tell LoadModule where to find it.

Problem (NOT solved): Apache won't start. And there is no log of any kind to give you a clue as to what is happening. There is nothing in system.log, and apache2/error.log hasn't even been created! After a day being mystified by this, I rediscovered apachectl -t, which I had forgotten about, which checks httpd.conf for you. And there at last I was told that I must code sign mod_jk.so, even though it is a piece of software that everybody knows and I didn't create.

Should be a piece of cake code signing a file, right? Unfortunately not. After two days of trying, all I ever manage to get is: "internal error in Code Signing subsystem".

In my travels into every corner of Google I found a couple of very detailed pages showing how to create your own Certificate Authority and then a Code Signing Certificate. Here is one of those links: https://www.simplified.guide/macos/apache-php-homebrew-codesign. Again all I ever got were error messages.

I then thought, well I'm an Apple paid-up developer, surely I should be using the Developer certificate which I use to sign my apps instead of creating an authority and a certificate ad hoc.

So I ran the following command to sign my file: codesign -d --verbose -s "Apple Development: A. Malcolm Warren (FV8Y5HRUQ8)" --force --keychain ~/Library/Keychains/login.keychain-db /usr/local/libexec/apache2/mod_jk.so

The answer is always: "internal error in Code Signing subsystem"

I have installed two intermediate "Apple Worldwide Developer Relations Certification Authority" certificates in my keychain - one of which expires in 2023, and the other in 2030, which I read about somewhere here in developer.apple.com.

Where do I go from here? How can I get this file code signed?

Try signing in a different location like ~/Downloads/ then copy back to /usr/local/libexec/apache2/

codesign --verbose --sign "Apple Development: A. Malcolm Warren (FV8Y5HRUQ8)" ~/Downloads/mod_jk.so

Then update your apache config to include an authority on LoadModule:

LoadModule jk_module /usr/local/libexec/apache2/mod_jk.so "Apple Development: A. Malcolm Warren (FV8Y5HRUQ8)"

sudo apachectl configtest should then show something like:

AH06662: Allowing module loading process to continue for module at /usr/local/libexec/apache2/mod_jk.so because module signature matches authority "Apple Development: A. Malcolm Warren (FV8Y5HRUQ8)" specified in LoadModule directive
Accepted Answer
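
The accepted answer's procedure as a script, added here as an example and not code from the thread: it stages the module under $HOME, signs and verifies it, checks that the signature's authority matches the string intended for LoadModule, then copies it back and runs the config test. The function name, the staging directory name and the identity in the usage comment are assumptions, and the identity must be passed as the full certificate name.

```bash
#!/bin/bash
# Added example, not from the thread. The identity and both paths are placeholders.
# Usage:
#   sign_and_install_module "Apple Development: Your Name (TEAMID)" \
#       ./mod_jk.so /usr/local/libexec/apache2/mod_jk.so

sign_and_install_module() {
    identity="$1"   # full certificate name, as it will appear in LoadModule
    src="$2"        # unsigned module
    dest="$3"       # path that LoadModule points at

    # Stage under $HOME: the thread resolved the codesign error by signing
    # in the home folder instead of in the install directory.
    stage=$(mktemp -d "$HOME/modsign.XXXXXX") || return 1
    staged="$stage/$(basename "$src")"
    cp "$src" "$staged" || return 1

    # --force replaces any signature the file already carries.
    codesign --force --verbose --sign "$identity" "$staged" || return 2

    # Confirm the signature validates before touching the install path.
    codesign --verify --verbose "$staged" || return 3

    # "codesign -d --verbose=2" lists the certificate chain as Authority=...
    # lines on stderr; one of them must equal the LoadModule authority string.
    if ! codesign -d --verbose=2 "$staged" 2>&1 |
            grep -Fxq "Authority=$identity"; then
        echo "no Authority line equals: $identity" >&2
        return 4
    fi

    sudo cp "$staged" "$dest" || return 5
    rm -rf "$stage"
    sudo apachectl configtest
}
```

On a failure the staging directory is left in place so the staged file can be inspected.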

Placing the module in the Documents folder in my home folder for signing has solved this problem! And apachectl is happy if I run the config test (after placing the signed module back in its place).

Apache still doesn't start, but that's another problem; this one has been solved. Thank you so much for your help.

I have since installed Apache successfully, so for anybody else who's having problems with Apache: although this post shows how to properly sign a file with a developer certificate, in actual fact it's pointless for Apache.

The secret of installing Apache on M1 is to start from scratch with a new installation using either MacPorts or Brew. Installations that have been done on your previous Macs and copied onto your new M1 will only give you big problems, because the installation will be on a part of your file system that has been protected by SIP, which is impossible to work with. Apache installs from MacPorts or Brew, by contrast, are installed on read/write parts of your file system and are freely configurable. You will still find a few problems on the way, but they are definitely surmountable, and signing mod_jk.so will not be necessary.

If anyone is interested, I have detailed everything I did to get Apache installed in a Stack Overflow post: https://stackoverflow.com/questions/70283661/how-do-i-compile-tomcat-mod-jk-on-a-macbook-pro-m1-chip/70852729#70852729
