Apache SSL error : Unable to read server certificate from file

Question

I am getting an Apache error while server startup. The error reads:

[error] Init: Unable to read server certificate from file /etc/pki/tls/certs/ca-bundle.trust.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

I have done some basic sanity checks like -

1. comparing mod of private and public key. It matches perfectly

2. Also, ran dos2unix on crt file

   openssl x509 -noout -modulus -in /etc/pki/tls/certs/ca-bundle.trust.crt | openssl md5

   openssl rsa -noout -modulus -in /etc/pki/tls/private/servername00.key | openssl md5

Any suggestions? what could be the root cause?

For reference: here is my conf.d/app.conf file and server version is Apache/2.2.15 (Unix)

<Directory "/path/to/app/source/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost *:80>
 ServerName servername.com
 # Trailing slash is important
 Redirect / https://servername.com/
</VirtualHost>
<VirtualHost *:443>
  ServerAdmin myemailaddresss@domain.com
  DocumentRoot  /path/to/app/source/html
  ServerName servername

  #SSLEngine on
  # Update the path with the location of your new cert and key
  SSLCertificateFile /etc/pki/tls/certs/ca-bundle.trust.crt
  SSLCertificateKeyFile /etc/pki/tls/private/servername.key

  ErrorLog logs/appname-80-error_log
  CustomLog logs/appname-80-access_log common

  Header always set Access-Control-Allow-Origin "*"

  # Rewrite hostname to FQN
  RewriteEngine on
  RewriteCond %{HTTP_HOST}   !^servername\.com [NC]
  RewriteCond %{HTTP_HOST}   !^$
  RewriteRule ^/(.*)         https://servername.com/$1 [L,R]

</VirtualHost>

Answer 1

The extracted certificate had "Begin Trusted Certificate" as header. It needed to be "Begin Certificate."

Please note that there are two files at /etc/pki/tls/certs/ -

1. ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
2. ca-bundle.trust.crt

I made the mistake of referring to ca-bundle.trust.crt instead of ca-bundle.crt.

Source - https://manned.org/update-ca-trust/e1b1e94d

/etc/pki/tls/certs/ca-bundle.crt Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. If compatible CA trust replacements are disabled, this is a static file and will remain unchanged. Only if compatible CA trust replacements are enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

/etc/pki/tls/certs/ca-bundle.trust.crt Legacy filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. If compatible CA trust replacements are disabled, this is a static file and will remain unchanged. Only if compatible CA trust replacements are enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

Alternatively,

sed -i 's/BEGIN TRUSTED CERTIFICATE/BEGIN CERTIFICATE/g' /etc/pki/tls/certs/ca-bundle.trust.crt
sed -i 's/END TRUSTED CERTIFICATE/END CERTIFICATE/g' /etc/pki/tls/certs/ca-bundle.trust.crt