
I'm trying to setup SSL on fedora with apache.

In my vhost...

SSLCertificateFile /your/path/to/crt.crt
SSLCertificateKeyFile /your/path/to/key.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt

I had it working fine with a self signed key, but can't get it to work with the DigiCertCA crt.

When I run

service httpd restart

It fails to start. This is what I get in the logs...

[Sat Jan 29 07:57:13 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suex$
[Sat Jan 29 07:57:13 2011] [error] Failed to configure CA certificate chain!

Any assistance would be really appreciated!

BenMorel
kron

5 Answers

Make sure there are no missing certificates in the chain; in the SSLCertificateChainFile there should be all the certificates in order, from the CA first and then down to any intermediate certificate that was used to sign your CRT, otherwise you'll get the error.

If you don't have any intermediate certificates (looking at the DigiCert page it looks like there are none: http://www.digicert.com/ssl-certificate-installation-apache-ensim.htm) you should use SSLCACertificateFile instead.

lynxman
  • I don't know who downvoted you, this is entirely valid - the instructions even tell you to use SSLCACertificateFile. –  Jan 29 '11 at 15:29
  • Thanks. Turns out it was just that there was an 'X' at the bottom of one of the crt files (which I had accidentally put in the file when pressing ctrl+x to close the file). Answer accepted for just checking the chain properly. – kron Jan 29 '11 at 15:56
  • If you think you copied and pasted correctly, double check for white space. For example, copying from the Verisign/Symantec help page https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1409 results in two extra spaces on each line. – Daniel Sokolowski Dec 15 '12 at 05:45
  • "CA first" sounds vague. The Apache documentation says that the chain "starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate" https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile A script in the comment shows all certificates of the chain, https://kdecherf.com/blog/2015/04/10/show-the-certificate-chain-of-a-local-x509-file/#comment-2707447770 – eel ghEEz Jun 28 '16 at 01:20

An update to an old thread...

I just had this happen when I created a CA chain file by cat-ing the intermediate & root .crt files together into a new .ca-bundle file; the issue was that the first of the cert files didn't end with a newline, so its "END" line and the next one's "BEGIN" line were joined together, like

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

I just edited the file and put the newline in, giving:

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

And then it worked.

Diamond
Paul
  • Good catch and useful caveat. You could use the editor to put the text fragments into "code blocks". – Dan Garthwaite Mar 17 '16 at 14:03
  • Oh my god, this was what my problem was and I wasn't even using a bundle, just had to put a space before end cert. Same cert worked on a Windows box but not linux. Thanks – Ben Brocka May 09 '19 at 18:15
  • Copied and pasted from Windows into Linux vi, and ended up with this problem in the chain cert. Great addition to the answers! – Hugh Wood Feb 12 '20 at 22:08
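The two answers above (check the chain file, and watch for a missing newline between concatenated certificates) and the comments about stray characters and pasted whitespace all come down to the same thing: the PEM bundle handed to SSLCertificateChainFile is not framed correctly, and mod_ssl reports "Failed to configure CA certificate chain!" without saying which line is wrong. The following script is an added example, not code from the thread or from Apache; it is a small PEM framing linter that reports exactly those defects (stray text outside a block, joined END/BEGIN markers, leading or trailing whitespace, non-base64 characters in a body, a missing final newline, an unterminated block). The embedded bundle is constructed with dummy bodies so it can run offline; on a real file, run it as `python pemlint.py /path/to/chain.crt`. It does not verify signatures or issuer ordering, only the text framing that was at fault in these answers.

```python
#!/usr/bin/env python3
"""Lint the text framing of a PEM certificate bundle (added example, not from the thread)."""
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+=*")

# Constructed sample bundle. The base64 bodies are dummies; the defects are the
# ones described in the answers: a stray 'X' line after the first cert, pasted
# whitespace around a body line, an END marker run together with the next
# BEGIN marker, and no newline at the end of the file.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUAAAA\n"
    "-----END CERTIFICATE-----\n"
    "X\n"
    "-----BEGIN CERTIFICATE-----\n"
    "  MIIBszCCAVmgAwIBAgIUBBBB  \n"
    "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUCCCC\n"
    "-----END CERTIFICATE-----"
)

# Constructed clean bundle for comparison.
CLEAN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUBBBB\n-----END CERTIFICATE-----\n"
)


def lint_pem_bundle(text):
    """Return (number_of_certificate_blocks, list_of_findings) for a PEM bundle.

    Findings are human-readable strings with 1-based line numbers. A well-formed
    bundle returns an empty list.
    """
    findings = []
    if not text.endswith("\n"):
        findings.append("file does not end with a newline")

    in_block = False   # True while inside BEGIN ... END
    count = 0          # completed certificate blocks seen
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line != raw:
            findings.append(f"line {n}: leading/trailing whitespace")
        if not line:
            continue  # blank lines between blocks are harmless

        # Missing newline between concatenated files joins the two markers.
        if BEGIN in line and END in line:
            findings.append(f"line {n}: END and BEGIN markers joined on one line (missing newline)")
            if in_block:
                count += 1          # the END half closes the open block
            in_block = True         # the BEGIN half opens the next one
            extra = line.replace(END, "").replace(BEGIN, "")
            if extra:
                findings.append(f"line {n}: stray text {extra!r} on marker line")
            continue

        if line.startswith("-----BEGIN"):
            if line != BEGIN:
                findings.append(f"line {n}: malformed BEGIN marker {line!r}")
            if in_block:
                findings.append(f"line {n}: BEGIN inside an unterminated block")
            in_block = True
        elif line.startswith("-----END"):
            if line != END:
                findings.append(f"line {n}: malformed END marker {line!r}")
            if in_block:
                count += 1
            else:
                findings.append(f"line {n}: END without a preceding BEGIN")
            in_block = False
        elif in_block:
            if not BASE64_LINE.fullmatch(line):
                findings.append(f"line {n}: non-base64 character in certificate body")
        else:
            # e.g. the 'X' left behind by an editor keystroke
            findings.append(f"line {n}: stray text outside any certificate block: {line!r}")

    if in_block:
        findings.append("last certificate block is not terminated")
    return count, findings


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_BUNDLE
    count, findings = lint_pem_bundle(text)
    print(f"{count} certificate block(s)")
    for f in findings:
        print("  " + f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the linter counts three blocks and reports four findings (no trailing newline, the stray `X` on line 4, whitespace on line 6, and the joined markers on line 7), which is the information mod_ssl's one-line error leaves out.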

The fix above may be useful, but for me the fix was this:

http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/

In case the link goes:

The format in this case is p7b (PKCS #7); to use the certificate with Apache you're going to have to convert this.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Within the resulting .cer file you will find your X.509 certificate bundled with the relevant CA certificates; break these out into your relevant .crt and ca.crt files and load them as normal into Apache.

Nissan Fan

Well this was originally a comment to @lynxman but it was too long.

I just had this issue using Let's Encrypt cert with Arch Linux. Upon booting after the first restart in a couple months the httpd service failed with this error:

 AH01903: Failed to configure CA certificate chain!

First I tried renewing the certificate since it's easy and free. My SSLCertificateChainFile then had one cert listed instead of two (?). So I commented that line out:

#SSLCertificateChainFile "/etc/letsencrypt/live/mywebsite.com/chain.pem"

Voila! It started up fine. ¯\_(ツ)_/¯

EEAA
Nick

I had a similar issue when I copied the DigiCert intermediate certificate: while saving the cert I mistakenly entered some characters in the cert file and I couldn't restart Apache, but when I removed the characters and restarted the server it worked.