
I'm in the process of moving my website to another server, and after moving the SSL key and certs and recreating the same Apache config, I encounter the following in the error logs at the time of Apache service restart (domain anonymized):

[Sun May 24 22:21:05.579373 2015] [ssl:emerg] [pid 9777] AH02561: Failed to configure certificate 127.0.0.1:443:0, check /etc/ssl/certs/example.com.crt
[Sun May 24 22:21:05.579407 2015] [ssl:emerg] [pid 9777] SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
AH00016: Configuration Failed

It also prevents access on both :80 and :443. I've verified that the files are in the right spot and everything (SSL at least) is configured as it was on the old server. What am I missing here?

Here's a snippet from sites-available/default-ssl.conf (domain name anonymized):

SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/bundle.crt

New server specs: Debian 8 (old one had Debian 7), stock Apache 2.4.10.

Some more potential clues:

# openssl x509 -noout -modulus -in /etc/ssl/certs/example.com.crt | openssl md5
unable to load certificate
(stdin)= d41d8cd98f00b204e9800998ecf8427e
# openssl x509 -noout -modulus -in /etc/ssl/private/example.com.key | openssl md5
unable to load certificate
140331629921936:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
(stdin)= d41d8cd98f00b204e9800998ecf8427e
# file /etc/ssl/private/example.com.key
/etc/ssl/private/example.com.key: PEM RSA private key
# file /etc/ssl/certs/example.com.crt
/etc/ssl/certs/example.com.crt: PEM certificate
  • That's an unusual way to check the certificate. Try instead `openssl x509 -noout -text -in /etc/ssl/certs/example.com.crt | more`. – Jenny D May 25 '15 at 13:25
  • Is SELinux or AppArmor enabled on the server? If so, what are the rules for `/etc/ssl/certs`? – Jenny D May 25 '15 at 13:26
  • The certificate seems corrupt, according to the "unable to load certificate" message, despite the correct BEGIN CERTIFICATE line. The key should be checked with openssl rsa, and the error message provides a hint that the command you used expects a certificate not a key. – eel ghEEz Jun 28 '16 at 00:50

1 Answer


I had the same problem when going from a RHEL 6 host to a RHEL 8 host. Something in the SSL libraries must have gotten more strict and it turns out my certificate file had "DOS" format newlines. You can see those with "vi -b your.crt" and then one way to remove them from within vi/vim with the command:

:%s/<Ctrl-V><Ctrl-M>//g

Where <Ctrl-V> or <Ctrl-M> above are literally pressing the respective control key combo.

I'm not sure that was the problem though as the file also had a blank line just before the "END CERTIFICATE" line which I also removed as part of the work. Maybe that was the issue.

jblaine
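An added check for the two file defects this thread turns on (CRLF "DOS" line endings and a blank line inside the BEGIN/END block, both of which a stricter PEM parser rejects with "no start line" / "PEM lib" errors like the ones in the question). This is example code, not from the question or from jblaine's answer. The sample file it builds is constructed: its base64 body is not a real certificate, only the framing and line endings matter. A file that passes this check should still be validated with `openssl x509 -noout -text -in FILE` (and the key with `openssl rsa -noout -check -in FILE`), as the comments on the question suggest.

```shell
#!/bin/sh
# Example code (not from the question or the answer): detect and repair
# CRLF line endings and blank lines inside a PEM BEGIN/END block.

# pem_check FILE
#   exit status: 0 clean, 1 CR bytes present (DOS line endings),
#   2 blank line inside a BEGIN/END block, 3 no "-----BEGIN" line at all
pem_check() {
    f="$1"
    grep -q -e '-----BEGIN ' "$f" || return 3
    # tr -cd keeps only carriage-return bytes; wc -c counts them
    crs=$(( $(tr -cd '\r' < "$f" | wc -c) ))
    [ "$crs" -eq 0 ] || return 1
    # awk exits non-zero if a blank line sits between BEGIN and END
    awk '
        /^-----BEGIN /            { inblk = 1; next }
        /^-----END /              { inblk = 0; next }
        inblk && /^[[:space:]]*$/ { bad = 1 }
        END                       { exit bad }
    ' "$f" || return 2
    return 0
}

# pem_normalize IN OUT
#   strips CR bytes and drops blank lines inside BEGIN/END blocks,
#   leaving everything else (including text outside the blocks) intact
pem_normalize() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN /            { inblk = 1; print; next }
        /^-----END /              { inblk = 0; print; next }
        inblk && /^[[:space:]]*$/ { next }
                                  { print }
    ' > "$2"
}

# --- demonstration on a constructed sample (not a real certificate) ---
tmp=$(mktemp -d)
# CRLF endings plus a blank line just before END, as described in the answer
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBfakeBodyNotARealCertificate0' 'QmFzZTY0Ym9keQ==' '' \
    '-----END CERTIFICATE-----' > "$tmp/dos.crt"

rc=0; pem_check "$tmp/dos.crt" || rc=$?
echo "before normalize: rc=$rc"      # rc=1 (CR bytes found first)

pem_normalize "$tmp/dos.crt" "$tmp/clean.crt"
rc=0; pem_check "$tmp/clean.crt" || rc=$?
echo "after normalize:  rc=$rc"      # rc=0

rm -rf "$tmp"
```

Run `pem_check /etc/ssl/certs/example.com.crt` on the copied files; a non-zero status points at the defect class, and `pem_normalize` writes a cleaned copy rather than editing the original in place, so the old file can be diffed against the new one before it is installed.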