Centos – Why do apache SSL certificate and key need to be in /etc/pki/tls/private/

apache-2.2centosssl-certificate

I have an Apache 2.2 web server running on CentOS 6.6. I have a certificate and key file that functions when the files are in this directory:

SSLCertificateFile "/etc/pki/tls/private/certs/mycert.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/mycert.key"

but it fails when the same files are in a different directory

drwxr-xr-x. 2 root root 4096 Apr  8 16:41 ssl

SSLCertificateFile "/etc/ssl/mycert.crt"
SSLCertificateKeyFile "/etc/ssl/mycert.key"

The apache error logs contain

[error] Init: Private key not found

SELinux is disabled. What would cause behavior like this?

UPDATE

The permissions for the files are the same in both directories:

-rw-r--r--  1 root root 2253 Apr  8 16:40 mycert.crt
-rw-------  1 root root 1675 Apr  8 16:40 mycert.key

Best Answer

apache runs under apache user, not root, and you limited acces to root user only maybe? So try "chown apache /etc/ssl/mycert.key". It is very obvious, but you did not mention it, so just suggesting.

Related Solutions

Cannot start httpd service with SSL

Run the httpd binary manually with the debug-loglevel to see if you can get any more information from it.

httpd -e debug

How to combine various certificates into single .pem

The order does matter, according to RFC 4346.

Here is a quote directly taken from the RFC:

  certificate_list
    This is a sequence (chain) of X.509v3 certificates.  The sender's
    certificate must come first in the list.  Each following
    certificate must directly certify the one preceding it.  Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority may optionally be omitted from the chain,
    under the assumption that the remote end must already possess it
    in order to validate it in any case.

Based on this information, the server certificate should come first, followed by any intermediate certs, and finally the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.

 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----

Best Answer

Related Solutions

Cannot start httpd service with SSL

How to combine various certificates into single .pem

Related Topic