Debian – SSL Configuration failed in Apache after moving keys/certs to another machine

apache-2.4debianmod-sslsslssl-certificate

I'm in the process of moving my website to another server, and after moving the SSL key and certs and recreating the same Apache config, I encounter the following in the error logs at the time of Apache servie restart (domain anonymized):

[Sun May 24 22:21:05.579373 2015] [ssl:emerg] [pid 9777] AH02561: Failed to configure certificate 127.0.0.1:443:0, check /etc/ssl/certs/example.com.crt
[Sun May 24 22:21:05.579407 2015] [ssl:emerg] [pid 9777] SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
AH00016: Configuration Failed

It also prevents access on both :80 and :443. I've verified that the files are in the right spot and everything (SSL at least) is configured as it was on the old server. What am I missing here?

Here's a snippet from sites-available/default-ssl.conf (domain name anonymized):

SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/bundle.crt

New server specs: Debian 8 (old one had Debian 7), stock Apache 2.4.10.

Some more potential clues:

# openssl x509 -noout -modulus -in /etc/ssl/certs/example.com.crt | openssl md5
unable to load certificate
(stdin)= d41d8cd98f00b204e9800998ecf8427e
# openssl x509 -noout -modulus -in /etc/ssl/private/example.com.key | openssl md5
unable to load certificate
140331629921936:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
(stdin)= d41d8cd98f00b204e9800998ecf8427e
# file /etc/ssl/private/example.com.key
/etc/ssl/private/example.com.key: PEM RSA private key
# file /etc/ssl/certs/example.com.crt
/etc/ssl/certs/example.com.crt: PEM certificate

Best Answer

I had the same problem when going from a RHEL 6 host to a RHEL 8 host. Something in the SSL libraries must have gotten more strict and it turns out my certificate file had "DOS" format newlines. You can see those with "vi -b your.crt" and then one way to remove them from within vi/vim with the command:

:%s/<Ctrl-V><Ctrl-M//g

Where or above are literally pressing the respective control key combo.

I'm not sure that was the problem though as the file also had a blank line just before the "END CERTIFICATE" line which I also removed as part of the work. Maybe that was the issue.

Related Solutions

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Ssl – In Stud, which Private RSA Key should be concatenated in the x509 SSL certificate pem file to avoid “self-signed” browser warning

SSL X509 certificate file is a file containing a certificate in the format specified by the ITU in their X series of specifications - specifically x.509. There is no private-key information there as it is a certificate format so things like names, public keys, signatures, validity dates and other goodies go in there - but not private-keys.

PEM is a set of specifications for Privacy Enhanced Mail - it offers for the most part packaging standards that are build off of the PKCS specs (PKCS specs were developed by RSA and RSA labs themselves for public use to enable interoperability between various implementations - this was done again by the IETF and by the community in other arenas). You can use openssl to convert formats around - see here http://www.openssl.org/docs/apps/openssl.html . Concatenation won't help you any.

If the certificate is self-signed then it's kind of odd that a CA gave it to you - that makes me think that you are telling about feeding the Gandi CA certificate to openssl which is telling you that cert is self signed (ergo it is a root or end entity certificate but certainly not an intermediate aka chain certificate).

To address some of your points: 1 Self signed certs will always generate warnings in good clients because they lack trust until the user decides they are trustworthy (or for most users.. until Microsoft , Mozilla Foundation, Google, or Opera) decides the user should trust that CA). If your clients (browsers or whatever) have the CA stored and marked as trusted then this warning won't pop-up. 2 Possibly 3 Looks like you used the right key and CSR with Gandi 4 Looks to me like you need to load the domain key and cert and possibly CA into OpenSSL either via OS level trust configuration or via Stud configuration.

Best Answer

Related Solutions

SSL Error – Unable to Read Server Certificate from File

Ssl – In Stud, which Private RSA Key should be concatenated in the x509 SSL certificate pem file to avoid “self-signed” browser warning

Related Topic