SSL Configuration Issues – How to Fix SSL Certificate Configuration Problems on Ubuntu 20.04


I have a self-hosted Lubuntu server on my LAN which has some services useful for my network (a WordPress in /var/www/html, an ownCloud, and a Flask app). The problem is that some days ago I installed a self-signed SSL certificate which worked perfectly, but now I have the following error:

[Tue Nov 24 10:52:43.773996 2020] [mpm_prefork:notice] [pid 3684] AH00169: caught SIGTERM, shutting down
[Tue Nov 24 10:52:44.050510 2020] [ssl:warn] [pid 3787] AH01906: server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 24 10:52:44.051147 2020] [ssl:error] [pid 3787] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject:,,OU=G5fighter IT,O=G5fighter Inc,L=Madrid,ST=Madrid,C=ES / issuer:,,OU=G5fighter IT,O=G5fighter Inc,L=Madrid,ST=Madrid,C=ES / serial: 54E9B9F567EDAB3274DD84A4A9ADE65D9A040B9F / notbefore: Nov 23 17:47:08 2020 GMT / notafter: Nov 23 17:47:08 2021 GMT]
[Tue Nov 24 10:52:44.051183 2020] [ssl:error] [pid 3787] AH02604: Unable to configure certificate for stapling
[Tue Nov 24 10:52:44.156461 2020] [ssl:warn] [pid 3798] AH01906: server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 24 10:52:44.157050 2020] [ssl:error] [pid 3798] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject:,,OU=G5fighter IT,O=G5fighter Inc,L=Madrid,ST=Madrid,C=ES / issuer:,,OU=G5fighter IT,O=G5fighter Inc,L=Madrid,ST=Madrid,C=ES / serial: 54E9B9F567EDAB3274DD84A4A9ADE65D9A040B9F / notbefore: Nov 23 17:47:08 2020 GMT / notafter: Nov 23 17:47:08 2021 GMT]
[Tue Nov 24 10:52:44.157086 2020] [ssl:error] [pid 3798] AH02604: Unable to configure certificate for stapling
[Tue Nov 24 10:52:44.191002 2020] [mpm_prefork:notice] [pid 3798] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/2.7 configured -- resuming normal operations
[Tue Nov 24 10:52:44.191095 2020] [core:notice] [pid 3798] AH00094: Command line: '/usr/sbin/apache2'

These are my config files:


<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        Redirect /

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/html/>
            AllowOverride All
            Require all granted
        </Directory>
</VirtualHost>


<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                DocumentRoot /var/www/html
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
                <Directory /var/www>
                                AllowOverride All
                                Require all granted
                </Directory>
        </VirtualHost>
</IfModule>


I can access my server without problems directly via its IP, but not via the domain. Any ideas? Thanks in advance.

After adding to my default-ssl.conf the following line:

SSLUseStapling off

It solves that error:

[Tue Nov 24 17:06:00.072579 2020] [mpm_prefork:notice] [pid 8938] AH00169: caught SIGTERM, shutting down
[Tue Nov 24 17:06:00.334836 2020] [ssl:warn] [pid 9005] AH01906: server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 24 17:06:00.461929 2020] [ssl:warn] [pid 9019] AH01906: server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 24 17:06:00.507795 2020] [mpm_prefork:notice] [pid 9019] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/2.7 configured -- resuming normal operations
[Tue Nov 24 17:06:00.516896 2020] [core:notice] [pid 9019] AH00094: Command line: '/usr/sbin/apache2'

Best Answer

Looks like you have OCSP stapling enabled.

Check the rest of your Apache config for the SSLUseStapling directive and disable it if it is enabled.
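
The check the answer describes, as an added example that is not part of the original post: it lists every active SSLUseStapling directive under a config directory and uses the subject and issuer fields of an AH02217 log entry to tell whether the certificate is self-signed, in which case there is no issuer certificate for stapling to retrieve. The function names, the `ssl-params.conf` file name and the sample lines are constructed; on a real host point the functions at `/etc/apache2` and the Apache error log.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and sample lines are constructed.

# Print file:line:text for every active (non-commented) SSLUseStapling
# directive under a config directory. Directive names are case-insensitive.
find_stapling() {
    grep -rniE '^[[:space:]]*SSLUseStapling[[:space:]]+' "$1" 2>/dev/null
}

# Succeed if any of those directives switches stapling on.
stapling_enabled() {
    find_stapling "$1" | grep -qiE 'SSLUseStapling[[:space:]]+on[[:space:]]*$'
}

# For each AH02217 entry in an error log, compare the subject and issuer
# fields: identical means self-signed, so no issuer certificate exists.
classify_ah02217() {
    awk '/AH02217/ {
        s = $0; sub(/.*\[subject:/, "", s); sub(/ \/ issuer:.*/, "", s)
        i = $0; sub(/.*\/ issuer:/, "", i); sub(/ \/ serial:.*/, "", i)
        print (s == i ? "self-signed" : "ca-issued")
    }' "$1" | sort -u
}

# Constructed demo tree standing in for /etc/apache2 and its error log.
demo=$(mktemp -d)
mkdir -p "$demo/conf-enabled" "$demo/sites-enabled"
printf '%s\n' '# SSLUseStapling off' 'SSLUseStapling on' \
    > "$demo/conf-enabled/ssl-params.conf"      # hypothetical file name
printf '%s\n' 'SSLEngine on' > "$demo/sites-enabled/default-ssl.conf"
printf '%s\n' "[ssl:error] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject:CN=lan.example / issuer:CN=lan.example / serial: 01]" \
    > "$demo/error.log"

find_stapling "$demo"
if stapling_enabled "$demo"; then echo "stapling: on"; fi
echo "certificate: $(classify_ah02217 "$demo/error.log")"
```

The commented-out `# SSLUseStapling off` line is ignored, so only the directive Apache actually reads is reported.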