“Server should be SSL-aware but has no certificate configured”

apache-2.4mod-ssl

Ubuntu 14.04 Apache 2.4.7 w/mod_ssl

I'm trying to install a (single) domain certificate. For some reason, apache does not accept it and refuses to start if the related website is enabled. Despite heavy googling, I can't make sense of the error messages. Why does it says that there are no certificate configured? It's set in the virtualhost, and it points to the crt file in the right location.

Error_log

[Tue May 19 18:11:08.123857 2015] [ssl:emerg] [pid 10040:tid 140146576725888] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue May 19 18:11:08.123894 2015] [ssl:emerg] [pid 10040:tid 140146576725888] AH02312: Fatal error initialising mod_ssl, exiting.

What I have tried:

doublechecked virtualhost syntax and path to certificate and key
doublechecked certificate are chmoded 644 and key is chmoded 600
doublechecked certificate is valid. Redownloaded from my provider. Opened it in editor

Here is the virtualhost

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName www.domain.tld
        RedirectMatch (.*) https://domain.tld$1
    </VirtualHost>

    <VirtualHost _default_:443>
        ServerAdmin admin@localhost
        ServerName domain.tld
        DocumentRoot /home/user/www/domain.tld/public

        # SSL CERTIFICATES

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/domain.tld.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
        SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
        SSLVerifyClient None
        # SSLProtocol all -SSLv2 -SSLv3

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


        <Directory /home/user/www/domain.tld/public>
            Require all granted
        </Directory>

        LogLevel error
        ErrorLog ${APACHE_LOG_DIR}/user-eu-error.log
        CustomLog ${APACHE_LOG_DIR}/user-eu-access.log combined

        ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/home/user/www/domain.tld/public/$1

        ErrorDocument 404 /missing.php

        # Mod_status
        <location /server-status> 
            SetHandler server-status 
            Order Allow,Deny
            Allow from all
        </location>
    </VirtualHost>
</IfModule>

Any suggestion as to what could be wrong?

Best Answer

I think eltrai is on the right path but I would remove the first <VirtualHost> block and use ServerAlias in the second

<VirtualHost _default_:443>
    ServerAdmin admin@localhost
    ServerName domain.tld
    ServerAlias www.domain.tld

You can add your RedirectMatch later in that same block to redirect from www to non.

Related Solutions

Has SHA256 but why is it not used

A fingerprint (sometimes thumbprint) is not something that is in the certificate, instead it's a hash calculated after the fact and shown to facilitate easier manual comparison of certificates.

It's important not to confuse this with the certificate's signature, which is an actual value in the certificate.

From the question it sounds like the signature of this certificate is indeed based on SHA-1.

Authenticate with Client SSL Certificate OR basic auth

The question is three months old so my answer may not be needed by the OP but it may help anyone wanting this configuration.

The question is tagged apache-2.4 but the configuration looks like one which is appropriate for 2.2. This isn't entirely surprising as many examples in the Apache 2.4 documentation seem themselves not to be appropriate to 2.4.

I had such a configuration working in 2.2 (except for the "Allow from " which didn't work) and had to rewrite it for 2.4. I found that it needed some elements which weren't immediately apparent in the documentation.

I offer no warranty for this; it's based on my configuration file with no testing. +StrictRequire may not be needed in SSLOptions - I haven't tried without it, but it does work this way.

For that matter, the SSLOptions line may not be required at all - the +FakeBasicAuth option probably isn't being used. In the configuration I have here, as soon as Company_O is found in the certificate, access will be granted. As I understand it, +FakeBasicAuth is used with Require valid-user (alone) and access is granted if the DN from the certificate is found in the user list defined in AuthUserFile, along with an appropriate password. My system doesn't work that way, and I suspect that the OP didn't want to do that either.

<Directory /opt/app/system/html>
    RedirectMatch permanent ^/$ /exec/login.pl
    Options -Indexes +FollowSymLinks

    # Anything which matches a Require rule will let us in

    # Make server ask for client certificate, but not insist on it
    SSLVerifyClient optional
    SSLVerifyDepth  2
    SSLOptions      +FakeBasicAuth +StrictRequire

    # Client with appropriate client certificate is OK
    <RequireAll>
        Require ssl-verify-client
        # Correction: eq is integer comparison, string comparison requires ==
        # Require expr %{SSL_CLIENT_I_DN_O} eq "Company_O"
        Require expr %{SSL_CLIENT_I_DN_O} == "Company_O"
    </RequireAll>

    # Set up basic (username/password) authentication
    AuthType Basic
    AuthName "Zugriffsschutz"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/htaccess/iapp.passwd

    # User which is acceptable to basic authentication is OK
    Require valid-user

    # Access from these addresses is OK
    Require ip 10.20.0.0/255.255.0.0
    Require ip 10.144.100
</Directory>

I do have

<Directory />
    ...
    Require all denied
    ...
</Directory>

in a different configuration file - it could be that that is an important part of the recipe.

What took me a while to get this working was that it seemed that the Require expr %{SSL_CLIENT bit would work on its own but eventually I realised that Require ssl-verify-client was also required (see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#authzproviders)

Best Answer

Related Solutions

Has SHA256 but why is it not used

Authenticate with Client SSL Certificate OR basic auth

Related Topic