Let’s Encrypt SSL Certificate File Not Found Error – Troubleshooting

apache-2.4lets-encryptsslssl-certificate

I'm running SSL Certificates from Let's Encrypt. I've got them installed on my Ubuntu machine running Apache. The setup works fine and I can launch the website, see the green padlock and even got an A+ on SSL Labs.

The problem is that when I do apachectl configtest the server would return a file not found error:

SSLCertificateFile: file '/etc/letsencrypt/live/www.example.com/fullchain.pem' not exist or is empty.

But sudo service apache2 restart works just fine.

I got this question running at Let's Encrypt Community but the issue hasn't been resolved yet.

sudo cat /etc/letsencrypt/live/www.example.com/fullchain.pem works, returns valid certificate details.

sudo x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem

does not work and returns the error below:

Error opening Certificate /etc/letsencrypt/live/www.example.com/fullchain.pem
139774254929568:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem.','r')
139774254929568:error:2007402:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ubable to load certificate

Any ideas on why I'm getting errors on apachectl configtest and openssl?

Thanks guys!

Best Answer

In my case the files and permissions where not the issue. I was trying to restart the server with apachectl restart or test the config (apachectl -t or apachectl configtest). The user running the command (me) simply didn't have the proper permissions to access the certificates. I just had to prefix the commands with sudo to run them as root! No more errors, the config test returns "Syntax OK" and I can restart the server. (OK I'm a bit embarrassed it took me so long to figure that one out...)

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

I have written a pair of how-tos for running Let's Encrypt SSL certs on CentOS: initial setup & cronning it.

And my per-domain (I use the file naming convention of z-<[sub-]domain-tld>.conf) Apache config files look like this:

<VirtualHost *:80>
ServerName domain.tld
Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/fullchain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

    SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>

</VirtualHost>

And my ssl.conf looks like this:

#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup file:/dev/urandom  1024
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLCompression          off
SSLHonorCipherOrder     on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Using Let's Encrypt to get SSL certs (and get your site up to an "A" rating from SSL Labs) is pretty straight-forward - once you get past some of the arcana of the Apache configs and LE command-line arguments.

Ssl – Let’s Encrypt for hostname and related domain(s) is working, SSL not working for other domains on Directadmin server

UPDATE: Let's Encrypt has been issuing wildcard certificates since January 2018.

Does Let’s Encrypt issue wildcard certificates?

Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.

Let's Encrypt ~~doesn't offer wildcard certificates, but it~~ offers multi-domain certificates.

What services does Let’s Encrypt offer?

Let’s Encrypt offers Domain Validation (DV) certificates. We do not offer Organization Validation (OV), Extended Validation (EV), ~~or wildcard certificates,~~ primarily because we cannot automate issuance for those types of certificates.

Can I get a certificate for multiple domain names (SAN certificates or UCC certificates)?

Yes, the same certificate can contain several different names using the Subject Alternative Name (SAN) mechanism.

With SAN you have one certificate that covers all your domains. As TLS connection is established before the browser sends the Host: header, your HTTPD doesn't know which certificate to use for the handshake and matches the first one available that matches the IP address. Therefore there was a long era you actually needed one IP address for every single certificate. SAN was the only way to have several HTTPS sites on same IP and the certificate needed to be reissued whenever a new alias was added.

That was until Server Name Indication SNI, an extension of TLS which allows the client to include the requested hostname in the first message of its SSL handshake. SNI has been there since OpenSSL 0.9.8f from Oct 2007. It has been supported by all major browsers for years. You can easily configure it on Apache, it has been supported by Nginx since 0.5.23 and was introduced in IIS 8.0.

As you already have multiple certificates rather than SAN, you should use SNI. Allowing SNI is possible on DirectAdmin. Unfortunately Serverfault won't give support for web hosting control panels.

Best Answer

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

Ssl – Let’s Encrypt for hostname and related domain(s) is working, SSL not working for other domains on Directadmin server

Related Topic