Apache SSL – Fix ‘Server Should Be SSL-Aware but Has No Certificate Configured’ Error

apache-2.2snisslvirtualhost

After recently upgrading Apache2 to version 2.2.31 I found a strange behaviour in SSL VirtualHost setup.

A few of the website I'm hosting were showing the certificate for the default host even if the client was Server Name Identification aware, and this happened only with a few of them. This shows as the common Firefox's/Chrome's passport-warning about you being possibly scammed if you're browsing your home banking, but that simply was not the case.

To be clear, if server host.hostingdomain.org has its own SSL, attempting to access https://www.hostedsite.org reports certificate for host.hostingdomain.org, but a few https://www.hostedsite.me reported the correct certificate.

All sites are hosted on the same IP address, on port 443. The truth is that VirtualHosting works on the HTTP side and redirects SNI-aware clients to SSL automatically, so it's backward compatible with SNI-unaware clients.

Examining error logs for the offending VirtualHosts shown the following text

[Tue Dec 25 16:02:45 2012] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/path/to/www.site.org.conf:20)

and in fact the vhost was correctly configured with SSLCertificateFile.

The question is obvious: how to fix that?

Best Answer

It happens that it could be a bug in the most recent version of Apache.

Solution 1: downgrade to the latest stable

Solution 2: edit `listen.conf`

Replace Listen *:443 (or Listen 443 according to your setup) with Listen *:443 http

Credit

Related Solutions

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

SSL Library Error: -8181 Certificate has expired

Seems that a certificate was created when mod_nss was installed.

This certificate has expired, preventing the restarting of httpd (Apache).

Do you really use mod_nss ?

If you aren't using mod_nss then your best bet is to simply uninstall the package.

However you have some alternatives :

Remove nss.conf from /etc/httpd/conf.d (this will cause mod_nss to not be loaded).
Uninstall/re-install your nss rpm modules. On re-installation a new certificate will be generated and your problem will go away for a few more years :
```
rpm -e mod_nss
rm /etc/httpd/alias/*
yum install mod_nss
service httpd restart
```