Server Fault Asked by blueFast on November 19, 2020
I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:
SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile /etc/ssl/certs/portal.selfsigned.crt
(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)
So, when I restart apache I get the following message:
Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.
But the file is there, and is not empty (actually it contains a private key):
sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/
I have tried changing the ownership, using two groups, www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when the certificates are read.
But anyway, changing the group owner has not improved the situation. My questions are:
/etc/ssl/certs/portal.selfsigned.crt
) work together?
I think that Apache is giving a misleading error message, and I would like to pinpoint the error.
I found the error. It was because I am using a script to set up the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as a normal user, it had no access to the key files, and thus the error message.
Conclusion: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they also need access to the keys.
Correct answer by blueFast on November 19, 2020
Me too, I got this error message when I checked the httpd syntax:
SSLCertificateFile: file 'C:/wamp64/bin/apache/apache2.4.46/conf/key/certificate.crt\xe2\x80\x9c' does not exist or is empty
My problem was the "double Quote" I had pasted. So I deleted it and typed it, then it worked fine.
Answered by Moctar on November 19, 2020
No permission for normal users in /etc/ssl/private directory.
Please try
sudo apache2ctl configtest
Answered by Rithin Prabhakar on November 19, 2020
I received a similar message:
SSLCertificateChainFile: file '/opt/bitnami/apache2/conf/DigiCertCA.crt\xe2\x80\x9d' does not exist or is empty
My problem was the text editor I was using placed a "right quote" ascii 148 instead of a normal double quote ascii 34; using a unix-type editor (e.g. TextWrangler) put in the right quote and fixed the problem.
Answered by dkpruett on November 19, 2020
I also get the message
SSLCertificateKeyFile: file '/path/to/file' does not exist or is empty
while /path/to/file exists and has the right permissions, just because SELinux was turned on and this file was inaccessible to the apache user.
It looks like this:
$ sudo ls -laZ /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:cert_t:s0 ..
-rw-------. root root unconfined_u:object_r:cert_t:s0 this-one-works.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 this-one-is-unaccessable.crt
To fix this, I run sudo restorecon -Rv /etc/pki/tls/certs/ - it will repair the SELinux property for the problem file.
Answered by AntonioK on November 19, 2020
I've done this and it helped me on CentOS 5.7
server:~ # chcon -t cert_t /etc/pki/tls/private/my.key
server:~ # ls -laZ /etc/pki/tls/private/
Answered by Radamanf on November 19, 2020
Permissions are wrong, but according to your answer it wasn't the cause of the problem:
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/
/etc/ssl/private usually belongs to group ssl-cert on Debian-based systems.
Just noticed the 0710 perms and wonder what it can be used for.
Answered by user130370 on November 19, 2020
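Added example, not part of the original thread: a shell check that reports, for each SSLCertificate* path in a config file, which of the causes described in the answers above applies (a pasted curly quote in the path, a directory or file the current user cannot access, a missing file, or an empty file). The function names, status labels and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: run as the same user that runs `apache2ctl configtest`.
# Prints "STATUS directive path" per directive; returns 0 only if all are OK.
check_ssl_paths() {
    local conf="$1" rc=0 directive path dir status
    while read -r directive path || [ -n "$directive" ]; do
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile) ;;
            *) continue ;;
        esac
        path=${path#\"}; path=${path%\"}      # strip straight quotes only
        dir=$(dirname -- "$path")
        if printf '%s' "$path" | LC_ALL=C grep -q '[^ -~]'; then
            status=NON_ASCII                  # e.g. a pasted curly quote
        elif [ -d "$dir" ] && [ ! -x "$dir" ]; then
            status=DIR_NOT_SEARCHABLE         # e.g. 0710 directory, non-root user
        elif [ ! -e "$path" ]; then
            status=MISSING
        elif [ ! -r "$path" ]; then
            status=UNREADABLE                 # mode bits; compare SELinux labels with ls -Z
        elif [ ! -s "$path" ]; then
            status=EMPTY
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$status" "$directive" "$path"
    done < "$conf"
    return "$rc"
}

# Constructed sample: one good path, one path ending in U+201D (bytes
# e2 80 9d), one empty file and one missing file.
make_sample() {
    local d; d=$(mktemp -d) || return 1
    echo 'constructed placeholder, not a real certificate' > "$d/ok.crt"
    : > "$d/empty.key"
    {
        printf 'SSLEngine On\n'
        printf 'SSLCertificateFile %s/ok.crt\n' "$d"
        printf 'SSLCertificateChainFile %s/ok.crt\342\200\235\n' "$d"
        printf 'SSLCertificateKeyFile %s/empty.key\n' "$d"
        printf 'SSLCertificateKeyFile "%s/missing.key"\n' "$d"
    } > "$d/vhost.conf"
    printf '%s\n' "$d/vhost.conf"
}

if conf=$(make_sample); then check_ssl_paths "$conf" || true; fi
```

Running it once as a normal user and once with sudo shows whether a reported failure depends on who runs the syntax check.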