I'm trying to set up SSL on Fedora with Apache.
In my vhost...
SSLCertificateFile /your/path/to/crt.crt
SSLCertificateKeyFile /your/path/to/key.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt
I had it working fine with a self-signed key, but can't get it to work with the DigiCertCA crt.
When I run
service httpd restart
It fails to start. This is what I get in the logs...
[Sat Jan 29 07:57:13 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suex$
[Sat Jan 29 07:57:13 2011] [error] Failed to configure CA certificate chain!
Any assistance would be really appreciated!
Make sure there are no missing certificates in the chain. In the SSLCertificateChainFile file there should be all the certificates in order from the CA first and then down to any intermediate certificate that was used to sign your CRT, otherwise you'll get the error.
If you don't have any intermediate certificates (looking at the Digicert page it looks like there's none http://www.digicert.com/ssl-certificate-installation-apache-ensim.htm) you should use SSLCACertificateFile instead.
An update to an old thread...
I just had this happen when I created a CA chain file by cat-ing the intermediate & root .crt files together into a new .ca-bundle file; the issue was that the first of the cert files didn't end with a newline, so its "END" line and the next one's BEGIN line were joined together, like
I just edited the file and put the newline in, giving:
And then it worked.
The fix above may be useful, but for me the fix was this:
http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/
In case the link goes:
The format in this case is p7b (PKCS #7); to use the certificate with Apache you’re going to have to convert this.
Within the resulting .cer file you will find your X.509 certificate bundled with relevant CA certificates; break these out into your relevant .crt and ca.crt files and load as normal into Apache.
Well this was originally a comment to @lynxman but it was too long.
I just had this issue using a Let's Encrypt cert with Arch Linux. Upon booting after the first restart in a couple months the httpd service failed with this error:
First I tried renewing the certificate since it's easy and free. My SSLCertificateChainFile then had one cert listed instead of two (?). So I commented that line out:
Voila! It started up fine. ¯_(ツ)_/¯
I had a similar issue when I copied the DigiCert intermediate certificate: while saving the cert I mistakenly entered some characters in the cert file and I couldn't restart Apache, but when I removed the characters and restarted the server it worked.
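A lint for the chain-file problems reported in the answers above (END/BEGIN lines joined by a missing newline, stray characters, a PKCS #7 block where a certificate is expected). This is an added example, not code from any poster in the thread; the function names and the sample data are constructed for illustration, and it checks PEM structure only, not certificate validity or chain order.

```python
import base64
import re

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def lint_pem_bundle(text):
    """Return [(line_no, problem)] for the text of a PEM chain file."""
    problems, inside, body = [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        markers = MARKER.findall(line)
        if len(markers) > 1:
            # e.g. cat of files where the first lacks a trailing newline
            problems.append((n, "END and BEGIN markers joined on one line"))
            inside, body = markers[-1][1], []  # assume a new block starts here
        elif markers:
            kind, label = markers[0]
            if not MARKER.fullmatch(line):
                problems.append((n, "stray characters on marker line"))
            if kind == "BEGIN":
                if label != "CERTIFICATE":  # e.g. PKCS7 (.p7b) needs converting
                    problems.append((n, f"block type is {label}, not CERTIFICATE"))
                inside, body = label, []
            else:
                if inside != label:
                    problems.append((n, "END without matching BEGIN"))
                else:
                    try:
                        base64.b64decode("".join(body), validate=True)
                    except ValueError:
                        problems.append((n, "block body is not valid base64"))
                inside = None
        elif inside:
            body.append(line)
        elif line:
            problems.append((n, "stray text outside a certificate block"))
    if inside:
        problems.append((len(text.splitlines()), "unterminated block"))
    return problems

def fake_block(seed, label="CERTIFICATE"):
    """Constructed filler bytes in PEM armour; not a real certificate."""
    body = base64.b64encode(bytes([seed]) * 48).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

# Constructed sample: two files concatenated, the first without a final newline.
JOINED = fake_block(1) + fake_block(2) + "\n"

if __name__ == "__main__":
    for line_no, problem in lint_pem_bundle(JOINED):
        print(f"line {line_no}: {problem}")
```

Read the real chain file into a string and pass it to lint_pem_bundle before restarting httpd; an empty list means the PEM armour is structurally sound.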