I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:
SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile /etc/ssl/certs/portal.selfsigned.crt
(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)
So, when I restart apache I get the following message:
Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.
But the file is there, and is not empty (actually it contains a private key):
sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/
I have tried changing the ownership, using two groups www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when are the certificates read.
But anyway, changing the group owner has not improved the situation. My questions are:
- What else could I try to get this working?
- How can I verify that my keyfile is a valid keyfile?
- How can I verify that the keyfile and the certificate (
/etc/ssl/certs/portal.selfsigned.crt) work together?
I think that Apache is giving a misleading error message, and I would like to pinpoint the error.
I found the error. It was because I am using a script to setup the certificates, and one of the steps I am performing is
apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as normal user, it had no access the the keyfiles, and thus the error message.Facit: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (
apache2ctl), since they alse need access to the keys.I also get the message
while
/path/to/fileexist and have right permissions, just because of SELinux turned on and this file was unaccessable for apache user.It looks like this:
To fix this, I run
sudo restorecon -Rv /etc/pki/tls/certs/- it will repair SELinux property for the problem file.I've done this and it helped me on CentOS 5.7
I received a similar message:
SSLCertificateChainFile: file '/opt/bitnami/apache2/conf/DigiCertCA.crt\xe2\x80\x9d' does not exist or is emptyMy problem was the text editor I was using placed a "right quote" ascii 148 instead of a normal double quote ascii 34; using a unix-type editor (e.g. TextWrangler) put in the right quote and fixed the problem.
No permission for normal users in
/etc/ssl/privatedirectory.Please try
Permissions are wrong, but according to your answer it wasn't the cause of the problem :
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private//etc/ssl/private usually belongs to group ssl-cert on debian based systems.
Just noticed the 0710 perms and wonder what it can be used for.
Me too, I got this error message when I checked the httpd syntax :
SSLCertificateFile: file 'C:/wamp64/bin/apache/apache2.4.46/conf/key/certificate.crt\xe2\x80\x9c' does not exist or is empty
My problem was the "double Quote" I had pasted. So I deleted it and typed it, then it worked fine.