Home / server / Questions / 444400
Accepted
chris
Asked: 2012-11-02 07:20:26 +0800 CST

Error when trying to start Apache after installing SSL cert

  • 772

I am trying to install an SSL certificate, and I get the following errors:

AH02241: Init: Unable to read server certificate from file /path/my.crt
SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
AH02312: Fatal error initialising mod_ssl, exiting.

Here's the process I followed:

I generated my private key with:

openssl genrsa -out my.key 2048

I created the CSR with:

openssl req -new -key my.key -out my.csr

I provided the CSR to our IT department, and they returned a crt - it starts with

-----BEGIN CERTIFICATE-----

My ssl.conf has (my.example.com matches the Common name used during the generation of the CSR):

 <VirtualHost my.example.com:443>
   SSLEngine On
   ServerName my.example.com 
   SSLCertificateFile /path/my.crt
   SSLCertificateKeyFile /path/my.key
 </VirtualHost>

I do not have SSLCertificateChainFile or SSLCACertificate file set.

The private key starts with 

----BEGIN RSA PRIVATE KEY-----

The csr starts with 

-----BEGIN CERTIFICATE REQUEST-----

I have verified that both:

openssl rsa -noout -modulus -in my.key
openssl req -noout -modulus -in my.csr

produce the same output. I cannot figure out how to verify the crt - trying both x509 and rsa produce an error.

Should this process have worked? Can I verify that my.crt matches the key somehow?

apache-2.2

3 Answers

  1. Best Answer

    It turns out that the cert I was provided was bad.

    Running 

    openssl x509 -in my.crt -text

    should have worked, but since the cert was corrupt it produced errors:

    unable to load certificate
140513785948000:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:
140513785948000:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
140513785948000:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
140513785948000:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

    I guess I should have noticed that the lines in the block when viewing the bad cert weren't all the same length.

    • 8

  2. For:

    SSLCertificateFile my.crt
SSLCertificateKeyFile my.key

    You should be using the full path to those files, ie: 

    SSLCertificateFile /home/vhosts/domain.com/keys/my.crt
SSLCertificateKeyFile /home/vhosts/domain.com/keys/my.crt

    Update the correct paths and restart Apache to apply the changes. Post back with an updated error/message if the issue remains.

    -Brendan

    • 3

  3. Just for the record: I had the same kind of error report and the issue was not really in the certificate, but in the configuration.

    By mistake I defined the key as the certificate and the certificate as the key. The result was the same error message.

    The error resulted from the fact that my reference configuration presented these items in the opposite order.

    Even the example by @Brendan has this error as it references two times the certificate - both for the certificate and for the key.

    So be sure to check that you are referencing the correct files in the correct parameter.

    • 0