56

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:

SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile    /etc/ssl/certs/portal.selfsigned.crt

(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)

So, when I restart apache I get the following message:

Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.

But the file is there, and is not empty (actually it contains a private key):

sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

I have tried changing the ownership, using two groups www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when are the certificates read.

But anyway, changing the group owner has not improved the situation. My questions are:

  1. What else could I try to get this working?
  2. How can I verify that my keyfile is a valid keyfile?
  3. How can I verify that the keyfile and the certificate (/etc/ssl/certs/portal.selfsigned.crt) work together?

I think that Apache is giving a misleading error message, and I would like to pinpoint the error.

blueFast
  • 4,000
  • 13
  • 36
  • 51
  • Hello, could you mark this question as answered? –  Aug 13 '12 at 11:01
  • 3
    I should point out that I got this error message from the basic mistake of running `service apache2 restart` instead of `**sudo** service apache2 restart`... note to self: `sudo make me a sandwich fool` – icc97 Jun 10 '14 at 20:38
  • I find the following article very helpful. I could not setup the system by this thread. https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-debian-8 – Léo Léopold Hertz 준영 May 31 '16 at 15:28

7 Answers7

67

I found the error. It was because I am using a script to setup the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as normal user, it had no access the the keyfiles, and thus the error message.

Facit: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they alse need access to the keys.

blueFast
  • 4,000
  • 13
  • 36
  • 51
  • 1
    O yes, use `sudo`. This line solved the issue.. Since I was running the apache2ctl command as normal user, it had no access the the keyfiles – Sami Jan 11 '21 at 13:32
16

I also get the message

SSLCertificateKeyFile: file '/path/to/file' does not exist or is empty

while /path/to/file exist and have right permissions, just because of SELinux turned on and this file was unaccessable for apache user.

It looks like this:

$ sudo ls -laZ /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
-rw-------. root root unconfined_u:object_r:cert_t:s0  this-one-works.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 this-one-is-unaccessable.crt

To fix this, I run sudo restorecon -Rv /etc/pki/tls/certs/ - it will repair SELinux property for the problem file.

AntonioK
  • 519
  • 2
  • 9
  • 22
8

I've done this and it helped me on CentOS 5.7 

server:~ # chcon -t cert_t /etc/pki/tls/private/my.key 
server:~ # ls -laZ /etc/pki/tls/private/
Radamanf
  • 181
  • 1
  • 2
1

No permission for normal users in /etc/ssl/private directory.

Please try 

sudo apache2ctl configtest
Swisstone
  • 6,357
  • 7
  • 21
  • 32
Rithin Prabhakar
  • 11
  • 1
1

I received a similar message:

SSLCertificateChainFile: file '/opt/bitnami/apache2/conf/DigiCertCA.crt\xe2\x80\x9d' does not exist or is empty

My problem was the text editor I was using placed a "right quote" ascii 148 instead of a normal double quote ascii 34; using a unix-type editor (e.g. TextWrangler) put in the right quote and fixed the problem.

dkpruett
  • 11
  • 1
0

Me too, I got this error message when I checked the httpd syntax :

SSLCertificateFile: file 'C:/wamp64/bin/apache/apache2.4.46/conf/key/certificate.crt\xe2\x80\x9c' does not exist or is empty

My problem was the "double Quote" I had pasted. So I deleted it and typed it, then it worked fine.

Moctar
  • 1
  • 1
0

Permissions are wrong, but according to your answer it wasn't the cause of the problem :

drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

/etc/ssl/private usually belongs to group ssl-cert on debian based systems.

Just noticed the 0710 perms and wonder what it can be used for.

  • Your are probably right, it should be at least 0750. I have been trying different things, and the status I posted is probably not the most correct one. Running apache2ctl as root has for sure solved my problems. – blueFast Aug 13 '12 at 10:31
  • 1
    0710 is just fine, you need to know the file name to access it. – ypnos Sep 07 '15 at 08:49