-2

For some reason Apache does not start. I tried rebooting the server but to no avail. It's about 2am and my brain is fried. Here is the Apache log. I did not touch any configs, certs, or keys to cause this, so I don't know what happened. The first line here is bogus, because the key is in the exact place that I told the virtual hosts file to look.

[Wed Mar 04 00:13:51.898515 2015] [ssl:error] [pid 4307] AH02203: Init: Private key not found
[Wed Mar 04 00:13:51.899365 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Mar 04 00:13:51.899381 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Mar 04 00:13:51.899391 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Mar 04 00:13:51.899402 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Wed Mar 04 00:13:51.899413 2015] [ssl:error] [pid 4307] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Mar 04 00:13:51.899422 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Mar 04 00:13:51.899432 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

Virtual hosts:

# Optionally load the headers module:
#LoadModule headers_module modules/mod_headers.so

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
SSLCertificateFile /etc/ssl/certs/foobar.org.ssl.crt
SSLCertificateKeyFile /etc/ssl/private/foobar.org.ssl.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
SSLCompression Off
SSLHonorCipherOrder On
SSLSessionCache shmcb:/etc/apache2/logs/ssl_gcache_data(512000)
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionCacheTimeout  300

<VirtualHost *:443>
ServerAdmin foobar@foobar.net
ServerName foobar.org
#  ServerAlias foobar.org
DirectoryIndex index.html index.php
DocumentRoot /var/www/foobar.org/public_html/
LogLevel warn
ErrorDocument 404 /404.php
#  ErrorDocument 500 /500.html
ErrorLog /var/www/foobar.org/log/error.log
CustomLog /var/www/foobar.org/log/access.log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
</VirtualHost>

ls command output:

-rw-rw-r-- 1 brandon brandon  1767 Mar  4 00:02 foobar.org.ssl.key
-rw-r----- 1 root    ssl-cert 1704 Apr 20  2013 ssl-cert-snakeoil.key
brandon

3 Answers

4

There are a few critical issues here. The errors that Apache is spitting out are telling you that the private key is failing to be parsed as valid ASN.1. This would suggest that you have extraneous data somewhere in the key, such as a space. Secondly, your permissions are much too lax. The private key should be owned by root, and have permissions similar to 640 or -rw-r-----.

Jacob
-1

You probably changed the encoding of your key file while transferring it.

rm /etc/pki/tls/certs/your_server.key 
cp /your_server.key /etc/pki/tls/certs/

service httpd start
Jenny D
-1

You have to give 600 permission to your SSL key file via the command chmod 600 ssl.key. Sometimes this happens due to security policy. After changing the permission, start the Apache service and it will work.
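
An added example (not from any of the answers above) that checks a key file for the conditions the answers name: stray whitespace or a changed encoding in the PEM, and a mode or owner looser than root with 640. It goes one step further and verifies that the decoded body is a single ASN.1 SEQUENCE. The function names and the sample key are constructed for illustration, and an unencrypted or PKCS#8 key is assumed.

```python
import base64, os, re, stat, textwrap

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_is_one_sequence(der):
    """True if der is a SEQUENCE (tag 0x30) whose length field spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short form: length in one byte
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F                       # long form: next k bytes hold the length
    return k > 0 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")

def check_pem_bytes(data):
    """Return findings for the raw bytes of a key file (empty list = nothing found)."""
    findings = []
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data:
        findings.append("byte-order mark or NUL bytes: file was re-encoded")
    m = PEM_RE.search(data)
    if not m:
        return findings + ["no matching BEGIN/END block"]
    if m.group(1).decode() not in KEY_LABELS:
        findings.append(f"block label '{m.group(1).decode()}' is not a private key")
    lines = m.group(2).splitlines()
    if any(line != line.strip() for line in lines):
        findings.append("whitespace at the start or end of a base64 line")
    try:
        der = base64.b64decode(b"".join(l.strip() for l in lines), validate=True)
    except ValueError:
        return findings + ["body is not valid base64"]
    if not der_is_one_sequence(der):
        findings.append("decoded body is not one well-formed ASN.1 SEQUENCE")
    return findings

def check_key_file(path):
    """Mode and owner checks (root, nothing beyond 0640) plus the byte checks."""
    st, findings = os.stat(path), []
    if stat.S_IMODE(st.st_mode) & ~0o640:
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants more than 0640")
    if st.st_uid != 0:
        findings.append("file is not owned by root")
    with open(path, "rb") as fh:
        return findings + check_pem_bytes(fh.read())

def sample_pem(label="RSA PRIVATE KEY"):
    """Constructed sample: a SEQUENCE of 256 zero bytes, not a real key."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    return f"-----BEGIN {label}-----\n{textwrap.fill(b64, 64)}\n-----END {label}-----\n".encode()
```

Call `check_key_file()` with the path given in SSLCertificateKeyFile; an empty list means none of these conditions was found, not that the key matches the certificate.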