# Apache2 doesn't see my SSL certificate [SOLVED]

## Havin_it

Hi all,

I recently upgraded Apache to 2.2.12, and something's gone terribly wrong it seems.  After a reboot, I noticed apache2 had not started, and on restarting it I got no error message, the initscript exited "OK", but httpd was not running.  I then found the following in the logfile /var/log/apache2/error_log

```
[Fri Jul 31 17:04:44 2009] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
```

Now, this seems to be a common problem but none of the google results I've found (for other distros/*nixen) have borne fruit.  I created a self-signed certificate in the usual way (gentestcrt.sh) and have been using this for some time. It may have expired by now, but I've now just replaced it with a new cert generated from scratch, and the results are still the same.

I also tried corrupting the server.crt file but the result was still the same, so it appears the file isn't being found at all. Despite the error-message, I have the following in /etc/apache2/vhosts.d/00_default_ssl_vhost.conf

```
SSLCertificateFile /etc/apache2/ssl/server.crt
```

My httpd.conf hasn't changed, so this config file should still be being included by it. What's gone wrong?

Thanks in advance =)

*Last edited by Havin_it on Wed Aug 05, 2009 9:52 am; edited 1 time in total*

----------

## boerKrelis

From which version did you upgrade? 2.0.x ?

----------

## Havin_it

No, I upgrade regularly so it would have been the last 2.2.x version.

----------

## boerKrelis

Could it be that some ssl-enabled vhost (maybe another .conf) is being loaded before your 00_default_ssl_vhost.conf, thereby missing your certfile directive?

Does 

```
LogLevel debug
```

provide you with more specific information?

----------

## Havin_it

The higher LogLevel doesn't seem to give me much more to chew on. Here it is in full:

```
[Mon Aug 03 01:59:04 2009] [info] Init: Seeding PRNG with 136 bytes of entropy

[Mon Aug 03 01:59:04 2009] [info] Loading certificate & private key of SSL-aware server

[Mon Aug 03 01:59:04 2009] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
```

----------

## cach0rr0

as root

```
# if you haven't done so already - remember to configure it with visudo
emerge sudo
emerge strace
# run httpd as the apache user under strace so file accesses are visible
sudo -u apache /usr/bin/strace /usr/sbin/apache2 -k start -DSSL
```

sift through the strace output. it should at the very least stat() your certificate.

----------

## Havin_it

Thanks, will give that a try. Is there anything particular I need to put in sudoers?

----------

## Havin_it

OK, I ran the command as suggested - there are a number of errors about being unable to open log files, I expect this is because I need to add something to sudoers?

In the output I get these are the only references to the cert and key files:

```
stat64("/etc/apache2/ssl/server.crt", {st_mode=S_IFREG|0400, st_size=1038, ...}) = 0
stat64("/etc/apache2/ssl/server.key", {st_mode=S_IFREG|0400, st_size=891, ...}) = 0
```

----------

## cach0rr0

possible to dump the full strace output into pastebin or similar so we can have a look?

----------

## Havin_it

Will do. Will have to sanitise a few lines first, though...

----------

## Havin_it

OK, pasted here:

http://pastebin.com/m662edc8e

The command issued was like this:

```
/usr/bin/strace /usr/sbin/apache2 -k start -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D INFO -D LANGUAGE -D SUEXEC -D PHP5 -D DEPENDS -D TRANSFORM -D NAGIOS &> /home/robin/apache-strace.txt
```

The only <SNIP> items are paths to vhost directories and logfile names that mention hostnames I've opted to keep secret. "brazil" is the server's local hostname - it doesn't have a FQDN configured. Hope this is OK.

----------

## cach0rr0

sorry to waste your time, that strace proved fruitless =/

I'm wondering something - something you said turned on a light bulb in my brain; might it be possible to define an FQDN in /etc/hosts and regen the cert with a Common Name matching the FQDN? 

Doesn't have to be a resolvable fqdn, but one that allows the cert common name to match the hostname.

----------

## Havin_it

Well... If it's only for test purposes fair enough, but if this proves to be the basis of a solution it might prove a new problem, because I have a number of vhosts identified both by subdomains of my dyndns.org hostname and by one-part local hostnames. I made the certificate with a commonName that matches the FQDN, so none of the subdomains match it. I haven't a clue about how to provide multiple certificates as I've only ever used the apache script for that purpose, but this has never been a problem because the Internet-facing vhosts are only for my use (so certificate errors in the browser are not a concern).

Anyway I'll give it a whirl and see what happens. Is there a CLI tool for reading a certificate's details?
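The CLI tool asked about here is `openssl x509`. The script below is an added example, not code from the thread or from Gentoo's apache2 package; it assumes `openssl` is on PATH, and the hostname `brazil.lan` and the throwaway self-signed certificate it generates are constructed for the demo. It prints the subject and validity window, and checks whether the CN matches the hostname a vhost is meant to serve, which is exactly the comparison cach0rr0 suggested making.

```shell
#!/bin/sh
# Added example (not from the thread): read a certificate's details with
# openssl x509 and compare its Common Name against an expected hostname.
# Assumes openssl in PATH; "brazil.lan" is a constructed example hostname.
set -e

# Subject in RFC 2253 form, e.g. "subject=CN=brazil.lan"
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Just the Common Name (the field the self-signed cert was generated with)
cert_cn() {
    cert_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Validity window, so an expired cert (one suspicion in the thread) is obvious
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Exit 0 when the cert is still valid right now
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Exit 0 when the cert's CN equals the expected hostname
cert_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Constructed demo cert: throwaway self-signed key pair for the given CN
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone demo: sh cert_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_cert "$tmp" brazil.lan
    cert_subject "$tmp/server.crt"
    cert_dates "$tmp/server.crt"
    cert_cn_matches "$tmp/server.crt" brazil.lan && echo "CN matches brazil.lan"
    rm -rf "$tmp"
fi
```

To inspect the real file from the thread, `cert_subject /etc/apache2/ssl/server.crt` and `cert_dates /etc/apache2/ssl/server.crt` are enough; `openssl x509 -in server.crt -noout -text` dumps everything, including any subjectAltName entries.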

----------

## haven

I had the same issue after upgrading from www-servers/apache-2.2.11-r2 to www-servers/apache-2.2.12. 

I downgraded to ww-servers/apache-2.2.11-r3 and that fixed the issue. Not had time to look further but I was also getting the error:

> [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

If it helps anyone looking into this, all my SSL declarations are in my vhosts.d directory and are called after all the module configs.

Regards

----------

## Havin_it

I got it sorted!

First I took cach0rr0's suggestion and made sure that my certificate matched one of the FQDNs defined in the hosts file.  I also took the steps of commenting out the other vhost I have, and the ServerAlias lines in the main vhost, in 00_default_ssl_vhost.conf to eliminate confusion.  This worked.

I then re-enabled the various ServerAlias lines in the main vhost definition. It still worked.

I then uncommented the second vhost definition. It stopped working.

What occurred to me was that the second vhost definition was copied from 00_default_vhost.conf and as such didn't contain any of the SSL-specific directives. This never posed a problem before, though on reflection I can't say whether I've ever accessed that other vhost from the WAN using SSL :/

So, I simply copied all the SSL directives from the main vhost to the other. Again, it works!

Well, make of that what you will. Seems obvious in hindsight, but I'm very grateful to you for steering me in the right direction to prod at the right things to solve it. Ta! =)
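The condition that turned out to be the problem above, a second `<VirtualHost *:443>` block copied from the plain-HTTP vhost and so carrying no `SSLEngine`/`SSLCertificateFile` directives of its own, is easy to catch before restarting httpd. The script below is an added example, not code from the thread or from the apache2 package: a small awk-based lint that lists every vhost on the SSL port lacking those two directives. The sample config it writes is constructed to mirror the thread (the hostnames and paths are placeholders), with the "fixed" variant showing the state after the SSL directives were copied into the second vhost.

```shell
#!/bin/sh
# Added example (not from the thread): report SSL-port vhosts that lack their
# own "SSLEngine on" and SSLCertificateFile lines. Sample configs below are
# constructed; hostnames and file paths are placeholders.
set -e

# Print the ServerName of every <VirtualHost ...:443> block that does not
# itself contain "SSLEngine on" and an SSLCertificateFile line.
# Commented-out directives (leading #) deliberately do not count.
check_ssl_vhosts() {
    awk '
        /^[[:space:]]*<[Vv]irtual[Hh]ost/ {
            invh = 1
            ssl_port = ($0 ~ /:443>/)
            has_engine = 0; has_cert = 0
            name = "(no ServerName)"
            next
        }
        invh && /^[[:space:]]*ServerName[[:space:]]/           { name = $2 }
        invh && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/    { has_engine = 1 }
        invh && /^[[:space:]]*SSLCertificateFile[[:space:]]/    { has_cert = 1 }
        /^[[:space:]]*<\/[Vv]irtual[Hh]ost>/ {
            if (invh && ssl_port && !(has_engine && has_cert)) print name
            invh = 0
        }
    ' "$1"
}

# Constructed config mirroring the thread: the second vhost was copied from
# 00_default_vhost.conf and carries none of the SSL directives.
write_sample_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName brazil.lan
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    DocumentRoot /var/www/main
</VirtualHost>

# copied from the plain-HTTP vhost: shares the SSL port, no SSL directives
<VirtualHost *:443>
    ServerName other.lan
    DocumentRoot /var/www/other
</VirtualHost>

<VirtualHost *:80>
    ServerName plain.lan
    DocumentRoot /var/www/plain
</VirtualHost>
EOF
}

# Same config after the thread's fix: SSL directives copied into the second vhost
write_fixed_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName brazil.lan
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    DocumentRoot /var/www/main
</VirtualHost>

<VirtualHost *:443>
    ServerName other.lan
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    DocumentRoot /var/www/other
</VirtualHost>
EOF
}

# Stand-alone demo: sh vhost_lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    echo "SSL vhosts missing a certificate:"
    check_ssl_vhosts "$tmp"
    rm -f "$tmp"
fi
```

On a real system, run `check_ssl_vhosts` over each file in `/etc/apache2/vhosts.d/` and follow it with `apache2ctl -t` (or `apache2 -t` plus the same `-D` defines used at startup) so httpd's own parser has the last word.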

----------

