Apache: SSLCertificateKeyFile: file does not exist or is empty

apache-2.2 ssl ssl-certificate ubuntu mod-ssl

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:

SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile    /etc/ssl/certs/portal.selfsigned.crt

(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)

So, when I restart apache I get the following message:

Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.

But the file is there, and is not empty (actually it contains a private key):

sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

I have tried changing the ownership, using two groups www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when are the certificates read.

But anyway, changing the group owner has not improved the situation. My questions are:

  1. What else could I try to get this working?
  2. How can I verify that my keyfile is a valid keyfile?
  3. How can I verify that the keyfile and the certificate (/etc/ssl/certs/portal.selfsigned.crt) work together?

I think that Apache is giving a misleading error message, and I would like to pinpoint the error.


I found the error. It was because I am using a script to setup the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as normal user, it had no access the the keyfiles, and thus the error message.

Facit: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they alse need access to the keys.


I also get the message

SSLCertificateKeyFile: file '/path/to/file' does not exist or is empty

while /path/to/file exist and have right permissions, just because of SELinux turned on and this file was unaccessable for apache user.

It looks like this:

$ sudo ls -laZ /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
-rw-------. root root unconfined_u:object_r:cert_t:s0  this-one-works.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 this-one-is-unaccessable.crt

To fix this, I run sudo restorecon -Rv /etc/pki/tls/certs/ - it will repair SELinux property for the problem file.


I've done this and it helped me on CentOS 5.7 

server:~ # chcon -t cert_t /etc/pki/tls/private/my.key 
server:~ # ls -laZ /etc/pki/tls/private/

Related

Optimal value for Nginx worker_connections
Can rsync display current average speed?
Configuring Docker to not use the 172.17.0.0 range
Why is tampering with the TTL of IP dangerous?
how to access host variable of a different host with Ansible?
Bash find command verbose output
how to restrict access to directory and subdirs
How to convert 'dmesg' time format to 'real' time format
nginx proxy pass redirects ignore port
Docker COPY issue - "no such file or directory"
How to take full ownership of an IP address?
Connecting to HTTPS with netcat (nc) [closed]