Apache: SSLCertificateKeyFile: file does not exist or is empty
I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:
```
SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile /etc/ssl/certs/portal.selfsigned.crt
```
(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file.)
So, when I restart apache I get the following message:
```
Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.
```
But the file is there, and is not empty (actually it contains a private key):
```
sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/
```
I have tried changing the ownership, using the two groups www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the Apache processes run as user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when the certificates are read.
But anyway, changing the group owner has not improved the situation. My questions are:
- What else could I try to get this working?
- How can I verify that my keyfile is a valid keyfile?
- How can I verify that the keyfile and the certificate (/etc/ssl/certs/portal.selfsigned.crt) work together?
I think that Apache is giving a misleading error message, and I would like to pinpoint the error.
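The last two questions (is the key file a valid key, and does it belong to the certificate?) can be answered with openssl alone, independently of Apache's error message. The script below is an added example and not part of the original post: it parses the key, derives its public key, and compares that to the public key embedded in the certificate. The file names mirror the post's, but the key/certificate pair it generates is a constructed throwaway pair for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a PEM private key and
# confirm it matches a certificate, using only openssl. The paths below are
# placeholders; make_test_pair builds a constructed self-signed pair for testing.

# Exit 0 if the file is a parseable, unencrypted PEM private key.
# A certificate, an empty file or a truncated key all make this fail.
key_is_valid() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Exit 0 if the public key derived from the private key is byte-for-byte
# identical to the public key carried inside the certificate.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Build a throwaway, passphrase-less key plus self-signed certificate in the
# directory given as $1. Constructed for demonstration only.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=portal.example" \
        -keyout "$1/server.insecure.key" -out "$1/portal.selfsigned.crt" >/dev/null 2>&1
}

# Stand-alone use: ./check.sh /path/to/key /path/to/cert
if [ $# -eq 2 ]; then
    if ! key_is_valid "$1"; then
        echo "key does not parse: $1" >&2
        exit 1
    fi
    if key_matches_cert "$1" "$2"; then
        echo "OK: key and certificate match"
    else
        echo "MISMATCH: certificate was not issued for this key" >&2
        exit 1
    fi
fi
```

Run it with sudo (or as a user that can read /etc/ssl/private) so the key file is actually readable; a permission problem shows up here as "key does not parse", which is exactly the ambiguity hidden behind Apache's "does not exist or is empty" wording.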
I found the error. It was because I am using a script to set up the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from the Apache restart, which was what was misleading me. Since I was running the apache2ctl command as a normal user, it had no access to the key files, and thus the error message.
Takeaway: make sure all your Apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they also need access to the keys.
I also get the message

```
SSLCertificateKeyFile: file '/path/to/file' does not exist or is empty
```

while /path/to/file exists and has the right permissions, just because SELinux was turned on and this file was inaccessible to the apache user.
It looks like this:
```
$ sudo ls -laZ /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:cert_t:s0 ..
-rw-------. root root unconfined_u:object_r:cert_t:s0 this-one-works.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 this-one-is-unaccessable.crt
```
To fix this, I run sudo restorecon -Rv /etc/pki/tls/certs/ - it will repair the SELinux property for the problem file.
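The mislabeled file in the listing above is easy to spot by eye in a two-file directory, but harder in a directory with dozens of certificates. The function below is an added example, not from the answer above: it reads ls -laZ style lines, splits the SELinux context on ":" and prints every entry whose type (the third component) is not the expected one, so the output can be fed straight to restorecon or chcon. The sample listing it ships with is constructed in the format shown in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): list files whose SELinux type
# differs from an expected type, given `ls -laZ` output on stdin.
# Field layout assumed (as in the answer's CentOS 5 listing):
#   perms owner group user:role:type:level name

# Usage: ls -laZ /etc/pki/tls/certs/ | find_mislabeled cert_t
# Prints one file name per mislabeled entry; "." and ".." are skipped.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 5 && $5 != "." && $5 != ".." {
            n = split($4, ctx, ":")
            # A context with fewer than three components is malformed; report it too.
            if (n < 3 || ctx[3] != want) print $5
        }'
}

# Constructed sample listing, in the format the answer shows.
SAMPLE_LISTING='drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:cert_t:s0 ..
-rw-------. root root unconfined_u:object_r:cert_t:s0 portal.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 copied-from-home.crt
-rw-------. root root system_u:object_r:httpd_sys_content_t:s0 wrong-type.crt'

# Convenience wrapper: mislabeled entries in the sample, newline separated.
sample_mislabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled cert_t
}

# Stand-alone run: show what would be reported for the sample.
if [ "${1:-}" = "--demo" ]; then
    sample_mislabeled
fi
```

On a live system the same pipeline is `ls -laZ /etc/pki/tls/certs/ | find_mislabeled cert_t`, and a non-empty result is the cue to run restorecon on that directory, as the answer describes.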
I've done this and it helped me on CentOS 5.7:

```
server:~ # chcon -t cert_t /etc/pki/tls/private/my.key
server:~ # ls -laZ /etc/pki/tls/private/
```