AH02572: Failed to configure at least one certificate and key

Hi, I'm using acme.sh to create a certificate for an Apache server on Fedora 35 and have received an odd error message after replacing the current cert created with certbot with this one.

AH02572: Failed to configure at least one certificate and key for arcade.example.com:443
SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

This is a drop-in replacement for a cert that was created by certbot and working just fine with this same apache config.

The command I have run is the following. It's using the dns_cf plugin. I've excluded the CF_Account_ID and CF_Email variables, but it did result in a valid cert. I've also verified it with openssl to be sure it contains the same name as I am installing.

./acme.sh --log --issue --dns dns_cf -d arcade.example.com

Here is my apache config. Outside the virtual host I have the following:

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Inside the virtual host I have the following:

  SSLEngine on
  SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/fullchain.pem

The fullchain.pem is the fullchain.cer file generated by acme.sh and privkey.pem is arcade.example.com.key.

I'm not sure what more info I can provide to troubleshoot this. I've done quite a bit of experimenting and reading, but haven't really found any tips on how to fix it.

hmm...
I'd compare the files to ensure they are good copies and also the access set on them.

If you are using acme.sh and Apache, why are you storing the certs in /etc/letsencrypt?
[can't Apache just use the default acme.sh cert location?]

3 Likes

The certs are normally created on an internal host then scp'd to all remote hosts.

Many are used just for postfix, so there's not always a virtual host or web domain associated with the hostname to be able to always use web auth, so I'm instead using dns only.

In this example, I created a cert specifically for this host to not only attempt to show it wasn't a problem with the cert, but also to make it easier to explain here.

The files are owned by root, group apache. The path is just historical convention for me, since it used to be generated using certbot.

2 Likes

Those are not the correct lines to set up HTTPS. The correct settings depend on your Apache version. Regardless of version, KeyFile with ChainFile is not an accurate combination.

See this post

3 Likes

Ugh, that was it, thanks. This host was somehow different from all the rest and I overlooked it.

It should be:

SSLEngine on
SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
SSLCertificateFile /etc/letsencrypt/fullchain.pem

3 Likes
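The root cause in this thread is a vhost that points mod_ssl at a key and a chain file but never at a leaf certificate, so SSL_CTX_check_private_key has nothing to check the key against. The linter below is an added example written for this page, not code from the thread or from the acme.sh or httpd projects: it parses `<VirtualHost>` blocks from constructed Apache config text (the broken and fixed vhosts above, with the thread's placeholder paths) and flags the KeyFile-plus-ChainFile combination, and it also inspects PEM text so you can confirm that the file named by SSLCertificateFile actually holds CERTIFICATE blocks and the key file holds a PRIVATE KEY block. The PEM samples are constructed stand-ins with fake bodies, not real key material. On httpd 2.4.8 and later, SSLCertificateFile accepts the full chain (which is why `fullchain.pem` works there) and SSLCertificateChainFile is deprecated.

```python
import re
from typing import Dict, List

# Constructed sample vhosts: the thread's misconfiguration and its corrected form.
BROKEN_VHOST = """\
<VirtualHost *:443>
  ServerName arcade.example.com
  SSLEngine on
  SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/fullchain.pem
</VirtualHost>
"""

FIXED_VHOST = """\
<VirtualHost *:443>
  ServerName arcade.example.com
  SSLEngine on
  SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
  SSLCertificateFile /etc/letsencrypt/fullchain.pem
</VirtualHost>
"""

# Constructed PEM stand-ins (bodies are not real DER); only the labels matter here.
SAMPLE_FULLCHAIN = """\
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
"""
SAMPLE_PRIVKEY = """\
-----BEGIN PRIVATE KEY-----
CCCC
-----END PRIVATE KEY-----
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
PEM_LABEL_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)


def parse_vhosts(config: str) -> List[Dict[str, str]]:
    """One dict per <VirtualHost>: lowercased directive name -> first value seen."""
    vhosts = []
    for m in VHOST_RE.finditer(config):
        directives = {"_addr": m.group(1).strip()}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), value)
        vhosts.append(directives)
    return vhosts


def lint_vhost(d: Dict[str, str]) -> List[str]:
    """Return findings for one vhost; empty list means the TLS file directives are consistent."""
    if d.get("sslengine", "off").lower() != "on":
        return []
    name = d.get("servername", d["_addr"])
    has_cert = "sslcertificatefile" in d
    has_key = "sslcertificatekeyfile" in d
    has_chain = "sslcertificatechainfile" in d
    findings = []
    if not has_cert:
        findings.append(f"{name}: SSLEngine on but no SSLCertificateFile; mod_ssl fails at startup with AH02572")
    if has_chain and not has_cert:
        findings.append(f"{name}: SSLCertificateChainFile without SSLCertificateFile; a chain file never supplies the leaf cert")
    if has_cert and not has_key:
        findings.append(f"{name}: SSLCertificateFile without SSLCertificateKeyFile; only valid if the key is inside the cert file")
    return findings


def lint_config(config: str) -> List[str]:
    """Lint every vhost in an Apache config string."""
    return [f for vh in parse_vhosts(config) for f in lint_vhost(vh)]


def pem_labels(pem_text: str) -> List[str]:
    """Labels of the PEM blocks in a file, in order (e.g. ['CERTIFICATE', 'CERTIFICATE'])."""
    return PEM_LABEL_RE.findall(pem_text)


def check_pem_roles(cert_pem: str, key_pem: str) -> List[str]:
    """Confirm the cert file starts with a certificate and the key file holds a private key."""
    problems = []
    cert_labels = pem_labels(cert_pem)
    if not cert_labels or cert_labels[0] != "CERTIFICATE":
        problems.append("SSLCertificateFile does not begin with a CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in pem_labels(key_pem)):
        problems.append("SSLCertificateKeyFile contains no PRIVATE KEY block")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        print(label, lint_config(cfg) or "ok")
    print("pem roles", check_pem_roles(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY) or "ok")
```

Run it against a real `httpd -t`-clean configuration by reading the vhost files into `lint_config`, then feed the actual PEM files to `check_pem_roles`; a cert/key mismatch that passes both checks is best confirmed with `openssl x509 -noout -pubkey` on the cert and `openssl pkey -pubout` on the key and comparing the two outputs.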