Apache server broken after certificate revoked

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is (include version): Apache

The operating system my web server runs on is (include version): DEBIAN

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I created a certificate for one of the websites in this server: admin.esiconta.com

It didn’t work properly, so I tried to revoke and delete it. After that… Apache is down. I have this in the Apache error log:

[Fri Jan 18 09:47:30.203762 2019] [ssl:emerg] [pid 7065] AH02572: Failed to configure at least one certificate and key for admin.esiconta.com:443
[Fri Jan 18 09:47:30.203791 2019] [ssl:emerg] [pid 7065] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 09:47:30.203817 2019] [ssl:emerg] [pid 7065] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 09:47:30.203831 2019] [ssl:emerg] [pid 7065] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

Hi @esija

Deleting / revoking certificates if the private key isn't compromised is always a bad idea.

So remove your complete https configuration and start anew with an http config.


Thank you so much for your fast reply. My company app is down and I'm really worried about this.

How can I do this? I mean, the web service is totally down.

What do I have to “delete” or “purge” for this to work again?


You have a vHost with port 443. There are links to the certificate. But the certificate doesn't exist, because you have deleted it.

So remove this vHost (and perhaps the standard 443 vHost).

Do you mean from “/etc/apache2/sites-enabled/admin.esiconta.com”?

OK, I will delete:

<VirtualHost *:443>

	DocumentRoot /var/www/admin.esiconta.com/web

	ServerName admin.esiconta.com
	ServerAdmin webmaster@admin.esiconta.com

	ErrorLog /var/log/ispconfig/httpd/admin.esiconta.com/error.log

	Alias /error/ "/var/www/admin.esiconta.com/web/error/"
	ErrorDocument 400 /error/400.html
	ErrorDocument 401 /error/401.html
	ErrorDocument 403 /error/403.html
	ErrorDocument 404 /error/404.html
	ErrorDocument 405 /error/405.html
	ErrorDocument 500 /error/500.html
	ErrorDocument 502 /error/502.html
	ErrorDocument 503 /error/503.html

	<IfModule mod_ssl.c>
		SSLEngine on
		SSLProtocol All -SSLv2 -SSLv3
		# SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
		SSLHonorCipherOrder     on
		# <IfModule mod_headers.c>
		# Header always add Strict-Transport-Security "max-age=15768000"
		# </IfModule>
		SSLCertificateFile /var/www/clients/client1/web8/ssl/admin.esiconta.com-le.crt
		SSLCertificateKeyFile /var/www/clients/client1/web8/ssl/admin.esiconta.com-le.key
		SSLCertificateChainFile /var/www/clients/client1/web8/ssl/admin.esiconta.com-le.bundle
		SSLUseStapling on
		SSLStaplingResponderTimeout 5
		SSLStaplingReturnResponderErrors off
	</IfModule>

	<Directory /var/www/admin.esiconta.com/web>
		# Clear PHP settings of this website
		<FilesMatch ".+\.ph(p[345]?|t|tml)$">
			SetHandler None
		</FilesMatch>
		Options +FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
	<Directory /var/www/clients/client1/web8/web>
		# Clear PHP settings of this website
		<FilesMatch ".+\.ph(p[345]?|t|tml)$">
			SetHandler None
		</FilesMatch>
		Options +FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>

	# suexec enabled
	<IfModule mod_suexec.c>
		SuexecUserGroup web8 client1
	</IfModule>
	# php as fast-cgi enabled
	# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
	<IfModule mod_fcgid.c>
		FcgidIdleTimeout 300
		FcgidProcessLifeTime 3600
		# FcgidMaxProcesses 1000
		FcgidMaxRequestsPerProcess 5000
		FcgidMinProcessesPerClass 0
		FcgidMaxProcessesPerClass 10
		FcgidConnectTimeout 3
		FcgidIOTimeout 600
		FcgidBusyTimeout 3600
		FcgidMaxRequestLen 1073741824
	</IfModule>
	<Directory /var/www/admin.esiconta.com/web>
		<FilesMatch "\.php[345]?$">
			SetHandler fcgid-script
		</FilesMatch>
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php3
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php4
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php5
		Options +ExecCGI
		AllowOverride All
		Require all granted
	</Directory>
	<Directory /var/www/clients/client1/web8/web>
		<FilesMatch "\.php[345]?$">
			SetHandler fcgid-script
		</FilesMatch>
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php3
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php4
		FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php5
		Options +ExecCGI
		AllowOverride All
		Require all granted
	</Directory>

	# add support for apache mpm_itk
	<IfModule mpm_itk_module>
		AssignUserId web8 client1
	</IfModule>

	<IfModule mod_dav_fs.c>
		# Do not execute PHP files in webdav directory
		<Directory /var/www/clients/client1/web8/webdav>
			<ifModule mod_security2.c>
				SecRuleRemoveById 960015
				SecRuleRemoveById 960032
			</ifModule>
			<FilesMatch "\.ph(p3?|tml)$">
				SetHandler None
			</FilesMatch>
		</Directory>
		DavLockDB /var/www/clients/client1/web8/tmp/DavLock
		# DO NOT REMOVE THE COMMENTS!
		# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
		# WEBDAV BEGIN
		# WEBDAV END
	</IfModule>

Still not working… it's like port 80 is blocked. I don't have ping to the server.

Yep, your http is blocked ( admin.esiconta.com - Make your website better - DNS, redirects, mixed content, certificates )

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://admin.esiconta.com/ 37.187.144.223 | -2 | | 1.086 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.187.144.223:80 | | | | |
| https://admin.esiconta.com/ 37.187.144.223 | -2 | | 1.070 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.187.144.223:443 | | | | |
| http://admin.esiconta.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 37.187.144.223 | -2 | | 1.076 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.187.144.223:80 | | | | |

Your http port 80 must be open to use http validation.

I still have this in the Apache error.log

[Fri Jan 18 13:16:54.815858 2019] [ssl:warn] [pid 18718] AH01906: ns3111216.ip-37-187-144.eu:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:16:54.817134 2019] [ssl:warn] [pid 18718] AH01906: ns3111216.ip-37-187-144.eu:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:16:54.817351 2019] [ssl:emerg] [pid 18718] AH02572: Failed to configure at least one certificate and key for admin.esiconta.com:443
[Fri Jan 18 13:16:54.817368 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:16:54.817376 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:16:54.817386 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Jan 18 13:16:54.817390 2019] [ssl:emerg] [pid 18718] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed

Then you have a second vHost with port 443. Make a backup and remove this second vHost. Perhaps you have to remove a "listen 443" - directive.

Where can I have this second vHost?

How can I remove the listen 443?

Sorry, I'm not an expert. You are my saviour!!!

Check your main Apache config file. I'm not so firm with Debian, but if you have a config

/etc/apache2/sites-enabled/admin.esiconta.com

then /etc/apache2 is your start.
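An added example, not written by any poster in this thread: one way to find every vHost under the config directory that still points at a deleted or unreadable certificate file, which is what the AH02572 / "no start line" messages above indicate. The function name `check_tls_files` and its status labels are made up for this sketch; it assumes absolute paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread. Lists every active SSLCertificate*
# directive under an Apache config tree and checks the file it points to.
# Assumes absolute paths without spaces (surrounding double quotes are stripped).

# check_tls_files CONF_DIR
# Output, one line per directive: STATUS <tab> file:line <tab> directive <tab> path
# STATUS is OK, MISSING (no file or dangling symlink), EMPTY, or NOPEM.
# Returns 0 when every referenced file is OK, 1 otherwise.
check_tls_files() {
    conf_dir=$1
    rc=0
    # -R follows symlinks (sites-enabled entries usually are symlinks); -i because
    # Apache directive names are case-insensitive; commented-out lines do not match.
    hits=$(grep -RHinE \
        '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' \
        "$conf_dir" 2>/dev/null) || true
    while IFS=: read -r file line text; do
        [ -n "$file" ] || continue
        directive=$(printf '%s\n' "$text" | awk '{print $1}')
        path=$(printf '%s\n' "$text" | awk '{print $2}')
        path=${path#\"}; path=${path%\"}
        if [ ! -e "$path" ]; then
            status=MISSING
        elif [ ! -s "$path" ]; then
            status=EMPTY
        elif ! grep -q -e '-----BEGIN ' "$path"; then
            status=NOPEM      # what OpenSSL reports as "no start line"
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s\t%s:%s\t%s\t%s\n' "$status" "$file" "$line" "$directive" "$path"
    done <<EOF
$hits
EOF
    return $rc
}

# Typical call on Debian, as root so key files are readable:
#   check_tls_files /etc/apache2
```

Every line not marked OK names the config file and line number to fix or disable before restarting Apache; `apache2ctl configtest` then confirms the result without taking the running sites down.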

I have found one “Listen 443” in the ports.conf. But if I delete this, all the SSL won’t work, right?

This is the content of the file:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

Listen 443 Listen 443

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

NameVirtualHost *:80

NameVirtualHost *:443

If you don't have a certificate (valid or invalid), then 443 can't work.

Yes but I have 3 websites…

2 are running valid certificates and 1 is running its “missing one”.

Then change the links of your incorrect config to one of the working certificates.

So Apache has correct files instead of these messages:

[Fri Jan 18 13:16:54.817368 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?

I tried, but still the same errors… Even restarting the apache2 service:

[Fri Jan 18 13:52:39.699043 2019] [ssl:warn] [pid 2957] AH01906: ns3111216.ip-37-187-144.eu:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:52:39.724450 2019] [ssl:warn] [pid 2957] AH01906: ns3111216.ip-37-187-144.eu:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:52:39.724957 2019] [ssl:emerg] [pid 2957] AH02572: Failed to configure at least one certificate and key for admin.esiconta.com:443
[Fri Jan 18 13:52:39.724999 2019] [ssl:emerg] [pid 2957] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:52:39.725017 2019] [ssl:emerg] [pid 2957] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:52:39.725040 2019] [ssl:emerg] [pid 2957] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Jan 18 13:52:39.725049 2019] [ssl:emerg] [pid 2957] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed

Any clue of what to try?

Since your situation is “urgent”…
Try DNS validation (manually, if needed).

Thank you very much for your answer, but as I said, I'm not an expert.

Could you please be more technically specific?