Apache SSLCertificateFile error: Does not exist or is empty

I have Apache 2.4.20 running on Ubuntu 14.04. I’ve already installed the certificates and it’s working fine.

The problem is that when I use apachectl configtest an error would appear:

SSLCertificateFile: file '/etc/letsencrypt/live/www.example.com/fullchain.pem' not exist or is empty.

Fact: The file is there in that directory.
Fact 2: I installed letsencrypt using ./letsencrypt-auto --apache -d www.example.com

And when I reload or restart Apache it would run with no errors and the website is accessible using the letsencrypt certificate.

Any ideas on what’s going on and how do I fix this?

Thanks.

EDIT: How I installed this… Maybe I did something here?

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

cd /opt/letsencrypt

./letsencrypt-auto --apache -d www.example.com

EDIT_2 Addition to my setup since this is really getting confusing.

  1. I have 3 certificates installed from letsencrypt. All on different domains and were generated individually.

  2. The problem I believe is not on the particular certificate but somewhere on the setup? Please help me out… Because when I removed www.example.com from the enabled websites and did another apachectl configtest, the same “file does not exist or is empty” error appears, but this time for the other domains (like site2.example.com).

EDIT_3
/etc/letsencrypt/live has 0700 permission and the rest inside it has 0755. I’ve tried changing 0700 to 0755 to no avail. Owner and group are root:root.

That path should be /etc/letsencrypt/live/www.example.com/fullchain.pem (note the leading slash), or was that a copy & paste issue?

It would be odd if the client did that - any chance the value was (accidentally) changed by something else?


My mistake. It was a typo. Edited my original post already. Path is ‘/etc/letsencrypt/live/www.example.com/fullchain.pem’. I’ve checked it already, it’s there. The setup was AUTO, I didn’t touch anything.

'/etc/letsencrypt/live/www.example.com/fullchain.pem' is also a link from /etc/letsencrypt/archive/www.example.com. But again, the setup was done with AUTO.

Did you check the contents of that file? You could try to see if openssl is able to parse the file using openssl x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem.


I did as you mentioned and openssl returned the following errors:

Error opening Certificate /etc/letsencrypt/live/www.example.com/fullchain.pem
139774254929568:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem.','r')
139774254929568:error:2007402:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

That’s a bit confusing given that you said the file exists. Can you confirm using cat /etc/letsencrypt/live/www.example.com/fullchain.pem? It should look like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The server responded when I did sudo cat /etc/letsencrypt/live/www.example.com/fullchain.pem

I can see 2 chains.

That is very, very odd. To summarize:

  • openssl x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem yields “No such file or directory”
  • sudo cat on the same file shows what appears to be a valid certificate

Can you try the openssl command with sudo as well? A permission problem should trigger a “Permission denied” error instead of “No such file or directory”, but since that’s the only difference between those commands, I’m curious.


I did openssl again with sudo and generated the same errors.

I also edited main post again to include a diagnostic scenario. I think the issue here is not on the specific fullchain.pem file since if I a2dissite www.example.com, the error would again appear for other sites using letsencrypt.

The odd thing here is that sudo service apache2 reload works even if apachectl configtest shows the error. And the websites are shown with no problems. Green padlock and all. I can even check it with SSL Labs.

I finally got it to work. The issue was permissions. The problem was that I was working on the permissions of /etc/letsencrypt/live and missing the fact that it was just a link from /etc/letsencrypt/archive. If I had to change permission, it should be there at the archive directory.

After changing the permission of /etc/letsencrypt/archive to 0755, I was already getting Syntax OK from apachectl configtest and openssl was already able to read the file.

I hope this post gets to the dev. team. Is this normal behavior? The steps I took to set up letsencrypt are mentioned in the original post, including how I got the certificates, which was done Auto. I believe that something done in Auto should work fine. I don’t know if my user credentials had something to do with the permission issue. I installed letsencrypt using a non-root user and I did sudo.

I also got this running at Server Fault. Also marked as answered there.

More power to Let’s Encrypt!

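The resolution above hinges on a detail that is easy to miss: the files under /etc/letsencrypt/live are symlinks into /etc/letsencrypt/archive, so a mode change on "live" leaves the directory that actually gates access untouched. The following diagnostic is an added example, not code from this thread or from the Let’s Encrypt client. It resolves the symlink chain and walks every component of the real path, flagging any directory that lacks search (x) permission for "other" and any file that lacks read permission for "other", which is what an unprivileged reader would hit (a root process is not subject to these mode bits). It assumes GNU coreutils (readlink -f, stat -c %a); the build_demo_tree helper constructs a miniature copy of the live/archive layout with a placeholder file, not a real certificate, so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Let's Encrypt client.
# Assumes GNU coreutils (readlink -f, stat -c %a).

# check_cert_path PATH
# Resolve symlinks, then walk each component of the real path and print one
# line per component that "other" cannot traverse (directory without o+x) or
# read (file without o+r). Returns 0 if nothing was flagged, 1 if something
# was, 2 if the path does not resolve to an existing file.
check_cert_path() {
    resolved=$(readlink -f -- "$1") || return 2
    [ -e "$resolved" ] || { echo "does not resolve: $1 -> $resolved"; return 2; }
    rc=0
    cur=""
    rest="${resolved#/}"
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
        cur="$cur/$part"
        mode=$(stat -c %a -- "$cur")
        other=$(( mode % 10 ))   # last octal digit = permission bits for "other"
        if [ -d "$cur" ]; then
            if [ $(( other & 1 )) -eq 0 ]; then
                echo "no search (x) permission for other on directory $cur (mode $mode)"
                rc=1
            fi
        elif [ $(( other & 4 )) -eq 0 ]; then
            echo "no read permission for other on file $cur (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# build_demo_tree BASE
# Construct a miniature copy of the client's layout under BASE (constructed
# sample data, not a real certificate):
#   BASE/archive/www.example.com/fullchain1.pem            real file, 0644
#   BASE/live/www.example.com/fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
# BASE/archive is left at 0700, the state the thread ends up diagnosing.
build_demo_tree() {
    base=$1
    mkdir -p "$base/archive/www.example.com" "$base/live/www.example.com"
    chmod 755 "$base" "$base/live" "$base/live/www.example.com" "$base/archive/www.example.com"
    chmod 700 "$base/archive"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-not-a-real-cert' '-----END CERTIFICATE-----' \
        > "$base/archive/www.example.com/fullchain1.pem"
    chmod 644 "$base/archive/www.example.com/fullchain1.pem"
    ln -s ../../archive/www.example.com/fullchain1.pem "$base/live/www.example.com/fullchain.pem"
}

# demo: show the diagnosis before and after fixing the archive directory.
demo() {
    base=$(mktemp -d)
    build_demo_tree "$base"
    link="$base/live/www.example.com/fullchain.pem"
    echo "== before: archive is 0700 =="
    check_cert_path "$link" || echo "(flagged, exit $?)"
    chmod 755 "$base/archive"
    echo "== after: archive is 0755 =="
    check_cert_path "$link" && echo "(clean)"
    rm -rf "$base"
}

# Run the demo only when invoked as: sh check_cert_path.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In the thread's scenario the path to hand to check_cert_path is /etc/letsencrypt/live/www.example.com/fullchain.pem; the flagged component would be /etc/letsencrypt/archive rather than anything under live, which is exactly the mismatch the original poster describes.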

Hi @jarvis, we haven't seen this before. I wonder if it has to do with root's umask value somehow? Supposedly the client will choose permissions explicitly for everything it creates, but I wonder if there are some cases in which we fail to specify them and then they get taken from root's default umask value.

