Apache weird configuration problem with path to fullchain.pem


#1

I tried checking which Apache modules are loaded on my Linux server, and the server responded that there was an error in my ssl.conf file:

[ec2-user@ip-172-31-28-49 ~]$ httpd -M
AH00526: Syntax error on line 103 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem' does not exist or is empty

But I can see that this file does exist on the server and it’s not empty (my SSL is working just fine). Anybody know what the problem might be here? Thanks.


#2

Are you certainly certain nothing has happened to it?

sudo ls -l /etc/letsencrypt/live/test.swansislandcompany.com/
sudo head -1 /etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem

Perhaps systemd or SELinux or somesuch is preventing Apache from accessing /etc/letsencrypt/? If so, there might be something in the system logs?


#3

What is at "line 103 of /etc/httpd/conf.d/ssl.conf"?
Or just upload the whole file here.


#4

Thanks for your reply. Here’s what I got when I ran those two commands:

[ec2-user@ip-172-31-24-190 ~]$ sudo ls -l /etc/letsencrypt/live/test.swansislandcompany.com/
total 4
lrwxrwxrwx 1 root root 51 Mar 8 17:26 cert.pem -> ../../archive/test.swansislandcompany.com/cert1.pem
lrwxrwxrwx 1 root root 52 Mar 8 17:26 chain.pem -> ../../archive/test.swansislandcompany.com/chain1.pem
lrwxrwxrwx 1 root root 56 Mar 8 17:26 fullchain.pem -> ../../archive/test.swansislandcompany.com/fullchain1.pem
lrwxrwxrwx 1 root root 54 Mar 8 17:26 privkey.pem -> ../../archive/test.swansislandcompany.com/privkey1.pem
-rw-r--r-- 1 root root 543 Mar 8 17:26 README
[ec2-user@ip-172-31-24-190 ~]$ sudo head -1 /etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem
-----BEGIN CERTIFICATE-----

The SSL seems to be working fine. I can restart Apache with no errors. Is this even something I need to worry about? I just want to know exactly what’s going on with my server…


#5

rg305, line 103 in ssl.conf just points to the SSL Certificate file. It’s at the end of this block of text:

#Point SSLCertificateFile at a PEM encoded certificate. If
#the certificate is encrypted, then you will be prompted for a
#pass phrase. Note that restarting httpd will prompt again. Keep
#in mind that if you have both an RSA and a DSA certificate you
#can configure both in parallel (to also allow the use of DSA
#ciphers, etc.)
#Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#require an ECC certificate which can also be configured in
#parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem


#6

Ah…

What happens if you run “sudo httpd -M”? Or log in as root and run “httpd -M”?

Your regular user shouldn’t have permission to access Certbot’s files, so Apache could produce strange errors. I didn’t expect that error, but…


#7

Yes, “sudo httpd -M” gives the list of Apache modules. So the server wasn’t reporting an error in my configuration? It was just that the ec2-user doesn’t have permission to access that file? I’ll scratch this “problem” off my list–thanks!

But–am I correct in ssl.conf to comment out the SSLCertificateFile pointing at localhost.crt and replace it with the line pointing to fullchain.pem?
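
The cause identified in this thread (an unprivileged user cannot get into Certbot's directories, so httpd reports the certificate as "does not exist or is empty") can be pinned to a specific path component. The sketch below is an added example, not part of any post and not Apache or Certbot code; the function names, the `base` parameter and the 0700 mode used in the demo are assumptions, and it evaluates classic mode bits only (no ACLs or SELinux).

```python
import os

def _allowed(st, uid, gids, want):
    """Classic Unix mode-bit check; ignores ACLs, SELinux and capabilities."""
    if uid == 0:
        return True  # root bypasses directory-search and file-read checks
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group triplet
    else:
        bits = st.st_mode           # "other" triplet
    return (bits & want) == want

def first_denied(path, uid, gids=(), base=os.sep):
    """Return (component, reason) for the first part of `path` below `base`
    that `uid` cannot pass, or None if the mode bits allow reading the file.
    Both the literal path and its symlink target are walked."""
    real = os.path.realpath(path)  # follows live/ -> ../../archive/ symlinks
    for target in dict.fromkeys((os.path.abspath(path), real)):
        current = base
        for name in os.path.relpath(os.path.dirname(target), base).split(os.sep):
            current = os.path.join(current, name)
            if not os.path.isdir(current):
                return current, "missing directory"
            if not _allowed(os.stat(current), uid, gids, 0o1):
                return current, "no search (x) permission"
    if not os.path.isfile(real):
        return real, "missing file"
    if not _allowed(os.stat(real), uid, gids, 0o4):
        return real, "no read (r) permission"
    return None

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for /etc/letsencrypt (hypothetical domain name).
    base = os.path.realpath(tempfile.mkdtemp())
    for d in ("live/example.test", "archive/example.test"):
        os.makedirs(os.path.join(base, d))
    open(os.path.join(base, "archive/example.test/fullchain1.pem"), "w").close()
    os.symlink("../../archive/example.test/fullchain1.pem",
               os.path.join(base, "live/example.test/fullchain.pem"))
    os.chmod(os.path.join(base, "live"), 0o700)  # assumed owner-only mode
    pem = os.path.join(base, "live/example.test/fullchain.pem")
    print(first_denied(pem, os.getuid() + 1, base=base))  # a uid that is not the owner
```

Run it as root against the real path, passing the uid of the account that hit the error; a non-root caller cannot stat() past the blocking directory and will get "missing directory" instead of the permission reason.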

