Apache weird configuration problem with path to fullchain.pem

I tried checking which Apache modules are loaded on my Linux server, and the server responded that there was an error in my ssl.conf file:

[ec2-user@ip-172-31-28-49 ~]$ httpd -M
AH00526: Syntax error on line 103 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem' does not exist or is empty

But I can see that this file does exist on the server and it’s not empty (my SSL is working just fine). Anybody know what the problem might be here? Thanks.

Are you certainly certain nothing has happened to it?

sudo ls -l /etc/letsencrypt/live/test.swansislandcompany.com/
sudo head -1 /etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem

Perhaps systemd or SELinux or somesuch is preventing Apache from accessing /etc/letsencrypt/? If so, there might be something in the system logs?

What is at:
"line 103 of /etc/httpd/conf.d/ssl.conf"
or just upload the whole file here

Thanks for your reply. Here's what I got when I ran those two commands:

[ec2-user@ip-172-31-24-190 ~]$ sudo ls -l /etc/letsencrypt/live/test.swansislandcompany.com/
total 4
lrwxrwxrwx 1 root root 51 Mar 8 17:26 cert.pem -> ../../archive/test.swansislandcompany.com/cert1.pem
lrwxrwxrwx 1 root root 52 Mar 8 17:26 chain.pem -> ../../archive/test.swansislandcompany.com/chain1.pem
lrwxrwxrwx 1 root root 56 Mar 8 17:26 fullchain.pem -> ../../archive/test.swansislandcompany.com/fullchain1.pem
lrwxrwxrwx 1 root root 54 Mar 8 17:26 privkey.pem -> ../../archive/test.swansislandcompany.com/privkey1.pem
-rw-r--r-- 1 root root 543 Mar 8 17:26 README
[ec2-user@ip-172-31-24-190 ~]$ sudo head -1 /etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem
-----BEGIN CERTIFICATE-----

The SSL seems to be working fine. I can restart Apache with no errors. Is this even something I need to worry about? I just want to know exactly what's going on with my server...

rg305, line 103 in ssl.conf just points to the SSL Certificate file. It's at the end of this block of text:

#Point SSLCertificateFile at a PEM encoded certificate. If
#the certificate is encrypted, then you will be prompted for a
#pass phrase. Note that restarting httpd will prompt again. Keep
#in mind that if you have both an RSA and a DSA certificate you
#can configure both in parallel (to also allow the use of DSA
#ciphers, etc.)
#Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#require an ECC certificate which can also be configured in
#parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem

Ah…

What happens if you run “sudo httpd -M”? Or log in as root and run “httpd -M”?

Your regular user shouldn’t have permission to access Certbot’s files, so Apache could produce strange errors. I didn’t expect that error, but…

Yes, “sudo httpd -M” gives the list of Apache modules. So the server wasn’t reporting an error in my configuration? It was just that the ec2-user doesn’t have permission to access that file? I’ll scratch this “problem” off my list–thanks!

But–am I correct in ssl.conf to comment out the SSLCertificateFile pointing at localhost.crt and replace it with the line pointing to fullchain.pem?
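The distinction this thread arrived at (a file that is missing or empty versus one the invoking user cannot reach) can be checked directly. The following is an added example, not part of any post above; the function name `diagnose_cert_path` and its status words are hypothetical, and it assumes an absolute path.

```sh
#!/bin/sh
# Added example (not from the thread): explain why the *current* user cannot
# load a certificate file. Assumes an absolute path. Prints one status word:
#   ok | missing:<path> | no-access:<dir> | link-unreachable | no-read | empty | not-pem
diagnose_cert_path() (
    target=$1
    walk=""
    IFS=/      # split the parent directory into components (subshell-local)
    set -f     # no glob expansion while splitting
    dir=$(dirname "$target")
    for part in $dir; do
        [ -n "$part" ] || continue
        walk="$walk/$part"
        if [ ! -d "$walk" ]; then echo "missing:$walk"; return 0; fi
        # Without search (x) permission on a directory, everything below it
        # looks absent to this user, which httpd reports as
        # "does not exist or is empty".
        if [ ! -x "$walk" ]; then echo "no-access:$walk"; return 0; fi
    done
    if [ ! -e "$target" ]; then
        # A symlink we can see whose target we cannot reach (live/ -> archive/).
        if [ -L "$target" ]; then echo "link-unreachable"; else echo "missing:$target"; fi
        return 0
    fi
    [ -r "$target" ] || { echo "no-read"; return 0; }
    [ -s "$target" ] || { echo "empty"; return 0; }
    IFS= read -r first < "$target" || true
    case $first in
        "-----BEGIN "*) echo "ok" ;;
        *) echo "not-pem" ;;
    esac
)

# Usage: sh diagnose.sh /etc/letsencrypt/live/<name>/fullchain.pem
if [ $# -gt 0 ]; then diagnose_cert_path "$1"; fi
```

Run it as the same user that ran `httpd -M`. Root bypasses these permission checks, so under `sudo` a `no-access` result turns into `ok`.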
