Apache won't start when using letsencrypt certs


I am setting up a website that uses the WP Encrypt plugin for WordPress to generate Letsencrypt certs in Apache 2.4.6 on Linux. The plugin is working and it generates two files:

When I configure apache to use these two files with the lines:
SSLCertificateFile /pathtowebroot/letsencrypt/live/account/public.pem
SSLCertificateKeyFile /pathtowebroot/letsencrypt/live/account/private.pem

Apache will no longer start. The Apache error logs show:
[Thu Sep 13 12:34:30.457260 2018] [ssl:emerg] [pid 26858] AH02241: Init: Unable to read server certificate from file /pathtowebroot/letsencrypt/live/account/public.pem
[Thu Sep 13 12:34:30.457310 2018] [ssl:emerg] [pid 26858] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Sep 13 12:34:30.457325 2018] [ssl:emerg] [pid 26858] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
[Thu Sep 13 12:34:30.457333 2018] [ssl:emerg] [pid 26858] AH02312: Fatal error initialising mod_ssl, exiting.

I have tried copying the two pem files to other directories like /etc/pki/certs/… and double check permissions and still getting the same errors.
I’ve tried looking around for this problem and haven’t been able to find a solution. Hoping somebody has seen this or knows what we can try.
Thanks for the help.


Hi @devais,

Can you show us the output of something like this?

ls -l /pathtowebroot/letsencrypt/live/account


Sure thing. Here’s what we have:
-rw-r–r--. 1 apache apache 3268 Sep 10 09:46 private.pem
-rw-r–r--. 1 apache apache 800 Sep 10 09:46 public.pem


Wait, why are you pointing Apache to your account keys? You should be using the certificates generated, usually something like /etc/letsencrypt/live/domain.com/fullchain.pem and /etc/letsencrypt/live/domain.com/privkey.pem


Ah, I did not know that is what those files were. I thought they were the actual certs. I will have to look in to this further then, must be something wrong with the plugin afterall as it is not creating the “domain.com” directory.


Also, I’m pretty sure having private keys under the webroot with apache as user, so the webserver can access them is a bad idea. Even with .htaccess files I don’t think it’s smart…