Apache won't start when using letsencrypt certs

devais · September 13, 2018, 4:43pm

Hello:
I am setting up a website that uses the WP Encrypt plugin for WordPress to generate Letsencrypt certs in Apache 2.4.6 on Linux. The plugin is working and it generates two files:
/pathtowebroot/letsencrypt/live/account/public.pem
/pathtowebroot/letsencrypt/live/account/private.pem

When I configure apache to use these two files with the lines:
SSLCertificateFile /pathtowebroot/letsencrypt/live/account/public.pem
SSLCertificateKeyFile /pathtowebroot/letsencrypt/live/account/private.pem

Apache will no longer start. The Apache error logs show:
[Thu Sep 13 12:34:30.457260 2018] [ssl:emerg] [pid 26858] AH02241: Init: Unable to read server certificate from file /pathtowebroot/letsencrypt/live/account/public.pem
[Thu Sep 13 12:34:30.457310 2018] [ssl:emerg] [pid 26858] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Sep 13 12:34:30.457325 2018] [ssl:emerg] [pid 26858] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
[Thu Sep 13 12:34:30.457333 2018] [ssl:emerg] [pid 26858] AH02312: Fatal error initialising mod_ssl, exiting.

I have tried copying the two pem files to other directories like /etc/pki/certs/… and double check permissions and still getting the same errors.
I’ve tried looking around for this problem and haven’t been able to find a solution. Hoping somebody has seen this or knows what we can try.
Thanks for the help.

schoen · September 13, 2018, 4:49pm

Hi @devais,

Can you show us the output of something like this?

ls -l /pathtowebroot/letsencrypt/live/account

devais · September 13, 2018, 4:51pm

Sure thing. Here’s what we have:
-rw-r–r--. 1 apache apache 3268 Sep 10 09:46 private.pem
-rw-r–r--. 1 apache apache 800 Sep 10 09:46 public.pem

jared.m · September 13, 2018, 5:13pm

Wait, why are you pointing Apache to your account keys? You should be using the certificates generated, usually something like /etc/letsencrypt/live/domain.com/fullchain.pem and /etc/letsencrypt/live/domain.com/privkey.pem

devais · September 13, 2018, 6:46pm

Ah, I did not know that is what those files were. I thought they were the actual certs. I will have to look in to this further then, must be something wrong with the plugin afterall as it is not creating the “domain.com” directory.

Osiris · September 13, 2018, 8:26pm

Also, I’m pretty sure having private keys under the webroot with apache as user, so the webserver can access them is a bad idea. Even with .htaccess files I don’t think it’s smart…

system · October 13, 2018, 8:26pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Please help, configuration failure Help	9	1461	May 7, 2021
Apache can not start after cert Server	5	4039	March 31, 2018
Help with Ubuntu 16.04 Apache and LetsEncrypt set up Server	16	8711	August 15, 2016
Httpd not running after installation Server	3	2242	August 30, 2016
Letsencrypt Bitnami Wordpress intermediate/chain cert missing Help	6	2701	March 11, 2017

Apache won't start when using letsencrypt certs

Related topics