Apache won't start when using letsencrypt certs


#1

Hello:
I am setting up a website that uses the WP Encrypt plugin for WordPress to generate Letsencrypt certs in Apache 2.4.6 on Linux. The plugin is working and it generates two files:
/pathtowebroot/letsencrypt/live/account/public.pem
/pathtowebroot/letsencrypt/live/account/private.pem

When I configure apache to use these two files with the lines:
SSLCertificateFile /pathtowebroot/letsencrypt/live/account/public.pem
SSLCertificateKeyFile /pathtowebroot/letsencrypt/live/account/private.pem

Apache will no longer start. The Apache error logs show:
[Thu Sep 13 12:34:30.457260 2018] [ssl:emerg] [pid 26858] AH02241: Init: Unable to read server certificate from file /pathtowebroot/letsencrypt/live/account/public.pem
[Thu Sep 13 12:34:30.457310 2018] [ssl:emerg] [pid 26858] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Sep 13 12:34:30.457325 2018] [ssl:emerg] [pid 26858] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
[Thu Sep 13 12:34:30.457333 2018] [ssl:emerg] [pid 26858] AH02312: Fatal error initialising mod_ssl, exiting.

I have tried copying the two pem files to other directories like /etc/pki/certs/… and double-checked permissions, and I am still getting the same errors.
I’ve tried looking around for this problem and haven’t been able to find a solution. Hoping somebody has seen this or knows what we can try.
Thanks for the help.


#2

Hi @devais,

Can you show us the output of something like this?

ls -l /pathtowebroot/letsencrypt/live/account


#3

Sure thing. Here’s what we have:
-rw-r--r--. 1 apache apache 3268 Sep 10 09:46 private.pem
-rw-r--r--. 1 apache apache 800 Sep 10 09:46 public.pem


#4

Wait, why are you pointing Apache to your account keys? You should be using the certificates generated, usually something like /etc/letsencrypt/live/domain.com/fullchain.pem and /etc/letsencrypt/live/domain.com/privkey.pem.
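An added check (not from the thread) that tells a public/account key apart from a certificate before Apache is pointed at a file, and that accounts for the "wrong tag" error in #1: a PEM public key and an X.509 certificate both start with an ASN.1 SEQUENCE, but the certificate's inner SEQUENCE begins with a version or serial number while a key's begins with an algorithm OID. The sample inputs are constructed minimal DER, not real keys or certificates.

```python
"""Classify PEM files before pointing SSLCertificateFile / SSLCertificateKeyFile at them.
Added example, stdlib only: checks the PEM label and the outer ASN.1 shape."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY"}


def _tlv(buf, pos=0):
    """Return (tag, header_size) of the DER element at pos, handling long-form lengths."""
    first = buf[pos + 1]
    return buf[pos], 2 + (first & 0x7F if first >= 0x80 else 0)


def looks_like_x509(der):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, BIT STRING }; the
    tbsCertificate starts with [0] version or INTEGER serial. A SubjectPublicKeyInfo's inner
    SEQUENCE starts with an OID instead, which OpenSSL reports as 'wrong tag'."""
    try:
        tag, hdr = _tlv(der)
        inner_tag, inner_hdr = _tlv(der, hdr)
        return tag == 0x30 and inner_tag == 0x30 and der[hdr + inner_hdr] in (0xA0, 0x02)
    except IndexError:
        return False


def classify_pem(text):
    """Return one verdict per PEM block found in text."""
    verdicts = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        if label in PRIVATE_LABELS:
            verdicts.append("private key")
        elif label in PUBLIC_LABELS:
            verdicts.append("public key only (not a certificate)")
        elif label == "CERTIFICATE":
            verdicts.append("certificate" if looks_like_x509(der) else "CERTIFICATE label but not X.509 DER")
        else:
            verdicts.append("unrecognised label " + label)
    return verdicts


def _der(tag, content):  # DER TLV for contents under 128 bytes; only used to build the constructed samples
    return bytes([tag, len(content)]) + content


def pem(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)


# Constructed, deliberately minimal DER: not real keys or certificates.
RSA_OID = _der(0x06, bytes.fromhex("2A864886F70D010101"))
SPKI_DER = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00"))
CERT_DER = _der(0x30, _der(0x30, _der(0x02, b"\x01")) + _der(0x30, RSA_OID) + _der(0x03, b"\x00"))
```

Run it as `classify_pem(open("public.pem").read())` on the files from #1; an 800-byte file reported as "public key only" is the account key, not something to hand to SSLCertificateFile.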


#5

Ah, I did not know that is what those files were. I thought they were the actual certs. I will have to look into this further then; there must be something wrong with the plugin after all, as it is not creating the “domain.com” directory.


#6

Also, I’m pretty sure having private keys under the webroot, owned by the apache user so the webserver can access them, is a bad idea. Even with .htaccess files I don’t think it’s smart…