Can't start apache on OSX


I’ve generated a certificate using Let's Encrypt on OSX (Sierra) with the openssl that is on that OS.
I’m trying to run an httpd 2.4 install from Homebrew rather than the default one, linked with openssl 1.0.2j, but I can’t get it to start.

When I turn on the apache logs I see

    [Fri Oct 07 00:30:06.482740 2016] [ssl:debug] [pid 40841] ssl_engine_init.c(949): AH01904: Configuring server certificate chain (1 CA certificate)
    [Fri Oct 07 00:30:06.482746 2016] [ssl:debug] [pid 40841] ssl_engine_init.c(412): AH01893: Configuring TLS extension handling
    [Fri Oct 07 00:30:06.482884 2016] [ssl:error] [pid 40841] AH02566: Unable to retrieve certificate my host:443

before the server stops. Any ideas? Could it be issues with the version of openssl and the certificate?


I have never seen this “Unable to retrieve certificate” message before but it’s part of the Apache SSL config stuff. I expect it’s probably some sort of typo in your configuration files. If you can’t see anything wrong with them, you could post them for others to critique.


I found where in the Apache source code the error is generated, in ssl_engine_init.c:

    /*
     * workaround for those OpenSSL versions where SSL_CTX_get0_certificate
     * is not yet available: create an SSL struct which we dispose of
     * as soon as we no longer need access to the cert. (Strictly speaking,
     * SSL_CTX_get0_certificate does not depend on the SSL_CONF stuff,
     * but there's no reliable way to check for its existence, so we
     * assume that if SSL_CONF is available, it's OpenSSL 1.0.2 or later,
     * and SSL_CTX_get0_certificate is implemented.)
     */
    #ifdef HAVE_SSL_CONF_CMD
    if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) {
    #else
    ssl = SSL_new(mctx->ssl_ctx);
    if (ssl) {
        /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */
        cert = SSL_get_certificate(ssl);
    }
    if (!ssl || !cert) {
    #endif
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566)
                     "Unable to retrieve certificate %s", key_id);

but I have no idea why it gets there! Ideas? I’m linking to openssl 1.0.2j
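
Added example, not part of the thread or of Apache's code: the quoted mod_ssl excerpt logs AH02566 when no certificate can be read back from the SSL context, and the reply suggests a configuration mistake, so this pre-flight check scans a config for the mod_ssl certificate directives and verifies that each referenced file exists and holds the expected kind of PEM block. The vhost, file names and temp paths in `demo()` are constructed, and the label test is a heuristic that does not parse the certificates or keys.

```python
import re
import tempfile
from pathlib import Path

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# mod_ssl directive -> heuristic on the PEM block labels found in its file
EXPECTED = {
    "SSLCertificateFile": lambda ls: ls[:1] == ["CERTIFICATE"],
    "SSLCertificateKeyFile": lambda ls: any(l.endswith("PRIVATE KEY") for l in ls),
    "SSLCertificateChainFile": lambda ls: bool(ls) and set(ls) == {"CERTIFICATE"},
}

def pem_labels(path):
    """Return the PEM block labels in file order, or None if unreadable."""
    try:
        return PEM_LABEL.findall(Path(path).read_text(errors="replace"))
    except OSError:
        return None

def check_ssl_directives(conf_text, server_root="/"):
    """Return (line_no, directive, problem); relative paths use server_root."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split(None, 1)
        name = next((k for k in EXPECTED if parts and k.lower() == parts[0].lower()), None)
        if name is None or len(parts) != 2:
            continue
        labels = pem_labels(Path(server_root, parts[1].strip().strip('"')))
        if labels is None:
            findings.append((no, name, "file missing or unreadable"))
        elif not EXPECTED[name](labels):
            findings.append((no, name, f"unexpected PEM blocks: {labels}"))
    return findings

def demo():
    """Constructed vhost: cert path points at the key, key path is missing."""
    with tempfile.TemporaryDirectory() as d:
        pem = "-----BEGIN {0}-----\n(constructed)\n-----END {0}-----\n"
        Path(d, "chain.pem").write_text(pem.format("CERTIFICATE"))
        Path(d, "privkey.pem").write_text(pem.format("PRIVATE KEY"))
        conf = ("<VirtualHost *:443>\n"
                f'  SSLCertificateFile "{d}/privkey.pem"\n'
                f'  SSLCertificateKeyFile "{d}/key.pem"\n'
                f'  SSLCertificateChainFile "{d}/chain.pem"\n'
                "</VirtualHost>\n")
        return check_ssl_directives(conf)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To run it against a real configuration, pass the file's text and the ServerRoot to `check_ssl_directives`; files pulled in through `Include` are not followed.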

