Cert.pem' does not exist or is empty - Action 'configtest' failed

After backing up my site on Ubuntu, Apache and a LAMP stack, nginx was running when I didn’t install it. I stopped nginx and restarted Apache, and this is the message I’m getting:

/etc/init.d/apache2 restart
* Restarting web server apache2 [fail] 
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.signa.com/cert.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.

/etc/letsencrypt/live/www.signa.com/cert.pem
is not empty; there is a certificate inside, I’ve just verified.

Any non-standard apache config changes you made to apache? What’s the output of ls -l /etc/letsencrypt/live/www.signa.com/ and openssl x509 -in /etc/letsencrypt/live/www.signa.com/cert.pem -noout -text?

Is this what you mean?

$ ls -l 
total 47032
-rwxrwxr-x 1 user user    44115 Jun 16 15:15 certbot-auto
-rw-rw-r-- 1 user user       0 Jul  6 09:46 example.com.key
-rw-r--r-- 1 root  root         1 Jun 29 11:15 signa.com.conf
-rw-rw-r-- 1 user user     1139 Jul  6 09:48 signa.com.csr
-rw-rw-r-- 1 user user     1704 Jul  6 09:48 signa.com.key
-rw-r--r-- 1 user user 48089803 Jun 30 03:02 signa.sql
drwxr-xr-x 5 user user     4096 Jun 29 10:25 wordpress
-rw------- 1 user user     1675 Jul  1 04:15 x
-rw-r--r-- 1 user user      396 Jul  1 04:15 x.pub
user@server:~$ /etc/letsencrypt/live/www.signa.com/ and openssl x509 -in 
-bash: /etc/letsencrypt/live/www.signa.com/: Permission denied
user@server:~$ /etc/letsencrypt/live/www.signa.com/cert.pem -noout -text
-bash: /etc/letsencrypt/live/www.signa.com/cert.pem: Permission denied

There are two commands:

ls -l /etc/letsencrypt/live/www.signa.com/

and

openssl x509 -in /etc/letsencrypt/live/www.signa.com/cert.pem -noout -text

If the latter results in a “Permission denied” error, try prefixing the command with sudo.

$ sudo ls -l /etc/letsencrypt/live/www.signa.com/
total 0
lrwxrwxrwx 1 root root 37 Jul  6 09:58 cert.pem -> ../../archive/www.signa.com/cert1.pem
lrwxrwxrwx 1 root root 38 Jul  6 09:58 chain.pem -> ../../archive/www.signa.com/chain1.pem
lrwxrwxrwx 1 root root 42 Jul  6 09:58 fullchain.pem -> ../../archive/www.signa.com/fullchain1.pem
lrwxrwxrwx 1 root root 40 Jul  6 09:58 privkey.pem -> ../../archive/www.signa.com/privkey1.pem
$ sudo openssl x509 -in /etc/letsencrypt/live/www.signa.com/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ***(serial number)***
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jul  6 12:58:00 2016 GMT
            Not After : Oct  4 12:58:00 2016 GMT
        Subject: CN=www.signa.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ***(key)***

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                F4:4B:*** (key) ***
            X509v3 Authority Key Identifier: 
                keyid:A8:4A*** (key) ***

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:signa.com, DNS:www.signa.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
        *** (key) ***

I don’t see any obvious issues. Is there anything interesting in your apache error log (i.e. a more detailed error message)?

yes, I’ve got this error in file: /var/log/apache2/error.log.1

[Sun Jul 24 06:29:41.944613 2016] [mpm_prefork:notice] [pid 11543] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

That doesn’t look like it’s related and wouldn’t prevent apache from starting.

Not sure what’s going on here, sorry. Anything worth mentioning regarding your apache configuration? Did you make any changes to how apache starts, for example, changing it from the default of starting as root and then dropping privileges? What’s the output of:

ls -l /etc/letsencrypt/archive/www.signa.com/

Oh man, headaches. I'm so new to all this

sudo su
root@signa-01:/home/clint# ls -l /etc/letsencrypt/archive/www.signa.com/
total 16
-rw-r--r-- 1 root root 1805 Jul 6 09:58 cert1.pem
-rw-r--r-- 1 root root 1647 Jul 6 09:58 chain1.pem
-rw-r--r-- 1 root root 3452 Jul 6 09:58 fullchain1.pem
-rw-r--r-- 1 root root 1708 Jul 6 09:58 privkey1.pem

sudo ls -lah /etc/letsencrypt/live/www.signa.com/
total 8.0K
drwxr-xr-x 2 root root 4.0K Jul  6 09:58 .
drwx------ 3 root root 4.0K Jul  6 09:58 ..
lrwxrwxrwx 1 root root   37 Jul  6 09:58 cert.pem -> ../../archive/www.signa.com/cert1.pem
lrwxrwxrwx 1 root root   38 Jul  6 09:58 chain.pem -> ../../archive/www.signa.com/chain1.pem
lrwxrwxrwx 1 root root   42 Jul  6 09:58 fullchain.pem -> ../../archive/www.signa.com/fullchain1.pem
lrwxrwxrwx 1 root root   40 Jul  6 09:58 privkey.pem -> ../../archive/www.signa.com/privkey1.pem

sudo su

root@signa-01:/home/clint# cd /etc/letsencrypt/live/www.signa.com/
root@signa-01:/etc/letsencrypt/live/www.signa.com# ls -l ../../archive/www.signa.com/ 
total 16
-rw-r--r-- 1 root root 1805 Jul  6 09:58 cert1.pem
-rw-r--r-- 1 root root 1647 Jul  6 09:58 chain1.pem
-rw-r--r-- 1 root root 3452 Jul  6 09:58 fullchain1.pem
-rw-r--r-- 1 root root 1708 Jul  6 09:58 privkey1.pem

Just to eliminate some possibilities, try this:

cp /etc/letsencrypt/live/www.signa.com/cert.pem /any/other/path/cert.pem
chmod 0777 /any/other/path/cert.pem

This just copies the certificate to some other path (anything would work, somewhere in /etc/apache2 or /home/youruser) and then changes the permissions for that file to be readable by anyone (which is fine, as this is your certificate, which any visitor to your site would see. The stuff you need to keep private is in privkey.pem, which we’re not touching. If anyone ever tells you to chmod 0777 your private key, run. :smile:)

Then change the SSLCertificateFile path in /etc/apache2/sites-enabled/default-ssl.conf to /any/other/path/cert.pem and try restarting apache again. If the error changes or goes away, we’re probably looking at some kind of permission problem.

pfg, I’ve figured it out. I wasn’t restarting apache as sudo; once I did that, everything reset just fine. So now I know.

Thank you so much for your help! I really appreciate it!
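
The `ls -lah` listing earlier in the thread shows the parent directory /etc/letsencrypt/live as `drwx------` owned by root, so a non-root user cannot traverse it, which fits configtest failing until it was run with sudo. As an added example (not part of the original thread), this sh script walks each component of a certificate path and reports the first one that blocks a user outside the owner and group; the function names `walk` and `diagnose` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root (sudo) so every component
# can be inspected. Models a user who is neither owner nor group member, so
# only the "other" permission bits count; ACLs are not considered.

# walk ABSOLUTE_PATH: print the first component that blocks such a user.
walk() {
    cur=""
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                      # split the path on "/"
    set +f; IFS=$old_ifs
    n=$#; i=0
    for part in "$@"; do
        i=$((i + 1))
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -e "$cur" ] || { echo "missing: $cur"; return 1; }
        mode=$(ls -ldL "$cur" | cut -c1-10)   # -L: mode of a symlink's target
        if [ "$i" -lt "$n" ]; then
            # Directory on the way: needs search (x) permission for "other".
            case $mode in
                *[xt]) ;;
                *) echo "no-traverse: $cur ($mode)"; return 1 ;;
            esac
        else
            # The file itself: needs read (r) permission for "other".
            case $mode in
                ???????r??) ;;
                *) echo "no-read: $cur ($mode)"; return 1 ;;
            esac
        fi
    done
}

# diagnose FILE: check the path as written, then the resolved symlink target.
diagnose() {
    case $1 in /*) p=$1 ;; *) p=$PWD/$1 ;; esac
    walk "$p" || return 1
    real=$(readlink -f "$p")
    [ "$real" = "$p" ] || walk "$real" || return 1
    echo "ok: $p"
}

# Example: sudo sh check.sh /etc/letsencrypt/live/www.signa.com/cert.pem
[ $# -eq 0 ] || diagnose "$1"
```

Apache reads the certificate as root at startup before dropping privileges, so a `no-traverse` result here points to running the restart with sudo rather than to loosening the directory modes.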
