Fullchain.pem failed on lighttpd



All was going well right up until I tried to get my site with https://
Everything, including the LetsEncrypt set up, looked like it was successful.
My site was (and still is) fine with just http://

NOTE: I first started looking into this online on the lighttpd forum, but still haven’t found my way through this issue, but it looks like a LetsEncrypt issue at the moment.
lighttpd Forum Post Link: https://redmine.lighttpd.net/boards/2/topics/9370

After setting up LetsEncrypt, I am supposed to add some code (below) to the lighttpd configuration file to read the LetsEncrypt files. After doing that, I try to re-start lighttpd, and fail.

Fail when re-starting lighttpd error:

$ sudo systemctl restart lighttpd
Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.

Code for lighttpd confg file:

server.modules += ("mod_openssl")
$SERVER["socket"] == "My Public IP:443" {
    ssl.engine = "enable" 
    ssl.privkey= "/etc/letsencrypt/live/website.com/privkey.pem" 
    ssl.pemfile= "/etc/letsencrypt/live/website.com/fullchain.pem" 
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # (recommended to accept only TLSv1.2 and TLSv1.3)

Looking into error logs etc, the one that brings me some defined results is, what lighttpd call, a preFlight check

$ sudo lighttpd -f /etc/lighttpd/lighttpd.conf -tt
2020-09-16 18:32:35: (mod_openssl.c.471) SSL: BIO_read_filename('/etc/letsencrypt/live/website.com/fullchain.pem') failed
2020-09-16 18:32:35: (server.c.1207) Initialization of plugins failed. Going down.

When I check journelctl, I get:

So, lets look at fullchain.pem, as that looks like the item that is failing:

Looking in /etc/letsencrypt/live/website.com/:

lrwxrwxrwx 1 root root 38 Sep 16 12:16 fullchain.pem -> ../../archive/website.com/fullchain1.pem
lrwxrwxrwx 1 root root 36 Sep 16 12:16 privkey.pem -> ../../archive/website.com/privkey1.pem

Yes, the file does exist, and the permissions are as open as can be, and the same as the other key.

So, I followed the links to /etc/letsencrypt/live/archive/website.com/:

-rw-r--r-- 1 root root 1416 Sep 16 12:16 cert1.pem.gz
-rw-r--r-- 1 root root 1206 Sep 16 12:16 chain1.pem.gz
-rw-r--r-- 1 root root 2439 Sep 16 12:16 fullchain1.pem.gz
-rw------- 1 root root 1343 Sep 16 12:16 privkey1.pem.gz

Do these LetsEncrypt directories and file look right? I have nothing to base them on.

Permissions of the failing file are actully greater than the file that (I assume) is being read ok (privkey1.pem).

Does anyone have any suggestions that I could try?

I don’t know how this happened, but Certbot didn’t do it. They are not meant to be gzipped. There’s no code that could result in that happening.

Everything else looks fine.

OK thanks _az.
Question, is the a simple way to remove the certbot stuff and re-run it for a cert? Do, I simply recursively remove the letsencrypt directory and start again, or is that too straightforward?


You could first try gunzipping the files and seeing whether that fixes it for you.

You could also delete the certificate, which will remove the relevant files and directories:

certbot delete --cert-name example.com

Blowing away /etc/letsencrypt is certainly an option, but this (and the previous) option runs the danger of running into rate limits. I’d try something less drastic first.

OK, thanks for that.
I will play and get back to you - hopefully with a nice working web server.

OK, we appear to have success :smiley:

I just uncompressed the files, and we have a working web server.

# /etc/letsencrypt/archive/stderr.me# gunzip privkey1.pem.gz fullchain1.pem.gz chain1.pem.gz cert1.pem.gz 
# ls
cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem

Thank you for your help @_az

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.