Fullchain.pem: missing, empty, or okay?!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gibhenry.com

I ran this command: certbot certificates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: gibhenry.com-0001
Domains: gibhenry.com
Expiry Date: 2020-07-04 18:46:28+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/gibhenry.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gibhenry.com-0001/privkey.pem
Certificate Name: gibhenry.com
Domains: gibhenry.com www.gibhenry.com
Expiry Date: 2020-07-03 22:46:25+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/gibhenry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gibhenry.com/privkey.pem

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): MacOS 10.15.3 Catalina

My hosting provider, if applicable, is: [self-hosted]

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

I can surf to the site using http, and it redirects to https. And it passes the test at SSL Labs with a big green A. All well and good! However, apachectl (by itself) tells me

AH00112: Warning: DocumentRoot [/usr/docs/dummy-host.example.com] does not exist
AH00112: Warning: DocumentRoot [/usr/docs/dummy-host2.example.com] does not exist
AH00526: Syntax error on line 553 of /private/etc/apache2/httpd.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/gibhenry.com/fullchain.pem’ does not exist or is empty

And in fact, line 553 says

SSLCertificateFile /etc/letsencrypt/live/gibhenry.com/fullchain.pem

Listing that directory produces

lrwxr-xr-x  1 root  wheel   36 Apr  4 18:46 cert.pem -> ../../archive/gibhenry.com/cert1.pem
lrwxr-xr-x  1 root  wheel   37 Apr  4 18:46 chain.pem -> ../../archive/gibhenry.com/chain1.pem
lrwxr-xr-x  1 root  wheel   41 Apr  4 18:46 fullchain.pem -> ../../archive/gibhenry.com/fullchain1.pem
lrwxr-xr-x  1 root  wheel   39 Apr  4 18:46 privkey.pem -> ../../archive/gibhenry.com/privkey1.pem

So, who’s lying? Or is everything hunky-dory?


a basic test would be try to output the certificate content.
Please try the following commands:
openssl x509 -text -noout -in /etc/letsencrypt/live/gibhenry.com/fullchain.pem
cat /etc/letsencrypt/live/gibhenry.com/fullchain.pem

See if those commands had any meaningful outputs.

P.S. Why do you create two sets of certificate, with one include www one does not?

Thank you

Is it possible that you’re running apachectl as a regular user rather than as root with sudo?

This could be a confusing way for the Apache software to tell you that it’s not currently being run with enough permissions to read the certificate files from disk.

1 Like

Well, you’re both right!

First, stevenzhu’s two commands worked (when prefixed by sudo).

And that led me to suspect that the second would work, too…and it did, thank you guys very much!! It’s magic, that sudo!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.