Httpd -M says fullchain.pem does not exist or is empty

After successful installation in CentOS8, is it normal for httpd -M to show this error?

AH00526: Syntax error on line 13 of /etc/httpd/conf.d/mydomain.com-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/mydomain.com/fullchain.pem' does not exist or is empty

The conf file has these 3 lines inserted by certbot:

SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

ls of the cert & key locations:

$ sudo ls -al /etc/letsencrypt/live/mydomain.com
total 4
drwxr-xr-x 2 root root  93 Feb 24 11:24 .
drwx------ 3 root root  40 Feb 21 13:47 ..
lrwxrwxrwx 1 root root  36 Feb 21 13:47 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx 1 root root  37 Feb 21 13:47 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root  41 Feb 21 13:47 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root  39 Feb 21 13:47 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 21 13:47 README

$ sudo ls -al /etc/letsencrypt/archive/mydomain.com
total 16
drwxr-xr-x 2 root root   83 Feb 21 13:47 .
drwx------ 3 root root   26 Feb 21 13:47 ..
-rw-r--r-- 1 root root 1903 Feb 21 13:47 cert1.pem
-rw-r--r-- 1 root root 1647 Feb 21 13:47 chain1.pem
-rw-r--r-- 1 root root 3550 Feb 21 13:47 fullchain1.pem
-rw------- 1 root root 1704 Feb 21 13:47 privkey1.pem

Also, should apache have read permission to privkey1.pem?

1 Like

No, stay away from the archive folder.
[privkey# only exists in the archive folder]

This is correct:

2 Likes

Did you run httpd -M as root?

2 Likes

Well, httpd -M just calls the functions, but anytime you try to make calls in Apache it does a -t to check syntax, which is why you get the message.

Hmm… Not seeing any reason why it would be inaccessible. Your permissions are correct for the private key. Do a getenforce and see if SELinux is set to enforce mode. If it is, set it to permissive (setenforce 0). Then do httpd -t to see if you still get the error. If you don’t, then it’s more than likely missing a required file context. You can see those with ls -Z.

I would suggest setting it back once you confirm. setenforce 1

3 Likes

Oof. Didn’t think about that one. Then again, it’s force of habit for me to be elevated to root when setting up apache config. If you’re not root or using sudo, your syntax checks will fail on Cert files.

2 Likes

Thank you rg305 and ZetaRevan!
It was due to running without root privileges!
Running sudo httpd -M gave the list of modules as expected!

1 Like
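
The listings in the question show `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` as `drwx------ root`, which is why a non-root `httpd -M` reports the file as missing or empty. The script below is an added example, not part of the original posts: the helper name `diagnose_cert_path` is hypothetical, it expects an absolute path, and it reports which path component stops the current user.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). diagnose_cert_path is a hypothetical
# helper: it reports why the *current user* cannot use a certificate path.
# Prints one verdict: ok / missing / blocked / unreadable / empty / loop.
diagnose_cert_path() {
    local path="$1" depth="${2:-0}" rest part current="" target
    if [ "$depth" -gt 8 ]; then echo "loop:$path"; return 1; fi

    # Walk the parent directories top-down. A directory without search (x)
    # permission hides everything beneath it, so files inside look absent.
    rest=$(dirname "$path"); rest=${rest#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ ! -e "$current" ]; then echo "missing:$current"; return 1; fi
        if [ ! -x "$current" ]; then echo "blocked:$current"; return 1; fi
    done

    # A symlink whose target cannot be reached (as in live/ -> archive/):
    # diagnose the target path instead.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        target=$(readlink "$path")
        case $target in /*) ;; *) target="$(dirname "$path")/$target" ;; esac
        diagnose_cert_path "$target" $((depth + 1))
        return
    fi

    if [ ! -e "$path" ]; then echo "missing:$path"; return 1; fi
    if [ ! -r "$path" ]; then echo "unreadable:$path"; return 1; fi
    if [ ! -s "$path" ]; then echo "empty:$path"; return 1; fi
    echo "ok:$path"
}

# Usage: ./diagnose.sh /etc/letsencrypt/live/mydomain.com/fullchain.pem
if [ "$#" -gt 0 ]; then diagnose_cert_path "$1"; fi
```

Run it once as the unprivileged user and once with sudo; a `blocked:` verdict only in the unprivileged run points at directory permissions rather than a broken certificate.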
