Openssl verify error on full chain

My domain is lmat.gun.vn

I ran openssl verify fullchain.pem; I’m not exactly experienced with openssl; is this the right test to be performing? Should I expect this test to succeed?

It produced this output: error 20 at 0 depth lookup: unable to get local issuer certificate

I ran /usr/bin/httpd -k start -DFOREGROUND

It produced this in the logs: “SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?”

My web server is (include version): Apache httpd 2.4.39

The operating system my web server runs on is (include version): Arch Linux (latest)

I can login to a root shell on my machine.

The version of my certbot client is 0.34.2

My openssl version is 1.1.1.

Hello
I’m not sure that openssl verify is intended to be run against a file agglomerating Ca files and certificate. Try to split the fullchain file in 2 files, the web certificate and the ca certificate and run
openssl verify -CAfile ca.pem webcert.pem

Thank you for the tip. That worked fine. That leaves me with the remaining question of my apache httpd error. Any clues about that?

I am sure that no one will be able to provide you with a clue until you fill something like the standard error reporting form :-). Until then there is not much to go on.

I think I did. What information am I lacking?

Take a look at

for a recent post using the predefined fields of a formatted issue report

That's what I used:

I ran /usr/bin/httpd -k start -DFOREGROUND

It produced this in the logs: “SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?”

I mean...I smoothed out the english a bit, but I think all the information is there.

Hi @lmat

what’s the content of your config file?

Your domain is invisible, http doesn’t work, same with https.

Right, the web server isn’t up. There are two errors:

SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format

SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format

I found my configuration file and its contents are:

# renew_before_expiry = 30 days
version = 0.34.2
archive_dir = /etc/letsencrypt/archive/lmat.gun.vn
cert = /etc/letsencrypt/live/lmat.gun.vn/cert.pem
privkey = /etc/letsencrypt/live/lmat.gun.vn/privkey.pem
chain = /etc/letsencrypt/live/lmat.gun.vn/chain.pem
fullchain = /etc/letsencrypt/live/lmat.gun.vn/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ...redacted...
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

That's the Certbot configuration file, not the config file of your webserver.

Oh, that configuration file looks like this:

ServerRoot "/etc/httpd"
Listen 80
Listen 443

LoadModule authz_core_module modules/mod_authz_core.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule rewrite_module modules/mod_rewrite.so

User http
Group http
ServerAdmin lmat@gmail.com
ServerName lmat.gun.vn
DocumentRoot "/srv/http"

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/srv/http">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName lmat.gun.vn
    Redirect permanent / https://lmat.gun.vn/
</VirtualHost>
<VirtualHost *:80>
    ServerName hebrew.gun.vn
    Redirect permanent / https://hebrew.gun.vn/
</VirtualHost>
<VirtualHost *:443>
    ServerName lmat.gun.vn
    ProxyPassMatch "/google.*" !
    ProxyPassMatch "/robots.txt" !
    ProxyPass "/blog/" "http://bloghtml/blog/"
    ProxyPass "/blog" "http://bloghtml/blog"
    ProxyPass "/fileserver/" "http://fileserver/fileserver/"
    ProxyPass "/fileserver" "http://fileserver/fileserver"
    ProxyPass "/speedline-test/websocket/" "ws://speedline-test:11200/speedline-test/websocket/"
    ProxyPass "/speedline-test/websocket" "ws://speedline-test:11200/speedline-test/websocket"
    ProxyPass "/speedline-test/" "http://speedline-test/speedline-test/"
    ProxyPass "/speedline-test" "http://speedline-test/speedline-test"
    RequestHeader edit Origin ^https http
    RewriteEngine On
    RewriteRule /speedlines/websocket   ws://speedlines:11200/speedlines/websocket/ [P,L]
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://speedlines/$1 [P,L]
    ProxyPass "/speedlines/" "http://speedlines/speedlines/"
    ProxyPass "/speedlines" "http://speedlines/speedlines"
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    SSLEngine on
    SSLCertificateFile "/certs/live/lmat.gun.vn/fullchain.pem"
    SSLCertificateKeyFile "/certs/live/lmat.gun.vn/privkey.pem"
</VirtualHost>
<VirtualHost *:443>
    ProxyPassMatch "/google.*" !
    ProxyPassMatch "/robots.txt" !
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName hebrew.gun.vn
    ProxyPassMatch "/google.*" !
    ProxyPassMatch "/robots.txt" !
    ProxyPass "/" "http://flashcard/"
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    SSLEngine on
    SSLCertificateFile "/certs/live/hebrew.gun.vn/fullchain.pem"
    SSLCertificateKeyFile "/certs/live/hebrew.gun.vn/privkey.pem"
</VirtualHost>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog /dev/stderr
TransferLog /dev/stdout
LogLevel notice

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog /dev/stdout common
</IfModule>

This

is another location then that

Oh yes; it’s on a different machine. I run certbot on a machine that puts certificates into /etc/letsencrypt/live… ,but they’re mounted into the httpd machine (a docker container) at /certs. I have verified that the certs are mounted and accessed properly. When they are not mounted properly, the error is “SSLCertificateFile: file ‘/certs/live/lmat.gun.vn/fullchain.pem’ does not exist or is empty”

Then define these parameters.

Okay, I’ll get to work on that. As I mentioned, this is a docker container; it hasn’t changed since June, so I was hoping there was a simple explanation from letsencrypt (some difference in the way certificates are updated or something).

I’ll do more research and figure out what these error messages are requesting and how to fulfill their demands. Thank you very much for your time!

https://grokbase.com/t/apache/users/144aqrv01k/httpd-2-4-9-expecting-dh-parameters

Turns out my problem was in the fourth VirtualHost block: I was missing

SSLCertificateFile “/certs/live/lmat.gun.vn/fullchain.pem”
SSLCertificateKeyFile “/certs/live/lmat.gun.vn/privkey.pem”

directives. (That VirtualHost wasn’t doing anything, so I just removed it.) Thanks a ton for your help with troubleshooting!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.