SSL Library Error: ... SSL_CTX_check_private_key:no certificate assigned

Hi

I have set up an Ubuntu instance on Google Cloud Platform. My LAMP stack is configured and running. Multiple non-SSL vhosts are configured and operate without any problem.

I have three domains that I am trying to configure into four vhosts to be utilized within a single WordPress MU installation. The hostnames are as follows:

wpmu.aldisa.ca – this is the primary WP MU website
aldisa.ca – a subdomain
myinvestorvisa.com – a subdomain
wynn.ae – a subdomain

I initially had Certbot issue three separate certificates as follows:

aldisa.ca, www.aldisa.ca, wpmu.aldisa.ca
myinvestorvisa.com, www.myinvestorvisa.com
wynn.ae, www.wynn.ae

I was able to use manual verification to issue the certificates, as these websites are currently running at a different hosting provider and I am trying to migrate them to GCP.

I initially set up three separate .conf files, one for each domain group, using the base domain for ServerName and the other domain(s) as ServerAliases. All three virtual hosts point to the same root directory since they will be served from a single WP MU installation.

When I tried to restart the server, it failed, and the Apache error log contained the following:

[Fri Nov 17 06:36:20.168301 2017] [ssl:emerg] [pid 19821] AH02572: Failed to configure at least one certificate and key for aldisa.ca:443
[Fri Nov 17 06:36:20.168373 2017] [ssl:emerg] [pid 19821] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Nov 17 06:36:20.168377 2017] [ssl:emerg] [pid 19821] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

I saw that the error references the bare aldisa.ca domain. So I revoked and deleted the single aldisa.ca certificate, which also contained both the www.aldisa.ca and wpmu.aldisa.ca subdomains. I issued a new certificate for just wpmu.aldisa.ca, and I revised the virtual host configuration so that it now only contains wpmu.aldisa.ca and changed the SSL file references to the new path. Strangely, I am getting the same error message for aldisa.ca. This domain is not referenced in any of the virtual host conf files. If I disable the wpmu.aldisa.ca virtual host, then Apache restarts with no errors with the other two SSL domains/certificates active.

I have tried many different things to figure this out, but have reached a dead end. Please help – let me know what debug logs or info would be helpful to post if my description is vague in any way.

Thanks in advance for your help.

grep -ri aldisa.ca /your/conf/folder

My Apache conf folder is /etc/apache2, but the conf files also include files from the letsencrypt folder. So I grepped the entire /etc folder:

sudo grep -ri aldisa.ca /etc
/etc/letsencrypt/renewal/wpmu.aldisa.ca.conf:archive_dir = /etc/letsencrypt/archive/wpmu.aldisa.ca
/etc/letsencrypt/renewal/wpmu.aldisa.ca.conf:cert = /etc/letsencrypt/live/wpmu.aldisa.ca/cert.pem
/etc/letsencrypt/renewal/wpmu.aldisa.ca.conf:privkey = /etc/letsencrypt/live/wpmu.aldisa.ca/privkey.pem
/etc/letsencrypt/renewal/wpmu.aldisa.ca.conf:chain = /etc/letsencrypt/live/wpmu.aldisa.ca/chain.pem
/etc/letsencrypt/renewal/wpmu.aldisa.ca.conf:fullchain = /etc/letsencrypt/live/wpmu.aldisa.ca/fullchain.pem
/etc/apache2/sites-available/001-aldisa_ca.conf: ServerName aldisa.ca
/etc/apache2/sites-available/001-aldisa_ca.conf: ServerAlias www.aldisa.ca
/etc/apache2/sites-available/001-aldisa_ca.conf: ServerAdmin www@aldisa.ca
/etc/apache2/sites-available/000-default-ssl.conf: ServerName wpmu.aldisa.ca
/etc/apache2/sites-available/000-default-ssl.conf: ServerAdmin www@aldisa.ca
/etc/apache2/sites-available/000-default-ssl.conf: SSLCertificateFile /etc/letsencrypt/live/wpmu.aldisa.ca/fullchain.pem
/etc/apache2/sites-available/000-default-ssl.conf: SSLCertificateKeyFile /etc/letsencrypt/live/wpmu.aldisa.ca/privkey.pem
/etc/apache2/sites-available/001-aldisa_ca-ssl.conf: ServerName aldisa.ca
/etc/apache2/sites-available/001-aldisa_ca-ssl.conf: ServerAlias www.aldisa.ca
/etc/apache2/sites-available/001-aldisa_ca-ssl.conf: ServerAdmin www@aldisa.ca
/etc/apache2/sites-available/001-aldisa_ca-ssl.conf: SSLCertificateFile /etc/letsencrypt/live/aldisa.ca/fullchain.pem
/etc/apache2/sites-available/001-aldisa_ca-ssl.conf: SSLCertificateKeyFile /etc/letsencrypt/live/aldisa.ca/privkey.pem
/etc/apache2/sites-available/000-default.conf: ServerName aldisa.ca
/etc/apache2/sites-available/000-default.conf: ServerAlias www.aldisa.ca wpmu.aldisa.ca
/etc/apache2/sites-available/000-default.conf: ServerAdmin www@aldisa.ca
/etc/apache2/apache2.conf:ServerName wpmu.aldisa.ca

The Ubuntu Apache2 package uses the /etc/apache2/sites-available and /etc/apache2/sites-enabled folders to manage its virtual hosts. So, to be able to review the above, here are both folder listings:

ll /etc/apache2/sites-available/
total 40
drwxr-xr-x 2 root root 4096 Nov 17 06:23 ./
drwxr-xr-x 8 root root 4096 Nov 17 06:27 ../
-rw-r--r-- 1 root root  441 Nov 17 06:19 000-default-ssl.conf
-rw-r--r-- 1 root root  263 Nov 17 06:04 000-default.conf
-rw-r--r-- 1 root root  417 Nov 17 05:37 001-aldisa_ca-ssl.conf
-rw-r--r-- 1 root root  247 Nov 17 05:45 001-aldisa_ca.conf
-rw-r--r-- 1 root root  478 Nov 17 05:39 002-myinvestorvisa_com-ssl.conf
-rw-r--r-- 1 root root  290 Nov 17 05:45 002-myinvestorvisa_com.conf
-rw-r--r-- 1 root root  403 Nov 17 05:40 003-wynn_ae-ssl.conf
-rw-r--r-- 1 root root  237 Nov 17 05:45 003-wynn_ae.conf

ll /etc/apache2/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 Nov 17 06:36 ./
drwxr-xr-x 8 root root 4096 Nov 17 06:27 ../
lrwxrwxrwx 1 root root   35 Nov 15 05:35 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   50 Nov 17 06:24 002-myinvestorvisa_com-ssl.conf -> ../sites-available/002-myinvestorvisa_com-ssl.conf
lrwxrwxrwx 1 root root   46 Nov 17 05:48 002-myinvestorvisa_com.conf -> ../sites-available/002-myinvestorvisa_com.conf
lrwxrwxrwx 1 root root   39 Nov 17 06:23 003-wynn_ae-ssl.conf -> ../sites-available/003-wynn_ae-ssl.conf
lrwxrwxrwx 1 root root   35 Nov 17 05:48 003-wynn_ae.conf -> ../sites-available/003-wynn_ae.conf

Currently the 000-default-ssl.conf file is not enabled because it is the one that generates the error.

Here is the output of certbot certificates:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: wynn.ae
    Domains: wynn.ae www.wynn.ae
    Expiry Date: 2018-02-15 04:26:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/wynn.ae/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wynn.ae/privkey.pem
  Certificate Name: wpmu.aldisa.ca
    Domains: wpmu.aldisa.ca
    Expiry Date: 2018-02-15 05:27:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/wpmu.aldisa.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wpmu.aldisa.ca/privkey.pem
  Certificate Name: myinvestorvisa.com
    Domains: myinvestorvisa.com www.myinvestorvisa.com
    Expiry Date: 2018-02-15 04:23:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/myinvestorvisa.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/myinvestorvisa.com/privkey.pem
-------------------------------------------------------------------------------

I have been able to fix the problem, but I don’t understand why the problem was occurring.

I was including the /etc/letsencrypt/options-ssl-apache.conf file only once, and it was within the <IfModule mod_ssl.c> block but outside the <VirtualHost *:443> block where the default wpmu.aldisa.ca host is defined. I had done this with the idea that the directives in that options file were only required once and not every vhost definition. Apparently not. By moving this include directive into each vhost definition, the error I was receiving has gone away.

Here is the options-ssl-apache.conf file:

$ cat /etc/letsencrypt/options-ssl-apache.conf 
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

What I don’t understand is why putting this outside the vhost block was generating that specific error, i.e. an SSL certificate file not found error for a domain that was not referenced in the .conf files.

Anyway, that is more curiosity than anything else, since my server is now operating properly with SSL enabled for all four vhost definitions.
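The following is an added example and is not code from this thread, from Apache or from Certbot. It demonstrates the configuration-context problem described in the first post and resolved in the post above: mod_ssl directives placed in the global server context are inherited by every <VirtualHost> that does not set them itself, so an "SSLEngine on" included outside the vhost blocks also switches SSL on for the plain <VirtualHost *:80> whose ServerName is aldisa.ca. That vhost then has SSL enabled but no certificate, which is consistent with the AH02572 message naming aldisa.ca even though no enabled SSL vhost referenced that name. The script flattens a config tree by splicing Include / IncludeOptional targets in place, so an included options-ssl-apache.conf is attributed to the context of the Include line rather than to its own file, then reports a global SSLEngine and any SSL-enabled vhost lacking SSLCertificateFile. The check_pair function covers the other reason SSL_CTX_check_private_key fails, a private key that does not belong to the certificate. The /etc/apache2 and /etc/letsencrypt paths in the usage comment are assumptions taken from the listings above.

```sh
#!/bin/sh
# Added example, not from the thread: a context checker for Apache mod_ssl
# directives. Paths in the usage comment at the bottom are assumptions.

# expand_config FILE SERVERROOT
#   Emits "file<TAB>lineno<TAB>text" for every config line, splicing
#   Include / IncludeOptional targets in place the way httpd does (globs are
#   expanded, a directory contributes every regular file in it, a missing
#   target is skipped). Recursion runs in a subshell so loop state survives.
expand_config() {
    file=$1; root=$2; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f                        # keep "*.conf" literal while splitting
        set -- $line
        set +f
        case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        include|includeoptional)
            target=$2
            case "$target" in /*) ;; *) target="$root/$target" ;; esac
            for f in $target; do      # unquoted on purpose: glob expansion
                if [ -d "$f" ]; then
                    for g in "$f"/*; do
                        [ -f "$g" ] && ( expand_config "$g" "$root" )
                    done
                elif [ -f "$f" ]; then
                    ( expand_config "$f" "$root" )
                fi
            done
            ;;
        *)
            printf '%s\t%s\t%s\n' "$file" "$n" "$line"
            ;;
        esac
    done < "$file"
}

# ssl_lint MAINCONF SERVERROOT
#   Reports "SSLEngine on" in the global server context (inherited by every
#   <VirtualHost> that does not set SSLEngine itself) and every SSL-enabled
#   vhost with no SSLCertificateFile, the state mod_ssl rejects with AH02572.
#   Exit status 1 if anything is reported. <IfModule>/<IfDefine> are not
#   evaluated; their contents are treated as always active.
ssl_lint() {
    expand_config "$1" "$2" | awk -F '\t' '
    {
        file = $1; ln = $2
        text = $0; sub(/^[^\t]*\t[^\t]*\t/, "", text)   # text after 2nd tab
        sub(/^[ \t]+/, "", text)
        if (text == "" || text ~ /^#/) next
        split(text, w, /[ \t]+/)
        d = tolower(w[1]); a = tolower(w[2])
        if (d ~ /^<virtualhost/) {                   # e.g. <VirtualHost *:443>
            n++; addr = text
            sub(/^<[^ \t]+[ \t]*/, "", addr); sub(/>.*/, "", addr)
            vfile[n] = file; vline[n] = ln; vaddr[n] = addr; in_vh = 1
        } else if (d ~ /^<\/virtualhost/) {
            in_vh = 0
        } else if (in_vh) {
            if (d == "servername")              vname[n] = w[2]
            else if (d == "sslengine")          vengine[n] = a
            else if (d == "sslcertificatefile") vcert[n] = 1
        } else if (d == "sslengine") {               # global server context
            gengine = a; gfile = file; gline = ln
        }
    }
    END {
        bad = 0
        if (gengine == "on") {
            printf "%s:%d: SSLEngine on in the global server context\n", gfile, gline
            bad++
        }
        for (i = 1; i <= n; i++) {
            eng = (i in vengine) ? vengine[i] : gengine   # inherit if unset
            id = (i in vname) ? vname[i] : "(no ServerName)"
            if (eng == "on" && !(i in vcert)) {
                printf "%s:%d: vhost %s %s: SSL enabled but no SSLCertificateFile\n", vfile[i], vline[i], vaddr[i], id
                bad++
            } else if (eng != "on" && vaddr[i] ~ /:443$/) {
                printf "%s:%d: vhost %s %s: listens on 443 without SSLEngine on\n", vfile[i], vline[i], vaddr[i], id
                bad++
            }
        }
        exit bad > 0
    }'
}

# check_pair CERT KEY
#   Returns 0 only if KEY is the private key behind the first certificate in
#   CERT (identical SubjectPublicKeyInfo), the pairing that
#   SSL_CTX_check_private_key enforces once a certificate is assigned.
check_pair() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Usage (paths assumed from the Debian/Ubuntu layout shown in the listings):
#   ssl_lint /etc/apache2/apache2.conf /etc/apache2
#   check_pair /etc/letsencrypt/live/wpmu.aldisa.ca/fullchain.pem \
#              /etc/letsencrypt/live/wpmu.aldisa.ca/privkey.pem
if [ "$#" -eq 2 ]; then
    ssl_lint "$1" "$2"
fi
```

Run against a tree laid out like the one above with the Include outside the VirtualHost block, the script reports the global SSLEngine at its line inside options-ssl-apache.conf and flags the <VirtualHost *:80> for aldisa.ca as SSL-enabled without a certificate; with the Include moved inside <VirtualHost *:443> it reports nothing. The authoritative view of what httpd itself parsed remains `apache2ctl -t -D DUMP_VHOSTS` (or `apache2ctl -S`), since this script does not evaluate <IfModule> or <IfDefine> conditions.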

Do you see the overlap?

But I think that overlap might not have any effect if one of these has SSLEngine on and the other one doesn’t.

True.
But he disabled 000-default-ssl.conf to “correct” a problem but removed more than expected and created a different problem.

So, the original problem remains… It’s just disabled.

The overlap in domains are in different port contexts. The vhost definition in 000-default.conf is in a <VirtualHost *:80> block while the other one in 000-default-ssl.conf is in <VirtualHost *:443>

The error only occurred when both the conf were enabled, and the Include statement for the letsencrypt options file containing the SSLEngine on statement was outside the VirtualHost declaration.

But you have that same setup for two other domains and they never had this problem?

The difference was that those other setups did not have the Include statement at all in them. So basically the cause of the error was the singular occurrence of the Include from the /etc/letsencrypt folder in the 000-default-ssl.conf file outside the VirtualHost block. How and why that caused this specific error – I have no idea. I can find no apparent linkage between the generic directives in that conf file and the aldisa.ca domain or its certificates. Especially since the error was caused by those directives appearing outside the VirtualHost block where the aldisa subdomain is being declared.
