Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: dennet.eu
I ran this command: httpd -t
It produced this output: SSLCACertificatePath: directory does not exist
My web server is (include version): apache 2.4
The operating system my web server runs on is (include version): fedora 37
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
The path and files nexist and are not empty :
sudo -u apache openssl x509 -text -noout -in /etc/letsencrypt/live/www.nuage.dennet.eu/fullchain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:be:0e:27:26:c8:11:31:69:b6:11:db:de:72:f1:1b:8d:b0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Feb 22 12:36:52 2023 GMT
Not After : May 23 12:36:51 2023 GMT
Subject: CN = www.nuage.dennet.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e5:13:dc:87:e8:eb:dd:7e:fa:5e:a0:ac:92:54:
d9:01:c5:fa:f7:0b:e2:70:2e:07:d2:8f:d8:c2:81:
89:b0:b9:d6:85:c2:b1:b2:c9:b2:c8:23:24:29:39:
ca:19:3b:cb:c7:b3:9c:c6:4e:83:37:62:7c:52:ac:
f7:fa:d2:60:c6:4d:7d:4c:08:85:bc:bb:2f:9e:b7:
08:35:d2:22:5b:5c:06:a6:8c:8a:f2:e5:a4:2b:49:
46:05:ad:94:87:73:40:24:e2:a2:60:8f:d3:d4:7e:
f0:77:c8:ab:cb:4c:1d:1a:01:9e:f0:21:2b:e3:b2:
8b:ce:71:81:8f:f4:99:4a:f1:1b:7a:e0:74:b1:90:
c6:ca:13:5b:c8:81:35:85:aa:3d:11:5d:61:f0:76:
1f:14:47:64:00:85:74:7f:d1:da:12:0a:3e:8c:ef:
50:12:a8:b3:44:8a:70:f9:59:aa:44:42:c7:74:d2:
40:63:86:27:e6:24:51:66:ab:f9:44:43:be:65:96:
16:48:55:66:11:03:62:2c:d9:90:57:0a:4f:29:35:
3f:f1:de:f8:14:42:a3:9d:d7:3a:de:d4:82:58:9b:
1e:2e:fa:95:d1:0f:13:ba:22:7a:f8:a4:bc:a8:84:
66:63:e3:35:99:64:8f:2f:f2:3e:4d:76:75:cf:2d:
3d:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
C1:EA:80:15:25:10:95:9C:F0:73:4E:4D:11:45:DC:54:19:FA:70:80
X509v3 Authority Key Identifier:
14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:nuage.dennet.eu, DNS:www.nuage.dennet.eu
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
Timestamp : Feb 22 13:36:53.115 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:6C:0E:B5...
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
Timestamp : Feb 22 13:36:53.123 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:71:FA:FC:...
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
65:c4:78:ea:20:fe:c3:49:36:10:dc:f0:ef:2...
SO I cannot figure out where does the problem is. I had spent lot of time, and some poeple with me on the httpd irc channel without result. Se linux is in permissive mode. I had read different post about this same error but did not solve my problem.
Thanks for your help.
Please show the configuration part with the SSLCACertificatePath directive.
Another question: why are you setting SSLCACertificatePath to begin with? It's not usually used, especially not for simply configuring TLS for the server.
HI. Thanks for the welcome.
I had spend, and other people as well, all the week chatting about this issue on #httpd channel of liberachat. Sure, also that the issue is httpd. No result.
Indeed, it bahave like if it does not read the ssl_conf file. But it does. The clue is that for some reason openssl does not recognise the certificates.
In a week we have checked the whole config files of httpd several times, I had upgraded from fedora 35 to 37, I had set up Selinux in permissive mode. No changes.
I also had tryied to reinstall the certificates. Like for installation the logs say everything fine. But at the end, I get this error of reading the files by the openssl process.
So you can see there is no problem to access the files for the user apache, and, as you know already, these files are not empty. Indeed, we can say httpd's fault since httpd parse the config file which call for this certificate. But apache have no problem to access and read the files. Then, my feeling is the following :
option 1 : apache and openssl or something does not communicate properly;
option 2 : openssl or whatever operate with another user than apache (or root, which is normal);
option 3 : something wrong in the /etc/letsencrypt/options-ssl-apache.conf because sometimes had had the error about a version 3 (sorry don't know how to reproduce this and forgot the real message) into the error log of httpd [ssl:warning] or [ssl:info].
By the way, let's have a look at this options ?... (upload does not accept so, see below)
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
Like it is mentioned in the head of the file, I never touch this one.
Your certificates are fine. And, your Apache is running and using certs you got very recently (see link here). Your Apache is not sending a duplicate chain as it would if you had the extra SSLCertificateChainFile.
Your first post says the error message was:
It produced this output: SSLCACertificatePath: directory does not exist
Key is: CA
That option is not related to your Let's Encrypt certs. See the Apache docs (link here). But, as Osiris already noted, you do not usually set this but it seems you have and it is wrong. Or, some other issue with that part of your Apache or Fedora system.
Yes, this is why, after all, I tried to set the SSLCACertificatePath thinking, as I said that it could help like for exemple in TeX you say where are the graghic file with the pass and then TeX the files just as needed. Anyway I will remove this diective.
All this was written by certbot. I did not touch anything of what certbot I set up, except intenting to the SSLCACertificatePath in the httpd conf file.
Thanks all of you for being so reactive. @Osiris and @rg305 : SO my config file is now as follow...
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.nuage.dennet.eu/fullchain.pem
SSLCertificateKeyFile '/etc/letsencrypt/live/www.nuage.dennet.eu/privkey.pem'
These lines where not written by myself, but certbot. And yes, only like that I get this error to : file odes not exist or empty. You understand perfectly.
So now I have this error when parsing the files with httpd -t
AH00526: Syntax error on line 18 of /etc/httpd/conf.d/2-nuage-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.nuage.dennet.eu/fullchain.pem' does not exist or is empty
@MikeMcQ : Set or not, the problem comes from somewhere else, as I mantioned in my first post, I did a trial so see if it solve something. But, without that then I get the same error : the file, fullchain or whatever, does not exist or is empty.
Whom says it does not exist or empty ? httpd or openssl ? I say it is openssl, cause httpd, if I'm right, just have to open that file, and can do it (proof is the result of namei). If correct, then, the problem is httpd and openssl doesn't communicate properly, or openssl does not read properly the files. Which lead to a problem of config.
The httpd config files have been cjhecked with httpd community on irc channel over the week, so I hope it is correct. This is why I come here to solve this issue.
You mention may be a problem with my distro. but, as I mentioned, I had upgraded it from fedora 35 to fedora 37, no change ! And if fedora was not able to manage openssl for some reason it would be well known I guess.
Therefore, to my opinion, the problem is 95% in certbot/openssl.
PS : there is a kind of contradiction here, saying that better answer to everybody in one reply, and them complaining you cant repply at once to more than 2 users.
