SSLCACertificatePath: directory does not exist

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: httpd -t

It produced this output: SSLCACertificatePath: directory does not exist

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): fedora 37

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

The path and files nexist and are not empty :
sudo -u apache openssl x509 -text -noout -in /etc/letsencrypt/live/
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Not Before: Feb 22 12:36:52 2023 GMT
Not After : May 23 12:36:51 2023 GMT
Subject: CN =
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
Authority Information Access:
CA Issuers - URI:
X509v3 Subject Alternative Name:,
X509v3 Certificate Policies:
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
Timestamp : Feb 22 13:36:53.115 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
Timestamp : Feb 22 13:36:53.123 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signature Algorithm: sha256WithRSAEncryption
Signature Value:

SO I cannot figure out where does the problem is. I had spent lot of time, and some poeple with me on the httpd irc channel without result. Se linux is in permissive mode. I had read different post about this same error but did not solve my problem.
Thanks for your help.

Hello @Denis4l, welcome to the Let's Encrypt community. :slightly_smiling_face:

You have shown that a Let's Encrypt Certificate has been issued

I would say this is more of an Apache configuration issue.
Please look to Apache forums:

And kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

1 Like

Please show the configuration part with the SSLCACertificatePath directive.

Another question: why are you setting SSLCACertificatePath to begin with? It's not usually used, especially not for simply configuring TLS for the server.


HI. Thanks for the welcome.
I had spend, and other people as well, all the week chatting about this issue on #httpd channel of liberachat. Sure, also that the issue is httpd. No result.
Indeed, it bahave like if it does not read the ssl_conf file. But it does. The clue is that for some reason openssl does not recognise the certificates.
In a week we have checked the whole config files of httpd several times, I had upgraded from fedora 35 to 37, I had set up Selinux in permissive mode. No changes.
I also had tryied to reinstall the certificates. Like for installation the logs say everything fine. But at the end, I get this error of reading the files by the openssl process.


Thanks for your help.

I had this SSLCACertificatePath in ultimate test to see if it helps cause all these

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile '/etc/letsencrypt/live/'
SSLCertificateChainFile '/etc/letsencrypt/live/'

Fail (same error : file does not exist or is empty). No aparent reason since :

sudo -u apache namei -l /etc/letsencrypt/live/
f: /etc/letsencrypt/live/
dr-xr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root letsencrypt
drwx--x--- root apache live
drwxr-xr-x root root
lrwxrwxrwx root root fullchain.pem -> ../../archive/
drwx--x--- root apache ..
drwxr-xr-x root root ..
drwx--x--- root apache archive
drwxr-xr-x root root
-rw-r--r-- root root fullchain2.pem

So you can see there is no problem to access the files for the user apache, and, as you know already, these files are not empty. Indeed, we can say httpd's fault since httpd parse the config file which call for this certificate. But apache have no problem to access and read the files. Then, my feeling is the following :

  • option 1 : apache and openssl or something does not communicate properly;
  • option 2 : openssl or whatever operate with another user than apache (or root, which is normal);
  • option 3 : something wrong in the /etc/letsencrypt/options-ssl-apache.conf because sometimes had had the error about a version 3 (sorry don't know how to reproduce this and forgot the real message) into the error log of httpd [ssl:warning] or [ssl:info].

By the way, let's have a look at this options ?... (upload does not accept so, see below)

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

Like it is mentioned in the head of the file, I never touch this one.

What do you think ?

where is the SSLCACertificatePath?


What do you mean ? Where is that directive ? into the config file of the vhost. like the other SSLCertificate directives

You only require SSLCertificateFile and SSLCertificateKeyFile. But if I understand you correctly, those are giving errors too?


The fullchain.pem file is more than just a chain.
That should be chain.pem.

Have you rebooted everything?
[including any/all routers]


It should be removed if fullchain.pem is used as SSLCertificateFile. :wink:


SSLCertificateChainFile is deprecated. Unless your Apache is older than 2.4.8, you should not be using that directive.


Let's see if I can recap this thread ...

Your certificates are fine. And, your Apache is running and using certs you got very recently (see link here). Your Apache is not sending a duplicate chain as it would if you had the extra SSLCertificateChainFile.

Your first post says the error message was:

It produced this output: SSLCACertificatePath: directory does not exist

Key is: CA

That option is not related to your Let's Encrypt certs. See the Apache docs (link here). But, as Osiris already noted, you do not usually set this but it seems you have and it is wrong. Or, some other issue with that part of your Apache or Fedora system.


Yes, this is why, after all, I tried to set the SSLCACertificatePath thinking, as I said that it could help like for exemple in TeX you say where are the graghic file with the pass and then TeX the files just as needed. Anyway I will remove this diective.

All this was written by certbot. I did not touch anything of what certbot I set up, except intenting to the SSLCACertificatePath in the httpd conf file.

Thanks all of you for being so reactive.
@Osiris and @rg305 : SO my config file is now as follow...

SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile '/etc/letsencrypt/live/'

These lines where not written by myself, but certbot. And yes, only like that I get this error to : file odes not exist or empty. You understand perfectly.

So now I have this error when parsing the files with httpd -t

AH00526: Syntax error on line 18 of /etc/httpd/conf.d/2-nuage-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/' does not exist or is empty

And I can't start httpd.service

1 Like

@linkp : here is (almost) everything about my server...

Server version: Apache/2.4.55 (Fedora Linux)
Server built: Jan 25 2023 00:00:00
Server's Module Magic Number: 20120211:126
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.40 2022-04-14
Compiled using: APR 1.7.0, APR-UTIL 1.6.1, PCRE 10.40 2022-04-14
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

@MikeMcQ : Set or not, the problem comes from somewhere else, as I mantioned in my first post, I did a trial so see if it solve something. But, without that then I get the same error : the file, fullchain or whatever, does not exist or is empty.

Whom says it does not exist or empty ? httpd or openssl ? I say it is openssl, cause httpd, if I'm right, just have to open that file, and can do it (proof is the result of namei). If correct, then, the problem is httpd and openssl doesn't communicate properly, or openssl does not read properly the files. Which lead to a problem of config.
The httpd config files have been cjhecked with httpd community on irc channel over the week, so I hope it is correct. This is why I come here to solve this issue.

You mention may be a problem with my distro. but, as I mentioned, I had upgraded it from fedora 35 to fedora 37, no change ! And if fedora was not able to manage openssl for some reason it would be well known I guess.
Therefore, to my opinion, the problem is 95% in certbot/openssl.

PS : there is a kind of contradiction here, saying that better answer to everybody in one reply, and them complaining you cant repply at once to more than 2 users. :crazy_face:

sudo httpd -t


Same output : error !

What shows?:
ls -l /etc/letsencrypt/live/
certbot certificates

sudo -u apache ls -l /etc/letsencrypt/live/
total 20
lrwxrwxrwx. 1 root root  43 22 févr. 13:36 cert.pem -> ../../archive/
lrwxrwxrwx. 1 root root  44 22 févr. 13:36 chain.pem -> ../../archive/
lrwxrwxrwx. 1 root root  48 22 févr. 13:36 fullchain.pem -> ../../archive/
lrwxrwxrwx. 1 root root  46 22 févr. 13:36 privkey.pem -> ../../archive/
-rw-r--r--. 1 root root 692 22 févr. 13:35 README

You can also read the namei I gave in the first post

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name:
    Serial Number: 4be0e2726c8113169b611dbde72f11b8db0
    Key Type: RSA
    Expiry Date: 2023-05-23 12:36:51+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -