SSLCertificate: File .... does not exist or is empty (the old posts do not cover this!)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fambook.nu (onlyoffice.fambook.nu)

I ran this command: service apache2 reload

It produced this output: Job for apache2.service failed.
See "systemctl status apache2.service" and "journalctl -xe" for details.

My web server is (include version): Apache2 - 2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: one.com

I can login to a root shell on my machine (yes or no, or I don't know): I can work in Terminal as root if that is the question (sudo...)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

The output of

systemctl status apache2.service

is:

● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-08-27 20:14:53 CEST; 1 day 17h ago
Docs: Apache HTTP Server Version 2.4 Documentation - Apache HTTP Server Version 2.4
Process: 3396586 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=1/FAILURE)
Main PID: 3204531 (apache2)
Tasks: 55 (limit: 13603)
Memory: 19.6M
CGroup: /system.slice/apache2.service
├─3204531 /usr/sbin/apache2 -k start
├─3387213 /usr/sbin/apache2 -k start
└─3387214 /usr/sbin/apache2 -k start

Aug 29 12:44:45 nightcobe apachectl[3393740]: The Apache error log may have more information.
Aug 29 12:44:45 nightcobe systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Aug 29 12:44:45 nightcobe systemd[1]: Reload failed for The Apache HTTP Server.
Aug 29 13:21:45 nightcobe systemd[1]: Reloading The Apache HTTP Server.
Aug 29 13:21:45 nightcobe apachectl[3396589]: AH00526: Syntax error on line 3 of /etc/apache2/sites-enabled/onlyoffice-le-ssl.conf:
Aug 29 13:21:45 nightcobe apachectl[3396589]: SSLCertificateFile: file '/etc/apache2/\xe2\x80\x9c/etc/letsencrypt/live/onlyoffice.fambook.nu/fullchain.pem\xe2\x80\x9d' does not exist or is empty
Aug 29 13:21:45 nightcobe apachectl[3396586]: Action 'graceful' failed.
Aug 29 13:21:45 nightcobe apachectl[3396586]: The Apache error log may have more information.
Aug 29 13:21:45 nightcobe systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Aug 29 13:21:45 nightcobe systemd[1]: Reload failed for The Apache HTTP Server.

In the file onlyoffice-le-ssl.conf this is not how the path is typed: /etc/apache2/\xe2\x80\x9c/etc/letsencrypt/live/onlyoffice.fambook.nu/fullchain.pem**\xe2\x80\x9**

The parts in bold have been added and I do not at all understand why.

I am trying to follow this HOWTO: HOWTO - What to do for having Nextcloud / OnlyOffice on the same host? - onlyoffice - Nextcloud community

And I have made my le-ssl.conf file look like the one found there.

I have had great problems with the certificates and other things before. Maybe other files need to be eddited? Maybe I should ask this in the NextCloud forum or Only Office forum.

I'm just stuck and thankful for any help.

Cordially,
Martin Book

These three hexadecimal characters are Unicode for “. Are you sure there isn't such a pair of quotes in your Apache configuration file?

Although it's also weird the path would have been prefixed with /etc/apache2/...

Thank you for your reply.

The file 'onlyoffice-le-ssl.conf' contains those double quotations.

Should I change them for single ones?

It probably should not contain any quotes at all?

This is what that le-ssl.conf file looks like:

ServerName onlyoffice.fambook.nu
SSLEngine on
SSLCertificateFile “/etc/letsencrypt/live/onlyoffice.fambook.nu/fullchain.pem”
SSLCertificateKeyFile “/etc/letsencrypt/live/onlyoffice.fambook.nu/privkey.pem”

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLHonorCipherOrder on

Header always set Strict-Transport-Security “max-age=15768000; includeSubDomains”

SetEnvIf Host “^(.*)$” THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off

ProxyPassMatch (.*)(/websocket)$ “ws://127.0.0.1/$1$2”
ProxyPass / “http://127.0.0.1/”
ProxyPassReverse / “http://127.0.0.1”

You are probably right.

Is this kind of file automatically generated when apache is run?

If it is, could I just delete it and run the command and see if it comes back right?

Is there something missing in the file?

Now, when I removed all the double quotations, the error in stead is:

Unknown parameter: includeSubDomains

No, it is not. It probably has been generated by certbot, looking at the postfix "-le-ssl" in the name of the file. Certbot can re-generate it again based on the non-HTTPS configuration file by using the "install" command, but I don't reallt see any reason in doing so: it should be fairly easy to fix the file manually.

That's because the Header directive does require quotes around the value if the header, if the value contains spaces. It probably should be just plain and simple ASCII double quotes like this one: " and not fancy Unicode quotes generated by many word processors.

Thank you very much for sharing your insight.

Should I leave the double quotes in Header by just changing them to normal ascii ones and take out the rest? Or should I just exchange all double quotes?

Cordially,
Martin

In most directives, quotes aren't necessary or even give errors, such as the case with the certificate path. Just in a few instances, quotes are necessary, such as your Header directives value.

I don't know which specific other directives require quotes, but you could think of a workflow to check this by changing the fancy quotes to regular ASCII quotes and if Apache still complains about that specific directive, remove the quotes entirely for that directive. Also a good rule of thumb is that quotes are only necessary if a specific value contains spaces.

Thank you!

I changed most back to what it was from the beginning and changed the double quotes. Now it seems to be fine as far as Apache and Letsencrypt is concerned:

# The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly.

ServerName onlyoffice.domain.nu
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/onlyoffice.domain.nu/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/onlyoffice.domain.nu/privkey.pem"

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLHonorCipherOrder on

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

SetEnvIf Host “^(.*)$” THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off

ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:81/$1$2"
ProxyPass / "http://127.0.0.1:81/"
ProxyPassReverse / "http://127.0.0.1:81"

ServerAdmin martin@fambook.nu
#DocumentRoot /var/www/html

<IfModule mod_headers.c>
	RewriteEngine On
	SetEnvIf Host "^(.*)$" THE_HOST=$1
	RequestHeader set X-Forwarded-Proto "https"
	ProxyAddHeaders Off
</IfModule>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

Include /etc/letsencrypt/options-ssl-apache.conf


[/details]

Hm, so it seems that regular ASCII quotes are allowed, even if they aren't necessary. So it was just the use of those fancy Unicode quotes that was bugging Apache?

Apparently. Isn't that odd? They seem to have caused all the havoc...

Thank you so much for your time.

Now I am trying to install the docker image of OnlyOffice and there is an error about repositories not supposed to use uppercase letters. But I will ask about that in the right forum.

Thanks again!

Cordially,
Martin

Please show that entire file.

@rg305 The issue already has been addressed.

In an earlier post I actually did supply the entire content of the file, but a little changed. This is the line that was quarreled about in terminal:

SSLCertificateFile "/etc/letsencrypt/live/onlyoffice.domain.nu/fullchain.pem"

The problem was double quotations pasted from another program that made terminal nuts. It basically shouted: "HEY! Give me my ASCII double quotes and quit that fancy stuff you've got going."

Thanks for willingness to help.

Cordially,
Martin Book

Yes, sometimes quotes (single and double) aren't copy/pasted as we would expect them to be.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.