SSLCertificateFile: file '/etc/letsencrypt/live/example.com/cert.pem' does not exist or is empty


#1

Please fill out the fields below so we can help you better.

My domain is: example.com

I ran this command: service apache2 reload

It produced this output:

  • The apache2 configtest failed. Not doing anything.
    Output of config test was:
    AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/example.com-le-ssl.conf:
    SSLCertificateFile: file '/etc/letsencrypt/live/joliefanny.com/cert.pem' does not exist or is empty
    Action 'configtest' failed. (my apache2 error.log is empty)

My operating system is (include version): Ubuntu 14.04

My web server is (include version): Apache 2.4.7

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

I assume that before you ran the “service apache2 reload” command, you ran a certbot command of some sort to obtain a certificate. Can you provide that command and the result it gave?


#3

COMMAND : /usr/local/sbin$ ./certbot-auto --apache

Requesting root privileges to run certbot…
/home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Then I selected joliefanny.com and www.joliefanny.com in the blue box.

Certbot ran without errors and then:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/joliefanny.com/fullchain.pem. Your cert will
    expire on 2017-03-06. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot-auto again with the
    "certonly" option. To non-interactively renew all of your
    certificates, run "certbot-auto renew"

#4

Can you do a full directory listing of /etc/letsencrypt/live/joliefanny.com/ please? (ls -l … so it includes all files and sizes)


#5

Here is apache2 error.log :

[Tue Dec 06 09:08:59.250240 2016] [ssl:warn] [pid 1574] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Dec 06 09:08:59.250499 2016] [ssl:warn] [pid 1574] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Dec 06 09:08:59.251326 2016] [ssl:warn] [pid 1574] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Dec 06 09:08:59.251381 2016] [mpm_prefork:notice] [pid 1574] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.20 OpenSSL/1.0.1f configured -- resuming normal operations
[Tue Dec 06 09:08:59.251388 2016] [core:notice] [pid 1574] AH00094: Command line: '/usr/sbin/apache2'
[Tue Dec 06 09:09:05.947595 2016] [mpm_prefork:notice] [pid 1574] AH00171: Graceful restart requested, doing restart

Here is the listing of the directory :

root@ip-172-31-19-213:/etc/letsencrypt/live/joliefanny.com# ls -l
total 0
lrwxrwxrwx 1 root root 38 Dec 6 09:09 cert.pem -> ../../archive/joliefanny.com/cert4.pem
lrwxrwxrwx 1 root root 39 Dec 6 09:09 chain.pem -> ../../archive/joliefanny.com/chain4.pem
lrwxrwxrwx 1 root root 43 Dec 6 09:09 fullchain.pem -> ../../archive/joliefanny.com/fullchain4.pem
lrwxrwxrwx 1 root root 41 Dec 6 09:09 privkey.pem -> ../../archive/joliefanny.com/privkey4.pem


#6

What is the content of cert.pem (or the file it links to, cert4.pem)? (Note: the privkey.pem needs to be kept private, but the cert.pem is OK to provide.)


#7

Here is the listing of letsencrypt directory :

root@ip-172-31-19-213:/etc/letsencrypt# ls -l
total 28
drwx------ 3 root root 4096 Aug 14 01:02 accounts
drwx------ 3 root root 4096 Aug 14 01:03 archive
drwxr-xr-x 2 root root 4096 Dec 6 09:09 csr
drwx------ 2 root root 4096 Dec 6 09:09 keys
drwxr-xr-x 3 root root 4096 Aug 14 01:03 live
-rw-r--r-- 1 root root 1389 Aug 14 01:02 options-ssl-apache.conf
drwxr-xr-x 2 root root 4096 Dec 6 09:09 renewal

The archive directory does not have the same permissions as the live directory.
I applied chmod 755 to archive and it works 🙂


#8

Check the permissions of your private key though - that shouldn’t have world read permissions.
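
The two permission points from posts #7 and #8, as a check that can be re-run after changing modes. This is an added example, not part of the original thread; the function name `audit_le_perms` and its output labels are assumptions, and the directory layout is the one shown in the listings above.

```shell
#!/bin/sh
# Added example: audit a certbot-style tree for the two permission points in this thread.
# Layout (live/, archive/, privkey*.pem) follows the listings above; the function name
# and the DIR_NOT_TRAVERSABLE / KEY_WORLD_READABLE labels are assumptions of this example.
# Run as root so find can descend into directories that are still mode 700.

# audit_le_perms [DIR]  -> prints one finding per line; returns 0 if clean, 1 otherwise.
audit_le_perms() {
    le_dir=${1:-/etc/letsencrypt}

    # Post #7: live/<name>/cert.pem is a symlink into archive/<name>/. A process that is
    # neither root nor the directory's owner or group needs o+x on every directory along
    # that path, so report any directory under live/ or archive/ without it
    # (archive was drwx------ in the listing).
    dirs=$(find "$le_dir/live" "$le_dir/archive" -type d ! -perm -001 2>/dev/null |
           sed 's/^/DIR_NOT_TRAVERSABLE /')

    # Post #8: once archive/ is opened up, only the key file's own mode protects it.
    # -type f skips the live/ symlinks (always lrwxrwxrwx) and checks the real files.
    keys=$(find "$le_dir" -type f -name 'privkey*.pem' -perm -004 2>/dev/null |
           sed 's/^/KEY_WORLD_READABLE /')

    report=$(printf '%s\n%s\n' "$dirs" "$keys" | sed '/^$/d')
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```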

