Windows 10/Apache 24: Failed to configure encrypted (?) private key

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
start apache

It produced this output:
Failed to configure encrypted (?) private key

My web server is (include version):
Apache 24

The operating system my web server runs on is (include version):
Windows 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I should have added that I also get the error message “Init: SSLPassPhraseDialog builtin is not supported on Win32” even though SSLPassPhraseDialog is commented out in the config file. A previous (non letsencrypt) certificate has been working well for several years.

Could you please provide the complete error log? Not just snippets? It might be essential information is missing, but wasn’t recognised as such by yourself.

Also, it might be useful if you could copy/paste or upload your entire Apache configuration file(s).

Here is the full error log. I only removed the timestamp at the beginning of each line.

[ssl:emerg] [pid 6632:tid 664] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file D:/www/ssl_cert/cert1.pem)
[ssl:emerg] [pid 6632:tid 664] AH02564: Failed to configure encrypted (?) private key www.mydomain.com:443:0, check D:/www/ssl_cert/cert1.pem
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[ssl:emerg] [pid 6632:tid 664] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

The issue appears to be with the file privkey1.pem

Here Apache thinks it’s reading a private key, but the file is a certificate? Is your configuration correct? Which ACME client are you using? Did you encrypt the files with that client?

Giving your domain name will enable tests to be performed which makes it a lot easier to diagnose your problem.

1 Like

The certificate was created with Certbot. I did not encrypt the certificate or key from Certbot. None of the files appear to be encrypted when viewed with a text editor (Notepad ++).

The site has been working fine for quite a while with a certificate from godaddy. Therefore, I presume the configuration is correct. As an experiment, when I use the new cert and chain with the old key, I get an error that the certificate and key do not match. When I use the old cert and new key I get the above error. This seems to suggest that the problem is with the key file from Certbot.

I also tried converting the key to RSA format as described here: Error adding cert, Invalid private key

Thank you for any help you can provide!

1 Like

I just went through the configuration again and per Osiris, there was indeed an error. I had the key file specified as a cert file.

Thank you all! I cannot believe I overlooked this.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.