59

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:

SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile    /etc/ssl/certs/portal.selfsigned.crt

(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)

So, when I restart apache I get the following message:

Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.

But the file is there, and is not empty (actually it contains a private key):

sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

I have tried changing the ownership, using two groups www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when the certificates are read.

But anyway, changing the group owner has not improved the situation. My questions are:

  1. What else could I try to get this working?
  2. How can I verify that my keyfile is a valid keyfile?
  3. How can I verify that the keyfile and the certificate (/etc/ssl/certs/portal.selfsigned.crt) work together?

I think that Apache is giving a misleading error message, and I would like to pinpoint the error.

3
  • Hello, could you mark this question as answered?
    – user130370
    Commented Aug 13, 2012 at 11:01
  • 3
    I should point out that I got this error message from the basic mistake of running service apache2 restart instead of **sudo** service apache2 restart... note to self: sudo make me a sandwich fool
    – icc97
    Commented Jun 10, 2014 at 20:38
  • I find the following article very helpful. I could not setup the system by this thread. digitalocean.com/community/tutorials/… Commented May 31, 2016 at 15:28

8 Answers 8

74

I found the error. It was because I am using a script to setup the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as normal user, it had no access to the keyfiles, and thus the error message.

Facit: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they also need access to the keys.

1
  • 3
    Oh yes, use sudo. This line solved the issue: Since I was running the apache2ctl command as normal user, it had no access to the keyfiles
    – Sami
    Commented Jan 11, 2021 at 13:32
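An added example, not from the question or any of the answers, that covers questions 2 and 3 above: it checks that the key file is non-empty and readable by whoever runs the script (the accepted answer's cause), that it parses as a PEM private key, and that it belongs to the certificate by comparing the two public keys. It assumes OpenSSL 1.0.0 or later (for the generic openssl pkey command); the paths are placeholders, and it should be run with sudo, with the same privileges Apache has when it loads the key at startup.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# Checks the three things the question asks about: is the key file readable
# by the user running this script, is it a valid PEM private key, and does
# it belong to the certificate? Paths are placeholders.
# Assumes OpenSSL 1.0.0 or later (for the key-type-agnostic 'openssl pkey').

# 0 if the file exists, is non-empty and readable by the current user.
# Apache's "does not exist or is empty" message also fires when the file is
# there but the user running apache2ctl cannot read it.
key_readable() {
    [ -s "$1" ] && [ -r "$1" ]
}

# 0 if the file parses as a PEM private key (RSA, EC or PKCS#8).
key_parses() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# 0 if the key and the certificate carry the same public key.
# Comparing public keys works for any key type; the classic RSA-only way is
# comparing 'openssl rsa -noout -modulus' with 'openssl x509 -noout -modulus'.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Run the checks in order and report the first failure.
check_ssl_pair() {
    key=$1
    crt=$2
    key_readable "$key" || { echo "key not readable as $(id -un): $key"; return 1; }
    key_parses "$key"   || { echo "not a PEM private key: $key"; return 1; }
    key_matches_cert "$key" "$crt" || { echo "key does not match certificate $crt"; return 1; }
    echo "ok: $key belongs to $crt"
}

# Run as root, as Apache does when it loads the key at startup, e.g.:
#   sudo sh check_ssl_pair.sh /etc/ssl/private/server.insecure.key /etc/ssl/certs/portal.selfsigned.crt
[ "$#" -eq 2 ] && check_ssl_pair "$1" "$2"
```

Running it without sudo reproduces the accepted answer's situation: the first check fails because /etc/ssl/private is not readable by a normal user.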
19

I also get the message

SSLCertificateKeyFile: file '/path/to/file' does not exist or is empty

while /path/to/file exists and has the right permissions, just because SELinux was turned on and this file was inaccessible for the apache user.

It looks like this:

$ sudo ls -laZ /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
-rw-------. root root unconfined_u:object_r:cert_t:s0  this-one-works.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 this-one-is-unaccessable.crt

To fix this, I run sudo restorecon -Rv /etc/pki/tls/certs/ - it will repair SELinux property for the problem file.

4
  • it helped me for certs not generated on that server but uploaded from another source
    – tymik
    Commented May 27, 2015 at 14:10
  • 2
    sudo: restorecon: command not found Commented Dec 13, 2016 at 16:26
  • @FranciscoCorralesMorales restorecon is a part of policycoreutils package. Also you maybe don't have SELinux at all?
    – AntonioK
    Commented Dec 14, 2016 at 7:09
  • I was getting this error, and it was because I was running the command apache2ctl -t as my normal user. When I instead did sudo apache2ctl -t it works fine (gives me a warning about missing ServerName, but no errors about certificates not existing). Commented Jun 17 at 0:40
8

I've done this and it helped me on CentOS 5.7

server:~ # chcon -t cert_t /etc/pki/tls/private/my.key
server:~ # ls -laZ /etc/pki/tls/private/
1
  • It works for CentOS. Thanks
    – Thao Ngo
    Commented Nov 9, 2021 at 9:25
1

I received a similar message:

SSLCertificateChainFile: file '/opt/bitnami/apache2/conf/DigiCertCA.crt\xe2\x80\x9d' does not exist or is empty

My problem was the text editor I was using placed a "right quote" ascii 148 instead of a normal double quote ascii 34; using a unix-type editor (e.g. TextWrangler) put in the right quote and fixed the problem.

1

Normal users have no permission in the /etc/ssl/private directory.

Please try

sudo apache2ctl configtest
0

Permissions are wrong, but according to your answer it wasn't the cause of the problem:

drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

/etc/ssl/private usually belongs to group ssl-cert on debian based systems.

Just noticed the 0710 perms and wonder what it can be used for.

2
  • You are probably right, it should be at least 0750. I have been trying different things, and the status I posted is probably not the most correct one. Running apache2ctl as root has for sure solved my problems.
    – blueFast
    Commented Aug 13, 2012 at 10:31
  • 1
    0710 is just fine, you need to know the file name to access it.
    – ypnos
    Commented Sep 7, 2015 at 8:49
0

Me too, I got this error message when I checked the httpd syntax:

SSLCertificateFile: file 'C:/wamp64/bin/apache/apache2.4.46/conf/key/certificate.crt\xe2\x80\x9c' does not exist or is empty

My problem was the "double Quote" I had pasted. So I deleted it and typed it, then it worked fine.
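An added example, not from the original answers, for the cause described in this answer and in the earlier DigiCertCA.crt one: the error text shows the path with a trailing \xe2\x80\x9d or \xe2\x80\x9c, which is a UTF-8 "smart" quote pasted in place of the ASCII double quote. The script below locates SSL*File directives whose value contains non-ASCII bytes and prints those bytes in hex, so the bad line can be retyped. It assumes a POSIX sh with grep, tr and od; the config file path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original answers.
# Finds Apache SSL*File directives whose value contains non-ASCII bytes, such
# as the U+201C/U+201D quotes (UTF-8 e2 80 9c / e2 80 9d) that two answers
# above pasted in by accident. Config path is a placeholder.

# Print "<line>:<text>" for each SSL...File line containing a byte outside
# printable ASCII; exit 0 if any was found, 1 if the file is clean.
# LC_ALL=C makes [:print:] mean exactly 0x20-0x7e, so every byte of a
# multi-byte UTF-8 character falls into the negated class.
find_non_ascii_in_ssl_directives() {
    LC_ALL=C grep -n 'SSL[A-Za-z]*File.*[^[:print:][:space:]]' "$1"
}

# Print the offending bytes of all SSL...File lines as space-separated hex
# (e.g. "e2 80 9d"), by deleting every printable ASCII and whitespace byte.
show_offending_bytes() {
    bytes=$(LC_ALL=C grep 'SSL[A-Za-z]*File' "$1" \
            | LC_ALL=C tr -d '[:print:][:space:]' \
            | od -An -tx1)
    # unquoted expansion joins od's output into one space-separated line
    echo $bytes
}

# Usage (placeholder path):
#   sh find_smart_quotes.sh /etc/apache2/sites-enabled/500-portal-https
if [ "$#" -eq 1 ]; then
    if find_non_ascii_in_ssl_directives "$1"; then
        echo "non-ASCII bytes: $(show_offending_bytes "$1")"
    else
        echo "no non-ASCII bytes in SSL*File directives of $1"
    fi
fi
```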

0

It appears this can also happen if your key file contains extra stuff before the -----BEGIN PRIVATE KEY----- line
