Apache fails to start, ssl issue


There are a few critical issues here. The errors that Apache is spitting out are telling you that the private key is failing to be parsed as valid ASN.1. This would suggest that you have extraneous data somewhere in the key such as a space. Secondly, your permissions are much too lax. The private key should be owned by root, and have permissions similar to 640 or -rw-r-----.
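The answer above names two things to verify: whether OpenSSL can parse the key file at all (the AH02203 / "wrong tag" errors are that parse failing at startup) and whether the file is readable by anyone other than root. The following script is an added example written for this page, not code from the thread, from Apache or from OpenSSL. It assumes a Linux host with the openssl command and GNU stat; the paths in the usage comment are the placeholder names from the posted config.

```shell
#!/bin/sh
# Added example (not from the thread): checks for an Apache SSLCertificateKeyFile
# covering the two problems the answer names, a key file OpenSSL cannot parse
# and a key readable by users other than root. Assumes Linux, OpenSSL, GNU stat.

# 0 if OpenSSL parses FILE as a private key (PEM, PKCS#1 or PKCS#8). This is the
# same parse mod_ssl performs at startup; a failure here is what AH02203 reports.
key_parses() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# 0 if FILE looks like a clean PEM key: BEGIN/END markers on the first and last
# lines, no CR bytes (Windows line endings), no trailing whitespace. Each finding
# is printed; anything else in the file is "extraneous data" in the answer's sense.
key_is_clean() {
    f="$1"; ok=0
    head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' \
        || { echo "$f: first line is not a PEM BEGIN marker"; ok=1; }
    tail -n 1 "$f" | grep -q '^-----END .*PRIVATE KEY-----$' \
        || { echo "$f: last line is not a PEM END marker"; ok=1; }
    [ "$(tr -d '\r' < "$f" | wc -c)" -eq "$(wc -c < "$f")" ] \
        || { echo "$f: contains CR bytes (CRLF line endings)"; ok=1; }
    if grep -q '[[:blank:]]$' "$f"; then
        echo "$f: trailing whitespace on at least one line"; ok=1
    fi
    return $ok
}

# 0 if FILE is readable by "other" (the -rw-rw-r-- state in the ls output above):
# the last octal digit of the mode has the read bit (4) set.
key_world_readable() {
    mode=$(stat -c '%a' "$1")
    [ $(( mode % 10 & 4 )) -ne 0 ]
}

# Prints "OWNER GROUP MODE" for comparison with the expected root-owned 640.
key_owner_mode() {
    stat -c '%U %G %a' "$1"
}

# 0 if the public key derived from KEY equals the one inside CERT, i.e. the two
# files belong together. A mismatch is a different mod_ssl error than the one in
# the thread, but it is cheap to rule out while the files are being inspected.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Runs all checks on KEY (and CERT if given); returns the number of failed
# checks so it can gate a deploy script.
check_key() {
    key="$1"; cert="$2"; failures=0
    key_is_clean "$key" || failures=$((failures + 1))
    key_parses "$key" \
        || { echo "$key: OpenSSL cannot parse this file as a private key"; failures=$((failures + 1)); }
    if key_world_readable "$key"; then
        echo "$key: world-readable ($(key_owner_mode "$key")); expected root-owned 640"
        failures=$((failures + 1))
    fi
    if [ -n "$cert" ] && ! key_matches_cert "$key" "$cert"; then
        echo "$key: does not match the public key in $cert"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "$key: all checks passed"
    return "$failures"
}

# Usage, with the placeholder paths from the posted config:
# check_key /etc/ssl/private/foobar.org.ssl.key /etc/ssl/certs/foobar.org.ssl.crt
```

Run it as root (or as a user that can read the key) before restarting Apache; a nonzero exit tells you how many of the four checks failed, and the printed lines say which. The parse check alone reproduces what mod_ssl does at startup, so it is the quickest way to confirm the key file itself is the problem rather than the virtual host configuration.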



Author: brandon

Updated on September 18, 2022

Comments

  • brandon
    brandon over 1 year

    For some reason Apache does not start. I tried rebooting the server but to no avail. It's about 2am and my brain is fried. Here is the apache log. I did not touch any configs, certs, or keys to cause this, so I don't know what happened. There is the first line here, but this is bogus: the key is in the exact place that I specified in the virtualhosts file.

    [Wed Mar 04 00:13:51.898515 2015] [ssl:error] [pid 4307] AH02203: Init: Private key not found
    [Wed Mar 04 00:13:51.899365 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Mar 04 00:13:51.899381 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    [Wed Mar 04 00:13:51.899391 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Mar 04 00:13:51.899402 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
    [Wed Mar 04 00:13:51.899413 2015] [ssl:error] [pid 4307] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    [Wed Mar 04 00:13:51.899422 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Mar 04 00:13:51.899432 2015] [ssl:error] [pid 4307] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
    

    Virtual hosts:

    # Optionally load the headers module:
    #LoadModule headers_module modules/mod_headers.so
    
    LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
    SSLCertificateFile /etc/ssl/certs/foobar.org.ssl.crt
    SSLCertificateKeyFile /etc/ssl/private/foobar.org.ssl.key
    SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/ssl/certs/ca.pem
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLSessionCache shmcb:/etc/apache2/logs/ssl_gcache_data(512000)
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    SSLSessionCacheTimeout  300
    
    <VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName foobar.org
    #  ServerAlias foobar.org
    DirectoryIndex index.html index.php
    DocumentRoot /var/www/foobar.org/public_html/
    LogLevel warn
    ErrorDocument 404 /404.php
    #  ErrorDocument 500 /500.html
    ErrorLog /var/www/foobar.org/log/error.log
    CustomLog /var/www/foobar.org/log/access.log combined
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
    </VirtualHost>
    

    ls command output:

    -rw-rw-r-- 1 brandon brandon  1767 Mar  4 00:02 foobar.org.ssl.key
    -rw-r----- 1 root    ssl-cert 1704 Apr 20  2013 ssl-cert-snakeoil.key
    
    • user9517
      user9517 about 9 years
      You should just go to sleep. I'm sure this will take just a couple of minutes to solve when your head is clearer.
    • brandon
      brandon about 9 years
      I don't understand what the error is. I don't understand what the heck apache is bellyaching about.
    • Dan
      Dan about 9 years
      Tried to reboot?
    • brandon
      brandon about 9 years
      @Dan: Yes I have. Many times in fact.
    • Martin
      Martin about 9 years
      @brandon can you post the virtualHosts config and the output of ls -l /path/to/private.key please
    • Dan
      Dan about 9 years
      Sounds like something is really wrong with the private key; whatever is in that file is not recognized as a private key.
    • brandon
      brandon about 9 years
      Added virtualhosts and ls output.
    • Snowlockk
      Snowlockk about 9 years
      Your key should NOT be world readable.
    • brandon
      brandon about 9 years
      That's... weird. I swear I didn't set it as world.
    • user9517
      user9517 about 9 years
      It probably shouldn't be owned by you either. Now, honestly, stop wasting your and our time and go to bed.
    • brandon
      brandon about 9 years
      Well I'm not coming back here for help again.