Failed to configure CA certificate chain


Solution 1

Make sure there are no missing certificates in the chain: in the SSLCertificateChainFile there should be all the certificates in order, from the CA first and then down to any intermediate certificate that was used to sign your CRT; otherwise you'll get the error.

If you don't have any intermediate certificates (looking at the DigiCert page it looks like there are none: http://www.digicert.com/ssl-certificate-installation-apache-ensim.htm) you should use SSLCACertificateFile instead.

Solution 2

An update to an old thread...

I just had this happen when I created a CA chain file by cat-ing the intermediate & root .crt files together into a new .ca-bundle file; the issue was that the first of the cert files didn't end with a newline, so its "END" line and the next one's "BEGIN" line were joined together, like

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

I just edited the file and put the newline in, giving:

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

And then it worked.
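A structural check for the bundle problems in this answer and in the comments below (fused END/BEGIN markers, stray characters such as a leftover 'X', trailing whitespace), added here as an example and not part of any answer: a small Python linter for a PEM chain file. It only checks the PEM framing and that each body decodes to DER; it does not verify that the certificates actually chain or are in the order Apache expects (use openssl verify for that). The sample body is a constructed stand-in, not a real certificate.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def lint_pem_chain(text):
    """Return (cert_count, problems) for a PEM bundle given as a string."""
    problems, count, in_cert, body = [], 0, False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            problems.append(f"line {lineno}: trailing whitespace")
        line = raw.strip()
        if not line:
            continue  # blank lines between blocks are harmless
        if line == BEGIN:
            if in_cert:
                problems.append(f"line {lineno}: BEGIN inside an unterminated block")
            in_cert, body = True, []
        elif line == END:
            if not in_cert:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
                if not der.startswith(b"\x30"):  # a DER certificate is a SEQUENCE
                    problems.append(f"line {lineno}: body does not decode to a DER SEQUENCE")
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append(f"line {lineno}: body is not valid base64")
            count, in_cert = count + 1, False
        elif BEGIN in line or END in line:
            # The case from Solution 2: "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
            problems.append(f"line {lineno}: fused or malformed marker: {line!r}")
            if END in line and in_cert:
                count += 1  # block closed without validating its body
            in_cert, body = BEGIN in line, []
        elif in_cert:
            body.append(line)
        else:  # e.g. a stray 'X' left behind by an editor, as in the comments
            problems.append(f"line {lineno}: stray text outside any certificate: {line!r}")
    if in_cert:
        problems.append("file ends inside a certificate block (missing END)")
    return count, problems


# Constructed stand-in body: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_CHAIN = f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n\n{BEGIN}\n{SAMPLE_BODY}\n{END}\n"
FUSED_CHAIN = f"{BEGIN}\n{SAMPLE_BODY}\n{END}{BEGIN}\n{SAMPLE_BODY}\n{END}\n"
```

To lint a real bundle, call lint_pem_chain(open("/path/to/chain.pem").read()) and print the returned problems.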

Solution 3

The fix above may be useful, but for me the fix was this:

http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/

In case the link goes:

The format in this case is p7b (PKCS #7); to use the certificate with apache you’re going to have to convert this.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Within the resulting .cer file you will find your x.509 certificate bundled with the relevant CA certificates; break these out into your relevant .crt and ca.crt files and load as normal into apache.

Solution 4

Well this was originally a comment to @lynxman but it was too long.

I just had this issue using a Let's Encrypt cert with Arch Linux. Upon booting after the first restart in a couple of months the httpd service failed with this error:

 AH01903: Failed to configure CA certificate chain!

First I tried renewing the certificate since it's easy and free. My SSLCertificateChainFile then had one cert listed instead of two (?). So I commented that line out:

#SSLCertificateChainFile "/etc/letsencrypt/live/mywebsite.com/chain.pem"

Voila! It started up fine. ¯_(ツ)_/¯


Author: kron

Updated on September 17, 2022

Comments

  • kron
    kron over 1 year

    I'm trying to set up SSL on fedora with apache.

    In my vhost...

    SSLCertificateFile /your/path/to/crt.crt
    SSLCertificateKeyFile /your/path/to/key.key
    SSLCertificateChainFile /your/path/to/DigiCertCA.crt
    

    I had it working fine with a self signed key, but can't get it to work with the DigiCertCA crt.

    When I run

    service httpd restart
    

    It fails to start. This is what I get in the logs...

    [Sat Jan 29 07:57:13 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suex$
    [Sat Jan 29 07:57:13 2011] [error] Failed to configure CA certificate chain!
    

    Any assistance would be really appreciated!

  • Admin
    Admin over 13 years
    I don't know who downvoted you, this is entirely valid - the instructions even tell you to use SSLCACertificateFile.
  • kron
    kron over 13 years
    Thanks. Turns out it was just that there was an 'X' at the bottom of one of the crt files (that I had accidentally put in the file when pressing ctrl+x to close the file). Answer accepted for just checking the chain properly.
  • Daniel Sokolowski
    Daniel Sokolowski over 11 years
    If you think you copied and pasted correctly, double check for white space. For example, copying from the Verisign/Symantec help page knowledge.verisign.com/support/ssl-certificates-support/… results in two extra spaces on each line.
  • Dan Garthwaite
    Dan Garthwaite about 8 years
    Good catch and useful caveat. You could use the editor to put the text fragments into "code blocks".
  • eel ghEEz
    eel ghEEz almost 8 years
    "CA first" sounds vague. The Apache documentation says that the chain "starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate" httpd.apache.org/docs/2.4/mod/… A script in the comment shows all certificates of the chain, kdecherf.com/blog/2015/04/10/…
  • Ben Brocka
    Ben Brocka almost 5 years
    Oh my god, this was what my problem was and I wasn't even using a bundle, just had to put a space before end cert. Same cert worked on a Windows box but not linux. Thanks
  • Hugh Wood
    Hugh Wood about 4 years
    Copy and pasted from windows into linux vi - and ended up with this problem in the chain cert - great addition to the answers!