Apache: SSLCertificateKeyFile: file does not exist or is empty

Question

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:

SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
SSLCertificateFile    /etc/ssl/certs/portal.selfsigned.crt

(Side note: I am using .insecure for the key file because the file is not passphrase-protected, and I like to clearly see that it is an insecure key file)

So, when I restart apache I get the following message:

Syntax error on line 39 of /etc/apache2/sites-enabled/500-portal-https:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.

But the file is there, and is not empty (actually it contains a private key):

sudo ls -l /etc/ssl/private/server.insecure.key
-rw-r----- 1 root www-data 887 2012-08-07 15:14 /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

I have tried changing the ownership, using two groups www-data and ssl-cert. I am not sure which is the right one in Ubuntu: by default Ubuntu uses ssl-cert, but on the other hand the apache processes run with user www-data: it is started by user root, but changes to www-data at some point, and I am not sure when are the certificates read.

But anyway, changing the group owner has not improved the situation. My questions are:

What else could I try to get this working?
How can I verify that my keyfile is a valid keyfile?
How can I verify that the keyfile and the certificate (/etc/ssl/certs/portal.selfsigned.crt) work together?

I think that Apache is giving a misleading error message, and I would like to pinpoint the error.

blueFast · Accepted Answer · 2012-08-13T10:31:40.980

I found the error. It was because I am using a script to setup the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as normal user, it had no access the the keyfiles, and thus the error message.

Facit: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they alse need access to the keys.

AntonioK · Answer 2 · 2015-01-12T14:51:14.190

I also get the message

SSLCertificateKeyFile: file '/path/to/file' does not exist or is empty

while /path/to/file exist and have right permissions, just because of SELinux turned on and this file was unaccessable for apache user.

It looks like this:

$ sudo ls -laZ /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
-rw-------. root root unconfined_u:object_r:cert_t:s0  this-one-works.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 this-one-is-unaccessable.crt

To fix this, I run sudo restorecon -Rv /etc/pki/tls/certs/ - it will repair SELinux property for the problem file.

score 8 · Answer 3 · answered Sep 11 '14 at 13:40

8

I've done this and it helped me on CentOS 5.7

server:~ # chcon -t cert_t /etc/pki/tls/private/my.key 
server:~ # ls -laZ /etc/pki/tls/private/

answered Sep 11 '14 at 13:40

Radamanf

181

score 1 · Answer 4 · edited May 04 '20 at 19:19

1

No permission for normal users in /etc/ssl/private directory.

Please try

sudo apache2ctl configtest

edited May 04 '20 at 19:19

Swisstone

7,063

answered May 03 '20 at 07:33

Rithin Prabhakar

11
1

score 1 · Answer 5 · answered Nov 08 '15 at 05:22

I received a similar message:

SSLCertificateChainFile: file '/opt/bitnami/apache2/conf/DigiCertCA.crt\xe2\x80\x9d' does not exist or is empty

My problem was the text editor I was using placed a "right quote" ascii 148 instead of a normal double quote ascii 34; using a unix-type editor (e.g. TextWrangler) put in the right quote and fixed the problem.

Moctar · Answer 6 · 2020-09-24T11:03:11.900

0

Me too, I got this error message when I checked the httpd syntax :

SSLCertificateFile: file 'C:/wamp64/bin/apache/apache2.4.46/conf/key/certificate.crt\xe2\x80\x9c' does not exist or is empty

My problem was the "double Quote" I had pasted. So I deleted it and typed it, then it worked fine.

edited Sep 24 '20 at 11:03

answered Sep 24 '20 at 10:54

Moctar

1

score 0 · Answer 7 · answered May 31 '23 at 18:33

0

It appears this can also happen if your key file contains extra stuff before the -----BEGIN PRIVATE KEY----- line

answered May 31 '23 at 18:33

Brad Mace

1,034
3
17
32

score 0 · Answer 8 · answered Nov 29 '24 at 06:53

0

I was trying to restart apache with apachectl restart and got this error - using sudo fixed it.

answered Nov 29 '24 at 06:53

TheEagle

101

score 0 · Answer 9 · answered Aug 11 '12 at 23:28

Permissions are wrong, but according to your answer it wasn't the cause of the problem :

drwx--x--- 2 root www-data 4096 2012-08-07 13:02 /etc/ssl/private/

/etc/ssl/private usually belongs to group ssl-cert on debian based systems.

Just noticed the 0710 perms and wonder what it can be used for.

Apache: SSLCertificateKeyFile: file does not exist or is empty

9 Answers9

Linked