
I am getting an Apache error during server startup. The error reads:

    [error] Init: Unable to read server certificate from file /etc/pki/tls/certs/ca-bundle.trust.crt
    [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

I have done some basic sanity checks, such as:

  1. Comparing the modulus of the private and public key. It matches perfectly:

        openssl x509 -noout -modulus -in /etc/pki/tls/certs/ca-bundle.trust.crt | openssl md5

        openssl rsa -noout -modulus -in /etc/pki/tls/private/servername00.key | openssl md5

  2. Also, I ran dos2unix on the crt file.

Any suggestions? What could be the root cause?

For reference, here is my conf.d/app.conf file; the server version is Apache/2.2.15 (Unix).

    <Directory "/path/to/app/source/html">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    <VirtualHost *:80>
        ServerName servername.com
        # Trailing slash is important
        Redirect / https://servername.com/
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin [email protected]
        DocumentRoot /path/to/app/source/html
        ServerName servername
        #SSLEngine on
        # Update the path with the location of your new cert and key
        SSLCertificateFile /etc/pki/tls/certs/ca-bundle.trust.crt
        SSLCertificateKeyFile /etc/pki/tls/private/servername.key
        ErrorLog logs/appname-80-error_log
        CustomLog logs/appname-80-access_log common
        Header always set Access-Control-Allow-Origin "*"
        # Rewrite hostname to FQN
        RewriteEngine on
        RewriteCond %{HTTP_HOST} !^servername\.com [NC]
        RewriteCond %{HTTP_HOST} !^$
        RewriteRule ^/(.*) https://servername.com/$1 [L,R]
    </VirtualHost>
  • The answers in this post contain many possibilities as to why you're getting that error. stackoverflow.com/questions/9193907/… Commented Nov 6, 2020 at 16:23
  • Is the server certificate corresponding to your private key part of /etc/pki/tls/certs/ca-bundle.trust.crt? Commented Nov 6, 2020 at 16:47
  • @AndrewSchulman - that's what I verified when I did the below:
        openssl x509 -noout -modulus -in /etc/pki/tls/certs/ca-bundle.trust.crt | openssl md5
        openssl rsa -noout -modulus -in /etc/pki/tls/private/servername00.key | openssl md5
    Commented Nov 9, 2020 at 15:36
  • @slightly_toasted - I covered this document before posting on serverfault Commented Nov 9, 2020 at 15:37

1 Answer

The extracted certificate had "BEGIN TRUSTED CERTIFICATE" as its header. It needed to be "BEGIN CERTIFICATE".

Please note that there are two files at /etc/pki/tls/certs/:

  1. ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  2. ca-bundle.trust.crt

I made the mistake of referring to ca-bundle.trust.crt instead of ca-bundle.crt.

Source: https://manned.org/update-ca-trust/e1b1e94d

/etc/pki/tls/certs/ca-bundle.crt Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. If compatible CA trust replacements are disabled, this is a static file and will remain unchanged. Only if compatible CA trust replacements are enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

/etc/pki/tls/certs/ca-bundle.trust.crt Legacy filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. If compatible CA trust replacements are disabled, this is a static file and will remain unchanged. Only if compatible CA trust replacements are enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

Alternatively:

    sed -i 's/BEGIN TRUSTED CERTIFICATE/BEGIN CERTIFICATE/g' /etc/pki/tls/certs/ca-bundle.trust.crt
    sed -i 's/END TRUSTED CERTIFICATE/END CERTIFICATE/g' /etc/pki/tls/certs/ca-bundle.trust.crt
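The check below is an added example, not code from the answerer or from the update-ca-trust project. It does, in a self-contained way, what the asker's sanity checks and the answer's sed rewrite circle around: it reads every PEM block in a bundle, reports the label (so a file full of "TRUSTED CERTIFICATE" blocks is spotted before Apache refuses it), and decodes enough of the DER to tell whether bytes follow the certificate's outer SEQUENCE. In OpenSSL's TRUSTED CERTIFICATE format the base64 payload is the certificate DER followed by trust attributes, which a label-only sed rename leaves in place; the conversion function here keeps only the certificate's own SEQUENCE. The sample bundle, the helper names (`inspect_bundle`, `to_plain_bundle`, `der_sequence_length`) and the minimal DER stand-ins are all constructed for the example; run it with a path argument to inspect a real file.

```python
import base64
import re
import sys

# Constructed sample data: a minimal DER SEQUENCE standing in for a certificate
# body, and a second SEQUENCE standing in for trailing OpenSSL trust attributes.
_FAKE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }
_FAKE_AUX_DER = bytes([0x30, 0x00])                      # empty SEQUENCE as "aux"


def _pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with the given label, 64 chars per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed bundle: one block in the trusted format, one in the plain format.
SAMPLE_BUNDLE = (
    "# constructed sample bundle, not a real CA bundle\n"
    + _pem_block("TRUSTED CERTIFICATE", _FAKE_CERT_DER + _FAKE_AUX_DER)
    + _pem_block("CERTIFICATE", _FAKE_CERT_DER)
)

# Matches one PEM block; the backreference forces BEGIN and END labels to agree.
_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE at the start of der."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE (tag 0x30)")
    first = der[1]
    if first < 0x80:                # short-form length: one byte
        return 2 + first
    n = first & 0x7F                # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_bundle(text: str) -> list:
    """Describe each PEM block: its label, whether it is a plain CERTIFICATE block,
    and how many bytes trail the certificate's outer SEQUENCE (trust attributes)."""
    results = []
    for m in _BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()))
        results.append({
            "label": label,
            "plain_certificate": label == "CERTIFICATE",
            "trailing_bytes": len(der) - der_sequence_length(der),
        })
    return results


def to_plain_bundle(text: str) -> str:
    """Rewrite every block as a plain BEGIN/END CERTIFICATE block that holds only
    the certificate's outer DER SEQUENCE, dropping any trailing trust attributes."""
    out = []
    for m in _BLOCK_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()))
        out.append(_pem_block("CERTIFICATE", der[:der_sequence_length(der)]))
    return "".join(out)


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for entry in inspect_bundle(text):
        print(entry)
    if len(sys.argv) == 1:
        print(to_plain_bundle(text))
```

A bundle whose entries all report `plain_certificate: True` and `trailing_bytes: 0` is in the simple BEGIN/END CERTIFICATE format the man page describes for ca-bundle.crt; the first block of the sample shows what ca-bundle.trust.crt-style entries look like instead. Pointing SSLCertificateFile at the file that actually holds the server's own certificate, rather than at either CA bundle, remains the proper fix.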
