Error when trying to start Apache after installing SSL cert

Question

I am trying to install an SSL certificate, and I get the following errors:

AH02241: Init: Unable to read server certificate from file /path/my.crt SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509) AH02312: Fatal error initialising mod_ssl, exiting. 

Here's the process I followed:

I generated my private key with:

openssl genrsa -out my.key 2048 

I created the CSR with:

openssl req -new -key my.key -out my.csr 

I provided the CSR to our IT department, and they returned a crt - it starts with

-----BEGIN CERTIFICATE----- 

My ssl.conf has (my.example.com matches the Common name used during the generation of the CSR):

 <VirtualHost my.example.com:443> SSLEngine On ServerName my.example.com SSLCertificateFile /path/my.crt SSLCertificateKeyFile /path/my.key </VirtualHost> 

I do not have SSLCertificateChainFile or SSLCACertificate file set.

The private key starts with

----BEGIN RSA PRIVATE KEY----- 

The csr starts with

-----BEGIN CERTIFICATE REQUEST----- 

I have verified that both:

openssl rsa -noout -modulus -in my.key openssl req -noout -modulus -in my.csr 

produce the same output. I cannot figure out how to verify the crt - trying both x509 and rsa produce an error.

Should this process have worked? Can I verify that my.crt matches the key somehow?

Answer 1

It turns out that the cert I was provided was bad.

Running

openssl x509 -in my.crt -text 

should have worked, but since the cert was corrupt it produced errors:

unable to load certificate 140513785948000:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142: 140513785948000:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306: 140513785948000:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509 140513785948000:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83: 

I guess I should have noticed that the lines in the block when viewing the bad cert weren't all the same length.

Answer 2

For:

SSLCertificateFile my.crt SSLCertificateKeyFile my.key 

You should be using the full path to those files, ie:

SSLCertificateFile /home/vhosts/domain.com/keys/my.crt SSLCertificateKeyFile /home/vhosts/domain.com/keys/my.crt 

Update the correct paths and restart Apache to apply the changes. Post back with an updated error/message if the issue remains.

-Brendan

Answer 3

Just for the record: I had the same kind of error report and the issue was not really in the certificate, but in the configuration.

By mistake I defined the key as the certificate and the certificate as the key. The result was the same error message.

The error resulted from the fact that my reference configuration presented these items in the opposite order.

Even the example by @Brendan has this error as it references two times the certificate - both for the certificate and for the key.

So be sure to check that you are referencing the correct files in the correct parameter.