Troubleshoot Apache SSL Certificate Problems

How to Fix Common Apache SSL Certificate Errors

Each error message is listed below, followed by information about the error and how to fix it with a minimal amount of brain wracking.

First and foremost we recommend using the default httpd-ssl.conf file as a template for configuring the virtual hosts for your SSL websites, because this file contains many settings that mod_ssl requires in order to work on your server. To do this, simply open the httpd.conf file and, near the end of the file, uncomment the line (i.e. remove the ‘#’ symbol starting the line):

#Include conf/extra/httpd-ssl.conf

If you are using Suse Linux Enterprise Server (SLES), it is recommended that you copy the file /etc/apache2/vhosts.d/vhost-ssl.template to /etc/apache2/vhosts/your_domain_com.conf. Then edit /etc/apache2/vhosts/your_domain_com.conf per the instructions on the Apache SSL installation page.

SSL-related errors in Apache surface in a few different ways; the most common ones and how to detect them are covered below.

Errors Keeping Apache from Starting

This can be a very frustrating problem, and it usually happens when Apache is reading in the configuration files line by line and finds something it doesn’t know how to handle. First check your log file for an error that might point to the problem. The default location of the log files is:

Debian (Ubuntu):
/var/log/apache2/error_log

Red Hat Enterprise Linux, CentOS:
/var/log/httpd/error_log

Default Location from Compiling Source Code:
/usr/local/apache2/logs/error_log

Windows:
C:\Program Files\Apache Group\Apache2\logs\error.log

Also check whether an ErrorLog directive is defined in your httpd.conf or in the VirtualHost section of your .conf file; if so, the error log is wherever that directive points, so track that file down.

Some possible conf file errors you’ll run into are listed below.

Unable to configure RSA server private key
[ … ]
certificate routines:X509_check_private_key:key values mismatch

This error usually means that the private key being loaded in the VirtualHost section of your .conf file doesn’t match the SSL certificate being loaded in that same section. One way to check whether the two files match is to run the following OpenSSL commands on each of them (change the filenames to match your own):

openssl x509 -noout -modulus -in your_domain_com.crt | openssl md5
openssl rsa -noout -modulus -in your_domain_com.key | openssl md5

If the modulus hashes of the two files don’t match exactly, you will need to do one of the following: first, find the .key file that matches your .crt file and update the VirtualHost in your .conf file to point to it; or second, reissue your certificate, either by generating two new files with the EasyCSR Generator or by creating a new CSR from your existing private key file using the command below:

openssl req -new -key your_domain_com.key -out your_domain_com.csr

Invalid command ‘SSLEngine’

This is usually caused by mod_ssl, the module Apache needs in order to create SSL connections, not being installed on the server.
If you are using CentOS/Red Hat Linux, run the following command from the console:

sudo yum install mod_ssl

If you are running a Debian-based distro, you may need to enable mod_ssl with the following command:

a2enmod ssl

SSL3_READ_BYTES:sslv3 alert handshake failure
[ … ]
SSL23_WRITE:ssl handshake failure

These errors are caused by a directive in the configuration file that requires mutual authentication (i.e. an SSL certificate being sent first from the server, then a separate one being sent back from the client during the SSL handshake). If you don’t have this set up correctly you will receive this error. In our experience, most people who include this directive and get one of the above error messages are doing so by accident, so simply change the line in your conf file from SSLVerifyClient require or SSLVerifyClient optional_no_ca to SSLVerifyClient none. Then restart Apache. This tells the Apache server to stop asking for a client certificate while doing the SSL handshake with a client computer.

Another possible cause of this error is including the line SSLVerifyDepth 1. Just comment out this line so it reads #SSLVerifyDepth 1 and this should fix the problem.

SSLSessionCache: Invalid argument: size has to be >=8192 bytes

This means Apache doesn’t like the default folder that Apache for Windows is installed to (it doesn’t accept spaces or parentheses in the path to Apache).

Either move all the files Apache is loading from c:/Program Files (x86)/Apache2/… to a different folder such as C:/Apache/Apache2/…, or replace the long folder name with its short (8.3) name, which contains no spaces or parentheses. To find out what short name to use, run the following command:

dir /x C:\

You will need to add a backslash “\” to escape the ~ character as follows: C:/Program Files (x86)/Apache2/… changes to C:/Progra\~2/Apache2/…

Then restart apache and you should be good to go.

Untrusted Certificate Errors, and Missing Intermediate Certificate Errors

Apache SSL Chain Certificate Error

    Two things can cause this error on the SSL Certificate Tester:

  1. The SSLCertificateChainFile line in the VirtualHost in your .conf file (usually httpd-ssl.conf, ssl.conf or virtual-host.conf) is either commented out (e.g. #SSLCertificateChainFile) or is pointing to the wrong SSL intermediate certificate file. To correct this, simply uncomment the line and make sure SSLCertificateChainFile points to DigiCertCA.crt.

  2. The file with your VirtualHost has SSLCertificateChainFile configured correctly; however, a different .conf file already has a VirtualHost configured for the IP address and port you are trying to install the SSL certificate onto, and that file doesn’t have an SSLCertificateChainFile directive pointing to the correct chain certificate file. One way to find this file is with a quick grep command (change /etc/apache2/ to your Apache home directory):

    grep -i -r "SSLCertificateChainFile" /etc/apache2/

    For Windows users you can use the following command:

    findstr /s /i "SSLCertificateChainFile" *.conf

    This will search all subfolders of the current directory for a .conf file containing SSLCertificateChainFile, you can then correct the one where SSLCertificateChainFile is commented out or not pointing to the correct file.

    Then restart Apache and this should fix the problem.

SSL received a record that exceeded the maximum permissible length, ssl_error_rx_record_too_long

    The preceding error most commonly appears in Firefox, but similar ones will at times appear in other browsers as well. This error is often caused by SSL traffic not being set up correctly on the server you are trying to secure (e.g. DNS is not set up correctly for the DNS name in your VirtualHost).

Here are some ways to fix this error:

  • The file /conf/extra/httpd-ssl.conf may have been configured with the correct SSL information but isn’t being loaded, because the Include for it in httpd.conf is commented out. To fix this error, uncomment the line below by removing the ‘#’ character. Then restart Apache.

    #Include conf/extra/httpd-ssl.conf

  • Apache isn’t set up to listen on port 443 for secure traffic. To fix this, simply add the line below before your <VirtualHost> block is loaded:

    Listen 443

    If you’re using IPv6 you’ll need to include the IP address as well as the port: e.g.

    Listen 192.168.0.1:443

    If you’re running https on a non-standard port you will need to tell apache to listen for an SSL connection on that port, e.g.:

    Listen 192.168.0.1:8443 https

    If you see the above inside an <IfDefine SSL> block, then you will need to make sure SSL is defined when you start Apache. Normally Apache should start with SSL defined on its own, but if it doesn’t you can try the following commands, which are for earlier versions of Apache 2:

    path/to/httpd -D SSL -k start
    path/to/apachectl startssl
    path/to/httpd startssl

  • If you’re running Apache under Windows, make sure the hosts file on the Windows server is set up correctly (it should be in C:\Windows\System32\Drivers\etc\hosts). Some people have had success changing <VirtualHost your.domain.com:443> to <VirtualHost _default_:443> etc.

  • Also make sure that, inside your VirtualHost block, Apache is configured to use SSL with the SSLEngine directive as follows:

    <VirtualHost your.domain.com:443>
    SSLEngine On
    [rest of VirtualHost]
    </VirtualHost>

  • This error can also occur if a client has a misconfigured proxy that doesn’t let it complete an SSL handshake on port 443 correctly. The way to test this is to try connecting to the site from outside the network with a few different web browsers and see if you can reproduce the error. If you can’t, the client’s proxy is probably the cause.
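As an added illustration (not part of the original article), the following Python script checks a VirtualHost configuration for the pitfalls discussed above: a missing Listen for 443, a missing SSLEngine On, a commented-out SSLCertificateChainFile, an SSLVerifyClient require or optional_no_ca that demands a client certificate, a stray SSLVerifyDepth, and certificate paths containing spaces or parentheses. The sample configuration embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample VirtualHost file (not from the article) that exhibits
# several of the misconfigurations discussed above.
SAMPLE_CONF = """\
#Listen 443
<VirtualHost www.example.com:443>
    ServerName www.example.com
    SSLCertificateFile "C:/Program Files (x86)/Apache2/conf/your_domain_com.crt"
    SSLCertificateKeyFile conf/your_domain_com.key
    #SSLCertificateChainFile conf/DigiCertCA.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
"""

def lint_ssl_vhost(conf_text):
    """Return a list of findings for the SSL pitfalls this article describes."""
    active = {}        # lowercased directive name -> list of argument strings
    commented = set()  # directive names that appear only behind a '#'
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue  # blank line or <VirtualHost>/</VirtualHost> tag
        if line.startswith("#"):
            m = re.match(r"#\s*([A-Za-z]+)", line)
            if m:
                commented.add(m.group(1).lower())
            continue
        parts = line.split(None, 1)
        active.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    findings = []
    if not any("443" in a or "https" in a for a in active.get("listen", [])):
        findings.append("no Listen directive for 443/https (ssl_error_rx_record_too_long)")
    if [a.lower() for a in active.get("sslengine", [])] != ["on"]:
        findings.append("SSLEngine On missing in the :443 VirtualHost")
    if "sslcertificatechainfile" not in active:
        state = "commented out" if "sslcertificatechainfile" in commented else "missing"
        findings.append(f"SSLCertificateChainFile {state} (chain/intermediate error)")
    for arg in active.get("sslverifyclient", []):
        if arg.lower() in ("require", "optional_no_ca"):
            findings.append(f"SSLVerifyClient {arg} demands a client certificate (handshake failure)")
    if "sslverifydepth" in active:
        findings.append("SSLVerifyDepth set; comment it out unless client auth is intended")
    for name in ("sslcertificatefile", "sslcertificatekeyfile", "sslcertificatechainfile"):
        for path in active.get(name, []):
            if re.search(r"[ ()]", path.strip('"')):
                findings.append(f"{name} path has a space or parenthesis (breaks Apache on Windows): {path}")
    return findings
```

Run it over your own file with `lint_ssl_vhost(open("httpd-ssl.conf").read())`; the sample above yields six findings, and a correctly configured host yields an empty list.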
Source: Troubleshoot Apache SSL Certificate Problems
