Apache SSL Errors for self-signed certificates

Discussion in 'EasyApache' started by dezignguy, Apr 1, 2014.

  1. dezignguy

    dezignguy Well-Known Member

    I just started having trouble with this after using EasyApache to update to Apache 2.4.9. Self-signed SSL certs were working fine before that, on 2.4.7 and before. Deleting the self-signed certs resolves the apache start issue. I always use WHM's SSL tools, so I'm not setting anything up manually for any of this. My SSL certs work for years, and then I update to Apache 2.4.9 and then they don't work. I have a 3rd party signed certificate for my server domain, and then two self-signed certs on two other domains.

    After adding a self-signed certificate via the WHM SSL tools, the SSL domain works temporarily (apparently apache just reloads but doesn't do a full restart). This warning shows up in the log at that time:

    Code:
    [Tue Apr 01 14:21:35.000801 2014] [ssl:warn] [pid 24921] AH01906: 123domain.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

    But when doing a full restart of apache, it won't start up again, with this error in the logs:

    Code:
    [Tue Apr 01 14:21:36.000698 2014] [ssl:emerg] [pid 24922] AH02562: Failed to configure certificate 123domain.com:443:0 (with chain), check /var/cpanel/ssl/installed/certs/123domain_com_daaab_509a3_1427922863_9947ad6b02ca51d7df5521b4806b4043.crt
    [Tue Apr 01 14:21:36.000770 2014] [ssl:emerg] [pid 24922] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Tue Apr 01 14:21:36.000785 2014] [:emerg] [pid 24922] AH00020: Configuration Failed, exiting

    Deleting the SSL config from WHM's SSL Management resolves the issue and Apache starts properly again.

    I just checked for a cPanel update, and there is no update for the RELEASE tier, so I'm on WHM 11.42.0 (build 23). Apache is built with PHP5, DSO, mod_ruid2.

    - - - Updated - - -

    I should note that my main server certificate is fine throughout this. I just can't add any self-signed certificates, or Apache won't restart.

    Can anyone else duplicate this?
     
  2. nesta

    nesta Registered

    We are having the same problem. We attempted to upgrade from Apache 2.2.27 to 2.4.9 and the upgrade failed due to a self-signed certificate that wouldn't load.

    Code:
    [Tue Apr 01 17:38:03.002247 2014] [ssl:emerg] [pid 29768] AH02562: Failed to configure certificate example.com:443:0 (with chain), check /var/cpanel/ssl/installed/certs/xxx.crt
    [Tue Apr 01 17:38:03.002404 2014] [ssl:emerg] [pid 29768] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Tue Apr 01 17:38:03.002443 2014] [:emerg] [pid 29768] AH00020: Configuration Failed, exiting
    
    We deleted the SSL configuration on that site and the upgrade succeeded. After the upgrade we tried to add a new self-signed certificate to the site but then Apache wouldn't start with the same error as above.

    One data point is that we had another certificate causing this same problem first, but signed by Thawte instead of self-signed. We found that our other certificates had the intermediate CA bundle configured with SSLCACertificateFile, but this particular one didn't. Deleting the certificate in cPanel and adding it back, including the CA Bundle, fixed the issue for that certificate.

    Both the problem Thawte certificate and the self-signed one were working fine in Apache 2.2.27 prior to the upgrade.
     
  3. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    Please open a support ticket using the link in my signature. One of our analysts will review this for you and, if it's determined to be reproducible, will file a case with development on this.
     
  4. dezignguy

    dezignguy Well-Known Member

    Opened support ticket, Id 4760773.
     
  5. dezignguy

    dezignguy Well-Known Member

    Kudos to cPanel Support. They've diagnosed the issue and opened a ticket for the development team to look at it. And they also got a workaround for me in the meantime.

    This issue only happens on CentOS 5.10, not on CentOS 6.5. But it apparently is not only restricted to self-signed certificates, as it seems that 3rd-party signed certs without a ca-bundle are also caught.

    The internal case is #96229, if anyone is interested in knowing when it is fixed and shows up in the changelogs.
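
An added example (not part of any post in this thread, and not cPanel's or Apache's own code): a small Python triage script that groups the AH01906, AH02562, "SSL Library Error" and AH00020 lines of an Apache 2.4 error log by virtual host, so every certificate file that blocks a restart is listed in one place. The sample input is the log excerpt quoted in the first post; the function and field names are illustrative.

```python
import re

# Sample input: the error_log lines quoted in the first post of this thread.
SAMPLE_LOG = """\
[Tue Apr 01 14:21:35.000801 2014] [ssl:warn] [pid 24921] AH01906: 123domain.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Apr 01 14:21:36.000698 2014] [ssl:emerg] [pid 24922] AH02562: Failed to configure certificate 123domain.com:443:0 (with chain), check /var/cpanel/ssl/installed/certs/123domain_com_daaab_509a3_1427922863_9947ad6b02ca51d7df5521b4806b4043.crt
[Tue Apr 01 14:21:36.000770 2014] [ssl:emerg] [pid 24922] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Tue Apr 01 14:21:36.000785 2014] [:emerg] [pid 24922] AH00020: Configuration Failed, exiting
"""

# [timestamp] [module:level] [pid N] optional "AHnnnnn: " code, then the message.
LINE = re.compile(r"^\[[^\]]+\] \[[^:\]]*:\w+\] \[pid (?P<pid>\d+)\] "
                  r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$")
CA_WARN = re.compile(r"^(?P<vhost>\S+) server certificate is a CA certificate")
CERT_FAIL = re.compile(r"^Failed to configure certificate (?P<vhost>[^\s,]+)"
                       r".*check (?P<path>\S+)$")
SSL_ERR = "SSL Library Error: "


def triage(log_text):
    """Return {vhost: findings} for certificate problems found in the log."""
    vhosts = {}
    failing = {}  # pid -> vhost whose certificate that process failed to load

    def entry(vhost):
        return vhosts.setdefault(vhost, {"cert_file": None, "ca_warning": False,
                                         "ssl_errors": [], "startup_failed": False})

    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, code, msg = m["pid"], m["code"], m["msg"]
        if code == "AH01906" and (w := CA_WARN.match(msg)):
            entry(w["vhost"])["ca_warning"] = True        # warning only, server keeps running
        elif code == "AH02562" and (f := CERT_FAIL.match(msg)):
            entry(f["vhost"])["cert_file"] = f["path"]
            failing[pid] = f["vhost"]
        elif msg.startswith(SSL_ERR) and pid in failing:
            # Keep the OpenSSL error text, drop Apache's trailing hint after " -- ".
            detail = msg[len(SSL_ERR):].split(" -- ")[0]
            entry(failing[pid])["ssl_errors"].append(detail)
        elif code == "AH00020" and pid in failing:
            entry(failing[pid])["startup_failed"] = True  # this vhost stopped the start
    return vhosts


if __name__ == "__main__":
    for vhost, info in triage(SAMPLE_LOG).items():
        print(vhost, info)
```

Run against the full error_log before a restart or upgrade, any vhost reported with `startup_failed` set names the certificate file to check first.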
     