Apache SSL Errors for self-signed certificates

dezignguy

Well-Known Member
Sep 26, 2004
I just started having trouble with this after using EasyApache to update to Apache 2.4.9. Self-signed SSL certs were working fine before that, on 2.4.7 and before. Deleting the self-signed certs resolves the apache start issue. I always use WHM's SSL tools, so I'm not setting anything up manually for any of this. My SSL certs work for years, and then I update to Apache 2.4.9 and then they don't work. I have a 3rd party signed certificate for my server domain, and then two self-signed certs on two other domains.

After adding a self-signed certificate via the WHM SSL tools, the SSL domain works temporarily (apparently apache just reloads but doesn't do a full restart). This warning shows up in the log at that time:

Code:
[Tue Apr 01 14:21:35.000801 2014] [ssl:warn] [pid 24921] AH01906: 123domain.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
But when doing a full restart of apache, it won't startup again, with this error in the logs:

Code:
[Tue Apr 01 14:21:36.000698 2014] [ssl:emerg] [pid 24922] AH02562: Failed to configure certificate 123domain.com:443:0 (with chain), check /var/cpanel/ssl/installed/certs/123domain_com_daaab_509a3_1427922863_9947ad6b02ca51d7df5521b4806b4043.crt
[Tue Apr 01 14:21:36.000770 2014] [ssl:emerg] [pid 24922] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Tue Apr 01 14:21:36.000785 2014] [:emerg] [pid 24922] AH00020: Configuration Failed, exiting
Deleting the SSL config from WHM's SSL Management resolves the issue and Apache starts properly again.

I just checked for a cPanel update, and there is no update for the RELEASE tier, so I'm on WHM 11.42.0 (build 23). Apache is built with PHP5, DSO, mod_ruid2.

- - - Updated - - -

I should note that my main server certificate is fine throughout this. I just can't add any self-signed certificates, or Apache won't restart.

Can anyone else duplicate this?
 

nesta

Registered
Oct 3, 2007
We are having the same problem. We attempted to upgrade from Apache 2.2.27 to 2.4.9 and the upgrade failed due to a self-signed certificate that wouldn't load.

Code:
[Tue Apr 01 17:38:03.002247 2014] [ssl:emerg] [pid 29768] AH02562: Failed to configure certificate example.com:443:0 (with chain), check /var/cpanel/ssl/installed/certs/xxx.crt
[Tue Apr 01 17:38:03.002404 2014] [ssl:emerg] [pid 29768] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Tue Apr 01 17:38:03.002443 2014] [:emerg] [pid 29768] AH00020: Configuration Failed, exiting
We deleted the SSL configuration on that site and the upgrade succeeded. After the upgrade we tried to add a new self-signed certificate to the site but then Apache wouldn't start with the same error as above.

One data point is that we had another certificate causing this same problem first, but signed by Thawte instead of self-signed. We found that our other certificates had the intermediate CA bundle configured with SSLCACertificateFile, but this particular one didn't. Deleting the certificate in cPanel and adding it back, including the CA Bundle, fixed the issue for that certificate.

Both the problem Thawte certificate and the self-signed one were working fine in Apache 2.2.27 prior to the upgrade.
 

cPanelPeter

Technical Analyst III
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
Hello,

Please open a support ticket using the link in my signature. One of our analysts will review this for you and if it's determined to be reproducible will file a case with development on this.
 

dezignguy

Well-Known Member
Sep 26, 2004
Kudos to cPanel Support. They've diagnosed the issue and opened a ticket for the development team to look at it. And they also got a workaround for me in the meantime.

Please be aware that you will need to remove your original self-signed certificate from the installed host(s) before continuing here:

I found that the error that is being generated is due to Apache 2.4.9 not seeing the certificate chain as valid. However, if you take the contents of the self-signed certificate in the "Certificate" box and paste these contents into the "Certificate Authority Bundle (optional)" box when installing the certificate, this should allow the chain to complete and register with Apache 2.4.9 as valid.
This issue only happens on CentOS 5.10, not on CentOS 6.5. But it apparently is not only restricted to self-signed certificates, as it seems that 3rd-party signed certs without a ca-bundle are also caught.

The internal case is #96229, if anyone is interested in knowing when it is fixed and shows up in the changelogs.