Headscratcher: Server should be SSL-aware but has no certificate configured

Written by - 0 comments

Published on September 14th 2016 - Listed in Linux


Today I came across a very annoying problem which seemed so simple yet I was looking way too far to see the solution right in front of me.

When I set up a new virtual host on an Apache 2.4 webserver (running on Ubuntu 14.04). Besides the normal http vhost, I also added a second virtual host for SSL with the following ssl configuration:

<VirtualHost *:443>
  ServerName my.example.com
  DocumentRoot /srv/www/example

  <Directory /srv/www/example>
    Require all granted
    Options +FollowSymLinks
    AllowOverride All
  </Directory>

  # Logging
  ErrorLog /var/log/apache2/example.error.log
  CustomLog /var/log/apache2/example.access.log combined

  <IfModule mod_ssl.c>
  # SSL
  SSLEngine on
  SSLCertificateFile "/etc/apache2/ssl.crt/mycert.crt"
  SSLCertificateKeyFile "/etc/apache2/ssl.key/mycert.key"
  SSLCACertificateFile "/etc/apache2/ssl.crt/mycert.ca.crt"
  </IfModule>

</VirtualHost>

I then realized that this was the first SSL config on this Apache webserver, so I still had to enable the ssl module. And this is where the problems started.

# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

# service apache2 restart
 * Restarting web server apache2
Action 'start' failed.
The Apache error log may have more information.

I checked the error log and found the following information:

[Wed Sep 14 08:29:27.585173 2016] [ssl:emerg] [pid 28482] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Wed Sep 14 08:29:27.585183 2016] [ssl:emerg] [pid 28482] AH02312: Fatal error initialising mod_ssl, exiting.

I immediately disabled the ssl module again and started to scratch my head. I did A LOT of Apache SSL configurations over the past 10 years, yet I've never seen this one before. I googled and there are a lot of different solutions - yet all point out that there must be a problem in the SSL configuration. I triple-checked my ssl config, even copy-pasted a working SSL config from another Apache webserver. No success.
I then modified ports.conf to make sure the listener port 443 is also enabled for mod_ssl.c. Turned out it was already enabled for ssl_module, which got me confused because, If I remember correctly, this was called mod_ssl in Apache 2.2.
So no results from ports.conf, the default seems to be correct already. Talking of default, I checked out the default vhosts and indeed, the default-ssl.conf was not enabled. I checked that file out but didn't see anything which would explain why THIS would make it work compared to my vhost config but I enabled it anyway:

/etc/apache2/sites-enabled # ln -s ../sites-available/default-ssl.conf 001-default-ssl.conf

# apache2ctl configtest
Syntax OK

# service apache2 restart
 * Restarting web server apache2

I enabled the ssl module again, restarted Apache and here we go again:

# service apache2 restart
 * Restarting web server apache2
Action 'start' failed.
The Apache error log may have more information.

WTF?! This is the point where I asked myself what exactly am I missing. I must be missing something obvious, yet I wasn't able to see it. Even when I set Apache's logging to trace2, there was not really any helpful hint in the error logs:

[Wed Sep 14 08:37:29.170593 2016] [ssl:trace2] [pid 29664] ssl_engine_rand.c(124): Init: Seeding PRNG with 656 bytes of entropy
[Wed Sep 14 08:37:29.170663 2016] [ssl:info] [pid 29664] AH02200: Loading certificate & private key of SSL-aware server 'webserver.example.com:443'
[Wed Sep 14 08:37:29.170667 2016] [ssl:emerg] [pid 29664] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Wed Sep 14 08:37:29.170671 2016] [ssl:emerg] [pid 29664] AH02312: Fatal error initialising mod_ssl, exiting.

Eventually I came across yet another serverfault question which basically mentions the same ssl problem. Although I couldn't find a solution there, I picked up a hint, to verify all existing (other) virtual hosts with apache2ctl:

# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  somethingelse.example.com (/etc/apache2/sites-enabled/somethingelse.example.com.conf:1)
*:80                   is a NameVirtualHost
         default server webserver.example.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost webserver.example.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.example.com (/etc/apache2/sites-enabled/example.com.conf:1)
                 alias test.example.com
[...]

And there we had it. In the very first line a SSL-listener 443 for somethingelse.example.com was defined.
I checked the this virtual host configuration and it looked like this:

# cat /etc/apache2/sites-enabled/somethingelse.example.com.conf
<VirtualHost *:443>
  ServerName  somethingelse.example.com

  <ifmodule mod_rewrite.c="">
  RewriteEngine On
  RewriteCond %{HTTPS} on
  RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
  </ifmodule>

</VirtualHost>

[...]

I immediately saw that this is not at all a correct ssl configuration. I removed that whole section after confirmation from my colleague that he was working on it but it's not needed anymore (because it didn't work, duh) and tried again:

# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

# service apache2 restart
 * Restarting web server apache2    

Yes! Now it worked.

Conclusion: The error message "AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)" indeed tells you there is something wrong in your SSL configuration but unfortunately doesn't point you to the very file which is causing the error. Dig (or better grep in this case) through all config files to find the bad one.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.