Troubleshooting Apache SSL Certificate Errors


There are a few different SSL-related errors in Apache that can cause the following issues:

Errors That Keep Apache from Starting

Errors that keep Apache from starting can be very frustrating. This usually happens when Apache is reading the configuration files and finds something it doesn't know how to handle.

The first step when you experience this issue is to check your log file for an error that might point to the problem.

The default location of the log files is as follows:

Debian (Ubuntu):

/var/log/apache2/error_log

Red Hat Enterprise Linux, CentOS:

/var/log/httpd/error_log

Windows:

C:\Program Files\Apache Group\Apache2\logs\error.log

Default Location From Compiling Source Code:

/usr/local/apache2/logs/error_log


If the log files are not in the above location, you may have defined a different log file location in your httpd.conf file or the VirtualHost section of your .conf file.

Some possible conf file errors you may find are listed below.

'Unable to configure RSA server private key' and 'certificate routines:X509_check_private_key:key values mismatch' Errors

If you see one of these errors, it usually means that the private key that is being loaded in the VirtualHost section of your .conf file doesn't match the SSL Certificate being loaded in the same section.

To check if the two files match, run the following OpenSSL command on each of them:

openssl x509 -noout -modulus -in your_domain_com.crt | openssl md5
openssl rsa -noout -modulus -in your_domain_com.key | openssl md5

If the modulus of the two files doesn't match exactly, do one of the following:

  1. Find the .key file matching your .crt file and update the VirtualHost in your .conf file to match.

  2. Reissue your certificate after generating a new CSR (see the OpenSSL CSR Creation instructions).

    Note that the existing private key must be at least 2048 bits. If the key is less than 2048 bits you will have to recreate the key.

openssl req -new -key your_domain_com.key -out your_domain_com.csr
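The following is an added example, not code from the original article: it wraps the two openssl commands above in shell functions, compares the moduli without relying on eyeballing two MD5 hashes, checks the 2048-bit minimum mentioned in the note, and goes one step beyond the article by also comparing the full public keys, which works for EC keys as well as RSA. The file names are whatever the caller passes in; no real certificate is assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Compares a certificate with a
# private key as the article's openssl commands do, checks the key size, and
# also compares full public keys so the check works for non-RSA keys.

# MD5 of the certificate's RSA modulus (the article's first command).
cert_modulus_md5() {
    openssl x509 -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'
}

# MD5 of the private key's RSA modulus (the article's second command).
key_modulus_md5() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# 0 when the two moduli match exactly, 1 otherwise. The raw "Modulus=..." lines
# are compared, so an unreadable file (empty output) can never "match".
modulus_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Generalisation beyond the article: compare the PEM public key embedded in
# the certificate with the public key derived from the private key. This
# works for RSA and EC keys alike.
pubkey_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# RSA key size in bits: the modulus is printed as hex, 4 bits per digit.
key_bits() {
    hex=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | sed 's/^Modulus=//')
    echo $(( ${#hex} * 4 ))
}

# 0 when the key is at least 2048 bits, the minimum the article requires
# before reusing a key for a new CSR.
key_is_strong_enough() { [ "$(key_bits "$1")" -ge 2048 ]; }
```

Usage: `modulus_match your_domain_com.crt your_domain_com.key && echo match` reproduces the article's check; `key_is_strong_enough your_domain_com.key` tells you whether the existing key can be reused for the new CSR or must be recreated.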

'Invalid command 'SSLEngine'' Error

This error can be caused by mod_ssl not being installed on a server. This module is required by Apache to create SSL connections.

To enable this module on CentOS/RedHat Linux, run the following command from the console:

sudo yum install mod_ssl

To enable this module on a Debian-based distro, run the following command:

a2enmod ssl

'SSL3_READ_BYTES:sslv3 alert handshake failure' and 'SSL23_WRITE:ssl handshake failure' Errors

These errors are caused by a directive in the configuration file that requires mutual authentication. For example, if an SSL Certificate is sent from the server and then a separate SSL Certificate is sent back from the client during the SSL handshake, this error will occur.

In our experience, this directive is usually included by accident. To remove the directive and thus fix the error, open your conf file. Change SSLVerifyClient or SSLVerifyClient optional_no_ca to SSLVerifyClient none, then restart Apache. This change will tell the Apache server to stop looking for a client certificate when completing the SSL handshake with a client computer.

Another possible cause of these errors is including the line SSLVerifyDepth 1 in the conf file. Comment out the line by adding a # to the beginning (ex. #SSLVerifyDepth 1).


'SSLSessionCache: Invalid argument: size has to be >=8192 bytes' Error

This error happens when the name of the folder where Apache for Windows is installed includes spaces or parenthesis.

To fix this, move all of the files for Apache to a different folder (ex. c:/Program Files (x86)/Apache2/ to c:/Apache/Apache2/).

Alternatively, you can change the folder name to a short name. Run the following command to find the short name for the folder:

dir /x C:\

You will also need to add a backslash (\) to escape the ~ character, as follows:

C:/Program Files (x86)/Apache2/ will change to C:/Progra\~2/Apache2/

Finally, restart Apache.

Untrusted and Missing Intermediate Certificate Errors

Two things can cause this error in the SSL Certificate Checker:

    1. The VirtualHost section of your .conf file (usually httpd-ssl.conf, ssl.conf, or virtual-host.conf) has its SSLCertificateChainFile line either commented out (e.g. #SSLCertificateChainFile) or pointing to the wrong SSL Intermediate Certificate file. To correct this, simply uncomment the line and make sure SSLCertificateChainFile points to COMODOCA.crt.

    2. The VirtualHost section of your .conf file is configured correctly but you already have a virtual host configured using a different .conf file for the IP address and port that you are trying to install the SSL Certificate to. The problem is usually that the other .conf file is pointing to the wrong SSL Intermediate Certificate file.

      To find this file, run a quick grep command (change /etc/apache2/ to your Apache home directory). This will search all of the subfolders in the current directory for a .conf file containing SSLCertificateChainFile.

      grep -i -r 'SSLCertificateChainFile' /etc/apache2/

      On Windows use the following command:

      findstr /s /i 'SSLCertificateChainFile' *.conf

Once you find the file, uncomment the line if it is commented out (remove the #) and make sure SSLCertificateChainFile points to COMODOCA.crt. Then restart Apache.

'SSL received a record that exceeded the maximum permissible length, ssl_error_rx_record_too_long' Error

This error most commonly appears in Firefox, but similar errors can appear in other browsers as well. It often occurs because SSL traffic is not set up correctly on the server that you are trying to secure; for example, the DNS name in your VirtualHost is not correct.

Here are some ways to fix this error:

  1. The file /conf/extra/httpd-ssl.conf was configured with the correct SSL information but isn't being loaded because httpd.conf isn't loading it.

    To fix this error, uncomment the following line (remove the #). Then restart Apache.

    #Include conf/extra/httpd-ssl.conf

  2. Apache isn't set to listen on port 443 for secure traffic. To fix this, add the following line before the <VirtualHost> block is loaded:

    Listen 443

    If you're using IPv6 you'll need to include the IP address as well as the port:

    Listen 192.168.0.1:443

    If you're running https on a non-standard port you'll need to tell Apache to listen for an SSL connection on that port:

    Listen 192.168.0.1:8443 https

    If you see the above inside of an <IfDefine SSL> block, you need to make sure you are defining SSL when you start Apache. Normally SSL should be defined on its own, but if it isn't being defined you can try the following commands for earlier versions of Apache 2:

    path/to/httpd -D SSL -k start
    path/to/apachectl startssl
    path/to/httpd startssl

  3. If you're running Apache under Windows, make sure the hosts file on the Windows server is set up correctly. It should be in C:\Windows\System32\Drivers\etc\hosts. Some people fix this error by changing VirtualHost your.domain.com:443 to VirtualHost _default_:443, etc.

  4. Make sure in the <VirtualHost> block Apache is configured to use SSL with the SSLEngine directive as follows:

    <VirtualHost your.domain.com:443>
    SSLEngine On
    [rest of VirtualHost]
    </VirtualHost>

This error can also occur if you have a misconfigured proxy that doesn't allow you to complete an SSL handshake on port 443 correctly. The way to test this is to try connecting to the site from outside of your network with a few different web browsers and see if you still receive the error. If you do not receive the error, the proxy is probably misconfigured.
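As an added example that is not part of the original article, the script below turns the manual checks from three of the sections above into a read-only audit of an Apache configuration tree: the SSLVerifyClient and SSLVerifyDepth directives from the 'handshake failure' section, the commented-out or stray SSLCertificateChainFile lines from the 'missing intermediate' section (the article's grep, applied across all .conf files), and the Include, Listen 443 and SSLEngine problems from the 'record too long' section. The directory layout and the sample .conf files it builds are constructed for the demonstration and deliberately contain each problem; point the functions at your real config directory (e.g. /etc/apache2/) to audit it.

```shell
#!/bin/sh
# Added example, not code from the original article: a read-only audit of an
# Apache configuration tree for the misconfigurations the article describes.
# The directory layout and the sample .conf files are constructed for the demo.

# Every .conf file under the given Apache config directory.
conf_files() { find "$1" -type f -name '*.conf'; }

# Active SSLVerifyClient lines whose value is not "none": these make Apache
# ask the client for a certificate during the handshake ('handshake failure').
find_client_auth() {
    conf_files "$1" | xargs grep -HniE '^[[:space:]]*SSLVerifyClient[[:space:]]+' 2>/dev/null \
        | grep -viE 'SSLVerifyClient[[:space:]]+none' || true
}

# Active SSLVerifyDepth lines, the article's second cause of the same error.
find_verify_depth() {
    conf_files "$1" | xargs grep -HniE '^[[:space:]]*SSLVerifyDepth[[:space:]]' 2>/dev/null || true
}

# Every SSLCertificateChainFile mention, commented out or not, across all
# .conf files, so a second file pointing at the wrong intermediate shows up.
find_chain_file() {
    conf_files "$1" | xargs grep -HniE 'SSLCertificateChainFile' 2>/dev/null || true
}

# 0 when some .conf file has an uncommented "Listen 443" (with or without an address).
has_listen_443() {
    conf_files "$1" | xargs grep -qiE '^[[:space:]]*Listen[[:space:]]+(.*:)?443([[:space:]]|$)' 2>/dev/null
}

# 0 when httpd-ssl.conf is actually included rather than left commented out.
has_ssl_include() {
    conf_files "$1" | xargs grep -qiE '^[[:space:]]*Include[[:space:]]+.*httpd-ssl\.conf' 2>/dev/null
}

# Prints file:line of every <VirtualHost ...:443> block that lacks "SSLEngine on".
vhosts_443_without_sslengine() {
    conf_files "$1" | xargs awk '
        /^[[:space:]]*<VirtualHost[^>]*:443>/ { invh = 1; engine = 0; start = FILENAME ":" FNR }
        invh && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { engine = 1 }
        invh && /^[[:space:]]*<\/VirtualHost>/ { if (!engine) print start; invh = 0 }
    '
}

# Builds a constructed config tree exhibiting each problem; prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/extra"
    cat > "$d/httpd.conf" <<'EOF'
Listen 80
#Include conf/extra/httpd-ssl.conf
EOF
    cat > "$d/extra/httpd-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLCertificateFile /path/to/your_domain_com.crt
    SSLCertificateKeyFile /path/to/your_domain_com.key
    #SSLCertificateChainFile /path/to/COMODOCA.crt
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 1
</VirtualHost>
<VirtualHost _default_:8443>
    SSLEngine on
</VirtualHost>
EOF
    echo "$d"
}

# Usage: run every check against the constructed tree and report findings.
demo=$(make_demo_tree)
find_client_auth "$demo"
find_verify_depth "$demo"
find_chain_file "$demo"
has_listen_443 "$demo" || echo "no active 'Listen 443' found"
has_ssl_include "$demo" || echo "httpd-ssl.conf is not included from httpd.conf"
vhosts_443_without_sslengine "$demo"
rm -rf "$demo"
```

Each function prints file:line references so you can go straight to the offending directive; the checks only read the files and never modify them, so they are safe to run before deciding which of the article's fixes applies.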