The errors below appear in ssl_error_log (typically located in /var/log/httpd) for numerous reasons. Below is an explanation of two of those reasons, which can prevent Apache from starting, and how to resolve the problem.
- [Sat Oct 25 22:38:33 2008] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
- [Sat Oct 25 22:38:33 2008] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
The first thing to check is whether there are any errors in /var/log/httpd/error_log. If their timestamps match those of the errors in /var/log/httpd/ssl_error_log, they are more than likely related and should point to the cause of the problem.
One cause of the CommonName error above, which can be identified by reading error_log closely, is an accompanying error like the following.
- [Sat Oct 25 23:17:12 2008] [error] Init: Unable to read server certificate from file /etc/httpd/ssl/yourcert.crt
- [Sat Oct 25 23:17:12 2008] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
- [Sat Oct 25 23:17:12 2008] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
The error above can have numerous causes, all revolving around a problem with your certificate (.crt) file. First check the permissions on this file and make sure they are -rw-r--r-- (644), which can be achieved by typing the following:
- [root@server ssl]# chmod 644 yourcert.crt
Next, make sure the file is formatted correctly so Apache can read it; the ASN.1 "wrong tag" error above is typical of a certificate file that is not in the format Apache expects. Then check that the path Apache uses to locate the file (the SSLCertificateFile directive) is correct. In this case the file should be located in /etc/httpd/ssl.
Another issue that can cause the CommonName error is the Apache ServerName directive not being set properly. If ServerName is not set in the SSL virtual host, Apache falls back to the server's default ServerName in httpd.conf, so make sure that value matches the certificate's CommonName, as in the example below.
- # ServerName gives the name and port that the server uses to identify itself.
- # This can often be determined automatically, but we recommend you specify
- # it explicitly to prevent problems during startup.
- # If this is not set to valid DNS name for your host, server-generated
- # redirections will not work. See also the UseCanonicalName directive.
- # If your host doesn't have a registered DNS name, enter its IP address here.
- # You will have to access it by its address anyway, and this will make
- # redirections work in a sensible way.
- #ServerName www.example.com:80
- ServerName www.yourdomain.com
If neither of the above resolves the issue, look at anything else that could prevent Apache from loading the .crt file properly.
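As an added example (not code from the original page), the checks above turned into shell functions: file permissions, PEM format, the CA flag behind the first warning, and the certificate CN against the ServerName Apache will use. It assumes openssl(1) is installed; the paths in the run_all comment are the page's placeholder locations, with /etc/httpd/conf/httpd.conf assumed for the main config.

```shell
# Added example, not code from the original page. Checks the things the errors
# above point at: permissions, PEM format, CA flag, and CN vs ServerName.
# Assumes openssl(1) is installed; the paths passed in are placeholders.

# 0 if the file is readable and its mode is 644 (or a stricter read-only mode).
check_cert_perms() {
    [ -r "$1" ] || { echo "FAIL: $1 missing or unreadable"; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        644|600|400) echo "OK: mode $mode on $1" ;;
        *) echo "FAIL: mode $mode on $1 (run: chmod 644 $1)"; return 1 ;;
    esac
}
# 0 if the file is a PEM certificate openssl can parse; a DER or otherwise
# malformed file is what produces the ASN.1 "wrong tag" error above.
check_cert_format() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "FAIL: $1 is not PEM"; return 1; }
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "FAIL: $1 does not parse"; return 1; }
    echo "OK: $1 is a PEM certificate"
}
# Print the certificate's CommonName.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# 0 unless the certificate carries BasicConstraints CA:TRUE (the first warning above).
check_not_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $1 is a CA certificate, not a server certificate"; return 1
    fi
    echo "OK: $1 is not a CA certificate"
}
# Print the first uncommented ServerName in a config file, without any :port.
server_name() {
    sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^[:space:]:]*\).*/\1/p' "$1" | head -n 1
}
# 0 if the certificate CN equals the ServerName Apache will use.
check_cn_matches() {
    cn=$(cert_cn "$1"); name=$(server_name "$2")
    [ -n "$name" ] || { echo "FAIL: no ServerName in $2"; return 1; }
    [ "$cn" = "$name" ] || { echo "FAIL: CN '$cn' != ServerName '$name'"; return 1; }
    echo "OK: CN '$cn' matches ServerName"
}
# Run every check, e.g.: run_all /etc/httpd/ssl/yourcert.crt /etc/httpd/conf/httpd.conf
run_all() {
    check_cert_perms "$1" && check_cert_format "$1" && check_not_ca "$1" && check_cn_matches "$1" "$2"
}
```

Source the file and call run_all with your certificate and the httpd.conf (or the SSL virtual host file that sets ServerName); a self-signed certificate made with a stock openssl.cnf will usually trip check_not_ca, which is exactly the situation the first warning describes.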