Recently i was migrating an Apache HTTP Server (httpd) server from one linux machine to another. The problem was, that on the source linux machine Apache HTTP Server (httpd) was a custom compiled 2.4.4 and we were having constant problems when patching the linux machine (openssl libraries etc.). So we decided to replace the custom compiled Apache HTTP Server (httpd) with the RPM version of it but still wanted to stay on 2.4.X version – do not like going back to CentOS/RHEL repository 2.2 Apache HTTP Server versions.
Since all our machines are virtual machines, it is much easier to deploy a new virtual machine from template, install & update the required RPM packages and migrate the apache configuration to the new linux machine – and it is way more cleaner too! 🙂
I built the latest Apache HTTP Server RPM (version 2.4.9) which i also described in THIS how to and started the process of migration – just for additional info, our Apache HTTP Server instance is only used as a proxy server.
So after installing the Apache HTTP Server 2.4.9 from RPM and transfering the Apache HTTP Server configuration from the source machine i tried to start Apache to check if any errors exist (ofcourse small configuration change was inevitable). The Apache HTTP Server would not start, it said FAILED and the error in /var/log/httpd/ssl_error.log was:
[Fri Aug 08 15:40:30.908717 2014] [ssl:emerg] [pid 8242:tid 139656074909504] AH02562: Failed to configure certificate 192.168.1.3:443:0 (with chain), check /etc/httpd/ssl/geekpeek.cer [Fri Aug 08 15:40:30.908864 2014] [ssl:emerg] [pid 8242:tid 139656074909504] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile? [Fri Aug 08 15:40:30.908888 2014] [ssl:emerg] [pid 8242:tid 139656074909504] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Let’s Fix SSL Library Error: error:0906D06C:PEM – Apache Error!
1. Check Certificate With OpenSSL
I started checking certificate key and certificate for errors. After checking certificate /etc/httpd/ssl/geekpeek.cer this is what i got:
[root@geekpeek ~]# openssl x509 -in /etc/httpd/ssl/geekpeek.cer -text -noout unable to load certificate 140028248876872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
This “SSL Library Error: error:0906D06C:PEM” error is the same error we get in /var/log/httpd/ssl_error.log.
A bit of googling got me to THIS great webpage which says i quote “If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate below””. This is good news for us!
2. View DER Encoded Certificate With OpenSSL
By running the following command i confirmed that the certificate was in DER format since the DID NOT exit with “SSL Library Error: error:0906D06C:PEM” error again but showed certificate information:
[root@geekpeek ~]# openssl x509 -in /etc/httpd/ssl/geekpeek.cer -inform der -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: ......
3. Convert DER Certificate To PEM With OpenSSL
For Apache to be able to read the certificate and therefore successfully start we need to convert DER certificate to PEM by running the following command:
[root@geekpeek ~]# openssl x509 -inform der -in /etc/httpd/ssl/geekpeek.cer -out /etc/httpd/ssl/geekpeek.pem
And voila!
Change the Apache configuration to point to the newly created PEM certificate and Apache should start without “SSL Library Error: error:0906D06C:PEM” error!
Pingback: simpleNewz - GeekPeek.Net RSS Feed for 2014-10-28
Pingback: How To Fix Error Adding Etc Ssl Certs in Windows