SSL-related errors in Apache
Protect your brand and your users with a ÃÛÌÒTV Verified Mark Certificate.
There are a few different SSL-related errors in Apache that can cause the following issues:
- SSL errors are reported in the log file causing Apache to not start
- Untrusted certificate warnings in browsers or intermediate certificate errors on ÃÛÌÒTV.com/help
- The browser error message "ssl_error_rx_record_too_long"
Errors That Keep Apache from Starting
Errors that keep Apache from starting can be very frustrating. This usually happens when Apache is reading the configuration files and finds something it doesn't know how to handle. The first step when you experience this issue is to check your log file for an error that might point to the problem.
The default location of the log files is as follows:
Debian (Ubuntu): | /var/log/apache2/error_log |
Red Hat Enterprise Linux, CentOS: | /var/log/httpd/error_log |
Windows: | C:\Program Files\Apache Group\Apache2\logs\error.log |
Default Location From Compiling Source Code: | /usr/local/apache2/logs/error_log |
If the log files are not in the above location, you may have defined a different log file location in your httpd.conf file or the VirtualHost section of your .conf file.
Some possible conf file errors you may find are listed below.
"Unable to configure RSA server private key" and "certificate routines:X509_check_private_key:key values mismatch" Errors
If you see one of these errors it usually means that the private key that is being loaded in the VirtualHost section of your .conf file doesn't match the SSL Certificate being loaded in the same section.
To check if the two files match, run the following OpenSSL command on each of them:
openssl x509 -noout -modulus -in your_domain_com.crt | openssl md5
openssl rsa -noout -modulus -in your_domain_com.key | openssl md5
If the modulus of the two files doesn't match exactly, do one of the following:
- Find the .key file matching your .crt file and update the VirtualHost in your .conf file to match.
-
by either generating two new files with the OpenSSL CSR Wizard
or by creating a new CSR from your existing private key file using the following command.
Note that the existing private key must be at least 2048 bits. If the key is less than 2048 bits you will have to recreate the key.
openssl req -new -key your_domain_com.key -out your_domain_com.csr
"Invalid command 'SSLEngine'" Error
This error can be caused by mod_ssl not being installed on a server. This module is required by Apache to create SSL connections.
To enable this module on CentOS/RedHat Linux run the following command from the console:
sudo yum install mod_ssl
To enable this module on a Debian-based distro run the following command:
a2enmod ssl
"SSL3_READ_BYTES:sslv3 alert handshake failure" and "SSL23_WRITE:ssl handshake failure" Errors
These errors are caused by a directive in the configuration file that requires mutual authentication. For example, if an SSL Certificate is sent from the server and then a separate SSL Certificate is sent back from the client during the SSL handshake, this error will occur.
In our experience, this directive is usually included by accident. To remove the directive and thus fix the error, open your conf file. Change SSLVerifyClient or SSLVerifyClient optional_no_ca to SSLVerifyClient none, then restart Apache. This change will tell the Apache server to stop looking for a client certificate when completing the SSL handshake with a client computer.
Another possible cause of these errors is including the line SSLVerifyDepth 1 in the conf file. Comment out the line by adding a # to the beginning (ex. #SSLVerifyDepth 1).
"SSLSessionCache: Invalid argument: size has to be >=8192 bytes" Error
This error happens when the name of the folder where Apache for Windows is installed includes spaces or parenthesis.
To fix this, move all of the files for Apache to a different folder (ex. c:/Program Files (x86)/Apache2/ to c:/Apache/Apache2/).
Alternatively, you can change the folder name to a short name. Run the following command to find the short name for the folder:
dir /x C:\
You will also need to add a backslash (\) to avoid the ~ character as follows:
C:/Program Files (x86)/Apache2/ will change to C:/Progra\~2/Apache2/
Finally, restart Apache.
Untrusted and Missing Intermediate Certificate Errors
-
The VirtualHost section of your .conf file (usually httpd-ssl.conf, ssl.conf, or virtual-host.conf) for SSLCertificateChainFile is either commented out (e.g. #SSLCertificateChainFile), or is pointing to the wrong SSL Intermediate Certificate file. To correct this, simply uncomment the line and make sure the SSLCertificateChain file points to ÃÛÌÒTVCA.crt.
-
The VirtualHost section of your .conf file is configured correctly but you already have a virtual host configured using a different .conf file for the IP address and port that you are trying to install the SSL Certificate to. The problem is usually that the other .conf file is pointing to the wrong SSL Intermediate Certificate file.
To find this file, run a quick grep command (change /etc/apache2/ to your Apache home directory). This will search all of the subfolders in the current directory for a .conf file containing SSLCertificateChainFile.
grep -i -r "SSLCertificateChainFile" /etc/apache2/
On Windows use the following command:
findstr /s /i "SSLCertificateChainFile" *.conf
Two things can cause this error in the SSL Certificate Tester:
Once you find the file, uncomment the line if it is commented out (remove the #) and make sure the SSLCertificateChain file points to ÃÛÌÒTVCA.crt. Then restart Apache.
"SSL received a record that exceeded the maximum permissible length, ssl_error_rx_record_too_long" Error
-
The file /conf/extra/httpd-ssl.conf was configured with the correct SSL information but isn't being loaded because httpd.conf isn't loading it.
To fix this error, uncomment the following line (remove the #). Then restart Apache.
#Include conf/extra/httpd-ssl.conf
-
Apache isn't set to listen on port 443 for secure traffic. To fix this, add the following line before the <VirtualHost> block is loaded:
Listen 443
If you're using IPv6 you'll need to include the IP address as well as the port:
Listen 192.168.0.1:443
If you're running https on a non-standard port you'll need to tell Apache to listen for an SSL connection on that port:
Listen 192.168.0.1:8443 https
If you see the above inside of an <If DefineSSL> block, you need to make sure you are defining SSL when you start Apache. Normally SSL should be defined on its own, but if it isn't being defined you can try the following commands for earlier versions of Apache 2:
path/to/httpd -D SSL -k start
path/to/apachectl startssl
path/to/httpd startssl
-
If you're running Apache under Windows make sure the host file on the Windows server is set up correctly. It should be in C:\Windows\System32\Drivers\etc\hosts. Some people fix this error by changing VirtualHost your.domain.com:443 to VirtualHost _default_:443, etc.
-
Make sure in the <VirtualHost> block Apache is configured to use SSL with the SSLEngine directive as follows:
<VirtualHost your.domain.com:443>
SSLEngine On
[rest of VirtualHost]
</VirtualHost>
This error most commonly appears in Firefox browsers, but similar errors can appear in other browsers as well. This error often occurs because SSL traffic is not set up correctly on the server that you are trying to secure. For example, the DNS is not correct in the DNS name on your VirtualHost.
Here are some ways to fix this error:
This error can also occur if you have a misconfigured proxy that doesn't allow you to do an SSL handshake on port 443 correctly. The way to test this is to try connecting to the site from outside of your network with a few different web browsers and see if you still receive the error. If you do not receive the error the proxy is probably misconfigured.