When configuring SSL in Apache, one common but misleading error is the "SSLCertificateKeyFile: file does not exist or is empty" message.
This often appears even when the key file physically exists and contains valid data, as in your Ubuntu Server 10.04 LTS setup.
The first critical check involves file permissions and Apache's access rights:
# Verify file existence and content
sudo ls -l /etc/ssl/private/server.insecure.key
sudo file /etc/ssl/private/server.insecure.key
# Check directory permissions
sudo ls -ld /etc/ssl/private/
Key requirements:
- Directory must have 710 permissions (drwx--x---)
- Key file must be readable by the Apache process (typically 640 permissions)
- Owner should be root, with group either www-data or ssl-cert
Before troubleshooting Apache configuration, verify your key-certificate pair integrity:
# Check if private key is valid
openssl rsa -in /etc/ssl/private/server.insecure.key -check -noout
# Verify key matches certificate
openssl x509 -noout -modulus -in /etc/ssl/certs/portal.selfsigned.crt | openssl md5
openssl rsa -noout -modulus -in /etc/ssl/private/server.insecure.key | openssl md5
The MD5 hashes must match for a valid pair.
When basic checks pass but Apache still complains:
# 1. Temporarily relax permissions for testing
sudo chmod 644 /etc/ssl/private/server.insecure.key
# 2. Test Apache configuration without restarting
sudo apache2ctl -t
# 3. Check Apache error logs
sudo tail -n 50 /var/log/apache2/error.log
# 4. Verify SELinux context (if applicable)
ls -Z /etc/ssl/private/server.insecure.key
If the issue persists, consider these alternatives:
# Option 1: Combine key and certificate
cat /etc/ssl/private/server.insecure.key /etc/ssl/certs/portal.selfsigned.crt > combined.pem
SSLCertificateFile /path/to/combined.pem
# Option 2: Use absolute paths with symlinks
sudo ln -s /etc/ssl/private/server.insecure.key /etc/apache2/ssl.key
SSLCertificateKeyFile /etc/apache2/ssl.key
After successful configuration, verify SSL handshake:
openssl s_client -connect localhost:443 -showcerts -state
Look for "SSL handshake has read N bytes" and "Verify return code: 0 (ok)" in the output.
When configuring SSL for Apache 2 on Ubuntu Server 10.04 LTS, you might encounter the error:
SSLCertificateKeyFile: file '/etc/ssl/private/server.insecure.key' does not exist or is empty
Error in syntax. Not restarting.
This occurs despite the file being present and containing a valid private key. Let's explore why this happens and how to resolve it.
The most common cause is incorrect permissions. Apache needs read access to both the key file and its parent directory. Check current permissions:
sudo ls -l /etc/ssl/private/server.insecure.key
sudo ls -ld /etc/ssl/private/
For Ubuntu, the recommended setup is:
sudo chmod 640 /etc/ssl/private/server.insecure.key
sudo chown root:ssl-cert /etc/ssl/private/server.insecure.key
sudo chmod 710 /etc/ssl/private/
To verify your key file is valid:
openssl rsa -in /etc/ssl/private/server.insecure.key -check -noout
If the key is encrypted (even though you named it .insecure), you'll need to decrypt it first:
openssl rsa -in encrypted.key -out server.insecure.key
Verify that your certificate and key match using their modulus:
openssl x509 -noout -modulus -in /etc/ssl/certs/portal.selfsigned.crt | openssl md5
openssl rsa -noout -modulus -in /etc/ssl/private/server.insecure.key | openssl md5
The MD5 hashes should match. If they don't, you're using mismatched files.
Ensure your virtual host configuration is correct. Here's a working example:
<VirtualHost *:443>
ServerName portal.example.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/portal.selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/server.insecure.key
# Other directives...
</VirtualHost>
For more detailed error messages, run:
apachectl configtest
apachectl -S
Or start Apache in debug mode:
. /etc/apache2/envvars && apache2 -X -e debug
If issues persist:
- Try moving the key file to a different location with simpler permissions
- Regenerate your self-signed certificate and key pair
- Check for SELinux or AppArmor restrictions on Ubuntu
Remember that while the error message suggests the file doesn't exist, the real issue is usually either permissions or an invalid key file format.
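The checks both answers above run by hand (file present and non-empty, permissions, passphrase-protected key, `openssl rsa -check`, modulus match) gathered into one script. This is an added example, not code from either answer. It generates its own throwaway key and self-signed certificate in a temporary directory, so the directory, the file names and the hostname portal.example.com are constructed fixtures and nothing under /etc/ssl is read or changed.

```sh
#!/bin/sh
# Added example, not part of either answer: an offline checklist for the
# "SSLCertificateKeyFile: file does not exist or is empty" error. All paths
# below point into a temp directory created for the demo (constructed data).

# Dummy passphrase: ignored for plaintext keys; makes an encrypted key fail
# immediately instead of prompting on the terminal.
NO_PASS='-passin pass:not-the-real-passphrase'

# 1. The literal condition in the error: a regular file with at least one byte.
key_present() {
  [ -f "$1" ] && [ -s "$1" ]
}

# 2. A private key must never be world-readable (chmod 644 hands it to every
#    local user). Read the "other" triplet from ls -l; no GNU stat needed.
key_not_world_readable() {
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# 3. An encrypted key (PKCS#1 "Proc-Type: 4,ENCRYPTED" or PKCS#8
#    "BEGIN ENCRYPTED PRIVATE KEY") cannot be loaded at startup without a
#    passphrase, whatever the file is named.
key_is_encrypted() {
  grep -q ENCRYPTED "$1" 2>/dev/null
}

# 4. The key parses and passes OpenSSL's RSA consistency check.
key_is_valid() {
  openssl rsa -in "$1" -check -noout $NO_PASS >/dev/null 2>&1
}

# 5. Key and certificate belong together: identical RSA modulus. Comparing the
#    "Modulus=..." lines directly is equivalent to comparing their MD5 digests.
pair_matches() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$2" $NO_PASS 2>/dev/null) || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Run the whole checklist on one pair: one line per check, non-zero if any fail.
check_pair() {
  cert="$1"; key="$2"; rc=0
  key_present "$key"            && echo "ok   key exists and is non-empty"   || { echo "FAIL key missing or empty: $key"; rc=1; }
  key_not_world_readable "$key" && echo "ok   key is not world-readable"     || { echo "FAIL key is world-readable"; rc=1; }
  key_is_encrypted "$key"       && { echo "FAIL key is passphrase-protected"; rc=1; } || echo "ok   key is not encrypted"
  key_is_valid "$key"           && echo "ok   key parses (openssl rsa -check)" || { echo "FAIL key does not parse"; rc=1; }
  pair_matches "$cert" "$key"   && echo "ok   key matches certificate"       || { echo "FAIL key/cert modulus mismatch"; rc=1; }
  return $rc
}

# --- constructed fixtures: a demo pair plus the three failure modes above ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=portal.example.com \
  -keyout "$DEMO/server.insecure.key" -out "$DEMO/portal.selfsigned.crt" >/dev/null 2>&1
chmod 640 "$DEMO/server.insecure.key"                          # the recommended mode
openssl genrsa -out "$DEMO/other.key" 2048 >/dev/null 2>&1     # an unrelated key
chmod 644 "$DEMO/other.key"                                    # the "temporary" relaxation
openssl rsa -in "$DEMO/server.insecure.key" -aes128 -passout pass:demo \
  -out "$DEMO/encrypted.key" >/dev/null 2>&1                   # same key, passphrase-protected
: > "$DEMO/empty.key"                                          # zero bytes: the literal error case

echo "== good pair";      check_pair "$DEMO/portal.selfsigned.crt" "$DEMO/server.insecure.key"
echo "== wrong key, 644"; check_pair "$DEMO/portal.selfsigned.crt" "$DEMO/other.key"
echo "== encrypted key";  check_pair "$DEMO/portal.selfsigned.crt" "$DEMO/encrypted.key"
echo "== empty key";      check_pair "$DEMO/portal.selfsigned.crt" "$DEMO/empty.key"
```

Run it as an unprivileged user; to check a real deployment, call `check_pair` with the paths from your SSLCertificateFile and SSLCertificateKeyFile directives instead of the fixtures. The second fixture is deliberate: a world-readable key is reported as a failure, because `chmod 644` on a private key is a disclosure, not a permission fix. Apache opens certificate and key files while still running as root during startup, so a root-owned key with mode 640 and group ssl-cert (or even 600) is all the access it needs.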