When configuring SSL/TLS for Apache, you might encounter certificate parsing errors like:
[error] Init: Unable to read server certificate from file /etc/apache2/domain.com.ssl/domain.com.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
"wrong tag" is an ASN.1 decoding error: OpenSSL found bytes it could not interpret as an X.509 certificate. That almost always means the file is in the wrong format (DER where PEM is expected), contains a different object than a certificate (a private key, a CSR, or a PKCS#7 bundle), or was corrupted in transfer. A permissions problem produces a different "could not open" / "Permission denied" error, but it is cheap to rule out at the same time.
First, verify your certificate's integrity using OpenSSL:
openssl x509 -noout -text -in domain.com.crt
If you get "no start line" errors, your file might have formatting issues. Check the PEM boundaries:
grep '^-----' domain.com.crt
Proper output should show:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1. File Format Conversion
Apache's SSLCertificateFile expects PEM, so converting DER to PEM is the direction that fixes this error; the reverse conversion is shown only for completeness:
# If PEM fails, the file is probably DER: convert it to PEM
openssl x509 -inform DER -in domain.com.crt -out domain.com.pem
# Or vice versa
openssl x509 -outform DER -in domain.com.pem -out domain.com.der
2. File Permissions
Ensure Apache can read the certificate. Apache opens the certificate and key as root while starting up, so neither file needs to be owned by the worker user; the certificate is public and can be world-readable, but the private key must stay readable by root only:
chmod 644 domain.com.crt
chown root:root domain.com.crt
chmod 600 domain.com.key
chown root:root domain.com.key
Do not chown the key to www-data: a compromise of the unprivileged worker process would then expose the key.
3. Apache Configuration Check
Verify your virtual host includes correct paths (mod_ssl must be enabled and Apache must be listening on port 443):
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
</VirtualHost>
SSLCertificateChainFile is deprecated from Apache 2.4.8 onwards; on those versions append the intermediate certificates to the file named by SSLCertificateFile (leaf certificate first) and drop the ChainFile directive.
For deeper analysis, use these diagnostic commands:
# Check certificate validity against the CA bundle; add -untrusted intermediate.crt when the leaf is issued by an intermediate rather than directly by a root
openssl verify -CAfile /path/to/ca-bundle.crt -untrusted intermediate.crt domain.com.crt
# Inspect certificate details
openssl x509 -noout -subject -issuer -dates -in domain.com.crt
# Test SSL handshake against the running server
openssl s_client -connect yourdomain.com:443 -showcerts
If all local checks pass but Apache still rejects the certificate, contact your Certificate Authority. Provide them with:
- Your original CSR
- OpenSSL diagnostic output
- Apache error logs
Remember that certificate files must be plain text: a UTF-8 byte-order mark or other bytes before the first -----BEGIN line breaks the PEM parser ("no start line"), and files copied from Windows can carry CRLF line endings that some tools choke on. Normalise with dos2unix and check with cat -v before blaming the certificate itself.
When configuring SSL/TLS on Apache servers, one common roadblock is the certificate file format issue that manifests with these symptoms:
[error] Init: Unable to read server certificate from file /path/to/certificate.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
First, verify your certificate format using OpenSSL commands. The errors suggest either:
- Incorrect file encoding (PEM vs DER)
- Malformed certificate content
- File corruption during transfer
Try these diagnostic commands:
# Check PEM format
openssl x509 -noout -text -in certificate.crt
# Force PEM format check
openssl x509 -text -inform PEM -in certificate.crt
# Force DER format check
openssl x509 -text -inform DER -in certificate.crt
If you encounter "no start line" or "wrong tag" errors:
- Verify certificate boundaries:
grep '^-----' certificate.crt
- Ensure proper line endings:
dos2unix certificate.crt
- Check for hidden characters:
cat -v certificate.crt
For commercial certificates, you often need to combine files. The order matters: the server (leaf) certificate comes first, followed by the intermediate(s), and the root CA certificate should not be included. Once the chain is in the combined file, SSLCertificateChainFile is redundant (and deprecated since Apache 2.4.8):
# Combine certificate with intermediate chain, leaf first
cat domain.crt intermediate.crt > combined.crt
# Typical Apache SSL configuration
SSLCertificateFile /path/to/combined.crt
SSLCertificateKeyFile /path/to/domain.key
# Only needed on Apache older than 2.4.8 when the chain is not in combined.crt
SSLCertificateChainFile /path/to/intermediate.crt
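The manual checks above (PEM boundaries, dos2unix, cat -v, PEM-versus-DER, "is the CERTIFICATE block really a certificate?") can be run in one pass. The script below is an added example written for this page, not code from the original article or from Apache/OpenSSL. It performs the same structural checks offline, including on a combined file with several PEM blocks, and flags a private key that has been concatenated into a world-readable certificate file. The inputs at the bottom are constructed stubs that only have the ASN.1 header shape of a certificate, a PKCS#8 key and a PKCS#7 bundle; they are not real certificates, and the ASN.1 check is a header heuristic, not validation of signatures or chains.

```python
"""Structural diagnosis of an Apache certificate file without calling openssl."""
import base64
import re

# One PEM block: label, then base64 body up to the matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def _tlv(buf, off):
    """Return (tag, header_length, content_length) of the DER TLV at buf[off:]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad length encoding")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def classify_der(der):
    """Heuristic object type from the outer ASN.1 headers.

    Certificate: SEQUENCE { SEQUENCE tbs { [0] version | INTEGER serial ... } ... }
    PKCS#8 key / CSR: SEQUENCE { INTEGER version ... }
    PKCS#7 bundle:    SEQUENCE { OID contentType ... }
    """
    try:
        tag, hl, ln = _tlv(der, 0)
        if tag != 0x30:
            return "not-asn1-sequence"
        if hl + ln != len(der):
            return "length-mismatch"       # trailing bytes or truncated file
        inner, ihl, _ = _tlv(der, hl)
        if inner == 0x06:
            return "pkcs7-or-other"
        if inner == 0x02:
            return "key-or-csr"
        if inner != 0x30:
            return "unknown"
        first, _, _ = _tlv(der, hl + ihl)
    except ValueError:
        return "malformed"
    return "certificate" if first in (0xA0, 0x02) else "unknown"


def diagnose(data):
    """Return {'format', 'blocks', 'problems'} for the raw bytes of a file."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the first PEM line (openssl: 'no start line')")
        data = data[3:]
    if b"\r\n" in data:
        problems.append("CRLF line endings present; normalise with dos2unix")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:                         # no PEM armour: DER or junk
        kind = classify_der(data)
        if kind == "certificate":
            problems.append("DER-encoded file; convert with openssl x509 -inform DER")
            return {"format": "DER", "blocks": [kind], "problems": problems}
        problems.append("no PEM CERTIFICATE block found (openssl: 'no start line')")
        return {"format": "unknown", "blocks": [kind], "problems": problems}
    kinds = []
    for label, body in blocks:
        label = label.decode()
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except ValueError:
            kinds.append(f"{label}: corrupt base64")
            problems.append(f"{label} block has corrupt base64 (file damaged in transfer?)")
            continue
        kind = classify_der(der)
        kinds.append(f"{label}: {kind}")
        if "PRIVATE KEY" in label:
            problems.append("private key inside the certificate file; keep it in a "
                            "separate root-only 0600 file")
        elif label != "CERTIFICATE":
            problems.append(f"'{label}' block is not a CERTIFICATE; PEM readers skip it")
        elif kind != "certificate":
            problems.append(f"CERTIFICATE block decodes to {kind}, not an X.509 "
                            "certificate (ASN.1 'wrong tag')")
    if not any(k.startswith("CERTIFICATE:") for k in kinds):
        problems.append("no CERTIFICATE block found (openssl: 'no start line')")
    return {"format": "PEM", "blocks": kinds, "problems": problems}


def pem(label, der):
    """Wrap DER bytes in PEM armour with the given label."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.b64encode(der)
            + b"\n-----END " + label + b"-----\n")


# Constructed stubs (NOT real objects): only the leading ASN.1 headers are shaped
# like a certificate, a PKCS#8 key and a PKCS#7 bundle respectively.
FAKE_CERT_DER = bytes.fromhex("300b3009a00302010202020100")
FAKE_KEY_DER = bytes.fromhex("30050201003000")
FAKE_P7_DER = bytes.fromhex("300306012a")
SAMPLE_PEM = pem(b"CERTIFICATE", FAKE_CERT_DER)

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("bom", b"\xef\xbb\xbf" + SAMPLE_PEM),
                       ("der", FAKE_CERT_DER), ("key-as-cert", pem(b"CERTIFICATE", FAKE_KEY_DER)),
                       ("bundle-with-key", SAMPLE_PEM + pem(b"RSA PRIVATE KEY", FAKE_KEY_DER))]:
        print(name, diagnose(blob))
```

Run it against the real file with `diagnose(open("/path/to/combined.crt", "rb").read())`; a clean PEM bundle returns an empty problems list and one "CERTIFICATE: certificate" entry per block, in file order (leaf first).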
Add these directives to your Apache config for detailed logging. Note that "ssl:warn" would make mod_ssl quieter than the global level; to see why a certificate is rejected, raise the ssl module to info or debug instead:
LogLevel warn ssl:debug
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
Lower the log level back to warn once the problem is found; ssl:debug is verbose on a busy server.
If problems persist, try certificate conversion:
# Convert between formats if needed
openssl x509 -in certificate.crt -outform DER -out certificate.der
openssl x509 -in certificate.der -inform DER -out certificate.pem
Remember to validate the configuration and restart Apache after changes; configtest catches a certificate that still cannot be parsed before the running server is taken down:
apachectl configtest
service apache2 restart