When transitioning from self-signed certificates to commercial CA certificates (like DigiCert) in Apache on Fedora, many developers encounter the frustrating "Failed to configure CA certificate chain" error during httpd restart. This typically occurs when the certificate chain isn't properly formatted or configured.
First, verify your certificate chain file contains the intermediate certificates in the correct order. The DigiCert CA file should look like this:
-----BEGIN CERTIFICATE-----
[Your Primary Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate Certificate 1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate Certificate 2]
-----END CERTIFICATE-----
For Apache 2.4.8+, the recommended syntax has changed. Instead of using SSLCertificateChainFile, you should concatenate the certificates:
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCACertificateFile /path/to/DigiCertCA.crt
Alternatively, combine them in a single file:
SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/private.key
Before restarting Apache, always verify your configuration:
apachectl configtest
openssl verify -CAfile DigiCertCA.crt your_domain.crt
If you still encounter problems:
- Check file permissions (certificates should be readable by Apache user)
- Verify certificate expiration dates
- Ensure SELinux contexts are correct:
restorecon -Rv /etc/pki/tls/
- Check for hidden characters or incorrect line endings in certificate files
Here's a verified working configuration for Fedora with DigiCert:
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

    # Modern SSL configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>
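As an added example (not code from the answer above, nor DigiCert's or Apache's own tooling), here is the chain-building step together with the offline checks that belong with it, as one POSIX shell script. Real DigiCert files cannot be embedded here, so it generates a throwaway root, intermediate and leaf as constructed test data; the directory WORK, every path and every function name are assumptions. It writes the leaf followed by the intermediate into one file for SSLCertificateFile, which is where Apache 2.4.8 and later read the chain (SSLCertificateChainFile is deprecated there, and SSLCACertificateFile is the trust store for client-certificate authentication, not the chain the server sends), then checks that each certificate in that file is issued by the one after it, that the private key matches the leaf, and finally runs the same openssl verify the answer uses.

```shell
#!/bin/sh
# Added example, not part of the answers on this page: build the full-chain
# file Apache 2.4.8+ expects in SSLCertificateFile and validate it offline.
# Instead of real DigiCert files, a throwaway root -> intermediate -> leaf
# PKI is generated (constructed test data); every path here is hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Generate the constructed test PKI under directory $1.
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$d/leaf.ext"
    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -sha256 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null
    openssl x509 -req -in "$d/example.com.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/leaf.ext" -out "$d/example.com.crt" 2>/dev/null
}

# Number of PEM certificate blocks in a file (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verify bundle order: each certificate must be issued by the one after it
# (leaf, then intermediate(s), then optionally the root). Non-zero on a break.
check_chain_order() {
    bundle="$1"
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (dir "/c" n ".pem") }' "$bundle"
    n=$(count_certs "$bundle")
    [ "$n" -ge 1 ] || { echo "$bundle: no certificates found" >&2; rm -rf "$tmp"; return 1; }
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -in "$tmp/c$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -in "$tmp/c$j.pem" | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "$bundle: cert $i is issued by [$issuer] but cert $j is [$subject]: wrong order or missing intermediate" >&2
            rm -rf "$tmp"
            return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
}

# Verify the private key belongs to the first certificate in the bundle;
# a key/cert mismatch also stops httpd from starting.
check_key_matches() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

make_test_pki "$WORK"
# Apache 2.4.8+: leaf first, then the intermediate(s). The root is omitted;
# clients must already trust it, so sending it only adds bytes to the handshake.
cat "$WORK/example.com.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"
# Intermediate + root, the form the answers use with 'openssl verify -CAfile'.
cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/DigiCertCA.crt"

check_chain_order "$WORK/fullchain.pem"
check_key_matches "$WORK/fullchain.pem" "$WORK/example.com.key"
openssl verify -CAfile "$WORK/DigiCertCA.crt" "$WORK/example.com.crt"
echo "fullchain.pem OK with $(count_certs "$WORK/fullchain.pem") certificates; point SSLCertificateFile at it"
```

Run it as-is to see the constructed case; on a real host drop make_test_pki and point the cat and check lines at the files DigiCert issued. When check_chain_order fails it names the pair that does not line up, which is the usual reason the chain cannot be configured: the intermediate placed before the leaf, or the leaf followed directly by the root with the intermediate missing.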
When setting up SSL/TLS with trusted certificates (like DigiCert) instead of self-signed certificates, Apache requires proper certificate chain configuration. The error looks like this:
[error] Failed to configure CA certificate chain!
This typically means Apache couldn't properly validate the certificate chain you provided in SSLCertificateChainFile.
For DigiCert certificates, you need these files properly configured in your vhost:
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
Common mistakes include:
The chain file must contain intermediate certificates in the correct order. For DigiCert, try:
cat IntermediateCA.crt RootCA.crt > DigiCertCA.crt
Or combine them in this order:
-----BEGIN CERTIFICATE-----
(Your Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root Certificate)
-----END CERTIFICATE-----
Before restarting Apache, verify your chain with OpenSSL:
openssl verify -CAfile DigiCertCA.crt your_domain.crt
If this fails, your chain is incomplete or malformed.
Instead of SSLCertificateChainFile (deprecated in Apache 2.4.8+), use:
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCACertificateFile /path/to/DigiCertCA.crt
Or bundle certificates in a single file:
cat your_domain.crt IntermediateCA.crt RootCA.crt > bundle.crt
Then reference just:
SSLCertificateFile /path/to/bundle.crt
Ensure Apache can read the files:
chmod 644 *.crt
chmod 640 *.key
chown root:apache *.key *.crt
For more detailed error messages, run:
apachectl configtest
tail -f /var/log/httpd/error_log
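As an added example (not code from either answer), the file-level checks both answers list before restarting httpd, collected into one POSIX shell script: line endings and hidden bytes, expiry, whether the private key is world-readable, and whether the certificate actually names the vhost's ServerName in a DNS SAN. A self-signed certificate and key are generated as constructed test data so the script runs offline; the directory WORK, every path and every function name are assumptions, and the chain-order checks are a separate concern not repeated here.

```shell
#!/bin/sh
# Added example, not from the answers above: the file-level checks to run
# before 'systemctl restart httpd'. A self-signed cert/key pair is generated
# as constructed test data so this runs offline; every path is hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed test data: a 365-day self-signed cert for example.com under $1.
make_test_files() {
    d="$1"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com,DNS:www.example.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null
    openssl x509 -req -in "$d/example.com.csr" -signkey "$d/example.com.key" \
        -days 365 -sha256 -extfile "$d/leaf.ext" -out "$d/example.com.crt" 2>/dev/null
}

# Reject CR line endings, a UTF-8 byte-order mark, or a file that does not
# begin with a PEM header: the "hidden characters" the answers warn about.
check_pem_clean() {
    f="$1"
    if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
        printf '%s\n' "$f: has CR (DOS) line endings; strip them with: tr -d '\\r' < $f > $f.new" >&2
        return 1
    fi
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        printf '%s\n' "$f: starts with a UTF-8 BOM" >&2
        return 1
    fi
    head -n 1 "$f" | grep -q '^-----BEGIN ' || { printf '%s\n' "$f: first line is not a PEM header" >&2; return 1; }
}

# Fail if the certificate has expired or expires within $2 seconds (default 30 days).
check_not_expiring() {
    openssl x509 -noout -in "$1" -checkend "${2:-2592000}" >/dev/null
}

# Fail unless $2 is listed as a DNS SAN. Modern browsers ignore the CN, so a
# certificate that names the host only in CN still produces warnings.
check_covers_name() {
    openssl x509 -noout -text -in "$1" | grep -qE "DNS:$2"'(,|$)'
}

# A private key must not be readable by "other". httpd opens it while still
# running as root, so the apache user itself needs no access (root:apache 640 is fine).
check_key_private() {
    k="$1"
    if [ -n "$(find "$k" -perm -004 -print)" ]; then
        printf '%s\n' "$k: private key is world-readable; run: chmod 640 $k" >&2
        return 1
    fi
}

make_test_files "$WORK"
chmod 644 "$WORK/example.com.key"   # simulate the usual copy-and-chmod mistake
for f in "$WORK/example.com.crt" "$WORK/example.com.key"; do
    check_pem_clean "$f"
done
check_not_expiring "$WORK/example.com.crt" 2592000
check_covers_name "$WORK/example.com.crt" example.com
check_key_private "$WORK/example.com.key" || chmod 640 "$WORK/example.com.key"
check_key_private "$WORK/example.com.key"
echo "pre-restart checks passed for $WORK"
```

On a real host drop make_test_files, point the checks at /etc/pki/tls/certs and /etc/pki/tls/private, and keep restorecon for the SELinux label, which these checks do not cover. Each check writes the offending file and the fix to stderr and exits non-zero, so the script can gate a deployment step.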