Fixing “SSL-aware server has no certificate configured” Error in Apache 2.4 on Ubuntu 14.04
When Apache throws the cryptic error AH02240: Server should be SSL-aware but has no certificate configured, it is usually telling the truth: at least one virtual host that Apache treats as SSL-enabled has no certificate it can load, even though the configuration you are looking at appears correct. Let's dissect this systematically.

Your VirtualHost setup looks technically sound at first glance:

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
    SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
</VirtualHost>

Several subtle issues could trigger this error:

1. Certificate Path Validation

Run these diagnostic commands:

# Verify file existence
sudo ls -la /etc/ssl/certs/domain.tld.crt
sudo ls -la /etc/ssl/private/domain.tld.key

# Validate certificate format
openssl x509 -in /etc/ssl/certs/domain.tld.crt -text -noout

# Check key matches certificate
openssl x509 -noout -modulus -in /etc/ssl/certs/domain.tld.crt | openssl md5
openssl rsa -noout -modulus -in /etc/ssl/private/domain.tld.key | openssl md5

2. Permission Pitfalls

Beyond basic file permissions, the SELinux security context of the files matters on distributions that run SELinux (RedHat-based systems; stock Ubuntu 14.04 uses AppArmor, so this does not apply there):

# For RedHat-based systems:
ls -Z /etc/ssl/certs/domain.tld.crt
chcon system_u:object_r:cert_t:s0 /etc/ssl/certs/domain.tld.crt

3. The Sneaky Default VirtualHost

For each IP:port combination, Apache uses the first VirtualHost defined for that address as the default, and every VirtualHost on port 443 goes through SSL initialisation, so each one needs its own SSLEngine and certificate directives. Try:

<VirtualHost *:443>
    ServerName domain.tld
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    ...
</VirtualHost>

<VirtualHost *:443>
    ServerName www.domain.tld
    RedirectMatch (.*) https://domain.tld$1
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    ...
</VirtualHost>

Enable verbose SSL logging (the two cache directives below are server-wide settings that belong in the main SSL configuration, not inside a VirtualHost):

LogLevel info ssl:trace1
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)

Check for configuration syntax errors:

apachectl configtest
apachectl -S

Consider updating to current SSL standards:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

When setting up HTTPS on Apache 2.4.7 with mod_ssl, you might encounter this frustrating error despite what looks like a correctly configured SSL certificate. The key indicators in the error log are:

[ssl:emerg] AH02240: Server should be SSL-aware but has no certificate configured
[ssl:emerg] AH02312: Fatal error initialising mod_ssl, exiting.

Before diving deep, let's verify the basics:

  • The certificate files exist at specified paths
  • Apache has read permissions (certificates 644, private key 600)
  • Certificate chain is properly formatted
  • No syntax errors in virtual host configuration

In your configuration, I notice you have two VirtualHost blocks:

<VirtualHost *:443>
    ServerName www.domain.tld
    RedirectMatch (.*) https://domain.tld$1
</VirtualHost>

<VirtualHost _default_:443>
    ...
</VirtualHost>

The issue likely stems from how Apache handles the default SSL virtual host. _default_:443 only becomes the catch-all for SSL requests that match no other vhost; it does not lend its certificate to the www.domain.tld block, which listens on port 443 with no SSLEngine or certificate directives of its own.

Here's the corrected version that should resolve the issue:

<IfModule mod_ssl.c>
    # Primary domain with SSL
    <VirtualHost *:443>
        ServerName domain.tld
        ServerAlias www.domain.tld
        DocumentRoot /home/user/www/domain.tld/public

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/domain.tld.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
        SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
        
        # Rest of your configuration...
    </VirtualHost>
</IfModule>

After making these changes:

  1. Test your configuration with apachectl configtest
  2. Check file ownership: Apache needs read access to certificate files
  3. Verify the certificate chain with OpenSSL:
    openssl verify -CAfile /etc/ssl/certs/GandiStandardSSLCA2.pem /etc/ssl/certs/domain.tld.crt
    If this reports "unable to get issuer certificate", the file given to -CAfile needs to contain the root certificate as well as the intermediate (or add -CApath /etc/ssl/certs so the system trust store supplies it).

Temporarily increase verbosity in your SSL configuration:

LogLevel info ssl:trace1

This will provide detailed SSL initialization logs to help pinpoint where exactly the configuration fails.

If you prefer maintaining separate VirtualHosts for www and non-www, ensure both have SSL configured:

<VirtualHost *:443>
    ServerName www.domain.tld
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
    SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
    Redirect permanent / https://domain.tld/
</VirtualHost>

Remember that each VirtualHost listening on port 443 must carry its own SSL configuration (SSLEngine on plus the certificate, key and chain directives), even if the block does nothing but redirect.
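Both halves of this article reduce to one check: every VirtualHost on port 443 needs SSLEngine on and its own certificate directives, and the certificate must pair with the key Apache is handed. The script below is an added example, not code from the article or from Apache. It lints a configuration file for :443 vhosts that lack an SSLCertificateFile, distinguishing the "SSLEngine on but no certificate" case from the redirect-only block with no SSL directives at all, and, where openssl and the files are present, confirms that the key matches the certificate. The sample configurations it writes are constructed here to mirror the article's www / _default_ layout; the /etc/ssl paths are the article's and are not expected to exist on the machine running it.

```shell
#!/bin/sh
# Added example (not the article's or Apache's code): audit an Apache config
# for the condition behind AH02240, a <VirtualHost ...:443> without an
# SSLCertificateFile, and check that a key belongs to its certificate.
# Sample configs are constructed to mirror the article's layout; the
# /etc/ssl paths are the article's and need not exist on this machine.

# One line per VirtualHost on port 443:
#   <address> <ServerName or ?> <SSLEngine yes|no> <SSLCertificateFile or none>
audit_ssl_vhosts() {
    awk '
    tolower($1) == "<virtualhost" {
        addr = $2; sub(/>$/, "", addr)
        invh = (addr ~ /:443$/)        # only SSL-port vhosts matter here
        name = "?"; engine = "no"; cert = "none"
        next
    }
    invh && tolower($1) == "servername" { name = $2 }
    invh && tolower($1) == "sslengine" && tolower($2) == "on" { engine = "yes" }
    invh && tolower($1) == "sslcertificatefile" { cert = $2 }
    invh && tolower($1) == "</virtualhost>" { print addr, name, engine, cert; invh = 0 }
    ' "$1"
}

# Report :443 vhosts that would stop mod_ssl from starting. Exit 1 if any.
find_misconfigured_vhosts() {
    audit_ssl_vhosts "$1" | awk '
    $4 == "none" {
        bad = 1
        if ($3 == "yes") reason = "SSLEngine on but no SSLCertificateFile (AH02240)"
        else reason = "listens on :443 with no SSL directives (redirect-only vhost)"
        printf "%s (%s): %s\n", $2, $1, reason
    }
    END { exit bad + 0 }'
}

# Does the private key belong to the certificate? Compares public-key digests,
# which is the article's modulus/md5 check generalised to non-RSA keys.
# Returns 2 (with a reason) when openssl or a file is unavailable.
check_key_matches_cert() {
    crt=$1; key=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available"; return 2; }
    [ -r "$crt" ] || { echo "cannot read $crt (missing or permission denied)"; return 2; }
    [ -r "$key" ] || { echo "cannot read $key (missing or permission denied)"; return 2; }
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Write a constructed config to a temp file and print its path. "broken" is
# the article's failing layout; "fixed" gives the www vhost its own SSL lines.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<VirtualHost *:80>
    ServerName domain.tld
    Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName domain.tld
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
    SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName www.domain.tld
EOF
    if [ "$1" = "fixed" ]; then
        cat >> "$f" <<'EOF'
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
    SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
    Redirect permanent / https://domain.tld/
EOF
    else
        printf '    RedirectMatch (.*) https://domain.tld$1\n' >> "$f"
    fi
    echo '</VirtualHost>' >> "$f"
    echo "$f"
}

# Stand-alone run: audit both constructed configs, then attempt the key check
# on the article's paths (it reports why it cannot run if they are absent).
main() {
    for mode in broken fixed; do
        conf=$(write_sample_conf "$mode")
        echo "== $mode config =="
        if find_misconfigured_vhosts "$conf"; then echo "every :443 vhost has a certificate"; fi
        rm -f "$conf"
    done
    if check_key_matches_cert /etc/ssl/certs/domain.tld.crt /etc/ssl/private/domain.tld.key; then
        echo "private key matches certificate"
    fi
}

main "$@"
```

Run it with `sh` to see the broken layout flagged and the fixed one pass, then point audit_ssl_vhosts at your own files under /etc/apache2/sites-enabled. It reads one file at a time and does not follow Include directives or look at Listen, so it treats every :443 vhost as needing certificates, which is the conservative reading of the article's advice; apachectl -S remains the authoritative view of which vhosts Apache actually builds for each address.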