Solving “No RSA/DSA Certificate Found for Virtual Host” Error in Apache 2.2 on Ubuntu


When configuring multiple virtual hosts in Apache 2.2 on Ubuntu 12.04, you might encounter this perplexing error:

[error] Oops, no RSA or DSA server certificate found for 'server.host.name:0'?!

This typically appears when Apache can't find appropriate SSL certificates for one or more of your virtual hosts, even if you didn't explicitly configure SSL.

The error stems from Apache's SSL module processing all virtual hosts through the SSL engine by default. Even non-SSL virtual hosts get checked, causing this warning when no certificate is configured.

Here are three approaches to resolve this:

1. Explicitly Disable SSL for Non-SSL Hosts

<VirtualHost *:80>
    ServerName example.com
    # Explicitly disable SSL for this host
    SSLEngine off
    # Rest of your configuration
</VirtualHost>

2. Separate SSL and Non-SSL Configurations

Create separate files for SSL and non-SSL hosts:

# For non-SSL
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
</VirtualHost>

# For SSL
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
</VirtualHost>

3. NameVirtualHost Directive

Ensure proper NameVirtualHost configuration:

NameVirtualHost *:80
NameVirtualHost *:443

For complex setups, consider conditional configuration:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        # SSL configuration here
    </VirtualHost>
</IfModule>

<VirtualHost *:80>
    # Non-SSL configuration
</VirtualHost>

After making changes, validate the configuration and restart Apache:

sudo apache2ctl configtest
sudo service apache2 restart

Check your error logs to confirm the warning has disappeared:

tail -f /var/log/apache2/error.log

When setting up multiple virtual hosts with Apache on Ubuntu, you might encounter this cryptic error during server restart:

Oops, no RSA or DSA server certificate found for 'server.host.name:0'?!

This typically occurs when:

  • Your SSL-enabled virtual host lacks proper certificate directives
  • Apache attempts to bind certificates to IP:port combinations incorrectly
  • There's a mismatch between NameVirtualHost and <VirtualHost> declarations

Unlike older versions, Apache 2.2+ handles SSL certificates differently. The ":0" suffix indicates Apache is trying to bind certificates to all available network interfaces but can't find matching certs.

Here's a problematic configuration example:

<VirtualHost *:443>
    ServerName example.com
    # Missing SSLCertificateFile directive
</VirtualHost>

For each SSL virtual host, you must explicitly specify certificate paths:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example
    
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
    
    # Additional SSL settings
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
</IfModule>

When hosting multiple SSL sites on a single IP (SNI required):

# Ensure SNI is enabled
NameVirtualHost *:443

# First host - requires wildcard or primary cert
<VirtualHost *:443>
    ServerName primary.example.com
    SSLCertificateFile /path/to/primary.crt
    ...
</VirtualHost>

# Subsequent hosts with different certs
<VirtualHost *:443>
    ServerName secondary.example.com
    SSLCertificateFile /path/to/secondary.crt
    ...
</VirtualHost>

If the error persists:

  1. Run apachectl configtest to check syntax
  2. Verify certificate paths and permissions (key files should be 600)
  3. Check for conflicting Listen directives
  4. Examine all enabled sites with apache2ctl -S
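
The first cause listed above, an SSL-enabled virtual host with no certificate directive, can be checked for mechanically before restarting. The following Python function is an added example, not part of the original article; its name, the sample configuration, and the rule that a :443 host without an SSLEngine line counts as SSL are assumptions made here.

```python
import re

# Constructed sample configuration for this example (not from a real server).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Missing SSLCertificateFile directive
</VirtualHost>
<VirtualHost *:443>
    ServerName secondary.example.com
    SSLEngine on
    SSLCertificateFile /path/to/secondary.crt
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def find_ssl_vhosts_without_cert(conf_text):
    """Return (line_no, address, server_name) for SSL vhosts lacking SSLCertificateFile."""
    findings, vhost = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            vhost = {"line": line_no, "addr": opened.group(1).strip(),
                     "name": None, "engine": None, "cert": False}
        elif vhost is not None and line.lower().startswith("</virtualhost"):
            # Assumption: a :443 vhost with no SSLEngine line is meant to be SSL.
            engine = vhost["engine"] or ("on" if vhost["addr"].endswith(":443") else "off")
            if engine == "on" and not vhost["cert"]:
                findings.append((vhost["line"], vhost["addr"], vhost["name"]))
            vhost = None
        elif vhost is not None:
            parts = line.split(None, 1) + [""]
            directive, value = parts[0].lower(), parts[1].strip()
            if directive == "servername":
                vhost["name"] = value
            elif directive == "sslengine":
                vhost["engine"] = value.lower()
            elif directive == "sslcertificatefile" and value:
                vhost["cert"] = True
    return findings
```

Pass it the text of each enabled site file; an empty list means every SSL virtual host names a certificate file.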