How to Fix “Private Key Not Found” Apache SSL Error on Ubuntu – Certificate Configuration Guide


The error message says Apache cannot find the private key required for SSL/TLS, but in practice the file usually exists: mod_ssl opened it and found no private key inside, which is what the ASN.1 "wrong tag" error on the following line reports. The symptoms appear in the error log:

[ssl:error] AH02203: Init: Private key not found
[ssl:error] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

The main issue stems from incorrect file references in default-ssl.conf:

SSLCertificateKeyFile   /etc/apache2/ssl/domain.csr  # WRONG

This configuration mistakenly points to a Certificate Signing Request (CSR) file rather than the actual private key file. The CSR cannot function as a private key.

Here's the proper way to configure SSL certificates in Apache:

SSLCertificateFile      /etc/apache2/ssl/domain.crt
SSLCertificateKeyFile   /etc/apache2/ssl/domain.key  # Private key file
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt  # If applicable

If you've lost the private key, the existing certificate is unusable and you'll need to request a new one for a fresh key pair. Here's how to create a new private key and CSR:

openssl genrsa -out domain.key 2048
openssl req -new -key domain.key -out domain.csr

Ensure proper permissions for the private key file:

sudo chmod 600 /etc/apache2/ssl/domain.key
sudo chown root:root /etc/apache2/ssl/domain.key

Verify your certificate and key match using:

openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl rsa -noout -modulus -in domain.key | openssl md5

Both commands should output identical MD5 hashes.

To test your SSL configuration before restarting Apache:

sudo apachectl configtest
openssl s_client -connect localhost:443 -showcerts

  • Never share your private key (.key file) publicly
  • Ensure certificate chain is complete (especially for commercial CAs)
  • Verify file paths are absolute and correct
  • Check for hidden file extensions (like .key.txt)

When configuring SSL/TLS on Apache (particularly Ubuntu 14.04), you might encounter this sequence of errors in /var/log/apache2/error.log:

[ssl:error] AH02203: Init: Private key not found
[ssl:error] SSL Library Error: error:0D0680A8...wrong tag
[ssl:error] SSL Library Error: error:0D08303A...nested asn1 error
[ssl:emerg] AH02311: Fatal error initialising mod_ssl

The primary issue stems from two configuration mistakes in default-ssl.conf:

  1. Using .csr (Certificate Signing Request) file instead of .key (private key) for SSLCertificateKeyFile
  2. Potential format mismatch in certificate/key files

1. Verify File Types

First, confirm you have these three essential files:

domain.crt   # Certificate
domain.key   # Private Key (NOT .csr)
domain.csr   # Certificate Signing Request (only needed during generation)

2. Correct Apache Configuration

Modify your default-ssl.conf:

SSLCertificateFile /etc/apache2/ssl/domain.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.key  # Changed from .csr to .key

3. Validate Key/Certificate Pair

Run these OpenSSL commands to verify:

# Check modulus matches (should output identical values):
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl rsa -noout -modulus -in domain.key | openssl md5

# Verify certificate chain:
openssl verify -CAfile /path/to/ca_bundle.crt domain.crt

File Permission Checks

Apache needs read access to these files. Note that mod_ssl loads the private key at startup, while the parent process still runs as root, so the key itself does not have to be readable by www-data; keeping it root-owned (as in the permissions section above) is the safer option. If you do hand ownership to www-data, keep the key mode at 400:

chmod 400 /etc/apache2/ssl/domain.key
chmod 644 /etc/apache2/ssl/domain.crt
chown www-data:www-data /etc/apache2/ssl/*

Debugging with OpenSSL

For deeper diagnostics:

# Check private key format:
openssl rsa -in domain.key -check

# Test SSL configuration without restarting Apache:
apachectl configtest

  • Copy-pasting keys with extra whitespace
  • Using Windows line endings (CRLF) in Linux environment
  • Mismatched certificate and private key (regenerated one without updating the other)
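As an added example (not part of the original guide), this Python script lints the files a vhost's SSLCertificateFile and SSLCertificateKeyFile directives point at and reports the exact pitfalls listed here and in the first section: a CSR referenced as the key, CRLF line endings, stray whitespace, and a key readable by other users. It assumes a constructed default-ssl.conf and dummy PEM files written to a temporary directory, and it inspects PEM framing only, so pair it with the openssl modulus comparison above for a cryptographic match.

```python
"""Lint the files an Apache SSL vhost points at, flagging the mistakes this guide describes:
a CSR wired in as the key, CRLF endings, pasted whitespace, loose permissions. PEM framing only."""
import re
import stat
import tempfile
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
DIRECTIVE_RE = re.compile(r"^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.M)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def lint_pem(data, expect_key, mode=None, name="<pem>"):
    """Findings for one PEM blob; mode is the file's permission bits if known."""
    findings = []
    label = m.group(1).decode() if (m := PEM_RE.search(data)) else None
    if label is None:
        findings.append(f"{name}: no PEM header (DER file or corrupted paste?)")
    elif expect_key and label == "CERTIFICATE REQUEST":
        findings.append(f"{name}: is a CSR, not a private key (triggers AH02203)")
    elif expect_key and label not in KEY_LABELS:
        findings.append(f"{name}: PEM type '{label}' is not a private key")
    elif not expect_key and label != "CERTIFICATE":
        findings.append(f"{name}: PEM type '{label}' is not a certificate")
    if b"\r\n" in data:
        findings.append(f"{name}: Windows CRLF line endings")
    if re.search(rb"^[ \t]+\S|[ \t]+$", data, re.M):  # leading/trailing blanks on a line
        findings.append(f"{name}: stray whitespace on a line (copy-paste artefact)")
    if expect_key and mode is not None and mode & 0o077:
        findings.append(f"{name}: private key readable by group/other (use chmod 600)")
    return findings

def lint_pem_file(path, expect_key):
    p = Path(path)
    if not p.is_file():
        return [f"{path}: not found (check for hidden extensions like .key.txt)"]
    return lint_pem(p.read_bytes(), expect_key, stat.S_IMODE(p.stat().st_mode), str(path))

def lint_vhost(conf_path):
    """Lint every SSLCertificateFile / SSLCertificateKeyFile target in a vhost config."""
    results = []
    for directive, target in DIRECTIVE_RE.findall(Path(conf_path).read_text()):
        results += lint_pem_file(target, directive == "SSLCertificateKeyFile")
    return results

def demo_findings():
    """Constructed sample: the guide's broken vhost with domain.csr wired in as the key."""
    with tempfile.TemporaryDirectory() as d:  # PEM bodies are dummy base64, not real keys
        csr, crt, conf = (Path(d, n) for n in ("domain.csr", "domain.crt", "default-ssl.conf"))
        csr.write_bytes(b"-----BEGIN CERTIFICATE REQUEST-----\nQUJD\n-----END CERTIFICATE REQUEST-----\n")
        crt.write_bytes(b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n")
        conf.write_text(f"SSLEngine on\nSSLCertificateFile {crt}\nSSLCertificateKeyFile {csr}\n")
        return lint_vhost(conf)
```

Point lint_vhost at /etc/apache2/sites-available/default-ssl.conf to check a live configuration (run as root so the key file can be read).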

A complete working default-ssl.conf example:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/domain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/domain.key
        SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt
        
        # Modern SSL configuration
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305...
    </VirtualHost>
</IfModule>

After making changes:

sudo service apache2 restart
tail -f /var/log/apache2/error.log

Test the configuration from a client (and, for a public host, with an online scanner such as SSL Labs):

curl -Iv https://yourdomain.com
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com