Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#53790 - [apache] Failed to configure CA certificate chain
Attached to Project: Arch Linux
Opened by Donald Webster (fryfrog) - Monday, 24 April 2017, 16:49 GMT
Last edited by Jan de Groot (JGC) - Monday, 24 April 2017, 19:23 GMT
Description: After upgrading to apache-2.4.25-2, I get the error below when trying to start my webserver w/ SSL. I tried a forced renewal of the Let's Encrypt certificate, but it didn't change anything. Downgraded to 2.4.25-1 and it works fine.
[Mon Apr 24 09:30:22.606656 2017] [ssl:emerg] [pid 13442] AH01903: Failed to configure CA certificate chain!
[Mon Apr 24 09:30:22.606720 2017] [ssl:emerg] [pid 13442] AH02312: Fatal error initialising mod_ssl, exiting.
Looks like the latest update did add some SSL stuff too.
I don't understand because openssl seems to have been upgraded months ago. :/
Editing this comment in case anyone needs help fixing.
If you downgraded SSL, go to your package cache and extract the 1.1.0 version and place the two libraries where they belong. Then you can run the package updater and get it sorted for real.
For the certificate issue, whatever guide you followed was wrong and your config needs fixing.
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
**OR**
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
The *correct* way is found in the comments for the top Google result of "letsencrypt apache config", which shows the *wrong* way in the original post that *used* to work.
https://community.letsencrypt.org/t/apache-configuration-example/2338
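A small check for the two directive layouts listed in the comment above, added here as an example (it is not part of the thread or of any Arch or Apache tooling). It assumes Let's Encrypt's default file names as used in the thread; the function names and the sample vhost are constructed for illustration.

```python
import posixpath

# The two layouts from the comment, keyed by the basename each directive
# points at (assumes Let's Encrypt's default file names, as in the thread).
LAYOUTS = {
    "fullchain": {"SSLCertificateFile": "fullchain.pem",
                  "SSLCertificateKeyFile": "privkey.pem"},
    "cert+chain": {"SSLCertificateFile": "cert.pem",
                   "SSLCertificateKeyFile": "privkey.pem",
                   "SSLCertificateChainFile": "chain.pem"},
}
# Apache directive names are case-insensitive; map them to canonical spelling.
NAMES = {name.lower(): name for name in LAYOUTS["cert+chain"]}

def parse_ssl_directives(conf_text):
    """Return {directive: path} for the three SSL file directives."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or directive without argument
        name = NAMES.get(parts[0].lower())
        if name:
            found[name] = parts[1].strip('"')
    return found

def classify(conf_text):
    """Name the layout one vhost's text matches, or say why it matches none."""
    found = parse_ssl_directives(conf_text)
    basenames = {k: posixpath.basename(v) for k, v in found.items()}
    for label, layout in LAYOUTS.items():
        if basenames == layout:
            dirs = {posixpath.dirname(v) for v in found.values()}
            return label if len(dirs) == 1 else "mixed-directories"
    return "unrecognized"

# Constructed sample: mixes the two layouts, so it matches neither.
MIXED = """
<VirtualHost *:443>
    # SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    sslcertificatefile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
"""

if __name__ == "__main__":
    print(classify(MIXED))  # unrecognized
```

Pass the text of one virtual host at a time; with several vhosts in one string the last occurrence of each directive wins.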
# pacman -U openssl-1.0.2.k-1-x86_64.pkg.tar.xz :(
loading packages...
warning: downgrading package openssl (1.1.0.e-1 => 1.0.2.k-1)
resolving dependencies...
looking for conflicting packages...
[...]
error: failed to commit transaction (conflicting files)
openssl: /usr/lib/libcrypto.so.1.0.0 exists in filesystem
openssl: /usr/lib/libssl.so.1.0.0 exists in filesystem
Errors occurred, no packages were upgraded.
----
Have downgraded apache and now it core dumps at start :(
So I'm totally stuck. No fun.