
SSL errors in Apache when starting an unencrypted site

Alastair Grant | Thursday 25 October 2018

I finally got around to doing a distribution update on my development VM, which runs Apache.  After the update (moving to Apache 2.4.33), it would no longer start; it was the only application that failed to start.  The complaint was about the SSL key used to run a virtual host.

[ssl:emerg] [pid 23090] AH02572: Failed to configure at least one certificate and key for xxxx:80
[ssl:emerg] [pid 23090] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[ssl:emerg] [pid 23090] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?

The error seemed slightly confusing: it said it couldn't read my SSL key, but also that I might have forgotten to include one.  I checked the config, and it hadn't changed; it still pointed at my private key.  The key was an ECDSA key, which I felt the "Expecting: EC PARAMETERS" remark might be highlighting.

I checked the file permissions on the private key, but there was nothing odd about them (only readable by root, which is normal: the key is read while the process is launched, so application code can't access it afterwards).  And I had plenty of other vhosts that would start fine using different keys, although none of the others were ECDSA keys.  My hunch was that there must be something different with OpenSSL, but when tested, it could read the key fine.

But sometimes the answer is sitting right in front of you.  The first line in the error log was complaining about configuring a host on port 80.  SSL runs on port 443, not 80, so why would Apache need a certificate for port 80?  In all honesty, ports are just that: standards dictate that we run certain services on certain ports, but there is no reason why you can't run TLS over port 80.  Browsers just won't expect it, though you can get it to work.

The culprit was hiding away in a small vhost configuration for an HTTP to HTTPS redirect: just a simple vhost setup for port 80 for that virtual hostname.  Whilst the ServerName was set to include the port number, there was a mistake in the <VirtualHost> directive and it was also being bound to port 443, not 80.  I'm not sure exactly what has changed in Apache, but it seems to parse the configuration files slightly differently, and where this misconfiguration didn't cause a problem before (although it likely didn't work), it was now preventing it from starting up.  Adjusting the second virtual host entry to be bound correctly to port 80 allowed Apache to start up and not attempt to load a missing key for the HTTP site.
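As an added illustration (not code from the original post), here is a small Python checker for exactly this mistake: it parses <VirtualHost> blocks from a constructed vhost file that reproduces the misconfiguration (the hostname dev.example.test and the certificate paths are placeholders) and flags a host whose ServerName port disagrees with its binding, or that is bound to 443 without an SSLCertificateKeyFile.

```python
import re

# Constructed sample vhost config (not from the post) reproducing the mistake:
# the HTTP redirect host's ServerName says :80, but its <VirtualHost> is bound
# to *:443 and carries no certificate or key, so mod_ssl refuses to start.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName dev.example.test:80
    Redirect permanent / https://dev.example.test/
</VirtualHost>

<VirtualHost *:443>
    ServerName dev.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/dev.example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/dev.example.test.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Yield (bound_ports, directives) per <VirtualHost> block: the set of port
    strings in its address list, and lowercased directive name -> arguments."""
    for addrs, body in VHOST_RE.findall(text):
        ports = {a.rsplit(":", 1)[1] for a in addrs.split() if ":" in a}
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue
            directives.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
        yield ports, directives


def check_vhosts(text):
    """Return warnings for vhosts whose binding disagrees with ServerName or SSL setup."""
    warnings = []
    for ports, d in parse_vhosts(text):
        name = d.get("servername", "(no ServerName)")
        port_in_name = re.search(r":(\d+)$", name)
        if port_in_name and port_in_name.group(1) not in ports:
            warnings.append(f"{name}: ServerName port {port_in_name.group(1)} "
                            f"but <VirtualHost> bound to {sorted(ports)}")
        # A host bound to 443 with no key file is exactly what AH02572 complains about.
        if "443" in ports and "sslcertificatekeyfile" not in d:
            warnings.append(f"{name}: bound to 443 without SSLCertificateKeyFile")
    return warnings
```

Running check_vhosts on the sample reports two warnings for the redirect host; changing its binding to *:80 clears both.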

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.