Why is HTTPD failing to start? Why is TLS failing to start? Missing certificate key is not missing!
For context, I followed this tutorial to configure SSL/TLS on an EC2 instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Everything was working fine: I installed a web application (Drupal 9) from a composer-based repo, maintained my code, fine.
I updated some packages with yum, updated PHP, etc.
I attempt to start Apache:
[ec2-user@ip-172-31-32-159 ~]$ sudo systemctl restart httpd
Job for httpd.service failed. See "systemctl status httpd.service" and "journalctl -xe" for details.
I check journalctl -xe
The important part appears to be:
-- Unit httpd-init.service has begun starting up.
Jan 10 00:10:41 ip-172-31-32-159.us-east-2.compute.internal httpd-ssl-gencerts[9368]: Missing certificate key!
Jan 10 00:10:41 ip-172-31-32-159.us-east-2.compute.internal systemd[1]: httpd-init.service: main process exited, code=exited, status=1/FAILURE
Jan 10 00:10:41 ip-172-31-32-159.us-east-2.compute.internal systemd[1]: Failed to start One-time temporary TLS key generation for httpd.service.
-- Subject: Unit httpd-init.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd-init.service has failed.
--
-- The result is failed.
Here is something interesting. I check vim /etc/httpd/conf.d/ssl.conf
At line 100 is SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Okay, very good.
The interesting thing is that if I rename the file (sudo mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.bak) and then try to start httpd (sudo systemctl start httpd), what is returned is: Job for httpd.service failed because the control process exited with error code.
Checking journalctl -xe again, we receive a different error:
-- Unit httpd.service has begun starting up.
Jan 10 00:42:56 ip-172-31-32-159.us-east-2.compute.internal httpd[9841]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Jan 10 00:42:56 ip-172-31-32-159.us-east-2.compute.internal httpd[9841]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or
Jan 10 00:42:56 ip-172-31-32-159.us-east-2.compute.internal systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jan 10 00:42:56 ip-172-31-32-159.us-east-2.compute.internal systemd[1]: Failed to start The Apache HTTP Server.
Renaming localhost.crt to localhost.crt.bak changes the error, breaks the link, and SSLCertificateFile appropriately does not exist.
Changing localhost.crt.bak to localhost.crt restores the SSLCertificateFile link, and changes the error back to claiming there is a missing certificate key, when we can see it there:
Jan 10 00:47:07 ip-172-31-32-159.us-east-2.compute.internal httpd-ssl-gencerts[9884]: Missing certificate key!
What is going on here?
Is there a private key in the localhost.crt file, or just a certificate? To start a web server with TLS, you need the private key component as well as the certificate component in the file. Look for -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- in the file.
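An added example, not from the question or the answer above: a POSIX shell check that reads the SSLCertificateFile and SSLCertificateKeyFile directives from ssl.conf and reports which PEM blocks each file actually contains, so a "Missing certificate key!" failure can be traced to the file that has no -----BEGIN PRIVATE KEY----- block. The function names and the constructed config used to try it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Inspects the files that an
# httpd ssl.conf points at and says which PEM blocks each one holds.

# Print the path given to a directive in an httpd config, skipping commented lines.
ssl_directive_path() {          # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Count PEM blocks of a given label in a file (0 if the file is missing).
# Matches plain, RSA, EC and ENCRYPTED variants of the label.
pem_block_count() {             # $1 = file, $2 = label, e.g. CERTIFICATE or "PRIVATE KEY"
    if [ -f "$1" ]; then
        grep -c -E "^-----BEGIN ([A-Z]+ )*$2-----" "$1" || true
    else
        echo 0
    fi
}

# Check the cert/key pair named by ssl.conf.
# Returns 0 if both are present, 1 if no private key was found, 2 if no certificate.
check_ssl_material() {          # $1 = path to ssl.conf
    conf=$1
    cert=$(ssl_directive_path "$conf" SSLCertificateFile)
    key=$(ssl_directive_path "$conf" SSLCertificateKeyFile)
    # With no separate key directive, the key would have to live in the cert file.
    [ -n "$key" ] || key=$cert
    certs=$(pem_block_count "$cert" CERTIFICATE)
    keys=$(pem_block_count "$key" "PRIVATE KEY")
    echo "SSLCertificateFile=$cert certificate_blocks=$certs"
    echo "SSLCertificateKeyFile=$key private_key_blocks=$keys"
    [ "$certs" -gt 0 ] || return 2
    [ "$keys" -gt 0 ] || return 1
    return 0
}

# Run against a config path given on the command line, e.g. /etc/httpd/conf.d/ssl.conf
if [ -n "${1:-}" ]; then
    check_ssl_material "$1"
fi
```

Run it as `sh check.sh /etc/httpd/conf.d/ssl.conf` (reading /etc/pki/tls/private usually needs sudo); an exit status of 1 means the configured key file exists in name only or holds no PRIVATE KEY block.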