
Why is HTTPD failing to start? Why is TLS failing to start? Missing certificate key is not missing!


For context, I followed this tutorial to configure SSL/TLS on an EC2 instance:

Everything was working fine, I've installed a web application (Drupal 9) from composer-based repo, maintained my code, fine.

I updated some packages with yum, updated php, etc.

I attempt to start Apache:

[ec2-user@ip-172-31-32-159 ~]$ sudo systemctl restart httpd
Job for httpd.service failed. See "systemctl status httpd.service" and "journalctl -xe" for details.

I check journalctl -xe

The important part appears to be:

-- Unit httpd-init.service has begun starting up.
Jan 10 00:10:41 httpd-ssl-gencerts[9368]: Missing certificate key!
Jan 10 00:10:41 systemd[1]: httpd-init.service: main process exited, code=exited, status=1/FAILURE
Jan 10 00:10:41 systemd[1]: Failed to start One-time temporary TLS key generation for httpd.service.
-- Subject: Unit httpd-init.service has failed
-- Defined-By: systemd
-- Support:
-- Unit httpd-init.service has failed.
-- The result is failed.

Here is something interesting. I check vim /etc/httpd/conf.d/ssl.conf

At line 100 is SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Okay, very good.

The interesting thing is if I rename the file sudo mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.bak, and then try to start httpd sudo systemctl start httpd, returned is Job for httpd.service failed because the control process exited with error code.

Checking journalctl -xe again, we receive a different error:

-- Unit httpd.service has begun starting up.
Jan 10 00:42:56 httpd[9841]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Jan 10 00:42:56 httpd[9841]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or
Jan 10 00:42:56 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jan 10 00:42:56 systemd[1]: Failed to start The Apache HTTP Server.

Renaming localhost.crt to localhost.crt.bak changes the error, breaks the link, and SSLCertificateFile appropriately does not exist.

Changing localhost.crt.bak to localhost.crt restores the SSLCertificateFile link, and changes the error back to claiming there is a missing certificate key, when we can see it there:

Jan 10 00:47:07 httpd-ssl-gencerts[9884]: Missing certificate key!

What is going on here?

  • Is there a private key in the localhost.crt file, or just a certificate? To start a web server with TLS, you need the private key component as well as the certificate component in the file. Look for -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- in the file.
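
The check suggested in the reply above, as an added example that is not part of the original thread: a shell function that reads the SSLCertificateFile and SSLCertificateKeyFile directives from a config and reports which PEM blocks each referenced file holds. The function names, the temporary directory and the sample files are constructed for illustration; the function also looks at SSLCertificateKeyFile, the mod_ssl directive for a key kept in a separate file, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not the poster's code. All sample files are constructed.

# Print the label of every PEM block in a file, one per line.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Report what each SSLCertificateFile / SSLCertificateKeyFile target holds.
# Returns 0 only when both a certificate and a private key were found.
check_tls_conf() {
    have_cert=no; have_key=no
    targets=$(awk '$1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" {
        gsub(/"/, "", $2); print $1, $2 }' "$1")
    while read -r directive path; do
        [ -n "$directive" ] || continue
        if [ ! -f "$path" ]; then
            echo "$directive $path: file does not exist"
            continue
        fi
        blocks=$(pem_blocks "$path")
        list=$(printf '%s\n' "$blocks" | paste -sd, -)
        echo "$directive $path: ${list:-no PEM blocks}"
        printf '%s\n' "$blocks" | grep -qx 'CERTIFICATE' && have_cert=yes
        printf '%s\n' "$blocks" | grep -q 'PRIVATE KEY$' && have_key=yes
    done <<EOF
$targets
EOF
    echo "certificate=$have_cert private_key=$have_key"
    [ "$have_cert" = yes ] && [ "$have_key" = yes ]
}

# Constructed sample: the certificate file holds only a CERTIFICATE block
# (placeholder body, not a real certificate) and the key file is absent.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/localhost.crt"
    printf '%s\n' "SSLCertificateFile $1/localhost.crt" \
        "SSLCertificateKeyFile $1/localhost.key" > "$1/ssl.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
check_tls_conf "$demo/ssl.conf" || echo "TLS material incomplete"
rm -rf "$demo"
```

Pointed at /etc/httpd/conf.d/ssl.conf (as root, so the key file is readable), it shows which referenced file is missing or lacks a private key block.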