Solving the Apache SSL error “Oops, no RSA or DSA server certificate found for ‘www.somedomain.com:0’?!”

Posted by Benjamin Close on January 21, 2011 under OpenSource | 28 Comments to Read

Recently a colleague of mine came to me with a problem he was having with SSL certificates and the Apache 2.2 web server. Put simply, Apache (httpd) would not start. It was an unusual situation, as this server had been running flawlessly for almost two years and it was only a recent power outage that had caused the error to occur. Running apachectl configtest revealed no problems with the setup, but when running apachectl start, whilst no errors were reported on the command line, Apache would instantly die. Checking the log files we found:

[Thu Jan 20 14:15:16 2011] [error] Oops, no RSA or DSA server certificate found for 'www.somedomain.com:0'?!

Whilst somedomain.com isn’t the actual domain name reported (I can’t reveal the client), this error was being printed for every SSL host except the default SSL host. Ironically, the default SSL host was simply a redirect to one of the others. A quick check confirmed the problem lay with the SSL hosts: we removed every SSL host and the web server started fine, obviously without any SSL.

My colleague and I were perplexed. He had tried quite a few things to fix this, all without luck. A so-called server admin had told him it was due to not using IP-based virtual hosts for SSL, claiming you can’t use name-based virtual hosts with SSL at all; no doubt this came from a quick Google search for the error. The claim is wrong: you can run name-based virtual hosts with SSL on port 443 provided they share one certificate that covers all of their names, typically a wildcard certificate (a certificate listing every host as a Subject Alternative Name works the same way). A shared certificate is required because the SSL handshake completes, and the server certificate is chosen, before the client sends the Host header; a wildcard lets any subdomain complete the handshake, after which Apache sees the Host header and serves the appropriate vhost. If you only have a single-name certificate this does not work and you need a separate IP address per certificate, or Server Name Indication (Apache 2.2.12 or newer built against OpenSSL 0.9.8f or newer, and a client that sends SNI), which lets the client name the host inside the handshake so each vhost can present its own certificate.

Anyway, we began trying to debug the issue. First we checked that the certificate files were at the specified locations; they were. Next we checked that the certificates were actually valid. You can use the openssl command below to do this:

openssl x509 -noout -text -in YOURCERTIFICATE.crt

The certificate, key and certificate authority (CA) certificate were all valid and in date.
Next we tried putting each vhost into the config one by one to see whether one host had errors that another didn’t. It turned out not to matter what order the hosts were in or which SSL hosts were included: they all had issues, except for the default SSL vhost.
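The openssl command above tells you a certificate parses and what its dates are; it does not tell you whether the certificate, the private key and the CA file named in a vhost belong together, which is the other thing mod_ssl needs. The script below is added here as an example (it is not part of the original post) and runs the three checks a practitioner actually wants: validity window, key-to-certificate modulus match, and chain to the CA bundle. So that it runs stand-alone it builds a throwaway private CA and server certificate in a temporary directory and then feeds the checks a deliberately wrong key; the file names, the hypothetical SSL_KEY_PASS variable and the demo certificates are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post. "openssl x509 -text" shows that a
# certificate parses; this script checks that the certificate, the private key and
# the CA bundle a vhost names actually belong together. Assumes the openssl CLI;
# the files are whatever SSLCertificateFile, SSLCertificateKeyFile and
# SSLCertificateChainFile (or SSLCACertificateFile) point at, and the key is
# unencrypted unless SSL_KEY_PASS is set, as is usual for httpd.

# check_cert_pair CERT KEY CAFILE
# Prints one line per check; returns 0 only if every check passed.
check_cert_pair() {
    cert=$1; key=$2; cafile=$3; rc=0
    for f in "$cert" "$key" "$cafile"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. Validity window: -checkend 0 exits non-zero once notAfter has passed.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok: certificate in date ($(openssl x509 -in "$cert" -noout -enddate))"
    else
        echo "FAIL: certificate expired (or not a PEM certificate)"; rc=1
    fi

    # 2. Key/certificate agreement: an RSA key and its certificate carry the same
    #    modulus. A mismatched pair is rejected when the key is loaded into the
    #    SSL context, with a different error from the one in this post.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -passin "pass:${SSL_KEY_PASS:-}" \
                  -noout -modulus 2>/dev/null)
    case $cert_mod in
        Modulus=*)
            if [ "$cert_mod" = "$key_mod" ]; then
                echo "ok: private key matches certificate"
            else
                echo "FAIL: private key does not match certificate"; rc=1
            fi ;;
        *)  echo "FAIL: could not read an RSA modulus from $cert"; rc=1 ;;
    esac

    # 3. Chain: the certificate must verify against the CA bundle Apache is given.
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "ok: certificate chains to $cafile"
    else
        echo "FAIL: certificate does not verify against $cafile"; rc=1
    fi
    return $rc
}

# make_demo_pki DIR: throwaway material constructed for the demonstration only
# (a private CA and one server certificate it issued), nothing from a real site.
make_demo_pki() {
    cat >"$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Demo CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.somedomain.com\n' \
        >"$1/srv.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 &&
    openssl req -new -config "$1/srv.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/server.crt" >/dev/null 2>&1
}

# demo_check: run the checks on the throwaway pair, then on a deliberately wrong
# pair (the CA key with the server certificate). Returns 0 only if the first
# passes and the second fails, i.e. if the checks actually discriminate.
demo_check() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { echo "could not create demo certificates"; rm -rf "$d"; return 1; }
    echo "== matching key =="
    check_cert_pair "$d/server.crt" "$d/server.key" "$d/ca.crt"; good=$?
    echo "== wrong key =="
    check_cert_pair "$d/server.crt" "$d/ca.key" "$d/ca.crt"; bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

# Usage:  sh check_cert_pair.sh demo
#     or  . ./check_cert_pair.sh && check_cert_pair site.crt site.key chain.crt
if [ "${1:-}" = "demo" ]; then demo_check; fi
```

Run it with the demo argument to see both the passing and the failing report; against a real vhost, point check_cert_pair at the three files the vhost names. A clean report here and the error from this post still appearing is what tells you the problem is in the Apache configuration rather than in the certificates.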

At this point we were a little lost, so we went back to basics and worked out what the error really meant. We searched to see which Apache module the error came from. A simple grep later we had narrowed the error down to mod_ssl. Searching the mod_ssl source code found the following instances of the message:

# grep Oops *
ssl_engine_init.c:                         "Init: Oops, you want to request client "
ssl_engine_init.c:                "Oops, no RSA or DSA server certificate found "
ssl_engine_init.c:                "Oops, no RSA or DSA server private key found?!");
ssl_engine_io.c:                    (argp != NULL ? "(BIO dump follows)" : "(Oops, no memory buffer?)"));

Looking in ssl_engine_init.c we found the error came from the following function:

static void ssl_init_server_certs(server_rec *s,
                                  apr_pool_t *p,
                                  apr_pool_t *ptemp,
                                  modssl_ctx_t *mctx)
{
    const char *rsa_id, *dsa_id;
    const char *vhost_id = mctx->sc->vhost_id;   /* "host:port" of this vhost */
    int i;
    int have_rsa, have_dsa;

    /* keys under which this vhost's certificates and private keys were stored */
    rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
    dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);

    have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
    have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);

    /* neither an RSA nor a DSA certificate could be imported for this vhost:
     * the message seen in the log, followed by a fatal exit */
    if (!(have_rsa || have_dsa)) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                "Oops, no RSA or DSA server certificate found "
                "for '%s:%d'?!", s->server_hostname, s->port);
        ssl_die();
    }

    for (i = 0; i < SSL_AIDX_MAX; i++) {
        ssl_check_public_cert(s, ptemp, mctx->pks->certs[i], i);
    }

    have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
    have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);

    if (!(have_rsa || have_dsa)) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                "Oops, no RSA or DSA server private key found?!");
        ssl_die();
    }
}

Hence the error was caused by the certificates not being importable. Once again we checked the paths to make sure the certificates and keys were correct; alas, they were. So we began to wonder why the certificates couldn’t be found: we had specified the correct files and confirmed they were valid. It occurred to me that perhaps the OpenSSL context had not been set up correctly. But why not? I took a look at the default SSL vhost, which did work, and noticed a single line that was not in any of the other SSL vhosts:

SSLEngine on

The comment above this line read:

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.

I added “SSLEngine On” to the other SSL vhosts and it worked! So it turns out you can have a vhost set up on port 443 without SSL, hence for each vhost you want SSL working in you must add the above line. Note what that means: a port-443 vhost without SSLEngine on is an ordinary plain-HTTP vhost that happens to listen on 443, so the certificate directives in it do nothing and anything it did serve would go over the wire in cleartext; the directive is what actually turns SSL on. My colleague was extremely thankful. Why it happened in the first place we still don’t know; we suspect the option had previously been enabled globally. However, the fix allows Apache to run again and works after a clean shutdown and startup.
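apachectl configtest passed throughout this story, so the per-vhost rule above is worth checking separately. The script below is added here as an example (it is not part of the original post and is not an Apache tool): it walks a 2.2-style httpd.conf on standard input and flags port-443 vhosts that have no SSLEngine on of their own and none inherited from the global context, SSL vhosts missing their SSLCertificateFile or SSLCertificateKeyFile directive, and a ServerName declared twice on the same address:port (the pasted-twice block one commenter below ran into). The embedded sample configuration is constructed for the demonstration and also shows the name-based setup discussed earlier, three vhosts on *:443 sharing one wildcard certificate; its file paths are hypothetical, and the script assumes, as mod_ssl's configuration merge does, that a global SSLEngine on is inherited by vhosts that leave it unset.

```shell
#!/bin/sh
# Added example, not part of the original post. A small lint for the httpd.conf
# mistakes discussed on this page: it reads an Apache 2.2-style config on stdin
# (concatenate your vhost files first; it does not follow Include) and warns about
#   - a port-443 vhost with no "SSLEngine on" of its own and none inherited from
#     the global context (the cause in this post),
#   - an SSL vhost without SSLCertificateFile / SSLCertificateKeyFile,
#   - the same ServerName declared twice on the same address:port
#     (a pasted-twice block, as one commenter below reports).
# Only the first address of a <VirtualHost> line is considered.

# lint_vhosts < httpd.conf  -> one WARN line per finding; exit 1 if there were any.
lint_vhosts() {
    awk '
    function warn(msg) { print "WARN: " msg; n++ }
    /^[ \t]*#/ { next }                          # whole-line comments only, as Apache
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^$/ { next }
    tolower($0) ~ /^<virtualhost[ \t]/ {
        addr = $2; sub(/>$/, "", addr)
        invh = 1; name = ""; engine = ""; cert = 0; key = 0; start = NR
        next
    }
    tolower($0) ~ /^<\/virtualhost>/ {
        port = addr; sub(/.*:/, "", port)
        if (name == "") name = "(no ServerName)"
        id = name " on " addr
        if (seen[id]++)
            warn("duplicate vhost block: " id " (line " start ")")
        if (port == "443") {
            on = (engine == "on") || (engine == "" && global == "on")
            if (!on)
                warn(id ": listens on 443 but has no \"SSLEngine on\" (line " start ")")
            else {
                if (!cert) warn(id ": SSLEngine on but no SSLCertificateFile (line " start ")")
                if (!key)  warn(id ": SSLEngine on but no SSLCertificateKeyFile (line " start ")")
            }
        }
        invh = 0
        next
    }
    {
        d = tolower($1)
        if (d == "sslengine") { if (invh) engine = tolower($2); else global = tolower($2) }
        else if (invh && d == "servername")            name = $2
        else if (invh && d == "sslcertificatefile")    cert = 1
        else if (invh && d == "sslcertificatekeyfile") key = 1
    }
    END { exit (n > 0) }
    '
}

# demo_lint: constructed sample config, not a real site's. Three name-based vhosts
# on *:443 sharing one wildcard certificate, as described in the post: the first is
# correct, the second lacks SSLEngine, the third is a pasted duplicate of the first
# that also lost its key line.
demo_lint() {
    lint_vhosts <<'EOF'
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.somedomain.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/wildcard.somedomain.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/wildcard.somedomain.com.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>
# SSLEngine forgotten: this is the vhost mod_ssl complains about
<VirtualHost *:443>
    ServerName app.somedomain.com
    SSLCertificateFile      /etc/ssl/certs/wildcard.somedomain.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/wildcard.somedomain.com.key
</VirtualHost>
# pasted twice by accident
<VirtualHost *:443>
    ServerName www.somedomain.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/wildcard.somedomain.com.crt
</VirtualHost>
<VirtualHost *:80>
    ServerName www.somedomain.com
    Redirect permanent / https://www.somedomain.com/
</VirtualHost>
EOF
}

# Usage:  sh lint_vhosts.sh demo
#     or  cat /etc/apache2/sites-enabled/* | lint_vhosts
if [ "${1:-}" = "demo" ]; then demo_lint; fi
```

The demo prints three warnings: the app vhost with no SSLEngine on, the duplicate www block, and that duplicate's missing key directive. Directive names are matched case-insensitively, as Apache reads them, and the line number reported is that of the offending <VirtualHost> line so the block is easy to find in a long config.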




  • Ben said,

    Thanks again, this was another of the ‘good’ questions you always help with! So glad it was something simple to implement the fix!

  • ssl247.com said,

    Thanks for taking the time to write up this post. A friend of mine came to me with the same problem and I was completely stumped, so I decided to browse the net looking for a solution, which led me to this very post. I couldn’t believe my luck, thank you again for the tips and instructions.

  • erkin tek said,

    Same problem, I only added “SSLEngine On” to virtual host definition and it worked.

  • Hendy Irawan said,

    THANK YOU !!!!!!!!!!!!!!!!!!!!!!!!

    You are a savior dude !!

    I was so puzzled by this error…

    Many thanks. I wish I could buy you a beer right now.

  • James Cooksey said,

    Life saver! Had this problem with OS X Lion Server.

    Thank you!

  • Nasir Iqbal said,

    Lot of Thanks!!

  • Lucas Machado said,

    I was struggling for a couple of hours and this saved my life, thanks a LOT!

  • Bernie Roehl said,

    Thank you!!! I ran into exactly the same problem. Your fix saved me hours of debugging!

  • Justin said,

    I already have this setting on, created a new vhost today for a new portal I’ve got to turn on and I get this error and the site doesn’t work. Not sure where to go from here since I already have SSLEngine on

    =/

  • Brian Tkatch said,

    Thanx!

  • Vishakha said,

    lot of thanks!!

  • Nathan said,

    Thank you so much for this, SSL can be a bit perplexing sometimes!

  • gdm said,

    thank you! this saved me a loooong time spent debugging :-)

  • Rachel said,

    Thank you so much. I configured multiple VHosts and they were working fine and when I added SSL, they were all pointing to same directory. Have been struggling with this and this helped. Great Help!

  • CJV said,

    just in case anyone else stumbles upon this page with the same error — we ran into this problem also but the fix was different in our case. for us, it was that one vhost block was accidentally duplicated in the httpd.conf — and apparently this confused apache to no end.

    so check to make sure you don’t have the same vhost block in there twice.

  • Lionel Morrison said,

    Simply Gold!

    BTW you need to make sure that you’re running Apache 2.2.12 or newer and have it compiled with OpenSSL 0.9.8f or newer.

    This will give you SNI capability that’s useful for name-based vhosts that need their own SSL certs.

  • Ramon Araujo said,

    Hey! You’re a legend mate,

    Thanks a lot!

  • Tozz said,

    Thanks, was exactly the same issue here.

  • JLeoni said,

    Same issue, but I’ve already got SSLEngine on, I’ve got several secure domains one of which has several vHosts working just fine, was adding a staging site to my primary domain which now has a wild card cert.

    No dice … sigh

  • Joe said,

    Thank you very much, I had the same issue and this post solved the problem.

  • Bosco said,

    Thank you so much.
    This saved me a lot of time troubleshooting.

  • Ankur said,

    Thanks. Your tips saved my time!

  • Simon said,

    Amazing. Thank you.

  • Kevin said,

    Exactly the same issue, same cause, (brief power outage). The solution in this post was spot on – I added the SSLEngine directive to my virtual host and the server immediately sprang back to life.

    For what it’s worth, I read on another site that the server behaviour is slightly different when an ‘apachectl restart’ command is issued as opposed to ‘apachectl stop / apachectl start’ series of commands. A full stop / start of a server with the missing SSLEngine directive will prevent the server from starting, but a restart will let the server continue functioning with the missing directive. I suspect that is why your client’s (and my own) server ran for quite some time without issue – I modified my httpd.conf file and restarted the server, (not stop / start) to force my virtual host changes to load. The power loss forced a cold server start, at which point the missing directive was recognized.

    Anyway, thanks again for the time you’ve saved me with this post!

  • lyon said,

    Recently I was migrating a couple of webs to a newer server and hit this issue as well even if the configuration was left pretty much intact. The thing is with the older Apache version this wasn’t really needed — a single global SSLEngine directive was enough for all the vhosts available. Thanks for the post!

  • Giuseppe said,

    Good work ! Thanks for sharing and saving me headaches :-)

  • Mr. Muddled said,

    OMG!!! THANK YOU MAN!!! Been through exactly the same issues. Hahahahah

  • muhammed said,

    Wow… I also ended up with the same issue. Your blog saved my time…

    Thanks
