When upgrading from 2.4.7 to 2.4.9 we found that the server complained about missing DH PARAMETERS in our certificate and would not start. Adding dhparams to it fixed it. After some troubleshooting we found that only systems that did not have SSLCertificateChainFile directives with the intermediate certificate exhibited this problem. Combining the server and intermediate certificates into the SSLCertificateFile also required adding dhparams.

Errors:

[Thu Apr 10 13:03:32.999467 2014] [ssl:emerg] [pid 27709] AH02562: Failed to configure certificate xxx:443:0 (with chain), check /usr/local/apache2/conf/xxx.crt
[Thu Apr 10 13:03:32.999486 2014] [ssl:emerg] [pid 27709] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
AH00016: Configuration Failed

OS is RHEL5, using distro provided openssl (0.9.8e).

Is this a bug or am I doing something wrong?

Thanks,
Jesse DeFer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


  • Kurt Newman at Apr 14, 2014 at 10:32 pm

    On Thu, 10 Apr 2014 20:34:11 GMT, Jesse Defer wrote:
    > When upgrading from 2.4.7 to 2.4.9 we found that the server complained about missing DH PARAMETERS
    > in our certificate and would not start. Adding dhparams to it fixed it. After some troubleshooting
    > we found that only systems that did not have SSLCertificateChainFile directives with the intermediate
    > certificate exhibited this problem. Combining the server and intermediate certificates into
    > the SSLCertificateFile also required adding dhparams.
    >
    > Errors:
    >
    > [Thu Apr 10 13:03:32.999467 2014] [ssl:emerg] [pid 27709] AH02562: Failed to configure certificate xxx:443:0 (with chain), check /usr/local/apache2/conf/xxx.crt
    > [Thu Apr 10 13:03:32.999486 2014] [ssl:emerg] [pid 27709] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    > AH00016: Configuration Failed
    >
    > OS is RHEL5, using distro provided openssl (0.9.8e).
    >
    > Is this a bug or am I doing something wrong?
    >
    > Thanks,
    > Jesse DeFer

    Are you using a self-signed certificate? I’m seeing the same thing.


  • Jesse Defer at Apr 14, 2014 at 10:35 pm

    -----Original Message-----
    From: Kurt Newman
    Sent: Monday, April 14, 2014 3:32 PM
    To: users@httpd.apache.org
    Subject: Re: [users@httpd] 2.4.9 expecting DH PARAMETERS

    > On Thu, 10 Apr 2014 20:34:11 GMT, Jesse Defer wrote:
    >> When upgrading from 2.4.7 to 2.4.9 we found that the server complained
    >> about missing DH PARAMETERS in our certificate and would not start.
    >> Adding dhparams to it fixed it. After some troubleshooting we found
    >> that only systems that did not have SSLCertificateChainFile directives
    >> with the intermediate certificate exhibited this problem. Combining the
    >> server and intermediate certificates into the SSLCertificateFile also
    >> required adding dhparams.
    >>
    >> Errors:
    >>
    >> [Thu Apr 10 13:03:32.999467 2014] [ssl:emerg] [pid 27709] AH02562: Failed to configure certificate xxx:443:0 (with chain), check /usr/local/apache2/conf/xxx.crt
    >> [Thu Apr 10 13:03:32.999486 2014] [ssl:emerg] [pid 27709] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    >> AH00016: Configuration Failed
    >>
    >> OS is RHEL5, using distro provided openssl (0.9.8e).
    >>
    >> Is this a bug or am I doing something wrong?
    >>
    >> Thanks,
    >> Jesse DeFer
    >
    > Are you using a self-signed certificate? I'm seeing the same thing.

    No, ours come from a CA.

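A way to see which PEM blocks the file named in the AH02562 message actually contains, as an added example that is not part of the original thread. The function names and the placeholder sample files are constructed for illustration; only exact `CERTIFICATE` and `DH PARAMETERS` labels are counted.

```shell
#!/bin/sh
# Added example: inventory the PEM blocks in the file httpd names in AH02562.

# pem_count FILE LABEL: print how many "-----BEGIN LABEL-----" lines FILE has.
pem_count() {
    awk -v want="-----BEGIN $2-----" '
        { sub(/[ \t\r]+$/, "") }      # tolerate CRLF and trailing blanks
        $0 == want { n++ }
        END { print n + 0 }' "$1"
}

# check_cert_file FILE: summarize FILE. Return 0 = certificate(s) plus DH
# parameters, 1 = certificate(s) but no DH PARAMETERS block,
# 2 = no certificate, 3 = file unreadable.
check_cert_file() {
    [ -r "$1" ] || { echo "$1: cannot read" >&2; return 3; }
    certs=$(pem_count "$1" "CERTIFICATE")
    dh=$(pem_count "$1" "DH PARAMETERS")
    echo "$1: $certs CERTIFICATE, $dh DH PARAMETERS block(s)"
    if [ "$certs" -eq 0 ]; then return 2; fi
    if [ "$certs" -gt 1 ]; then echo "  chain is combined into this file"; fi
    if [ "$dh" -eq 0 ]; then
        echo "  no DH PARAMETERS block (the case the thread reports as failing)"
        return 1
    fi
    return 0
}

# write_sample FILE LABEL...: constructed input for the demo. The bodies are
# placeholders, not real certificates or DH parameters.
write_sample() {
    out=$1; shift
    : > "$out"
    for label in "$@"; do
        printf '%s\n' "-----BEGIN $label-----" AAAA "-----END $label-----" >> "$out"
    done
}

# Demo on constructed files: combined chain without, then with, DH parameters.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/combined.crt" CERTIFICATE CERTIFICATE
write_sample "$demo_dir/with-dh.crt" CERTIFICATE CERTIFICATE "DH PARAMETERS"
check_cert_file "$demo_dir/combined.crt" || true
check_cert_file "$demo_dir/with-dh.crt"
rm -rf "$demo_dir"
```

Pointed at the real SSLCertificateFile, status 1 matches the layout described in the first post: certificates present, no DH PARAMETERS block.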
