06 August 2020
Apache Configuration Error AH02572: Failed to configure at least one certificate and key
Introduction
Apache generates an AH02572: Failed to configure at least one certificate and key error message when the ssl module is loaded and a virtual host has TLS enabled (SSLEngine on) but no public certificate and matching private key are configured for it. The error prevents Apache from starting, and the message itself is written only to Apache's error log, not to the output of the service manager.
In this tutorial you will learn how to troubleshoot an AH02572 error using the methods described in the How to Troubleshoot Common Apache Errors tutorial at the beginning of this series. You will also learn how to set the SSLCertificateFile and SSLCertificateKeyFile directives to resolve the message.
If you have already determined that your Apache server is affected by an AH02572 error and would like to skip the troubleshooting steps, the Resolving an AH02572 Error section later in this tutorial explains how to fix it.
Troubleshooting Using systemctl
When you are troubleshooting an AH02572: Failed to configure at least one certificate and key error message, Apache will not be running, and its systemctl status will show failed.
To examine Apache's status with systemctl, run the following command on Ubuntu and Debian-derived Linux distributions:
[label Ubuntu and Debian Systems]
sudo systemctl status apache2.service -l --no-pager
On CentOS and Fedora systems, use this command to examine Apache’s status:
[label CentOS and Fedora Systems]
sudo systemctl status httpd.service -l --no-pager
The -l flag ensures that systemctl outputs the entire contents of a line instead of substituting ellipses (…) for long lines. The --no-pager flag writes the whole log to your screen without invoking a pager like less that shows only one screen of content at a time.
You should receive output that is similar to the following:
[secondary_label Output]
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: <^>failed<^> (Result: exit-code) since Fri 2020-07-31 16:02:41 UTC; 20s ago
Process: 36 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Starting The Apache HTTP Server...
Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: Action 'start' failed.
Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: The Apache error log may have more information.
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Control process exited, code=exited status=1
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Failed with result 'exit-code'.
<^>Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Failed to start The Apache HTTP Server.<^>
The important lines are the ones showing that Apache failed to start. However, nothing in this output indicates an AH02572 error. Examining the systemd journal for Apache with journalctl, or checking the configuration with apachectl configtest, will not surface it either: configtest only parses the configuration files and reports Syntax OK, whereas AH02572 is raised later, when the ssl module initialises the configured virtual hosts during startup.
To diagnose and resolve an AH02572 error, the next section explains how to examine Apache's logs directly.
Examining Apache’s Logs
Apache logs diagnostic information about its internal operations to various locations, which differ depending on your Linux distribution. Typically, Apache is configured to log error messages to a separate log file from access requests in order to help with debugging, monitoring, and alerting.
On Ubuntu and Debian-derived systems, Apache defaults to using /var/log/apache2/error.log for error messages.
On CentOS, Fedora, and RedHat-derived systems, Apache defaults to logging errors to the /var/log/httpd/error_log file.
To examine Apache's logs for evidence of an AH02572 error message, use the grep utility to search for the error code in the appropriate log file for your distribution. While there are other tools like less that you could use to find evidence of an AH02572 error, grep will only display lines containing the error code, so you can be sure whether you are affected by the issue.
Invoke grep like this on Ubuntu and Debian-derived systems:
sudo grep AH02572 /var/log/apache2/error.log
On CentOS, Fedora, and RedHat-derived systems, use the following command:
sudo grep AH02572 /var/log/httpd/error_log
If your Apache server is affected by an AH02572 error, you will have output like the following:
[secondary_label Output]
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] <^>AH02572: Failed to configure at least one certificate and key<^> for 203.0.113.0:443
If your server is affected by an AH02572 error, the next section of this tutorial explains how to resolve it, either by configuring Apache with a private key and public certificate or by disabling the ssl module.
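The grep above tells you that the error occurred, but the address at the end of the log line (203.0.113.0:443 in the sample output) is what points at the offending virtual host. The following script is an added example, not part of the original tutorial: it extracts every address named by an AH02572 line, scans Apache configuration files for VirtualHost blocks that have SSLEngine on without both SSLCertificateFile and SSLCertificateKeyFile, and joins the two. The log lines, configuration and function names are constructed for this example; on a real host pass the distribution's error log and sites-enabled or conf.d files instead.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): correlate AH02572 log lines
# with the <VirtualHost> blocks that caused them. The log lines and the
# configuration below are constructed samples; on a real host pass
# /var/log/apache2/error.log (or /var/log/httpd/error_log) and your
# sites-enabled or conf.d files instead. Function names are this example's own.

# Print, one per line and de-duplicated, the "address:port" that every AH02572
# line in the given error log(s) names. The default ErrorLogFormat ends the
# message with "... certificate and key for ADDRESS".
ah02572_addresses() {
    grep -h 'AH02572' "$@" | sed -n 's/.*AH02572: .* for \([^ ]*\)$/\1/p' | sort -u
}

# Print "file:line address missing: <directives>" for every <VirtualHost> that
# has "SSLEngine on" but lacks SSLCertificateFile and/or SSLCertificateKeyFile.
# Directive names are matched case-insensitively, as Apache does.
ssl_vhosts_without_cert() {
    awk '
        tolower($0) ~ /^[ \t]*<virtualhost[ \t]/ {
            inv = 1; engine = 0; cert = 0; key = 0
            addr = $2; sub(/>.*$/, "", addr)
            start = FILENAME ":" FNR
            next
        }
        inv && tolower($1) == "sslengine"             { engine = (tolower($2) == "on"); next }
        inv && tolower($1) == "sslcertificatefile"    { cert = 1; next }
        inv && tolower($1) == "sslcertificatekeyfile" { key = 1; next }
        inv && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
            if (engine && !(cert && key)) {
                missing = ""
                if (!cert) missing = missing " SSLCertificateFile"
                if (!key)  missing = missing " SSLCertificateKeyFile"
                print start, addr, "missing:" missing
            }
            inv = 0
            next
        }
    ' "$@"
}

# For each address an AH02572 line names, list the offending virtual hosts
# bound to it: an exact "ip:port" match or a wildcard "*:port" on that port.
suspect_vhosts() {
    log=$1; shift
    ah02572_addresses "$log" | while read -r addr; do
        port=${addr##*:}
        ssl_vhosts_without_cert "$@" | awk -v a="$addr" -v p="$port" '$2 == a || $2 == ("*:" p)'
    done
}

# --- constructed sample data -------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG=$SAMPLE_DIR/error.log
SAMPLE_CONF=$SAMPLE_DIR/sites.conf
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat >"$SAMPLE_LOG" <<'EOF'
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.0:443
[Mon Aug 03 13:21:47.677301 2020] [ssl:emerg] [pid 26:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.0:8443
[Mon Aug 03 13:21:47.677400 2020] [core:notice] [pid 26:tid 140355819735360] AH00094: Command line: '/usr/sbin/apache2'
EOF

cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>

<VirtualHost 203.0.113.0:443>
    ServerName example.com
    SSLEngine on
    # neither SSLCertificateFile nor SSLCertificateKeyFile: triggers AH02572
</VirtualHost>

<VirtualHost *:8443>
    ServerName admin.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/admin.pem
    # SSLCertificateKeyFile is missing
</VirtualHost>

<VirtualHost *:443>
    ServerName good.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/good.pem
    SSLCertificateKeyFile /etc/ssl/private/good.key
</VirtualHost>
EOF

echo "addresses named by AH02572:"; ah02572_addresses "$SAMPLE_LOG"
echo "virtual hosts that cannot start:"; suspect_vhosts "$SAMPLE_LOG" "$SAMPLE_CONF"
```

The wildcard match matters because Apache logs the concrete socket address it tried to bind, while the configuration often says *:443; without it a *:443 virtual host would never be linked to the log line. A virtual host that has both directives but whose files point at the wrong place fails with a different mod_ssl error, so this check deliberately looks only for absent directives.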
Resolving an AH02572 Error
There are three ways to resolve an AH02572 error. The first is to configure Apache with a private key and a certificate signed by a Certificate Authority (CA) that browsers already trust. Let's Encrypt is a free CA that you can use to issue one. This approach ensures that traffic to and from your server is encrypted, and that web browsers and other HTTP clients trust your Apache server.
Another approach is to create a self-signed certificate for your Apache server. This is useful for development and testing environments, or where your server is not reachable from the Internet and you can distribute the certificate to the systems that need to trust it.
The last approach is to turn off Apache's ssl module entirely. This is the least preferred option, since traffic to and from your server will then be sent in cleartext. If you are only using the server for local development or in a trusted environment, however, it can be acceptable.
The following sections explain how to resolve an AH02572 error using each of the three options.
Resolving an AH02572 Error with a Let’s Encrypt TLS Certificate
To encrypt traffic to your Apache server using a free Let’s Encrypt TLS Certificate, use one of the guides that is specific to your Linux distribution from this tutorial series: How To Secure Apache with Let’s Encrypt.
The Let's Encrypt process is mostly automated: the Certbot client configures Apache for you, and it installs a timer or cron job that renews the certificate before it expires, so you do not have to manage expiry by hand.
If you are using a Linux distribution that is not included in the How To Secure Apache with Let’s Encrypt series, the Let’s Encrypt documentation includes links to interactive Certbot instructions that can help you configure your Apache server with a valid TLS certificate.
Resolving an AH02572 Error with a Self-Signed Certificate
To encrypt traffic to your Apache server using a self-signed certificate, use one of the tutorials from this series that explains how to create Self-signed SSL Certificates with Apache.
These tutorials demonstrate how to generate a private key and public certificate for your Apache server. They also demonstrate how to use the SSLCertificateFile and SSLCertificateKeyFile Apache directives to configure your server with the certificate that you generate.
If you are not using a distribution that is listed in the Self-signed SSL Certificates with Apache set of tutorials, this OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs guide can help you create a private key and self-signed public certificate that you can use with Apache.
<$>[note] Note: Where possible, it is best to use a free Let's Encrypt certificate or another TLS certificate issued by a trusted CA. Self-signed certificates are not trusted by default by browsers and other HTTP clients, so your users will see a security warning when visiting your site. If you do use one, install the certificate in the trust store of the clients that need it rather than training users to click through the warning. For local development, or a use case that does not require a publicly trusted certificate, the self-signed approach is fine. <$>
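Generating the files is only half of the self-signed route; Apache also refuses to start when the certificate and key handed to it do not belong together, and a key that is readable by every local user defeats the point of TLS. The script below is an added example, not code from the original tutorial or its linked guides: it creates a self-signed certificate and key with OpenSSL, confirms the key matches the certificate by comparing public keys, locks the key file down to its owner, and prints the SSLCertificateFile/SSLCertificateKeyFile block that resolves AH02572. The scratch directory, the localhost name and the function names are this example's assumptions.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): create a self-signed
# certificate and key with OpenSSL, confirm they belong together, lock down
# the key file, and print the SSLCertificateFile/SSLCertificateKeyFile block
# that resolves AH02572. The scratch directory, hostname and function names
# are this example's assumptions; on a real host write the files under
# /etc/ssl (Debian/Ubuntu) or /etc/pki/tls (CentOS/Fedora).

# Generate a 2048-bit RSA key and a self-signed certificate for hostname $1,
# writing certificate $2 and key $3. The subjectAltName is required by modern
# browsers (the -addext flag needs OpenSSL 1.1.1 or newer).
make_selfsigned() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$3" -out "$2" 2>/dev/null
}

# Succeed only if the public key inside certificate $1 is the one derived
# from private key $2. A mismatched pair is the other common way mod_ssl
# refuses to start, so check before pointing Apache at the files.
cert_key_match() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Apache reads the key as root at startup; nobody else needs it. Succeed only
# if the key ends up owner read/write only.
secure_key_perms() {
    chmod 600 "$1" && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Print the virtual host block that satisfies mod_ssl for hostname $1 using
# certificate $2 and key $3.
vhost_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
</VirtualHost>
EOF
}

# --- demonstration in a scratch directory -----------------------------------
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
CERT=$SCRATCH/localhost.crt
KEY=$SCRATCH/localhost.key

make_selfsigned localhost "$CERT" "$KEY"
secure_key_perms "$KEY"
if cert_key_match "$CERT" "$KEY"; then
    vhost_snippet localhost "$CERT" "$KEY"
else
    echo "certificate and key do not match; not writing a vhost" >&2
fi
```

Comparing the SHA-256 of the two PEM-encoded public keys works for RSA and EC keys alike, which is why the check uses openssl pkey rather than the older modulus comparison. Run the printed block through apachectl configtest after placing it in a site file, then restart Apache as described in the next section.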
Disabling the ssl Module
The last approach to resolving an AH02572 error is to turn off Apache's TLS/SSL support by disabling the ssl module. This approach is less desirable than encrypting traffic to your server with a TLS certificate, so be certain that you do not need TLS support before disabling the module.
To disable Apache's ssl module on Ubuntu and Debian-derived systems, run the following command:
sudo a2dismod ssl
On CentOS, Fedora, and RedHat-derived systems, the module is loaded by a file in the modules directory rather than through a helper command, so disable it by removing that file:
sudo rm /etc/httpd/conf.modules.d/00-ssl.conf
The mod_ssl package also installs /etc/httpd/conf.d/ssl.conf, which contains SSL directives. Once the module is no longer loaded, any SSL directive that is not inside an <IfModule ssl_module> block makes Apache fail with an Invalid command error naming the directive and file, so remove or comment out those directives as well before testing the configuration. Removing 00-ssl.conf deletes a packaged file; reinstalling mod_ssl restores it if you need TLS again later.
Once you have disabled the ssl module, run apachectl to test that the configuration is still valid:
sudo apachectl configtest
A successful apachectl configtest invocation should result in output like this:
[secondary_label Output]
Syntax OK
You can now restart Apache using the appropriate systemctl restart command for your Linux distribution.
On Ubuntu and Debian-derived systems, run the following:
sudo systemctl restart apache2.service
On CentOS, Fedora, and RedHat-derived systems use this command to restart Apache:
sudo systemctl restart httpd.service
If the systemctl command reports no errors, the ssl module is disabled and Apache is serving plain HTTP only.
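The step that most often fails after disabling the module is the configtest, because leftover SSL directives in site files or in a distribution's ssl.conf are no longer understood. The script below is an added example, not part of the original tutorial: it lists every SSL directive that is not protected by an <IfModule ssl_module> or <IfModule mod_ssl.c> guard, which is exactly the set that would trigger an Invalid command error. The two configuration files and the function name are constructed for this example; on a real host pass the files under /etc/apache2 or /etc/httpd instead.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): after the ssl module is
# disabled, every SSL* directive that is not wrapped in <IfModule ssl_module>
# or <IfModule mod_ssl.c> makes apachectl configtest fail with an
# "Invalid command" error. This lists those directives so they can be removed
# or guarded. The two configuration files are constructed samples; on a real
# host pass the files under /etc/apache2 or /etc/httpd instead.

# Print "file:line directive" for every SSL* directive that is not inside an
# <IfModule> guard for mod_ssl. Nested <IfModule> blocks of other modules are
# tracked so their closing tags are matched correctly; a negated guard
# (<IfModule !ssl_module>) does not protect its contents.
unguarded_ssl_directives() {
    awk '
        function protected(   i) { for (i = 1; i <= depth; i++) if (guard[i]) return 1; return 0 }
        tolower($0) ~ /^[ \t]*<ifmodule[ \t]/ {
            mod = tolower($2); sub(/>.*$/, "", mod)
            depth++
            guard[depth] = (mod == "ssl_module" || mod == "mod_ssl.c")
            next
        }
        tolower($0) ~ /^[ \t]*<\/ifmodule>/ { if (depth > 0) { guard[depth] = 0; depth-- }; next }
        tolower($1) ~ /^ssl/ && !protected() { print FILENAME ":" FNR, $1 }
    ' "$@"
}

# --- constructed sample configuration ---------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Guarded: parses cleanly whether or not mod_ssl is loaded.
cat >"$SAMPLE_DIR/ssl-params.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=63072000"
        SSLOptions +StrictRequire
    </IfModule>
</IfModule>
EOF

# Unguarded: every SSL line here is an "Invalid command" once ssl is disabled.
cat >"$SAMPLE_DIR/sites.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>
<IfModule !ssl_module>
    SSLEngine off
</IfModule>
EOF

echo "SSL directives that will break without mod_ssl:"
unguarded_ssl_directives "$SAMPLE_DIR"/*.conf
```

Wrapping TLS settings in <IfModule mod_ssl.c>, as the guarded sample does, is the usual way to keep a configuration valid in both states, which is why many distribution ssl.conf files are written that way.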
Conclusion
AH02572: Failed to configure at least one certificate and key errors are challenging to detect and troubleshoot because the usual systemctl, journalctl, and apachectl commands do not report them. In this tutorial you learned how to use the grep utility to examine Apache's error log directly for evidence of an AH02572 error.
Next you learned how to use Let's Encrypt to configure Apache with a TLS certificate to secure your traffic and resolve the AH02572 error. You also learned about using self-signed TLS certificates for development and isolated environments. Finally, you learned how to turn off the ssl module for those situations where it is not needed.