06 August 2020

Apache Configuration Error AH02572: Failed to configure at least one certificate and key

Introduction

Apache generates an AH02572: Failed to configure at least one certificate and key error message when it is configured to use the ssl module, but is missing a TLS/SSL public certificate and corresponding private key. The error will prevent Apache from starting up, and the error message itself will be found in Apache’s logs.

In this tutorial you will learn how to troubleshoot an AH02572 error using the methods described in the How to Troubleshoot Common Apache Errors tutorial at the beginning of this series. You will also learn how to set the SSLCertificateFile and SSLCertificateKeyFile directives to resolve the message.

If you have already determined that your Apache server is affected by an AH02572 error and you would like to skip the troubleshooting steps, the Adding an SSL Certificate to Apache section at the end of this tutorial explains how to resolve the error.

Troubleshooting Using systemctl

When you are troubleshooting an AH02572: Failed to configure at least one certificate and key error message, Apache will not be running. Its systemctl status will show a failed message.

To examine Apache’s status with systemctl, run the following command on Ubuntu and Debian derived Linux distributions:

[label Ubuntu and Debian Systems]
sudo systemctl status apache2.service -l --no-pager

On CentOS and Fedora systems, use this command to examine Apache’s status:

[label CentOS and Fedora Systems]
sudo systemctl status httpd.service -l --no-pager

The -l flag will ensure that systemctl outputs the entire contents of a line, instead of substituting in ellipses (…) for long lines. The --no-pager flag will output the entire log to your screen without invoking a tool like less that only shows a screen of content at a time.

You should receive output that is similar to the following:

[secondary_label Output]
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: <^>failed<^> (Result: exit-code) since Fri 2020-07-31 16:02:41 UTC; 20s ago
  Process: 36 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Starting The Apache HTTP Server...
Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: Action 'start' failed.
Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: The Apache error log may have more information.
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Control process exited, code=exited status=1
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Failed with result 'exit-code'.
<^>Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Failed to start The Apache HTTP Server.<^>

The important lines to note are the ones showing that Apache failed to start. However, there is nothing in the output that indicates an AH02572 error message. Examining the systemd logs for Apache using the journalctl command, or checking Apache’s configuration files with apachectl configtest will not help locate information that you can use to troubleshoot the error.

To diagnose and resolve an AH02572 error, the next section explains how to examine Apache’s logs directly.

Examining Apache’s Logs

Apache logs diagnostic information about its internal operations to various locations, which differ depending on your Linux distribution. Typically, Apache is configured to log error messages to a separate log file from access requests in order to help with debugging, monitoring, and alerting.

On Ubuntu and Debian-derived systems, Apache defaults to using /var/log/apache2/error.log for error messages.

On CentOS, Fedora, and RedHat-derived systems, Apache defaults to logging errors to the /var/log/httpd/error_log file.

To examine Apache’s logs for evidence of an AH02572 error message, use the grep utility to search for the error code in the appropriate log file for your distribution. While there are other tools like less that you could use to find evidence of an AH02572 error, grep will only display lines with the error code so you can be sure of whether you’re affected by the issue.

Invoke grep like this on Ubuntu and Debian-derived systems:

sudo grep AH02572 /var/log/apache2/error.log

On CentOS, Fedora, and RedHat-derived systems, use the following command:

sudo grep AH02572 /var/log/httpd/error_log

If your Apache server is affected by an AH02572 error, you will have output like the following:

[secondary_label Output]
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] <^>AH02572: Failed to configure at least one certificate and key<^> for 203.0.113.0:443
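The error line ends with the address and port of the listener that lacks a certificate, so once grep confirms the error the next useful fact is which VirtualHost is affected. The following script is an added example and not part of the original tutorial: it scans an error log for AH02572 lines and reports each distinct address:port they name. It assumes the log line format shown above; the sample log it runs against is constructed inline.

```shell
#!/bin/sh
# Added example (not from the tutorial): find AH02572 lines in an Apache error
# log and report which address:port (the listener missing a certificate) each
# one refers to, so you know which VirtualHost block to fix.

# Default error log path for the distribution family, as described above.
default_error_log() {
    if [ -f /etc/debian_version ]; then
        echo /var/log/apache2/error.log
    else
        echo /var/log/httpd/error_log
    fi
}

# Number of AH02572 lines in the given log file (grep prints 0 when none).
ah02572_count() {
    grep -c 'AH02572' "$1"
}

# One "address:port" per distinct AH02572 line. The message ends with
# "for <address>:<port>", so the last whitespace-separated field is the listener.
ah02572_vhosts() {
    grep 'AH02572' "$1" | awk '{ print $NF }' | sort -u
}

# Constructed sample log (assumption: same format as the output shown above).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Aug 03 13:21:40.000000 2020] [mpm_event:notice] [pid 26:tid 140355819735360] AH00489: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.0:443
[Mon Aug 03 13:25:02.000000 2020] [ssl:emerg] [pid 27:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.0:443
[Mon Aug 03 13:25:02.000001 2020] [ssl:emerg] [pid 27:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.5:8443
EOF

echo "AH02572 occurrences in sample log: $(ah02572_count "$SAMPLE_LOG")"
echo "listeners missing a certificate and key:"
ah02572_vhosts "$SAMPLE_LOG"
```

To run it against a real server, call `ah02572_vhosts "$(default_error_log)"` (with sudo, since the log is normally root-readable only) and then look for a VirtualHost block listening on the reported address:port that has SSLEngine on but no SSLCertificateFile and SSLCertificateKeyFile directives.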

If your server is affected by an AH02572 error, the next section of this tutorial explains how to resolve it, either by configuring Apache with a private key and public certificate file or by disabling the ssl module.

Resolving an AH02572 Error

There are three ways to resolve an AH02572 error. The first option to resolve the error is to configure Apache with a private key and public certificate that is signed by a recognized Certificate Authority (CA). Let’s Encrypt is a free CA and you can use it to issue a valid certificate. This approach will ensure that traffic to and from your server is encrypted properly, and that web browsers and other HTTP clients trust your Apache server.

Another approach is to create a self-signed certificate for your Apache server. This approach is useful for development and testing environments, or in cases where your server is not directly connected to the Internet and you can establish trust between systems manually.

The last approach to resolving an AH02572 error is to turn off Apache’s ssl module entirely. This option is the least preferred since traffic to and from your server will not be encrypted. However, if you are only using your Apache server for local development or in a trusted environment, this approach can be valid.

The following sections explain how to resolve an AH02572 error using each of the three options.

Resolving an AH02572 Error with a Let’s Encrypt TLS Certificate

To encrypt traffic to your Apache server using a free Let’s Encrypt TLS Certificate, use one of the guides that is specific to your Linux distribution from this tutorial series: How To Secure Apache with Let’s Encrypt.

The Let’s Encrypt process is mostly automated, and the scripts will configure Apache for you. Moreover, the issued certificate will also be renewed automatically so you do not have to worry about it expiring in the future.

If you are using a Linux distribution that is not included in the How To Secure Apache with Let’s Encrypt series, the Let’s Encrypt documentation includes links to interactive Certbot instructions that can help you configure your Apache server with a valid TLS certificate.

Resolving an AH02572 Error with a Self-Signed Certificate

To encrypt traffic to your Apache server using a self-signed certificate, use one of the tutorials from this series that explains how to create Self-signed SSL Certificates with Apache.

These tutorials demonstrate how to generate a private key and public certificate for your Apache server. They also demonstrate how to use the SSLCertificateFile and SSLCertificateKeyFile Apache directives to configure your server with the certificate that you generate.

If you are not using a distribution that is listed in the Self-signed SSL Certificates with Apache set of tutorials, this OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs guide can help you create a private key and self-signed public certificate that you can use with Apache.
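Whichever guide you follow, the fix comes down to the two directives named above pointing at a key and certificate that exist and belong together. The script below is an added example, not code from the tutorial or from any of the linked guides: it checks a VirtualHost configuration file for both directives, confirms the referenced files are readable, and, when the openssl command is available, verifies that the private key matches the certificate. The configuration files and the certificate it checks are constructed inline in a temporary directory; the server name example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check an SSL VirtualHost config
# before running apachectl configtest. It verifies that SSLCertificateFile and
# SSLCertificateKeyFile are both set and readable and, when openssl is present,
# that the key really belongs to the certificate (a mismatched pair also stops
# the ssl module from starting).

# Value of a directive in a config file; directive names are case-insensitive in
# Apache, and the last occurrence wins when one is repeated in the same scope.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Print "ok" when the config is usable, otherwise a one-line reason; the exit
# status follows the result so the function can be used in conditionals.
check_ssl_vhost() {
    conf="$1"
    cert=$(directive_value "$conf" SSLCertificateFile)
    key=$(directive_value "$conf" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "missing: SSLCertificateFile and SSLCertificateKeyFile must both be set"
        return 1
    fi
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "unreadable: $f"
            return 1
        fi
    done
    if command -v openssl >/dev/null 2>&1; then
        # Both commands print the public key in PEM form; they must be identical.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "mismatch: private key does not belong to the certificate"
            return 1
        fi
    fi
    echo ok
}

# Constructed test fixtures in a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
if command -v openssl >/dev/null 2>&1; then
    # A throwaway self-signed pair, valid for one day, for the demonstration only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
else
    # Without openssl, empty placeholder files exercise the existence check only.
    : > "$WORK/cert.pem"
    : > "$WORK/key.pem"
fi

cat > "$WORK/good.conf" <<EOF
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile $WORK/cert.pem
    SSLCertificateKeyFile $WORK/key.pem
</VirtualHost>
EOF

cat > "$WORK/bad.conf" <<EOF
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
</VirtualHost>
EOF

echo "good.conf: $(check_ssl_vhost "$WORK/good.conf")"
echo "bad.conf:  $(check_ssl_vhost "$WORK/bad.conf")"
```

The second configuration reproduces the situation that causes AH02572: SSLEngine is on but no certificate and key are configured. On a real server, run the check with sudo against the site's configuration file (for example a file under /etc/apache2/sites-enabled or /etc/httpd/conf.d) and then confirm with apachectl configtest.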

<$>[note] Note: Where possible, it is best to use a free Let’s Encrypt certificate, or another commercially issued TLS certificate. Self-signed TLS certificates are not trusted by default by browsers and other HTTP clients. As a result, your users will see a security error when visiting your site. However, if you are doing local development, or your use case does not require a valid TLS certificate, you can opt for the self-signed approach. <$>

Disabling the ssl Module

The last approach to resolving an AH02572 error is to turn off Apache’s TLS/SSL support by disabling the ssl module. This approach is less desirable than encrypting traffic to your server with a TLS certificate, so be certain that you do not need TLS support before disabling the module.

To disable Apache’s ssl module on Ubuntu and Debian-derived systems, run the following command:

sudo a2dismod ssl

On CentOS, Fedora, and RedHat-derived systems, disable the module by removing the configuration file that loads it:

sudo rm /etc/httpd/conf.modules.d/00-ssl.conf

Once you have disabled the ssl module, run apachectl to test that the configuration is valid.

sudo apachectl configtest

A successful apachectl configtest invocation should result in output like this:

[secondary_label Output]
Syntax OK

You can now restart Apache using the appropriate systemctl restart command for your Linux distribution.

On Ubuntu and Debian-derived systems, run the following:

sudo systemctl restart apache2.service

On CentOS, Fedora, and RedHat-derived systems use this command to restart Apache:

sudo systemctl restart httpd.service

If there are no errors from the systemctl command, then you have disabled the ssl module successfully.

Conclusion

AH02572: Failed to configure at least one certificate and key errors are challenging to detect and troubleshoot. They cannot be diagnosed with the usual systemctl, journalctl, and apachectl commands. In this tutorial you learned how to use the grep utility to examine Apache’s logs directly for evidence of an AH02572 error.

Next you learned how to use Let’s Encrypt to configure Apache with a TLS certificate to secure your traffic and resolve the AH02572 error. You also learned about using self-signed TLS certificates for development and isolated environments. Finally you learned how to turn off the ssl module for those situations where it is not needed.