06 August 2020
Apache Configuration Error AH02572: Failed to configure at least one certificate and key
Apache generates an "AH02572: Failed to configure at least one certificate and key" error message when it is configured to use the ssl module but is missing a TLS/SSL public certificate and corresponding private key. The error will prevent Apache from starting up, and the error message itself will be found in Apache’s logs.
In this tutorial you will learn how to troubleshoot an AH02572 error using the methods described in the How to Troubleshoot Common Apache Errors tutorial at the beginning of this series. You will also learn how to set the SSLCertificateFile and SSLCertificateKeyFile directives to resolve the message.
If you have already determined that your Apache server is affected by an AH02572 error and you would like to skip the troubleshooting steps, the Adding an SSL Certificate to Apache section at the end of this tutorial explains how to resolve the error.
When you are troubleshooting an "AH02572: Failed to configure at least one certificate and key" error message, Apache will not be running. Its systemctl status will show a failed state.
To examine Apache’s status with systemctl, run the following command on Ubuntu and Debian-derived Linux distributions:
[label Ubuntu and Debian Systems]
sudo systemctl status apache2.service -l --no-pager
On CentOS and Fedora systems, use this command to examine Apache’s status:
[label CentOS and Fedora Systems]
sudo systemctl status httpd.service -l --no-pager
The -l flag will ensure that systemctl outputs the entire contents of a line, instead of substituting in ellipses (…) for long lines. The --no-pager flag will output the entire log to your screen without invoking a tool like less that only shows a screen of content at a time.
You should receive output that is similar to the following:
[secondary_label Output]
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: <^>failed<^> (Result: exit-code) since Fri 2020-07-31 16:02:41 UTC; 20s ago
  Process: 36 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

Jul 31 16:02:41 7d6ef84b6907 systemd: Starting The Apache HTTP Server...
Jul 31 16:02:41 7d6ef84b6907 apachectl: Action 'start' failed.
Jul 31 16:02:41 7d6ef84b6907 apachectl: The Apache error log may have more information.
Jul 31 16:02:41 7d6ef84b6907 systemd: apache2.service: Control process exited, code=exited status=1
Jul 31 16:02:41 7d6ef84b6907 systemd: apache2.service: Failed with result 'exit-code'.
<^>Jul 31 16:02:41 7d6ef84b6907 systemd: Failed to start The Apache HTTP Server.<^>
The important lines to note are the ones showing that Apache failed to start. However, there is nothing in the output that indicates an AH02572 error message. Examining the systemd logs for Apache using the journalctl command, or checking Apache’s configuration files with apachectl configtest, will not help locate information that you can use to troubleshoot the error.
To diagnose and resolve an AH02572 error, the next section explains how to examine Apache’s logs directly.
Examining Apache’s Logs
Apache logs diagnostic information about its internal operations to various locations, which differ depending on your Linux distribution. Typically, Apache is configured to log error messages to a separate log file from access requests in order to help with debugging, monitoring, and alerting.
On Ubuntu and Debian-derived systems, Apache defaults to using /var/log/apache2/error.log for error messages.
On CentOS, Fedora, and RedHat-derived systems, Apache defaults to logging errors to the /var/log/httpd/error_log file.
To examine Apache’s logs for evidence of an AH02572 error message, use the grep utility to search for the error code in the appropriate log file for your distribution. While there are other tools like less that you could use to find evidence of an AH02572 error, grep will only display lines with the error code, so you can be sure of whether you’re affected by the issue.
Use grep like this on Ubuntu and Debian-derived systems:
sudo grep AH02572 /var/log/apache2/error.log
On CentOS, Fedora, and RedHat-derived systems, use the following command:
sudo grep AH02572 /var/log/httpd/error_log
If your Apache server is affected by an AH02572 error, you will have output like the following:
[secondary_label Output]
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] <^>AH02572: Failed to configure at least one certificate and key<^> for 203.0.113.0:443
If your server is affected by an AH02572 error, the next section of this tutorial explains how to resolve it, either by disabling the ssl module or by configuring Apache with a private key and public certificate file.
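The grep search above is the whole diagnostic, so it is worth wrapping in a small script that can be dropped into a health check or run during incident triage. The following is an added example, not part of the original tutorial: it scans an Apache error log for AH02572 entries, distinguishes "no error" from "log not readable", and pulls out the listening address (host:port) that each failing virtual host refers to. The sample log content is constructed to resemble the output shown above; the default log path is the Ubuntu/Debian one.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): scan an Apache error log for
# AH02572 entries. The default log path is an assumption matching Ubuntu/Debian.

# Print every AH02572 line from the given log.
# Returns 0 if at least one was found, 1 if none, 2 if the log cannot be read.
find_ah02572() {
    log="${1:-/var/log/apache2/error.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    if grep -q 'AH02572' "$log"; then
        grep 'AH02572' "$log"
        return 0
    fi
    return 1
}

# List the host:port after "for " on each AH02572 line, deduplicated, so the
# operator knows which VirtualHost listeners are missing a certificate/key pair.
affected_listeners() {
    grep 'AH02572' "$1" | sed -n 's/.*AH02572:.* for \([^ ]*\).*/\1/p' | sort -u
}

# Constructed sample log: one unrelated ssl warning and one AH02572 entry.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Aug 03 13:21:40.100000 2020] [ssl:warn] [pid 26:tid 140355819735360] AH01909: example.internal:443:0 server certificate does NOT include an ID which matches the server name
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.0:443
EOF

# Usage: report the finding the way a triage script would.
if find_ah02572 "$SAMPLE_LOG" >/dev/null; then
    echo "AH02572 present; listeners without a usable certificate/key pair:"
    affected_listeners "$SAMPLE_LOG"
fi
```

To point the functions at a real server, pass the distribution's log path as the first argument (for example `/var/log/httpd/error_log` on CentOS and Fedora); the return codes let a monitoring job treat "log missing" differently from "Apache is healthy".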
Resolving an AH02572 Error
There are three ways to resolve an AH02572 error. The first option to resolve the error is to configure Apache with a private key and public certificate that is signed by a recognized Certificate Authority (CA). Let’s Encrypt is a free CA and you can use it to issue a valid certificate. This approach will ensure that traffic to and from your server is encrypted properly, and that web browsers and other HTTP clients trust your Apache server.
Another approach is to create a self-signed certificate for your Apache server. This approach is useful for development and testing environments, or in cases where your server is not directly connected to the Internet and you can establish trust between systems manually.
The last approach to resolving an AH02572 error is to turn off Apache’s ssl module entirely. This option is the least preferred since traffic to and from your server will not be encrypted. However, if you are only using your Apache server for local development or in a trusted environment, this approach can be valid.
The following sections explain how to resolve an AH02572 error using each of the three options.
Resolving an AH02572 Error with a Let’s Encrypt TLS Certificate
To encrypt traffic to your Apache server using a free Let’s Encrypt TLS Certificate, use one of the guides that is specific to your Linux distribution from this tutorial series: How To Secure Apache with Let’s Encrypt.
The Let’s Encrypt process is mostly automated, and the scripts will configure Apache for you. Moreover, the issued certificate will also be renewed automatically so you do not have to worry about it expiring in the future.
If you are using a Linux distribution that is not included in the How To Secure Apache with Let’s Encrypt series, the Let’s Encrypt documentation includes links to interactive Certbot instructions that can help you configure your Apache server with a valid TLS certificate.
Resolving an AH02572 Error with a Self-Signed Certificate
To encrypt traffic to your Apache server using a self-signed certificate, use one of the tutorials from this series that explains how to create Self-signed SSL Certificates with Apache.
These tutorials demonstrate how to generate a private key and public certificate for your Apache server. They also demonstrate how to use the SSLCertificateFile and SSLCertificateKeyFile Apache directives to configure your server with the certificate that you generate.
If you are not using a distribution that is listed in the Self-signed SSL Certificates with Apache set of tutorials, this OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs guide can help you create a private key and self-signed public certificate that you can use with Apache.
<$>[note] Note: Where possible, it is best to use a free Let’s Encrypt certificate or another commercially issued TLS certificate. Self-signed TLS certificates are not trusted by default by browsers and other HTTP clients. As a result, your users will see a security error when visiting your site. However, if you are doing local development, or your use case does not require a valid TLS certificate, you can opt for the self-signed approach. <$>
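Whichever way you obtain the certificate, AH02572 comes down to the two files named by SSLCertificateFile and SSLCertificateKeyFile: both must be readable by Apache and must belong to each other. The script below is an added example (not code from the tutorial or from the Apache project) that creates a throwaway self-signed pair with openssl in a scratch directory, checks that the certificate's public key matches the one derived from the private key, and renders the directives a VirtualHost would need. The scratch paths and the hostname example.internal are assumptions; on a real server you would point the check at the paths in your vhost file.

```shell
#!/bin/sh
# Added example (not the tutorial's own code). Scratch directory, file names and
# the CN "example.internal" are assumptions for demonstration.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/apache-selfsigned.crt"
KEY="$WORK/apache-selfsigned.key"

# Generate a 2048-bit RSA private key and a self-signed certificate (365 days).
# $1 = certificate output path, $2 = key output path.
make_selfsigned() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=example.internal" \
        -keyout "$2" -out "$1" 2>/dev/null
}

# Verify the pair a vhost references.
# Returns 0 when both files are readable and the certificate's public key equals
# the public key derived from the private key; 1 if a file is missing or
# unreadable; 2 if the two files do not belong together.
check_tls_pair() {
    cert="$1"; key="$2"
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)"
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    echo "certificate and key do not match" >&2
    return 2
}

# Render the directives to place inside a <VirtualHost *:443> block.
render_directives() {
    printf 'SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

# Usage: build the pair, validate it, then print the directives.
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned "$CERT" "$KEY"
    if check_tls_pair "$CERT" "$KEY"; then
        render_directives "$CERT" "$KEY"
    fi
else
    echo "openssl not installed; cannot generate or verify a key pair" >&2
fi
```

Running check_tls_pair against the paths from an existing vhost before `apachectl configtest` catches the two conditions that produce AH02572 at startup: a path that does not exist or is unreadable by the Apache user, and a certificate that was issued for a different key (for example after a key was regenerated without reissuing the certificate).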
Resolving an AH02572 Error by Disabling the ssl Module
The last approach to resolving an AH02572 error is to turn off Apache’s TLS/SSL support by disabling the ssl module. This approach is less desirable than encrypting traffic to your server with a TLS certificate, so be certain that you do not need TLS support before disabling the module.
To disable Apache’s ssl module on Ubuntu and Debian-derived systems, run the following command:
sudo a2dismod ssl
On CentOS, Fedora, and RedHat-derived systems, disable the module with the following command:
sudo rm /etc/httpd/conf.modules.d/00-ssl.conf
Once you have disabled the ssl module, run apachectl to test that the configuration is valid:
sudo apachectl configtest
The apachectl configtest invocation should result in output like this:
[secondary_label Output] Syntax OK
You can now restart Apache using the appropriate systemctl restart command for your Linux distribution.
On Ubuntu and Debian-derived systems, run the following:
sudo systemctl restart apache2.service
On CentOS, Fedora, and RedHat-derived systems, use this command to restart Apache:
sudo systemctl restart httpd.service
If there are no errors from the systemctl command, then you have disabled the ssl module successfully.
Conclusion
"AH02572: Failed to configure at least one certificate and key" errors are challenging to detect and troubleshoot. They cannot be diagnosed with the usual apachectl commands. In this tutorial you learned how to use the grep utility to examine Apache’s logs directly for evidence of an AH02572 error.
Next you learned how to use Let’s Encrypt to configure Apache with a TLS certificate to secure your traffic and resolve the AH02572 error. You also learned about using self-signed TLS certificates for development and isolated environments. Finally, you learned how to turn off the ssl module for those situations where it is not needed.