my Let's Encrypt certs "broken" overnight!

William Dudley wfdudley at
Tue Apr 3 13:48:19 UTC 2018

FreeBSD 10.3

I run a hobby web server, with a couple of small clubs that pay me for

I had letsencrypt certs for most of the sites I host, and they were working
until a recent upgrade -- either apache 2.4 or openssl changed and now
things are hosed.

An example:

I host  I have a "test" URL for development,
Both share the same certificates, or at least, they used to.

Now, if I uncomment the <VirtualHost *:443> section for,
apache throws an error and won't start.  If I comment the section out,
is happy but doesn't serve https pages. has almost the identical <VirtualHost *:443> section, and
works fine as

The apache error I get when I enable the <VirtualHost *:443> section for is:

[Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed
to configure at least one certificate and key for
[Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library
Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate
[Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal
error initialising mod_ssl, exiting.
AH00016: Configuration Failed

Here's the <VirtualHost *:443> section that causes failure:

<VirtualHost *:443>
    ServerAdmin webmaster at
    DocumentRoot /usr/local/www/
    Alias /.well-known/ /usr/local/www/.well-known/
    ScriptAlias /cgi-bin/ "/usr/local/www/"
    SSLEngine on
    SSLCertificateFile \
    SSLCertificateKeyFile \
    SSLCertificateChainFile \
    SSLOptions +StdEnvVars
    BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    CustomLog "/var/log/" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    Header set Content-Security-Policy "default-src 'self'; script-src
'self' 'u
*.cloudflar; img-src 'self' *"
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    ErrorDocument 404 /errormessages/oatmeal_404.html
    ErrorDocument 500 /errormessages/oatmeal_500.html
    ErrorDocument 503 /errormessages/oatmeal_503.html
    ErrorLog /var/log/
    CustomLog /var/log/ combined
    <Directory "/usr/local/www/">
        Options +ExecCGI +FollowSymLinks +Includes +Indexes
        AllowOverride All
    </Directory>
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

The ONLY difference between this section, that doesn't work, and the section
that DOES work is the ServerName line:

<     ServerName
>     ServerName

More info:

pkg info | grep apache
apache24-2.4.33                Version 2.4.x of Apache web server
pkg info | grep openssl
openssl-1.0.2o,1               SSL and crypto library

I am mystified, and running out of ideas on what to try.

I suspect the openssl I installed from a package, because of this scary
message that the apache upgrade gave me:

Message from apache24-2.4.33:

!! mod_http2 on FreeBSD with OpenSSL from base results in a mostly !!
!! functionally unusable module due to lack of "Upgrade"           !!
!! capability in OpenSSL 1.0.1.                                    !!

How can I re-install the openssl from base?  I want to revert
to that and see if it fixes my problems.

Bill Dudley

This email is free of malware because I run Linux.
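The AH02572 line above says mod_ssl could not configure a certificate/key pair for that vhost, and "SSL_CTX_check_private_key:no certificate" is what OpenSSL reports when a private key is checked against a context that has no certificate loaded, i.e. the certificate file could not be read or parsed at all. The following diagnostic is an added example, not part of the original post or of the Apache or Let's Encrypt tooling: it loads each of the three files a <VirtualHost *:443> points at and then checks that the certificate's public key really belongs to the private key. It assumes only that the openssl command line tool (1.0.2 or later) is on PATH; all file paths are supplied by the caller, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): verify that the files named
# in SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile
# parse, and that the certificate's public key belongs to the private key.
# Assumes the openssl CLI is on PATH; paths are passed in by the caller.

# pem_loads KIND PATH -> 0 if PATH parses as a certificate ("cert") or a
# private key ("key"). An empty file, a dangling symlink or a file the
# web server user cannot read all fail here.
pem_loads() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout >/dev/null 2>&1 ;;
        key)  openssl pkey -in "$2" -noout >/dev/null 2>&1 ;;
        *)    return 2 ;;
    esac
}

# pubkey_digest KIND PATH -> SHA-256 of the DER-encoded public key, read out
# of the certificate or derived from the private key (RSA and EC alike).
pubkey_digest() {
    pem=$(
        case "$1" in
            cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
            key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        esac
    )
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# cert_key_match CERT KEY -> 0 only when the pair belongs together.
cert_key_match() {
    pem_loads cert "$1" && pem_loads key "$2" || return 1
    c=$(pubkey_digest cert "$1")
    k=$(pubkey_digest key "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_vhost_files CERT KEY CHAIN -> 0 if every file loads and the pair
# matches; otherwise prints one line per problem, which is the detail the
# terse mod_ssl "no certificate" error leaves out.
check_vhost_files() {
    rc=0
    pem_loads cert "$1" || { echo "certificate does not load: $1"; rc=1; }
    pem_loads key  "$2" || { echo "private key does not load: $2"; rc=1; }
    pem_loads cert "$3" || { echo "chain does not load: $3"; rc=1; }
    if [ "$rc" -eq 0 ] && ! cert_key_match "$1" "$2"; then
        echo "certificate and key do not match: $1 / $2"
        rc=1
    fi
    return "$rc"
}

# Usage: ./checkvhost.sh --check CERT KEY CHAIN
if [ "${1:-}" = "--check" ]; then
    check_vhost_files "$2" "$3" "$4"
fi
```

Run it with the exact paths from the failing vhost, as the same user Apache runs as, so that a permission or symlink problem shows up the way mod_ssl sees it; a vhost whose three files all load and whose pair matches rules the certificate material out and points the search at the library or module change instead.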

More information about the freebsd-questions mailing list