Failed to configure CA certificate chain

Solution 1:

Make sure there are no missing certificates in the chain. The SSLCertificateChainFile file should contain all the certificates in order, from the CA first and then down to any intermediate certificate that was used to sign your CRT; otherwise you'll get the error.

If you don't have any intermediate certificates (looking at the Digicert page, it looks like there are none: http://www.digicert.com/ssl-certificate-installation-apache-ensim.htm), you should use SSLCACertificateFile instead.

Solution 2:

An update to an old thread...

I just had this happen when I created a CA chain file by cat-ing the intermediate & root .crt files together into a new .ca-bundle file; the issue was that the first of the cert files didn't end with a newline, so its "END" line and the next one's "BEGIN" line were joined together, like

-----END CERTIFICATE----------BEGIN CERTIFICATE----- 

I just edited the file and put the newline in, giving:

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

And then it worked.
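
The missing-newline failure described in Solution 2 can be caught before Apache is restarted. The script below is an added example, not part of the original answer: `build_bundle`, `check_bundle`, `demo` and the file names are assumptions, and the PEM bodies are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example: function and file names here are assumptions for illustration.

# Succeeds (printing the certificate count) only if no END marker is glued
# to a BEGIN marker and the two marker counts pair up.
check_bundle() {
    # Strip CRs so files saved with Windows line endings are judged the same way.
    clean=$(tr -d '\r' < "$1")
    if printf '%s\n' "$clean" | grep -q -e '-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----'; then
        echo "$1: END and BEGIN markers share a line (missing newline between files)" >&2
        return 1
    fi
    begins=$(printf '%s\n' "$clean" | grep -c -e '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(printf '%s\n' "$clean" | grep -c -e '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$1: $begins BEGIN vs $ends END markers" >&2
        return 1
    fi
    echo "$begins"
}

# Concatenate PEM files into $1, adding a newline after any file that lacks one.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # Command substitution strips a trailing newline, so a non-empty
        # result means the last byte of the file was not a newline.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Demo on constructed files (the base64 bodies are placeholders, not real certificates).
demo() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' '-----END CERTIFICATE-----' > "$d/intermediate.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQy' '-----END CERTIFICATE-----' > "$d/root.crt"
    cat "$d/intermediate.crt" "$d/root.crt" > "$d/naive.ca-bundle"
    build_bundle "$d/fixed.ca-bundle" "$d/intermediate.crt" "$d/root.crt"
    check_bundle "$d/naive.ca-bundle" || echo "naive bundle rejected"
    echo "fixed bundle holds $(check_bundle "$d/fixed.ca-bundle") certificates"
    rm -rf "$d"
}
demo
```

The plain `cat` bundle passes a simple BEGIN/END count, because the glued line matches neither marker, which is why the script checks for the glued line first.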


Solution 3:

The fix above may be useful, but for me the fix was this:

http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/

In case the link goes:

The format in this case is p7b (PKCS #7); to use the certificate with Apache you’re going to have to convert this.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Within the resulting .cer file you will find your X.509 certificate bundled with the relevant CA certificates; break these out into your relevant .crt and ca.crt files and load as normal into Apache.


Solution 4:

Well this was originally a comment to @lynxman but it was too long.

I just had this issue using a Let's Encrypt cert with Arch Linux. Upon booting after the first restart in a couple of months, the httpd service failed with this error:

 AH01903: Failed to configure CA certificate chain!

First I tried renewing the certificate since it's easy and free. My SSLCertificateChainFile then had one cert listed instead of two (?). So I commented that line out:

#SSLCertificateChainFile "/etc/letsencrypt/live/mywebsite.com/chain.pem"

Voila! It started up fine. ¯_(ツ)_/¯