Apache2 certificates do not match

If your Apache2 service is blocked (status inactive) because of an SSL certificate issue, this article may be the solution you are looking for.

You can occasionally stumble on a certificate mismatch problem; in other words, you are probably using a certificate that does not belong to the given private key.

It can happen especially if you renew your certificates manually; moreover, you can experience this issue when you use Certera or, more generally, Let's Encrypt certificates.

The symptoms are that the web server is not active (status inactive) and none of your virtual hosts are reachable, on either port 80 or port 443.

Furthermore, the web server (apache2 in our case) is not up and running at all.

How to deal with that?

Simple, use the right certificates!

How can I be sure about the certificate mismatch?

Simple again 🙂

You can use these commands:

openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in privkey.pem | openssl md5

Everything is fine when the resulting md5 string is the same for both files, i.e. for the certificate and for the private key; if the two strings differ, the key does not belong to that certificate.
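The modulus check above only works for RSA keys. As an added example (not part of the original article), the script below compares the public key extracted from the certificate with the one derived from the private key, which also covers EC keys, and reads the SSLCertificateFile / SSLCertificateKeyFile pair straight out of each enabled Apache site. The function names and the default sites-enabled path are assumptions for this example.

```shell
#!/bin/sh
# Added example: check that the private key configured in Apache really
# belongs to the configured certificate. "openssl x509 -pubkey" and
# "openssl pkey -pubout" both print the SubjectPublicKeyInfo in PEM form,
# so a plain string comparison works for RSA and EC keys alike.

# cert_key_match CERT KEY -> 0 on match, 1 on mismatch, 2 if unreadable.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# apache_directive CONF DIRECTIVE -> first value of DIRECTIVE in CONF
# (surrounding quotes stripped); empty if the directive is absent.
apache_directive() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1" | tr -d '"'
}

# check_apache_site CONF -> exit codes as cert_key_match; a vhost without
# SSL directives (plain HTTP) is skipped and counts as OK.
check_apache_site() {
  cert=$(apache_directive "$1" SSLCertificateFile)
  key=$(apache_directive "$1" SSLCertificateKeyFile)
  if [ -z "$cert" ] && [ -z "$key" ]; then
    echo "SKIP     $1 (no SSL directives)"; return 0
  fi
  [ -n "$cert" ] && [ -n "$key" ] || { echo "ERROR    $1 (incomplete SSL directives)"; return 2; }
  rc=0; cert_key_match "$cert" "$key" || rc=$?
  case $rc in
    0) echo "OK       $1" ;;
    1) echo "MISMATCH $1 ($cert vs $key)" ;;
    *) echo "ERROR    $1 (cannot read $cert or $key)" ;;
  esac
  return $rc
}

# check_enabled_sites [DIR] -> checks every .conf in DIR (default: the
# Debian/Ubuntu sites-enabled directory); returns 1 if any site fails.
check_enabled_sites() {
  failed=0
  for conf in "${1:-/etc/apache2/sites-enabled}"/*.conf; do
    [ -f "$conf" ] || continue
    check_apache_site "$conf" || failed=1
  done
  return $failed
}

# Usage: sh check_apache_certs.sh [sites-enabled-dir]
[ $# -eq 0 ] || check_enabled_sites "$1"
```

Run it before restarting apache2 after a manual renewal; a MISMATCH line names the vhost whose key and certificate were renewed out of step.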

Useful details and references

Note that your certificate may have a .crt extension rather than .pem.
Likewise, the private key may have a different name, typically with a .key extension.

To check whether your apache2 is working correctly (i.e. status active), you can run this command:

systemctl status apache2

To check whether any errors are being logged, you can follow the Apache logs with this command:

tail -f /var/log/apache2/*.log

The solution was inspired by this very useful article on Digicert.com.