Apache cannot access existing certificate file linked in nextcloud.conf

I am currently setting up a nextcloud server on Debian 11. I’m struggling right now to enable SSL by linking the certificates from letsencrypt in the config:

apachectl configtest
AH00526: Syntax error on line 40 of /etc/apache2/sites-enabled/nextcloud.conf:
SSLCertificateFile: file '/etc/letsencrypt/archive/nextcloud.example.com/fullchain1.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.

www-data should have access to the relevant letsencrypt directories:

$ sudo ls -l /etc/letsencrypt/archive/nextcloud.example.com
total 20
-rw-r--r-- 1 root root 1858 Dec 28 20:30 cert1.pem
-rw-r--r-- 1 root root 3749 Dec 28 20:30 chain1.pem
-rw-r--r-- 1 root root 5607 Dec 28 20:30 fullchain1.pem
-rw-r--r-- 1 root root 1704 Dec 28 20:30 privkey1.pem

Config section:

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/archive/nextcloud.example.com/fullchain1.pem
    SSLCertificateKeyFile /etc/letsencrypt/archive/nextcloud.example.com/privkey1.pem

Originally, following an instruction guide, I used letsencrypt/live instead of letsencrypt/archive in the config; the certificate files in that directory are symlinks, and I suspected that might be causing the problem. Changing the paths to archive, as above, did not solve the problem.

$ sudo ls -l /etc/letsencrypt/live/nextcloud.example.com/
total 4
lrwxrwxrwx 1 root root  45 Dec 28 20:30 cert.pem -> ../../archive/nextcloud.example.com/cert1.pem
lrwxrwxrwx 1 root root  46 Dec 28 20:30 chain.pem -> ../../archive/nextcloud.example.com/chain1.pem
lrwxrwxrwx 1 root root  50 Dec 28 20:30 fullchain.pem -> ../../archive/nextcloud.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  48 Dec 28 20:30 privkey.pem -> ../../archive/nextcloud.example.com/privkey1.pem
-rw-r--r-- 1 root root 692 Dec 28 20:30 README

I suspect the error is really simple, but looking for solutions was fruitless, so I am asking for posterity.

Hi @the-tattered-mantle

Try to change the path back to “live” and use “fullchain.pem” and “privkey.pem” without the “1” at the end of the file name…

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/nextcloud.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.example.com/privkey.pem

That’s what I have and it’s also what certbot automatically adds to the VirtualHost config when you start it with certbot --apache.

Thank you. Like I said in the OP, that’s what I started with, as set by certbot - it caused the same problem and I switched to archive because my best guess was a bug in resolving symbolic links.

I reverted to live just in case and unfortunately it made no difference.

I assume you have double and triple checked if there are any typos in the path. :wink: But did you also change back the file names from fullchain1.pem to fullchain.pem and from privkey1.pem to privkey.pem?

If the paths look ok and it still does not work, you could try to reinstall the certificates:

certbot --reinstall

If that doesn’t help either, I would delete the whole /etc/letsencrypt folder, reinstall certbot and issue new certificates.

Btw how exactly did you set up the certificates in the first place?

Personally I use this command:

certbot --apache --rsa-key-size 4096 --agree-tos --no-eff-email --redirect

certbot then automagically detects the existing apache virtual host and creates a second virtualhost with the ssl config. I never had any issues that apache couldn’t find or read the certificates when I did it that way.

Change permissions on the live and archive folders:
chmod 755 /etc/letsencrypt/live/
chmod 755 /etc/letsencrypt/archive/
apachectl -t
Syntax OK
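An added diagnostic for the situation in this thread (example script written for this page, not part of the original thread and not certbot's or Apache's own tooling): it walks the certificate path one directory at a time and reports which component denies traversal to a user who is neither the owner nor in the owning group, which is what www-data is when everything under /etc/letsencrypt is root:root. A stat() that fails on a non-traversable directory looks to Apache like a file that is not there, which is why the "does not exist or is empty" message can appear for a file that is plainly present. It also flags a private key readable beyond its owner: in the OP's listing privkey1.pem is -rw-r--r--, so once archive/ is opened with chmod 755 every local account can read the key unless the key file itself is tightened to 0600. The directory tree is constructed in a temp dir to mirror the listing (placeholder contents, not real PEM data), and `stat -c '%a'` is the GNU coreutils form.

```shell
#!/bin/sh
# Walk a path component by component and report whether a user who is
# neither owner nor group member (www-data here, since the listing shows
# root:root everywhere) could reach the final file. A directory needs the
# "others" execute bit to be traversed; the file needs the read bit.
# Returns 0 if the whole chain is accessible, 1 otherwise.
check_path_access() {
    target=$1
    blocked=0
    case $target in /*) acc="" ;; *) acc="." ;; esac
    saved_ifs=$IFS
    IFS=/
    for part in $target; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        if ! mode=$(stat -c '%a' "$acc" 2>/dev/null); then
            echo "MISSING  $acc"
            blocked=1
            break
        fi
        others=$((mode % 10))          # last octal digit: permissions for "others"
        if [ -d "$acc" ]; then
            need=1; what="traverse"     # x bit
        else
            need=4; what="read"         # r bit
        fi
        if [ $((others & need)) -eq 0 ]; then
            echo "BLOCKED  $acc (mode $mode: others cannot $what)"
            blocked=1
        else
            echo "ok       $acc (mode $mode)"
        fi
    done
    IFS=$saved_ifs
    return $blocked
}

# Flag a private key whose mode lets group or others read it.
# Returns 0 if the key is owner-only, 1 if it is exposed or unreadable.
check_key_exposure() {
    keymode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    grp=$(( (keymode / 10) % 10 ))
    oth=$(( keymode % 10 ))
    if [ $((grp & 4)) -ne 0 ] || [ $((oth & 4)) -ne 0 ]; then
        echo "EXPOSED  $1 (mode $keymode: readable beyond owner)"
        return 1
    fi
    echo "ok       $1 (mode $keymode)"
    return 0
}

# Build a throwaway tree mirroring the thread's listing: 0700 live/ and
# archive/ directories, 0644 certificate and key files. Contents are
# constructed placeholders, not copied from any real host. Prints the root.
build_sample_tree() {
    root=$(mktemp -d)
    site="$root/letsencrypt/archive/nextcloud.example.com"
    mkdir -p "$site" "$root/letsencrypt/live"
    chmod 755 "$root" "$root/letsencrypt" "$site"
    chmod 700 "$root/letsencrypt/archive" "$root/letsencrypt/live"
    for f in cert1 chain1 fullchain1 privkey1; do
        echo "constructed placeholder, not a real PEM" > "$site/$f.pem"
        chmod 644 "$site/$f.pem"
    done
    echo "$root"
}

# Demo: reproduce the failure, apply the chmod from the last post, re-check.
demo_root=$(build_sample_tree)
cd "$demo_root" || exit 1
certfile=letsencrypt/archive/nextcloud.example.com/fullchain1.pem
keyfile=letsencrypt/archive/nextcloud.example.com/privkey1.pem
echo "--- before: archive/ is 0700"
check_path_access "$certfile" || true
echo "--- after chmod 755 on archive/"
chmod 755 letsencrypt/archive
check_path_access "$certfile" || true
echo "--- private key mode (listing shows 0644)"
check_key_exposure "$keyfile" || true
cd / && rm -rf "$demo_root"
```

On a real host the direct equivalent is `sudo -u www-data test -r /etc/letsencrypt/live/nextcloud.example.com/fullchain.pem && echo readable`; the script reads mode bits instead so it can be run and reasoned about anywhere, including as root, where a plain `test -r` would always succeed. Running `apachectl configtest` as root and as an unprivileged user gives the same two-sided view.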