If Apache (apache2) on a Linux system (here Ubuntu 20) does not start because of "'dhparam.pem' does not exist or is empty", for instance after you switched your Let's Encrypt certbot challenge from HTTP to DNS in order to obtain a wildcard certificate, the error looks like this:
Example:
user@ubuntu:/etc/apache2/sites-available#
user@ubuntu:/etc/apache2/sites-available# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2021-06-01 21:51:33 CET; 13s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 542668 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

Jun 01 21:51:33 *yourdomain.tld* systemd[1]: Starting The Apache HTTP Server...
Jun 01 21:51:33 *yourdomain.tld* apachectl[542686]: AH00526: Syntax error on line 70 of /etc/apache2/sites-enabled/*yourdomain.tld*.conf:
Jun 01 21:51:33 *yourdomain.tld* apachectl[542686]: SSLOpenSSLConfCmd: file '/etc/letsencrypt/live/*yourdomain.tld*/dhparam.pem' does not exist or is empty
Jun 01 21:51:33 *yourdomain.tld* apachectl[542668]: Action 'start' failed.
Jun 01 21:51:33 *yourdomain.tld* apachectl[542668]: The Apache error log may have more information.
Jun 01 21:51:33 *yourdomain.tld* systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Jun 01 21:51:33 *yourdomain.tld* systemd[1]: apache2.service: Failed with result 'exit-code'.
Jun 01 21:51:33 *yourdomain.tld* systemd[1]: Failed to start The Apache HTTP Server.
user@ubuntu:/etc/apache2/sites-available#
user@ubuntu:/etc/apache2/sites-available#
Solution
To solve this issue, create the missing dhparam.pem file. It holds the Diffie-Hellman group that Apache uses when negotiating ephemeral (perfect forward secrecy) key exchanges with clients, and the SSLOpenSSLConfCmd directive in your vhost refuses to load without it.
sudo openssl dhparam -out /etc/letsencrypt/live/*yourdomain.tld*/dhparam.pem 2048
Example:
user@ubuntu:/etc/apache2/sites-available#
user@ubuntu:/etc/apache2/sites-available# sudo openssl dhparam -out /etc/apache2/sites-enabled/*yourdomain.tld*/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+...........+.............+......
....................................................
.+.............................+....................
....................................................
...........................[...]..................++*
user@ubuntu:/etc/apache2/sites-available#
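The same repair as a small check-and-fix script, added here as an example and not part of the original post. It reads the path from the vhost's SSLOpenSSLConfCmd DHParameters directive (the directive form behind the AH00526 error above), tests the same missing-or-empty condition Apache reports, generates the group only when needed so an existing good file is never overwritten, and validates the result before the config test. The config path, the 2048-bit size and yourdomain.tld are placeholders.

```shell
# Print every path given to "SSLOpenSSLConfCmd DHParameters" in a vhost file, quotes stripped.
dhparam_paths_from_conf() {
    awk 'toupper($1)=="SSLOPENSSLCONFCMD" && toupper($2)=="DHPARAMETERS" { gsub(/"/, "", $3); print $3 }' "$1"
}

# Mirror Apache's check: returns 0 (true) when the file is absent or has zero bytes.
dhparam_missing_or_empty() {
    if [ -s "$1" ]; then return 1; fi
    return 0
}

# List the DH parameter files referenced by the conf that Apache would reject.
missing_dhparams() {
    dhparam_paths_from_conf "$1" | while IFS= read -r p; do
        if dhparam_missing_or_empty "$p"; then printf '%s\n' "$p"; fi
    done
}

# Generate a fresh DH group only if needed, then verify it parses before Apache sees it.
ensure_dhparam() {
    path=$1
    bits=${2:-2048}
    if dhparam_missing_or_empty "$path"; then
        mkdir -p "$(dirname "$path")"
        openssl dhparam -out "$path" "$bits"
        chmod 644 "$path"                            # DH parameters are public, unlike the private key
        openssl dhparam -check -noout -in "$path"    # fail here rather than at the next Apache restart
    fi
}

# Usage: ./fix-dhparam.sh --fix /etc/apache2/sites-enabled/yourdomain.tld.conf
if [ "${1:-}" = "--fix" ]; then
    conf=${2:?usage: $0 --fix /etc/apache2/sites-enabled/yourdomain.tld.conf}
    missing_dhparams "$conf" | while IFS= read -r p; do
        ensure_dhparam "$p" 2048
    done
    apachectl configtest && systemctl restart apache2
fi
```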