Apache2 wont start due to missing dhparam.pem

If your apache2 on linux system (in this case ubuntu 20) does not start due to "'dhparam.pem' does not exist or is empty", because you might have changed your letencrypt certbot from http to dns in order to get a wildcard certificate, then the error might look like this:

Example:

user@ubuntu:/etc/apache2/sites-available#
user@ubuntu:/etc/apache2/sites-available# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2021-06-01 21:51:33 CET; 13s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 542668 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

Jun 01 21:51:33 *yourdomain.tld* systemd[1]: Starting The Apache HTTP Server...
Jun 01 21:51:33 *yourdomain.tld* apachectl[542686]: AH00526: Syntax error on line 70 of /etc/apache2/sites-enabled/*yourdomain.tld*.conf:
Jun 01 21:51:33 *yourdomain.tld* apachectl[542686]: SSLOpenSSLConfCmd: file '/etc/letsencrypt/live/*yourdomain.tld*/dhparam.pem' does not exist or is empty
Jun 01 21:51:33 *yourdomain.tld* apachectl[542668]: Action 'start' failed.
Jun 01 21:51:33 *yourdomain.tld* apachectl[542668]: The Apache error log may have more information.
Jun 01 21:51:33 *yourdomain.tld* systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Jun 01 21:51:33 *yourdomain.tld* systemd[1]: apache2.service: Failed with result 'exit-code'.
Jun 01 21:51:33 *yourdomain.tld* systemd[1]: Failed to start The Apache HTTP Server.
user@ubuntu:/etc/apache2/sites-available#
user@ubuntu:/etc/apache2/sites-available#

Solution

To solve this issue, you have to create the missing dhparam.pem file. This is used as a Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.

sudo openssl dhparam -out /etc/letsencrypt/live/*yourdomain.tld*/dhparam.pem 2048

Example: 

user@ubuntu:/etc/apache2/sites-available#
user@ubuntu:/etc/apache2/sites-available# sudo openssl dhparam -out /etc/apache2/sites-enabled/*yourdomain.tld*
/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+...........+.............+......
....................................................
.+.............................+....................
....................................................
...........................[...]..................++*
user@ubuntu:/etc/apache2/sites-available#


No comments:

Post a Comment