Articles in this section

The Apache service does not start: Failed to configure certificate: ca md too weak

Vincent Lauton
Updated
Plesk for Linux kb: technical

Applicable to:

  • Plesk for Linux

Symptoms

  • Unable to start Apache service with the following error in /var/log/httpd/error_log (CentOS/RHEL) or /var/log/apache2/error_log (Debian/Ubuntu):

    CONFIG_TEXT: [ssl:emerg] [pid 14058] AH02562: Failed to configure certificate example.com:443:0 (with chain), check /opt/psa/var/certificates/scf28bccT
    [ssl:emerg] [pid 14058] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

  • The same error can be found in /var/www/vhosts/system/example.com/logs/error_log file if Piped logs option is enabled in Tools & Settings > Apache Web Server Settings

Cause

A domain's certificate CA is too old and has weak encryption. If it's unclear which exact domain has an outdated certificate, use the following command:

# grep -rl scf28bccT /var/www/vhosts/system/

Note: "scf28bccT" is the certificate's file name from the error message

Resolution 

Contact the certificate's vendor in order to update the CA certificate.

Workarounds
  1. Issue a free Let's Encrypt certificate for the affected domain and replace the current certificate:
    How to install an SSL certificate for a domain in Plesk (Let's Encrypt / other certificate authorities)
  2. Alternatively, disable SSL support for the domain:
    1. Log in to Plesk
    2. Navigate to Domains > example.com > Hosting Settings
    3. Uncheck the SSL/TLS Support option and click OK/Apply to save the changes
Was this article helpful?

Comments

1 comment
Date Votes
  • Avatar
    Deepak Yogi

    Using wildcard SSL but getting the same

    0

Please sign in to leave a comment.