Symptoms
- Unable to start Apache service with the following error in
/var/log/httpd/error_log(CentOS/RHEL) or/var/log/apache2/error_log(Debian/Ubuntu):[ssl:emerg] [pid 14058] AH02562: Failed to configure certificate example.com:443:0 (with chain), check /opt/psa/var/certificates/scf28bccT
[ssl:emerg] [pid 14058] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak -
The same error can be found in
/var/www/vhosts/system/example.com/logs/error_logfile if Piped logs option is enabled in Tools & Settings > Apache Web Server Settings
Cause
A domain's certificate CA is too old and has weak encryption. If it's unclear which exact domain has an outdated certificate, use the following command:
# grep -rl scf28bccT /var/www/vhosts/system/
Note: "scf28bccT" is the certificate's file name from the error message
Resolution
Contact the certificate's vendor in order to update the CA certificate.
Workarounds
- Issue a free Let's Encrypt certificate for the affected domain and replace the current certificate:
How to install an SSL certificate for a domain in Plesk (Let's Encrypt / other certificate authorities) - Alternatively, disable SSL support for the domain:
- Log in to Plesk
- Navigate to Domains > example.com > Hosting Settings
- Uncheck the SSL/TLS Support option and click OK/Apply to save the changes
with