# Fix Apache SSLCertificateFile Not Found After Certificate Renewal

After renewing your SSL certificate, Apache refuses to start:

```bash
[Thu Apr 08 06:00:01.234567 2026] [ssl:emerg] [pid 2345] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Apr 08 06:00:01.234568 2026] [ssl:emerg] [pid 2345] AH02563: Unable to configure RSA server private key
[Thu Apr 08 06:00:01.234569 2026] [ssl:error] [pid 2345] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
```

Or:

```bash
AH02238: Unable to configure RSA server private key
AH02574: Init: Unable to set private key file `/etc/ssl/private/example.com.key'
```

These errors mean Apache cannot find or read the certificate or private key file specified in the SSL configuration, or that the key it loaded does not belong to the certificate.

## Step 1: Verify File Paths

Check the paths in your Apache SSL configuration:

```bash
grep -r "SSLCertificate" /etc/apache2/sites-enabled/
# or for RHEL/CentOS
grep -r "SSLCertificate" /etc/httpd/conf.d/
```

Common paths:

- `/etc/letsencrypt/live/example.com/fullchain.pem` (Let's Encrypt)
- `/etc/ssl/certs/example.com.crt` (custom certificate)
- `/etc/apache2/ssl/example.com.pem` (Debian default)

Verify each file exists:

```bash
ls -la /etc/letsencrypt/live/example.com/fullchain.pem
ls -la /etc/letsencrypt/live/example.com/privkey.pem
```

Let's Encrypt certificates are symlinks. If the renewal succeeded but the symlinks were not updated, Apache still loads the old files. List the directory to see where each link points:

```bash
ls -la /etc/letsencrypt/live/example.com/
# Should show:
# fullchain.pem -> ../../archive/example.com/fullchain5.pem
# privkey.pem -> ../../archive/example.com/privkey5.pem
```

If the symlink points to a non-existent file:

```bash
sudo certbot renew --force-renewal
sudo systemctl reload apache2
```

## Step 3: Verify File Permissions

The Apache process must be able to read the certificate and key files. Check the permissions:

```bash
ls -la /etc/letsencrypt/live/example.com/
ls -la /etc/letsencrypt/archive/example.com/
```

Certificate files should be readable by all:

```bash
sudo chmod 644 /etc/letsencrypt/live/example.com/fullchain.pem
sudo chmod 644 /etc/letsencrypt/live/example.com/cert.pem
```

Private key files must never be world-readable. Restrict them to root and the group the Apache user belongs to:

```bash
sudo chmod 640 /etc/letsencrypt/live/example.com/privkey.pem
sudo chown root:ssl-cert /etc/letsencrypt/live/example.com/privkey.pem
sudo usermod -a -G ssl-cert www-data
```

On RHEL/CentOS systems, the Apache user is `apache`:

```bash
sudo chown root:apache /etc/ssl/private/example.com.key
sudo chmod 640 /etc/ssl/private/example.com.key
```

## Step 4: SELinux Context (RHEL/CentOS)

On SELinux-enabled systems, the security context matters:

```bash
ls -Z /etc/ssl/private/example.com.key
```

If the context is wrong, Apache cannot read the file even with correct permissions. Fix it:

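```bash
# Reset the file to the context the loaded policy defines for its path
sudo restorecon -v /etc/ssl/private/example.com.key
# Or set the type explicitly (not persistent: a later relabel reverts it)
sudo chcon -t cert_t /etc/ssl/private/example.com.key
```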

Or set the correct context permanently:

```bash
sudo semanage fcontext -a -t cert_t "/etc/ssl/private(/.*)?"
sudo restorecon -Rv /etc/ssl/private/
```

## Step 5: Verify Certificate and Key Match

A common cause of SSL startup failure is a mismatched certificate and key:

```bash
openssl x509 -noout -modulus -in /etc/letsencrypt/live/example.com/fullchain.pem | md5sum
openssl rsa -noout -modulus -in /etc/letsencrypt/live/example.com/privkey.pem | md5sum
```

Both commands must output the same hash. If they differ, the certificate and key do not match; you may have mixed up files from different renewals.

## Step 6: Test Configuration Before Restart

Always test before restarting Apache:

```bash
sudo apachectl configtest
# or
sudo apache2ctl configtest
```

Apply the change only if the test passes:

```bash
sudo systemctl reload apache2
```

Using `reload` instead of `restart` avoids dropping existing connections during the SSL reconfiguration.
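
The checks from the steps above can be combined into one pre-reload gate. The script below is an added example, not part of the original guide; `check_tls_pair` is a hypothetical helper name. It goes slightly beyond Step 5 by comparing public keys rather than the RSA modulus, so it also works for ECDSA keys, where `openssl rsa -modulus` does not apply.

```shell
#!/usr/bin/env bash
# Added example: pre-reload check for a certificate/key pair.
# check_tls_pair is a hypothetical helper name, not an Apache or certbot command.
#
# Return codes: 0 ok, 1 missing/dangling, 2 unparsable, 3 mismatch,
#               4 expired, 5 private key is world-readable.
check_tls_pair() {
    local cert="$1" key="$2" f cert_pub key_pub

    # [ -r ] follows symlinks, so a live/ link into a missing archive/ file fails here.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing, unreadable or dangling: $f" >&2; return 1; }
    done

    # The key must not carry the other-read bit (find -L tests the symlink target).
    [ -z "$(find -L "$key" -perm -004 2>/dev/null)" ] \
        || { echo "private key is world-readable: $key" >&2; return 5; }

    # Public key of the first certificate in the file (the leaf in fullchain.pem).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate: $cert" >&2; return 2; }
    # Public key derived from the private key; pkey handles RSA and EC alike.
    # The empty -passin makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) \
        || { echo "cannot parse private key: $key" >&2; return 2; }

    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key values mismatch: $key does not match $cert" >&2; return 3; }

    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired: $cert" >&2; return 4; }
    return 0
}

# Usage: reload only when this check and Apache's own syntax test both pass.
# check_tls_pair /etc/letsencrypt/live/example.com/fullchain.pem \
#                /etc/letsencrypt/live/example.com/privkey.pem \
#   && sudo apachectl configtest && sudo systemctl reload apache2
```

Run it as root (or via `sudo`), since the key is not readable by ordinary users; each non-zero return code maps to one of the failure causes covered in the steps above.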