[NCLUG] Apache/mod_ssl question
Gabriel L. Somlo
somlo at acns.colostate.edu
Tue Mar 16 15:34:48 MST 2004
Just my $0.02:
I fought a somewhat similar problem: got official certificates (free
to .edu's from ipsca.com), got another file with two more certs (these
were supposed to handle the CA chain), and followed their
instructions, which said to:
1. Point SSLCertificateFile to the server cert file
2. Point SSLCertificateChainFile to the file containing those
two extra certs for the CA chain
Then, I tried it out, and the browser still gave me the popup about
how it couldn't verify my server cert, and how this could be a MITM.
The way I fixed it was to cat together the server cert file and the CA
chain file into one single file, and point both SSLCertificateFile
*and* SSLCertificateChainFile to it in the ssl config file.
That's the only way I got it to work on RedHat9 with apache 2.0.40.
Don't know if this is even related to your problem, but who knows --
maybe something worth trying.
Cheers,
Gabriel
On Tue, Mar 16, 2004 at 03:10:07PM -0700, Rich Young wrote:
> apachectl configtest didn't do much for me -- just verified that there
> are no invalid directives in the configuration files. It wasn't a
> surprise, but it's nice to know that.
>
> Following the instructions at
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#verify, I verified
> that the currently installed cert and key match. I don't see much else
> in the SSL FAQ that looks applicable to this situation.
>
> openssl s_client is providing much more information now. I appear to
> have some sort of break in the CA chain - again, a bit mystifying
> because I don't remember messing with this in the first place....
> Anyway, I'm fooling around with the SSLCertificateChainFile and
> SSLCACertificateFile directives, trying to get rid of the errors I'm
> seeing (#'s 20 and 19, mostly -- both indicating that there's something
> wrong with the CA, if I'm reading the errors & google output correctly.)
>
> Right now, my plan is to come in during the wee hours, back up my cert,
> key, web site, and current config files, and uninstall/reinstall apache.
> Then I'll work with the fresh config to bring the site back up and get
> it working with the key. Unless somebody else has a better idea ;^)
>
> Thanks again, Steve.
> --Rich
>
> > I forgot to mention the '-debug' flag to the s_client command.
> > That will give you some more diagnostics.
> >
> > Also, 'apachectl configtest' can help sort out any problems
> > with the Apache configuration file.
> >
> > Good luck, and let us know what the resolution was.
>
> _______________________________________________
> NCLUG mailing list NCLUG at nclug.org
>
> To unsubscribe, subscribe, or modify
> your settings, go to:
> http://www.nclug.org/mailman/listinfo/nclug
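The chain problem both messages above describe can be reproduced and diagnosed offline. The script below is an added illustration, not code from the thread or from the Apache project: it builds a throwaway root CA, intermediate CA and server certificate with the openssl command line tool (the only thing it assumes), and then shows the verify results that correspond to what Rich saw, error 20 (no path from the server cert to any trusted root, the case when no chain file is served) and error 19 (the chain reaches a self-signed root that the client does not trust). It also runs the SSL FAQ cert/key modulus check Rich mentions, and shows why Gabriel's cat-together file works: a verifier only needs the intermediate to be present somewhere in what the server sends. All names and paths are constructed for the demo.

```sh
#!/bin/sh
# Added demo (not from the thread): reproduce the "broken CA chain" symptom
# with throwaway certificates, then show the checks that tell the cases apart.
# Assumes only the openssl command line tool; all files live in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

gen_chain() {
  # Root CA (self-signed): what a browser would have in its trust store.
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  # An unrelated root, to stand in for a client that trusts some other CA.
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/CN=Unrelated Root CA" -days 2 2>/dev/null
  # Intermediate CA signed by the root: the "extra certs" a CA hands out.
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  # Server certificate signed by the intermediate (what SSLCertificateFile holds).
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=www.example.edu" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -days 2 \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null
  # What SSLCertificateChainFile should contain: the intermediate(s).
  cat "$WORK/inter.pem" > "$WORK/chain.pem"
  # A chain file that also carries the root (harmless when the root is trusted).
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain_with_root.pem"
  # Gabriel's workaround: leaf + chain in one file, used for both directives.
  cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# Print the openssl verify error number (0 when the chain verifies); these are
# the same numbers openssl s_client reports as "verify error:num=20" / "num=19".
# Usage: verify_code LEAF.pem [openssl verify options...]
verify_code() {
  leaf=$1; shift
  if out=$(openssl verify "$@" "$leaf" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1
  fi
}

# The SSL FAQ "do the cert and key match" check: compare RSA modulus digests.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

gen_chain
echo "chain file + trusted root:        $(verify_code "$WORK/server.pem" -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem")"            # 0
echo "cat'd bundle + trusted root:      $(verify_code "$WORK/server.pem" -CAfile "$WORK/root.pem" -untrusted "$WORK/bundle.pem")"           # 0
echo "no chain file at all:             $(verify_code "$WORK/server.pem" -CAfile "$WORK/root.pem")"                                         # 20
echo "chain incl. root, root untrusted: $(verify_code "$WORK/server.pem" -CAfile "$WORK/other.pem" -untrusted "$WORK/chain_with_root.pem")" # 19
echo "server key matches server cert:   $(key_matches_cert "$WORK/server.pem" "$WORK/server.key" && echo yes || echo no)"                  # yes
```

Reading the output: 20 means the client could not find the issuer of the server cert at all, which is what a browser sees when SSLCertificateChainFile is missing or points at the wrong file; 19 means the chain is complete but ends at a root the client does not have, so the fix is on the client side (or the wrong root was shipped), not in the chain file. The modulus check is worth running whenever a reinstall or copy of cert and key is involved, since a mismatched pair fails before the chain question even arises.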