Posted to users@httpd.apache.org by Carlos Mennens <ca...@gmail.com> on 2010/04/07 16:47:45 UTC

[users@httpd] Apache Doesn't See My SSLCACertificateFile

I have Apache running on my RHEL 5.4 web server and when someone goes
to my website, they get a scary warning that tells them my secure site
isn't safe because it can't be validated by a CA. I contacted my CA
(Verisign) today and was told that my web server (Apache) isn't
properly rendering my 'intermediate' certificate. I clearly show
Apache is properly displaying my public certificate and can read my
private SSL key so I don't know why it's missing the
SSLCACertificateFile entry from my httpd.conf file: My entry looks as
follows in 'httpd.conf':

<VirtualHost *:443>
        DocumentRoot /var/www/html/int/main
        ServerName www.mydomain.tld:443
        ServerAdmin webmaster@mydomain.tld
        ErrorLog /var/log/httpd/www.mydomain.tld-int-error_log
        TransferLog /var/log/httpd/www.mydomain.tld-int-access_log
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/httpd/conf/ssl/www.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl/www.key
        SSLCACertificateFile /etc/httpd/conf/ssl/intermediate.crt

Now I'm starting to look around and noticed I also have a
/etc/httpd/conf.d/ssl.conf file and it too has a section to list SSL
parameter/path. I am wondering if I need to also add my SSL www.crt,
www.key, and intermediate.crt in the 'ssl.conf' file also? Or could it
simply be that Apache doesn't have permissions to properly render
the 'intermediate.crt', which makes no sense to me since it can see the
www.crt & www.key fine and they all have the same permissions:

[root@ideweb1 ssl]# ls -la
total 24
dr-------- 2 root root 4096 Mar 26 14:36 .
drwxr-xr-x 3 root root 4096 Apr  7 10:46 ..
-r-------- 1 root root 1659 Jul 21  2009 intermediate.crt
-r-------- 1 root root 1936 Mar 26 14:36 www.crt
-r-------- 1 root root  887 Feb 11  2009 www.key
-r-------- 1 root root 1931 Mar 26 14:36 www.orig

Please help me understand this...

-Carlos

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache Doesn't See My SSLCACertificateFile

Posted by Carlos Mennens <ca...@gmail.com>.
On Wed, Apr 7, 2010 at 11:32 AM, János Löbb <ja...@yale.edu> wrote:
> Carlos,
>
> Make sure you delete your old intermediate.crt and copy down from the
> verisign site the appropriate intermediate certificate.
>
> I had to do this two days ago :-)

Yup. That was it!



Re: [users@httpd] Apache Doesn't See My SSLCACertificateFile

Posted by János Löbb <ja...@yale.edu>.
Carlos,

Make sure you delete your old intermediate.crt and copy down from the  
verisign site the appropriate intermediate certificate.

I had to do this two days ago :-)

János
On Apr 7, 2010, at 10:47 AM, Carlos Mennens wrote:




Re: [users@httpd] Apache Doesn't See My SSLCACertificateFile

Posted by Crypto Sal <cr...@gmail.com>.
  On 04/07/2010 10:47 AM, Carlos Mennens wrote:

Carlos,

Word of advice... Use SSLCertificateChainFile vs. using 
SSLCACertificateFile in Apache 2.x. SSLCACertificateFile is used for 
CLIENT Authentication and may not work 100% of the time.

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile

