Posted to users@httpd.apache.org by "Turner, John" <JT...@AAS.com> on 2004/01/08 17:41:46 UTC

[users@httpd] Intermediate SSL cert problem with Apache 2.0.43

Hi -

I have a running installation of Apache 2.0.43, with SSL.  I have a Verisign
certificate that expires in Aug 2004.  I've followed the installation
description at Verisign (found here:
http://www.verisign.com/support/install/apache/v00Mod.html#global) exactly.

My SSL configuration in httpd.conf looks like this, for a single virtual
host (no other hosts are currently running, HTTP or HTTPS):

SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.key/domain.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/domain.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl.key/verisign-intermediate.crt

The certificate contained in verisign-intermediate.crt is the certificate
from this URL: http://www.verisign.com/support/install/intermediate.html as
specified in the installation instructions.

My Problem: browsing to my domain with IE 6 sets up a successful SSL
connection without errors or other alerts.  However, using Mozilla as well
as "openssl s_client -connect domain.com:443" generates errors about not
being able to verify the certificate.

The specific messages returned by openssl are: "num=20:unable to get local
issuer certificate" and "num=21:unable to verify the first certificate".

I'm pretty stumped, and a morning spent searching Google and reading all
sorts of archived posts hasn't led me any closer to a solution. 

Is IE broken (please no rants, flames, or sarcasm) and it's just assuming the
certificate is valid because Apache is not sending the intermediate cert?
How do I verify Apache is sending the certs, including the intermediate
cert?

If openssl isn't happy, it seems Apache isn't sending the intermediate cert,
if this is true, and my configuration is wrong, how do I fix it?  I did see
one post
(http://forums.devshed.com/t104136/sadcf52b12ec7564e45b1036a7005d2ee.html)
where the poster upgraded his Apache installation to 2.0.48 and got rid of
the same problem...is this the only solution?  

- John

============================================
John Turner
jturner@aas.com | 248-488-3466
Advertising Audit Service
http://www.aas.com
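
An added example (not part of the thread) for the question above of how to check which certificates Apache sends: it parses the "Certificate chain" section that `openssl s_client -showcerts` prints and reports how many certificates the server presented and whether their subject and issuer names link up. The sample outputs and all names in them are constructed, and `chain_summary` is a hypothetical helper name.

```shell
# Added example, not from the thread. Summarises the "Certificate chain" section
# printed by: openssl s_client -connect domain.com:443 -showcerts </dev/null 2>&1
chain_summary() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        # One " N s:<subject>" line plus one "   i:<issuer>" line per certificate sent.
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; next }
        /^verify error:num=/ { split($0, f, /[=:]/)      # f[3] is the numeric code
            if (!(f[3] in seen)) { seen[f[3]] = 1; errs = errs (errs ? "," : "") f[3] } }
        END {
            status = "linked"        # names line up; signatures are not checked here
            for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) status = "broken-order"
            if (n == 1 && iss[1] != subj[1]) status = "leaf-only"
            if (n == 0) status = "no-chain-section"
            printf "sent=%d verify_errors=%s status=%s\n", n, (errs ? errs : "none"), status
        }'
}
# Constructed sample: the server sends only its own certificate, no intermediate.
sample_leaf_only() {
    cat <<'EOF'
depth=0 /C=US/O=Example Org/CN=www.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=Example Org/CN=www.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
EOF
}
# Constructed sample: the intermediate is sent as certificate 1.
sample_with_intermediate() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
EOF
}
sample_leaf_only | chain_summary
sample_with_intermediate | chain_summary
```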


Re: [users@httpd] Intermediate SSL cert problem with Apache 2.0.43

Posted by Chip Cuccio <ch...@norlug.org>.
* Turner, John wrote:
> >My Problem: browsing to my domain with IE 6 sets up a successful SSL
> >connection without errors or other alerts.  However, using Mozilla as well
> >as "openssl s_client -connect domain.com:443" generates errors about not
> >being able to verify the certificate.

IIRC, that error usually means that the user-agent's root-cert DB has an
expired cert. Check your Mozilla root-certs for any expirations:
File > Prefs > Privacy & Sec. > Certs.

-- 
Chip Cuccio                    |  chipster[at]norlug[.]org
NORLUG VP and Sysadmin         |  <http://norlug.org/~chipster/>
Northfield Linux Users' Group  |  Northfield, Minnesota USA


Re: [users@httpd] Intermediate SSL cert problem with Apache 2.0.43

Posted by Aaron W Morris <aa...@mindspring.com>.
Turner, John wrote:

> Hi -
> 
> I have a running installation of Apache 2.0.43, with SSL.  I have a Verisign
> certificate that expires in Aug 2004.  I've followed the installation
> description at Verisign (found here:
> http://www.verisign.com/support/install/apache/v00Mod.html#global) exactly.
> 
> My SSL configuration in httpd.conf looks like this, for a single virtual
> host (no other hosts are currently running, HTTP or HTTPS):
> 
> SSLEngine on
> SSLCertificateFile /usr/local/apache2/conf/ssl.key/domain.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/domain.key
> SSLCertificateChainFile /usr/local/apache2/conf/ssl.key/verisign-intermediate.crt
> 
> The certificate contained in verisign-intermediate.crt is the certificate
> from this URL: http://www.verisign.com/support/install/intermediate.html as
> specified in the installation instructions.
> 
> My Problem: browsing to my domain with IE 6 sets up a successful SSL
> connection without errors or other alerts.  However, using Mozilla as well
> as "openssl s_client -connect domain.com:443" generates errors about not
> being able to verify the certificate.
> 
> The specific messages returned by openssl are: "num=20:unable to get local
> issuer certificate" and "num=21:unable to verify the first certificate".
> 
> I'm pretty stumped, and a morning spent searching Google and reading all
> sorts of archived posts hasn't led me any closer to a solution. 
> 
> Is IE broken (please no rants, flames, or sarcasm) and it's just assuming the
> certificate is valid because Apache is not sending the intermediate cert?
> How do I verify Apache is sending the certs, including the intermediate
> cert?
> 
> If openssl isn't happy, it seems Apache isn't sending the intermediate cert,
> if this is true, and my configuration is wrong, how do I fix it?  I did see
> one post
> (http://forums.devshed.com/t104136/sadcf52b12ec7564e45b1036a7005d2ee.html)
> where the poster upgraded his Apache installation to 2.0.48 and got rid of
> the same problem...is this the only solution?  
> 
> - John
> 
> ============================================
> John Turner
> jturner@aas.com | 248-488-3466
> Advertising Audit Service
> http://www.aas.com
> 
> 

This might have something to do with the recently expired Verisign CA 
certificate.  Check the expiration of your public CA signing certificate.

-- 
Aaron W Morris <aa...@mindspring.com> (decep)



