Posted to users@httpd.apache.org by Milo Thurston <kn...@gmail.com> on 2008/06/25 17:31:19 UTC

[users@httpd] Apache SSL certificate verification

I've got a setup where I need to control https access to several Linux
servers, and so I've generated my own CA certificate and users have
certificates signed against this. I've set up Apache on these servers
to access my certificate:

<VirtualHost *:443>
        DocumentRoot /data

        # self-signed server certificate
        SSLCertificateFile /etc/ssl/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key

        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificatePath /etc/apache2/certs
        SSLCACertificateFile /etc/apache2/certs/cacert.pem
</VirtualHost>

Files are downloaded with:

curl -k --cert ./pass.pem https://server/file.zip -o file.zip

...for 4/6 servers this is fine, but for the other two I get:

curl: (60) Peer certificate cannot be authenticated with known CA certificates

But, on all servers...

openssl verify -CAfile /etc/apache2/certs/cacert.pem ./pass.pem

...verifies the certificate as expected. Setting SSLVerifyClient to
"none" allows downloads but defeats the point of having the
certificate. Has anyone any idea what the problem might be? Of the two
dodgy machines one is Debian 4.0 and the other is RHEL4.  The working
ones are Gentoo, OpenSuSE and Debian 3.1.
LogLevel is set to "debug" but I can't see any entries when I try to
download a file and the connection is refused.
Thanks.


-- 
"One of the greatest delusions in the world is the hope that the evils in this
world are to be cured by legislation." - Thomas B. Reed 1886
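
Added example, not part of the original post: a check that can be run on each server to compare the CA file Apache loads with the client certificate, going one step further than the single openssl verify call above. check_client_cert is a hypothetical helper, the CA and client certificate are constructed throwaway material, and only the first certificate in each PEM file is inspected.

```shell
#!/bin/sh
# Added example: per-server sanity check of a client certificate
# against the CA file configured in SSLCACertificateFile.
# check_client_cert is a hypothetical helper name.
check_client_cert() {
    ca=$1; pem=$2
    # Print the CA fingerprint so it can be compared between servers.
    openssl x509 -noout -fingerprint -sha256 -in "$ca"
    # 1: the client certificate names a different issuer than this CA.
    [ "$(openssl x509 -noout -issuer_hash -in "$pem")" = \
      "$(openssl x509 -noout -subject_hash -in "$ca")" ] || return 1
    # 2: chain/signature check fails (match on output, not exit status,
    #    because old openssl builds exit 0 even on a failed verify).
    openssl verify -CAfile "$ca" "$pem" 2>&1 | grep -q ': OK$' || return 2
    # 3: the client certificate has already expired.
    openssl x509 -noout -checkend 0 -in "$pem" >/dev/null || return 3
    return 0
}

# Constructed throwaway material: two unrelated CAs and one client
# certificate signed by the first, bundled like the post's pass.pem.
WORK=$(mktemp -d)
make_ca() {  # $1 = output prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
make_ca "$WORK/cacert" "Constructed Test CA"
make_ca "$WORK/other"  "Constructed Other CA"
openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cacert.key" -set_serial 1 -days 1 \
    -out "$WORK/client.crt" 2>/dev/null
cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/pass.pem"

check_client_cert "$WORK/cacert.pem" "$WORK/pass.pem"; echo "own CA: $?"
check_client_cert "$WORK/other.pem"  "$WORK/pass.pem"; echo "other CA: $?"
```

A differing fingerprint line between a working and a failing server means the two are not loading the same CA certificate.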
