You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Aaron Turner <sy...@gmail.com> on 2008/04/08 21:35:48 UTC
[users@httpd] 2.2.8 and SSLCertificateChainFile not working
So I've been using a GoDaddy ssl certificate for my site for a couple
of years and it's stopped working ever since upgrading to 2.2.8 (I
think I was 2.2.6 before). The issue seems to be that Apache doesn't
send the intermediate signing certificate to the client.
Basically my config looks like:
<VirtualHost *:443>
ServerName www.synfin.net
DocumentRoot /var/www
SSLEngine On
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /opt/local/etc/www.synfin.net/www.synfin.net.crt
SSLCertificateKeyFile /opt/local/etc/www.synfin.net/www.synfin.net.key
SSLCertificateChainFile /opt/local/etc/www.synfin.net/sf_issuing.crt
</VirtualHost>
I've debugged with wireshark & openssl s_client -showcerts and it's
correctly sending the ServerCertificate, but the certificate stored in
sf_issuing.crt is not sent, hence there's no trusted signing path.
Turning on debug logging, I do see:
[Tue Apr 08 12:33:30 2008] [debug] ssl_engine_init.c(664): Configuring
server certificate chain (1 CA certificate)
Which seems to indicate that it's loading he sf_issuing.crt file, but
I'm at a loss beyond that. Any ideas/suggestions?
Thanks.
--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org