Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/06/28 05:04:01 UTC

DO NOT REPLY [Bug 21160] New: - SSL certificate chain handling suddenly fails to work properly

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21160

           Summary: SSL certificate chain handling suddenly fails to work
                    properly
           Product: Apache httpd-2.0
           Version: 2.0.45
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: d.tonhofer@m-plify.com


There is not much information here as yet; I will have to try a few things
first (next week, not today, it's about 05:00). But here is what happens:

Apache has been configured with three IP-based virtual servers on three
different IP addresses. On each of these addresses, we have an SSL server, thus
three SSL servers in total. 

One with a self-signed root CA certificate   ROOT->C1->SSL virtual host
Two with an 'official' CA certificate        ROOT->C1->C2->SSL virtual host

Everything has been configured, Apache has been happily chugging along...

But then...

After a restart, Apache goes through the SSL virtual servers and asks for the
password for each of the three private keys (good). After this, it fails (bad)
with the following error in the error log:

"Failed to configure CA certificate chain!"

(Some additional info would have been of use, too)

The weird thing is that the configuration for SSL had not changed at all. Thus
the production server was suddenly dead in the water w/o reason.

Also, each of the SSL virtual servers works if it is the only one in the
config file. Certain pairs also work, but not all.

Finally, 'openssl verify' does not find anything amiss with the CA chains.

So, that's all for now. More to follow (hopefully)

What is this server:

Apache/2.0.45 + mod_ssl/2.0.45 + OpenSSL/0.9.7b 

on a RH7.3 OS with gcc-2.96-110 and glibc-2.2.5-39
