retitle 912277 apache2: SSLCertificateChainFile silently ignored, causing AH01903 startup failure thanks
> 2.4.33-3+b1 is the oldest version I can downgrade to, and it > also exhibits the problem. WTF. This is a real WTF. I found https://serverfault.com/a/892300/189656 and thought “hey, Apache 2 still documents SSLCertificateChainFile, plus it’s the proper way to specify the chain given it’s normally separate from the certificates, and there’s no warning message about that directive, but let’s give it a shot”. So I did: # cat /etc/ssl/W_lan_tarent_de.cer /etc/ssl/W_lan_tarent_de.ca >/etc/ssl/combined-cer-chain.pem Then I edited /etc/apache2/sites-enabled/default-ssl.conf, commenting out SSLCertificateFile and SSLCertificateChainFile, and adding SSLCertificateFile /etc/ssl/combined-cer-chain.pem tglase@tglase:~ $ sudo cleanenv / /etc/init.d/apache2 stop Stopping Apache httpd web server: apache2. Server was not running ... (warning). tglase@tglase:~ $ sudo cleanenv / /etc/init.d/apache2 start Starting Apache httpd web server: apache2 .. .oO(wait, what?) tglase@tglase:~ $ curl --head https://$(hostname -f)/ HTTP/1.1 200 OK Date: Sun, 04 Nov 2018 17:34:29 GMT Server: Apache/2.4.35 (Debian) Content-Type: text/html;charset=UTF-8 .oO(what now?) So it turns out that, ever since some upgrade, the directive SSLCertificateChainFile is *silently* ignored, but this only becomes apparent when you stop+start instead of restart (so they are *still* not equivalent ☹). I don’t think this acceptable. Ideally, the option would be still supported; it does no harm and has worked for decades. If that’s not desired, it MUST yield a warning. bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 54881-235 HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg