At 01:17 PM 2/28/00 -0500, Osvaldo Brito wrote:
>At the same time I got this on the error_log file:
>
>[error] mod_ssl: Certificate Verification: Error (20):unable to get local
>issuer certificate
>
>[error] mod_ssl: SSL handshake failed (server www.laplace.inesc.pt:443,
>client 146.193.24.118) (OpenSSL library error follows)
>
>[error] OpenSSL: error: 14089B2:SSL routines:SSL_GET_CLIENT_CERTIFICATE:
>no certificate returned
>
>
>Any help?

Sounds like the same problem I reported over the weekend.  Didn't
get any answers from the list, but did get a lead from somebody I
work with yesterday afternoon.  I haven't tried this out yet, but
here is how the situation was explained to me.  I don't claim accuracy
on this, and I may have misunderstood aspects of what I was told.
Mea culpa.  :-)

- The web server needs two kinds of CA files:
  (a) one for certifying clients to the server
  (b) one certifying the server to the clients.

It may be that you get your server certificates and users certificates
from the same place, but that doesn't mean the CA file for (a) is the
same as the CA file for (b).  There may be more to the story than that,
but somebody more up on the issues than I am would have to comment on it.
I think the filename for (b) is arbitrary (or at least the name tends to
be something meaningful to a human being); that name will end up in your
httpd.conf file.  The filename for (a) is *not* arbitrary and its name
does *not* end up in httpd.conf (but maybe its directory location does?).
It is derived from the contents of (a) and will vary with the SSL
version/implementation you have.  A hash code is computed and the file
gets renamed to $hash.0 (or, in Unix installations, an appropriately-named
symbolic link created).  I was shown the steps for generating that hash code
on Unix with an Apache-SSL (i.e. non-modssl) installation; I haven't yet had
a chance to see if I can do the same things for modssl under NT.

If there are any mistakes in what I've described, I invite comment from
the modssl savants.  Be verbose; we the masses-without-a-clue will make
appropriate sacrifices in your names!  I would also suggest that this 
aspect of installation and configuration would be great to put in the 
user manual (as it is, most of the steps I had to follow for Win32 installation
weren't in the user manual at all; they were in an HTML file in the contrib
area).  According to the staff member I was talking to yesterday, CA and 
server cert problems account for almost half of the support questions she
gets from developers.  SSL version (2 vs 3) configuration accounts for 
almost another half.


====================================================
= Reid M. Pinchback                                =
= I/T Delivery, MIT                                =
=                                                  =
= Email:   [EMAIL PROTECTED]                          =
= URL:     http://mit.edu/reidmp/www/home.html     =
====================================================

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
