> Without going through mod_ssl's source: did you try to put the complete
> chain into the ChainFile?
Tried this, but it didn't make any difference.
> With respect to the error message, mod_ssl can write more messages
> than that into e.g. an ssl_engine_log. Did you check all possible
> logfiles?
I've checked; even with SSLLogLevel debug I couldn't get any more out of
it.
I've since looked through the mod_ssl source and if there is any kind of
error while trying to load the ChainFile then the generic "Failed to
configure CA certificate chain!" message is produced. Not very helpful
really since there are many possibilities.
I have also tried using SSLCACertificateFile instead of and in
conjunction with SSLCertificateChainFile. This was described at
http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html
as the instructions for ApacheSSL rather than mod_ssl. If used instead
of SSLCertificateChainFile no init errors happen and the following is
reported in ssl_engine_log:
[20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443)
Configuring client authentication
[20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust
Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class
3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
So it appears there is nothing wrong with my Intermediate Certificate
(since that's what the trace is outputting) or Apache's ability to read
it. Why oh why then doesn't it work with SSLCertificateChainFile,
arrrrgh!
Thanks for the help and suggestions, but I'm still stuck.
One thing I haven't mentioned previously is that I'm running Apache
1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
either of these versions.
regards,
Damon.