Re: SSLCertificateChain file for Intermediate CA

2001-05-23 Thread Rajaram . Vasudev


Hi Damon,
   Could you please put in the corrected part of your httpd.conf file - all
the directives that are relevant to SSL connections.
I am interested in looking at the corrected piece (and commented pieces as
well).

Rajaram.

To: [EMAIL PROTECTED]
cc:
Subject: Re: SSLCertificateChain file for Intermediate CA

Damon Maria [EMAIL PROTECTED], 05/22/01 08:42 PM (please respond to modssl-users), wrote:

I think I've solved my problem and would just like to post the answer
for someone else's reference.

The offending line is:

  SSLProtocol -all +SSLv2

If I take that line out mod_ssl can load the certificate chain. I
presume there's a good reason for this (chains require SSLv3 at a
guess)?

SSLProtocol was originally added because we just couldn't get around
problems with MSIE 4.x connecting with SSL. Although it is a big hack,
the suggested SSL changes in the mod_ssl FAQ just didn't work for us.
I've since removed the SSLProtocol, added a SSL session cache and added
+eNULL to the end of the SSLCipherSuite. Now I'm just waiting to see if
MSIE 4.x users can still connect.

I've also recently seen talk of

  SSLRequire  %{SSL_CIPHER} = 128

solving the MSIE SGC bug. Has someone confirmed this to be true?

thanks for the help,
Damon.

<VirtualHost ...>
  ServerName www.motorweb.co.nz

  SSLEngine on

# The following hopefully get around the MSIE 4.x and 5.0 SGC bug
#  SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
  SSLProtocol -all +SSLv2
  SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

# SSLLog /var/log/httpd/ssl_engine_log
# SSLLogLevel debug

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]







Re: SSLCertificateChain file for Intermediate CA

2001-05-23 Thread Damon Maria

[EMAIL PROTECTED] wrote:
 
 Hi Damon,
 Could you please put in the corrected part of your httpd.conf file - all
 the directives that are relevant to SSL connections.

OK, this is for the site https://www.motorweb.co.nz. Try it and you may
I say.

First off, I'm using a Verisign Global ID certificate (ie. SGC). 

What I have currently works with MSIE 5+ and NS 4.7 (haven't tried other
NS's). 

It does work with MSIE 4 but this version of IE doesn't like the Verisign
Global certificate (it can't complete the chain) and therefore says it
doesn't trust our site. This is despite the fact that Verisign says the
Global ID's work with MSIE 4+, so I must still have something wrong. At
the bottom of this message is the ssl_engine_log of the server starting
up and MSIE 4.7 trying to connect. Can someone point out why the
intermediate_ca doesn't seem to get to IE? Is it because IE is
connecting with SSLv2?

Anyway, here's the relevant lines from my httpd.conf

--- httpd.conf ---

Listen 443

# SSL session cache is required to get around MSIE bugs
SSLSessionCache dbm:/var/log/httpd/ssl_cache
SSLSessionCacheTimeout 300

<VirtualHost 210.55.172.141:443>
  ServerName www.motorweb.co.nz

  SSLEngine on

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate-ca.crt
  SSLLog /var/log/httpd/ssl_engine_log
  SSLLogLevel trace

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

--- ssl_engine_log ---

Init: Loading certificate & private key of SSL-aware server
www.motorweb.co.nz:443
Init: (www.motorweb.co.nz:443) unencrypted RSA private key - pass phrase
not required
Init: Configuring server www.motorweb.co.nz:443 for SSL protocol
Init: (www.motorweb.co.nz:443) Creating new SSL context (protocols:
SSLv2, SSLv3, TLSv1)
Init: (www.motorweb.co.nz:443) Configuring permitted SSL ciphers
[ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
Init: (www.motorweb.co.nz:443) Configuring RSA server certificate
Init: (www.motorweb.co.nz:443) RSA server certificate enables Server
Gated Cryptography (SGC)
Init: (www.motorweb.co.nz:443) Configuring RSA server private key
Init: (www.motorweb.co.nz:443) Configuring server certificate chain (1
CA certificate)
Connection to child 2 established (server www.motorweb.co.nz:443, client
210.55.82.41)
Seeding PRNG with 0 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
OpenSSL: Loop: SSLv2 read client hello A
OpenSSL: Loop: SSLv2 write server hello A
OpenSSL: Loop: SSLv2 read client master key A
OpenSSL: Loop: SSLv2 server start encryption
OpenSSL: Loop: SSLv2 write server verify A
OpenSSL: Loop: SSLv2 read client finished A
OpenSSL: Loop: SSLv2 write request certificate A
OpenSSL: Loop: SSLv2 write server finished A
Inter-Process Session Cache: request=SET status=OK
id=82EBC78C51D8403F32DA3EA9C62507DC timeout=299s (session caching)
OpenSSL: Handshake: done
Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher:
EXP-RC4-MD5 (40/128 bits)
Connection to child 2 closed with standard shutdown (server
www.motorweb.co.nz:443, client 210.55.82.41)
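An added example, not code from the thread: a Python check over ssl_request_log lines in the CustomLog format Damon posted above, flagging the SSLv2 export-cipher handshake his ssl_engine_log shows and the NULL cipher that +eNULL in his SSLCipherSuite admits. The log lines are constructed, and the regex assumes exactly that CustomLog format.

```python
"""Flag weak SSL/TLS negotiations in mod_ssl's ssl_request_log, assuming the
CustomLog format from the thread:
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$')

# Constructed sample lines in that format. The first mirrors the handshake in
# the ssl_engine_log above (SSLv2, EXP-RC4-MD5 at 40/128 bits).
SAMPLE_LOG = """\
[22/May/2001:20:42:10 +1200] 210.55.82.41 SSLv2 EXP-RC4-MD5 "GET / HTTP/1.0" 2310
[22/May/2001:20:43:05 +1200] 210.55.82.41 TLSv1 RC4-MD5 "GET /index.html HTTP/1.1" 2310
[22/May/2001:20:44:17 +1200] 192.0.2.7 SSLv3 NULL-MD5 "GET /login HTTP/1.0" 512
[22/May/2001:20:45:02 +1200] 192.0.2.9 TLSv1 DES-CBC3-SHA "POST /form HTTP/1.1" 88
this line does not match the format and is skipped
"""

def parse_line(line: str):
    """Named fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def weaknesses(proto: str, cipher: str) -> list:
    """Reasons a negotiated (protocol, cipher) pair deserves an alert."""
    reasons = []
    if proto == "SSLv2":
        # SSLv2 carries a single server certificate and no chain, so the
        # intermediate in SSLCertificateChainFile never reaches the client.
        reasons.append("SSLv2 negotiated")
    if cipher.startswith("EXP"):
        reasons.append("export-grade cipher")
    if "NULL" in cipher.split("-"):
        # +eNULL in SSLCipherSuite admits this: authenticated but unencrypted.
        reasons.append("NULL cipher: no encryption")
    return reasons

def scan(log_text: str) -> list:
    """Flagged connections as dicts with host, proto, cipher and reasons."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = weaknesses(rec["proto"], rec["cipher"])
        if reasons:
            flagged.append({"host": rec["host"], "proto": rec["proto"],
                            "cipher": rec["cipher"], "reasons": reasons})
    return flagged

def tally(log_text: str) -> Counter:
    """How often each reason fires, for a per-log summary."""
    return Counter(r for hit in scan(log_text) for r in hit["reasons"])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["host"], hit["proto"], hit["cipher"], "; ".join(hit["reasons"]))
    print(dict(tally(SAMPLE_LOG)))
```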



Re: SSLCertificateChain file for Intermediate CA

2001-05-19 Thread Damon Maria

 Without going through mod_ssl's source: did you try to put the complete
 chain into the ChainFile? 

Tried this, but it didn't make any difference.

 With respect to the error message, mod_ssl can write more messages
 than that into e.g. an ssl_engine_log. Did you check all possible
 logfiles?

I've checked, even with SSLLogLevel debug I couldn't get any more out of
it.

I've since looked through the mod_ssl source and if there is any kind of
error while trying to load the ChainFile then the generic "Failed to
configure CA certificate chain!" message is produced. Not very helpful
really since there are many possibilities.

I have also tried using SSLCACertificateFile instead of and in
conjunction with SSLCertificateChainFile. This was described at
http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html
as the instructions for ApacheSSL rather than mod_ssl. If used instead
of SSLCertificateChainFile no init errors happen and the following is
reported in ssl_engine_log:

[20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443)
Configuring client authentication
[20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust
Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class
3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

So it appears there is nothing wrong with my Intermediate Certificate
(since that's what the trace is outputting) or Apache's ability to read
it. Why oh why then doesn't it work with SSLCertificateChainFile,
agh!

Thanks for the help and suggestions, but I'm still stuck.

One thing I haven't mentioned previously is that I'm running Apache
1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
either of these versions.

regards,
Damon.



Re: SSLCertificateChain file for Intermediate CA

2001-05-19 Thread Juha Saarinen

On Sun, 20 May 2001, Damon Maria wrote:

 One thing I haven't mentioned previously is that I'm running Apache
 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
 either of these versions.

Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with
mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and
it uses the SSLCertificateChain thang without problems.

-- 
Regards,


Juha

PGP fingerprint:
B7E1 CC52 5FCA 9756 B502  10C8 4CD8 B066 12F3 9544




Re: SSLCertificateChain file for Intermediate CA

2001-05-19 Thread Damon Maria

Juha Saarinen wrote:
 
 On Sun, 20 May 2001, Damon Maria wrote:
 
  One thing I haven't mentioned previously is that I'm running Apache
  1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
  either of these versions.
 
 Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with
 mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and
 it uses the SSLCertificateChain thang without problems.

I may as well, I'm running out of other options. 

thanks again for the help,
Damon.



Re: SSLCertificateChain file for Intermediate CA

2001-05-18 Thread Lutz Jaenicke

On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
 Since I haven't gotten too much of a response yet (except for thanks to
 Juha) I'll post my VirtualHost in httpd.conf, which I probably should
 have done in the first place.
 
 If I uncomment the SSLCertificateChainFile line then the following
 appears in the log and apache won't start...
 
 [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
 certificate chain!
 
 I've copied my original message at the bottom of this one which contains
 the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
 from Verisign's site).

Without going through mod_ssl's source: did you try to put the complete
chain into the ChainFile? The server cert is in its own file. For my
server (www.aet.tu-cottbus.de) I have an intermediate and a root CA
certificate. Both are concatenated together into the chain file.

With respect to the error message, mod_ssl can write more messages
than that into e.g. an ssl_engine_log. Did you check all possible
logfiles?

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: SSLCertificateChain file for Intermediate CA

2001-05-18 Thread Henning von Bargen

Lutz, when I try to access your site
with Internet Explorer 5.5,
IE tells me that it cannot verify the certificate.
German error message is:
Das Zertifikat wurde von einer Firma ausgestellt,
die Sie nicht als vertrauenswürdig eingestuft haben.
Untersuchen Sie das Zertifikat um festzustellen, 
ob Sie der ausstellenden Institution vertrauen möchten.

 -----Original Message-----
 From: Lutz Jaenicke [SMTP:[EMAIL PROTECTED]]
 Sent: Friday, 18 May 2001 10:50
 To: [EMAIL PROTECTED]
 Subject: Re: SSLCertificateChain file for Intermediate CA
 



Re: SSLCertificateChain file for Intermediate CA

2001-05-18 Thread Lutz Jaenicke

On Fri, May 18, 2001 at 01:21:31PM +0200, Henning von Bargen wrote:
 Lutz, when I try to access your site
 with Internet Explorer 5.5,
 IE tells me that it cannot verify the certificate.
 German error message is:
 Das Zertifikat wurde von einer Firma ausgestellt,
 die Sie nicht als vertrauenswürdig eingestuft haben.
 Untersuchen Sie das Zertifikat um festzustellen, 
 ob Sie der ausstellenden Institution vertrauen möchten.

Yes, that is true. Our certificate was issued by our university's
computer center (intermediate CA) and the root CA is the DFN
(german research network, the provider for the german universities
and scientific institutions).

emws1 26: openssl s_client -connect www.aet.tu-cottbus.de:443
CONNECTED(0003)
depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
Cottbus/OU=Allgemeine Elektrotechnik und Numerische 
[EMAIL PROTECTED]
   i:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
 1 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
 2 s:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]

The message IE shows is due to the fact that DFN-PCA is not part of the
standard CA bundle.
When you import the DFN-PCA certificate, the problem will go away:
  http://www.pca.dfn.de/dfnpca/certify/ssl/pca-key.html
(I also have not initialized the trusted CA storage for openssl s_client,
which correspondingly complains about self signed certificate in
certificate chain).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: SSLCertificateChain file for Intermediate CA

2001-05-17 Thread Damon Maria

 I presume you're not trying to explicitly construct the server certificate
 chain that is being sent to the browser, together with the actual server
 cert?

This is what I'm trying to do. I'm trying to send all the certificates
in the chain (except the root) to the browser. This includes my server
certificate and the intermediate certificate.

If you try https://www.motorweb.co.nz/ in IE (I'm using 5.0) and click
on the padlock, look at the Certification Path. You'll see there is the
Primary CA, the www.verisign.com Intermediate CA and then the
www.motorweb.co.nz certificate. IE contains the Primary and Intermediate
CA and so works fine. Other browsers don't contain the Intermediate CA
and so can't complete the chain. 

I need to get mod_ssl to serve up the Intermediate CA, and that's what
SSLCertificateChainFile is supposed to do. But adding that into
httpd.conf causes mod_ssl to die on startup: Failed to configure CA
certificate chain!

regards,
Damon.



Re: SSLCertificateChain file for Intermediate CA

2001-05-17 Thread Damon Maria

Since I haven't gotten too much of a response yet (except for thanks to
Juha) I'll post my VirtualHost in httpd.conf, which I probably should
have done in the first place.

If I uncomment the SSLCertificateChainFile line then the following
appears in the log and apache won't start...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
certificate chain!

I've copied my original message at the bottom of this one which contains
the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
from Verisign's site).

I've seen this solution to the Global ID Intermediate CA problem
documented all over the web, but can't get it to work. There must be
something obviously wrong with what I've done.

yours in desperation,
Damon.


<VirtualHost ...>
  ServerName www.motorweb.co.nz

  SSLEngine on

# The following hopefully get around the MSIE 4.x and 5.0 SGC bug
#  SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
  SSLProtocol -all +SSLv2
  SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

# SSLLog /var/log/httpd/ssl_engine_log
# SSLLogLevel debug

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


 Original Message 
Subject: SSLCertificateChain file for Intermediate CA
Date: Thu, 17 May 2001 15:47:46 +1200
From: Damon Maria [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]




RE: SSLCertificateChain file for Intermediate CA

2001-05-17 Thread Juha Saarinen

:: Since I haven't gotten too much of a response yet (except for thanks to
:: Juha) I'll post my VirtualHost in httpd.conf, which I probably should
:: have done in the first place.
::
:: If I uncomment the SSLCertificateChainFile line then the following
:: appears in the log and apache won't start...
::
:: [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
:: certificate chain!

Stupid suggestion, perhaps, but can Apache read the CA file? Are the
permissions OK?

-- Juha




Re: SSLCertificateChain file for Intermediate CA

2001-05-17 Thread Damon Maria

Juha Saarinen wrote:
 
 Stupid suggestion, perhaps, but can Apache read the CA file? Are the
 permissions OK?

Good suggestion, but the permissions are OK (identical to server.crt).

thanks again,
Damon.



SSLCertificateChain file for Intermediate CA

2001-05-16 Thread Damon Maria

I'm using a Verisign Global ID and therefore need to configure modssl to
serve up the Intermediate CA. I've followed the various instructions
I've found for this but with no success.

I downloaded the Intermediate CA and saved it under intermediate_ca.crt
(I've listed it at the bottom of this message). I then added...

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

into my VirtualHost next to all the other SSL* settings. But if I start
Apache with this setting it reports...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
certificate chain!

I've tried SSLLogLevel debug but this doesn't produce any more
information.

I've been trying for ages and am getting desperate, can someone help me
out.

thanks in advance,
Damon Maria.




RE: SSLCertificateChain file for Intermediate CA

2001-05-16 Thread Juha Saarinen

Gidday Damon,

Seems to work OK...

https://www.motorweb.co.nz loads fine, and if I look at the cert, I see:

Issued to: www.motorweb.co.nz

Issued by: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
[sic]

Valid from: 05/02/01 to 06/02/02

Cert serial is: 74EB B7E7 DB06 D3A7 5401 3B94 4C7B B1FE

Thumbprint: D0EA 585F DD9A E330 10DB A820 F2B1 327B FB15 48CD



-- Juha

PS. I'm gunna tell Nic what a l4m3r you are. ;


:: -Original Message-
:: From: [EMAIL PROTECTED]
:: [mailto:[EMAIL PROTECTED]]On Behalf Of Damon Maria
:: Sent: Thursday, 17 May 2001 15:48
:: To: [EMAIL PROTECTED]
:: Subject: SSLCertificateChain file for Intermediate CA




Re: SSLCertificateChain file for Intermediate CA

2001-05-16 Thread Damon Maria

 Seems to work OK...

Did you use IE? That seems to work fine (I guess it comes with the
Intermediate CA), Netscape and Opera both barf on it tho'.

 https://www.motorweb.co.nz loads fine, and if I look at the cert, I see:
 
 Issued to: www.motorweb.co.nz
 
 Issued by: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 [sic]
 
 Valid from: 05/02/01 to 06/02/02
 
 Cert serial is: 74EB B7E7 DB06 D3A7 5401 3B94 4C7B B1FE
 
 Thumbprint: D0EA 585F DD9A E330 10DB A820 F2B1 327B FB15 48CD
 
 -- Juha
 
 PS. I'm gunna tell Nic what a l4m3r you are. ;

Wait until you try it in NS first :)




RE: SSLCertificateChain file for Intermediate CA

2001-05-16 Thread Juha Saarinen

:: Did you use IE? That seems to work fine (I guess it comes with the
:: Intermediate CA), Netscape and Opera both barf on it tho'.

Yes, IE 5.5; Konqueror 2.1.1 works too.

:: Wait until you try it in NS first :)

Nutscrape 4.76 says it does not recognize the authority who [sic] signed
its [sic] certificate.

It gets the right info (ie. who it belongs to and who issued it).

Opera 5 says that the certificate chain is incomplete, and the signer is not
registered. So that kind of sucks... but you can accept the cert.

Are you using the right command though?

This directive sets the optional all-in-one file where you can assemble the
certificates of Certification Authorities (CA) which form the certificate
chain of the server certificate. This starts with the issuing CA certificate
of the server certificate and can range up to the root CA certificate.
Such a file is simply the concatenation of the various PEM-encoded CA
Certificate files, usually in certificate chain order.

This should be used alternatively and/or additionally to
SSLCACertificatePath for explicitly constructing the server certificate
chain which is sent to the browser in addition to the server certificate. It
is especially useful to avoid conflicts with CA certificates when using
client authentication. Because although placing a CA certificate of the
server certificate chain into SSLCACertificatePath has the same effect for
the certificate chain construction, it has the side-effect that client
certificates issued by this same CA certificate are also accepted on client
authentication. That's usually not what one expects.

I presume you're not trying to explicitly construct the server certificate
chain that is being sent to the browser, together with the actual server
cert?

-- Juha



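An added example (not code from the thread or from mod_ssl) for Lutz's advice to concatenate the intermediate and root CA certificates into the chain file and for the SSLCertificateChainFile description quoted above: a Python linter that splits the PEM bundle, reads issuer and subject straight from each certificate's DER, and checks that the file runs in chain order starting with the issuer of the server certificate. The certificates it exercises are constructed, unsigned skeletons with hypothetical names, built inside the block.

```python
"""Lint a mod_ssl SSLCertificateChainFile: split the PEM bundle, read each
certificate's issuer and subject straight from the DER, and check that the
file runs issuer-of-server -> ... -> (optional) root. Standard library only."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(bundle: str) -> list:
    """DER bytes of every certificate block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle)]

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def names(der_cert: bytes):
    """(issuer, subject) as raw DER Names. Certificate = SEQ { tbs SEQ {
    [0] version?, serial, sigAlg, issuer, validity, subject, ... }, ... }."""
    _, cert, _ = read_tlv(der_cert, 0)
    fields = children(children(cert)[0][1])
    if fields[0][0] == 0xA0:                 # explicit [0] version present
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def check_chain(server_pem: str, chain_pem: str) -> list:
    """Problems with chain_pem as the chain file for server_pem (empty list
    means usable): each cert must be the issuer of the cert before it."""
    chain = split_pem(chain_pem)
    if not chain:
        return ["no PEM certificate block found in chain file"]
    problems, expected = [], names(split_pem(server_pem)[0])[0]
    for i, der_cert in enumerate(chain):
        issuer, subject = names(der_cert)
        if subject != expected:
            problems.append(f"chain cert {i} does not issue the preceding cert")
        expected = issuer
    return problems

# --- constructed sample: unsigned certificate skeletons, not real certs ---
def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name(cn: str) -> bytes:
    """Name ::= SEQ { SET { SEQ { OID commonName, PrintableString cn } } }"""
    attr = der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode())
    return der(0x30, der(0x31, der(0x30, attr)))

def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Structurally valid Certificate with empty validity, key and signature."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + der(0x05, b""))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
           + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00"))

def to_pem(der_cert: bytes) -> str:
    b64 = base64.encodebytes(der_cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Hypothetical names; the shape mirrors the thread: server <- intermediate <- root.
SERVER = to_pem(fake_cert("www.example.test", "Example Intermediate CA"))
INTERMEDIATE = to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))
ROOT = to_pem(fake_cert("Example Root CA", "Example Root CA"))

if __name__ == "__main__":
    print(check_chain(SERVER, INTERMEDIATE + ROOT))   # []
    print(check_chain(SERVER, ROOT + INTERMEDIATE))   # wrong order: two problems
```

Run against a real server.crt and chain file by passing their contents to check_chain; a non-empty list is the kind of ordering or framing mistake that mod_ssl only reports as "Failed to configure CA certificate chain!".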