On Wed, 7 Dec 2005, Nick Burch wrote:
I'm also half tempted to try and make that error message more useful. Anyone know much about that area of code, or should I just dive in?

I've done this. I still haven't quite figured out my problem, but I have narrowed it down quite a bit. Now to go investigate why my certificate isn't making it into mc->tPublicCert....

Anyway, this patch will make ssl_engine_init.c produce much more helpful debug output when loading certificates: it will tell you which certificates it does load, and if it can't find an RSA or DSA certificate, it'll tell you which ones it does know about.


--- ssl_engine_init.c.sav       2005-12-09 16:36:21.026192705 +0000
+++ ssl_engine_init.c   2005-12-09 17:17:45.014684541 +0000
@@ -710,11 +710,13 @@
     X509 *cert;

     if (!(asn1 = ssl_asn1_table_get(mc->tPublicCert, id))) {
+               ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                        "No %s server certificate exists for 
%s", type, id);
         return FALSE;
     }

     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                 "Configuring %s server certificate", type);
+                 "Configuring %s server certificate for %s", type, id);

     ptr = asn1->cpData;
     if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
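Review bot: The two added `ap_log_error` lines in the not-found branch are indented with tabs, while every context line around them uses spaces. The same mix shows up in the declarations `const void *key;` and `apr_hash_index_t *hi;` in the second hunk and in the loop in the third, so the new lines should be re-indented to match the file. As posted, the format string `"No %s server certificate exists for %s"` is also split across two physical lines (probably mail wrapping, as is the `for` header in the third hunk), so the patch will not apply or compile until those lines are rejoined. The enclosing function starts above this hunk and continues below it.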
@@ -862,6 +864,10 @@
     int i;
     int have_rsa, have_dsa;

+    SSLModConfigRec *mc = myModConfig(s);
+       const void *key;
+       apr_hash_index_t *hi;
+
     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);

@@ -871,6 +877,19 @@
     if (!(have_rsa || have_dsa)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Oops, no RSA or DSA server certificate found?!");
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to load certificate for vhost %s",
+                               vhost_id);
+
+               // Print out, at debug, what certificates are defined
+               for (hi = apr_hash_first(p, mc->tPublicCert); hi; hi = 
apr_hash_next(hi)) {
+                       apr_hash_this(hi, &key, NULL, NULL);
+                       ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "I know about certificate '%s'", key);
+               }
+               ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                        "No further certificates known about");
+
         ssl_die();
     }
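Review bot: In the new loop, `key` is declared `const void *` (second hunk) and handed straight to a `%s` conversion in `"I know about certificate '%s'"`; pass it as `(const char *)key` so the argument matches the format. The call also passes NULL for the key-length out-parameter of `apr_hash_this`, so it relies on every key in `mc->tPublicCert` being a NUL-terminated string. The insert path is not visible here, so either confirm that or fetch the length and log with a bounded `%.*s`. The iterator is allocated from `p`, which is not declared in the visible hunks; `ptemp` is in scope (it is used in the `ssl_asn1_table_keyfmt` calls) and looks like the better pool for a throwaway iterator. The `//` comment should be written as `/* Log, at debug level, which certificates are defined */` if the file keeps to block comments, which the visible context does not show either way.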

