httpd-bugs mailing list archives

Subject: DO NOT REPLY [Bug 52630] Firefox can't access SSL websites with client authentication and when using a symlink to a directory of CA certs
Date: Sat, 11 Feb 2012 06:47:34 GMT

Kaspar Brand <> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
                URL|https://bugzilla.mozilla.or |
                   |g/show_bug.cgi?id=725652    |
            Version|2.2.22                      |2.2.16
         Resolution|                            |INVALID
           Severity|major                       |normal

--- Comment #5 from Kaspar Brand <> 2012-02-11 06:47:34 UTC ---
This is a configuration issue. From your httpd log on Mozilla's Bugzilla (which
is definitely the wrong place to post it to):

[Thu Feb 09 15:54:43 2012] [error] [client] Certificate
Verification: Error (20): unable to get local issuer certificate

Either your client/browser isn't sending any intermediate CAs in the handshake,
or mod_ssl can't locate them locally either. (Or third, if you're using a
single-tier CA hierarchy, mod_ssl can't locate the root cert itself.)

> I have basically this configuration for client auth:
>         SSLCACertificatePath pki/virtual-hosts/
>         SSLCADNRequestPath pki/virtual-hosts/
>         SSLCARevocationPath pki/virtual-hosts/
> All these three files are actually symbolic links to the directory
> /etc/grid-security/certificates

There's no point in setting SSLCACertificatePath and SSLCADNRequestPath to the
exact same directory (see

Looking at the directives quoted above, it should be noted that they specify
*relative* paths. Unless there's a "pki" subdirectory in your HTTPD_ROOT (see
httpd -V), mod_ssl won't be able to find the CA certs this way.

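A local check for the two failure points the comment above names (a relative path resolved against the server root, and whether CA certs can be found there, including through a symlink), as an added example that is not part of the original message or of httpd. The function names are hypothetical; pass the ServerRoot actually in effect (HTTPD_ROOT from `httpd -V` unless a ServerRoot directive overrides it). The hashed-file-name test reflects how OpenSSL looks up certificates in a CA directory, which the message does not spell out.

```shell
#!/bin/sh
# Added example: sanity-check a mod_ssl CA directory directive
# (e.g. SSLCACertificatePath) before blaming the client.

# resolve_ca_dir SERVER_ROOT DIRECTIVE_PATH
# Absolute paths are used as-is; relative ones are taken relative to the
# server root, which is the behaviour the comment points out.
resolve_ca_dir() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# check_ca_dir SERVER_ROOT DIRECTIVE_PATH
# Prints one status word on stdout (resolved path goes to stderr):
#   missing | dangling-symlink | not-a-directory | no-hashed-certs | ok
check_ca_dir() {
    dir=$(resolve_ca_dir "$1" "$2")
    echo "resolved: $dir" >&2
    link=${dir%/}   # a trailing slash would hide the symlink from 'test -L'
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo dangling-symlink; return 1
    fi
    if [ ! -e "$dir" ]; then echo missing; return 1; fi
    if [ ! -d "$dir" ]; then echo not-a-directory; return 1; fi
    # OpenSSL finds an issuer in a CA directory by subject-hash file name
    # (eight hex digits, a dot, a sequence number), as created by c_rehash.
    h='[0-9a-f]'
    for f in "$dir"/*; do
        case "${f##*/}" in
            $h$h$h$h$h$h$h$h.[0-9]*)
                if [ -r "$f" ]; then echo ok; return 0; fi ;;
        esac
    done
    echo no-hashed-certs; return 1
}

# Usage (the server root here is a constructed sample value):
#   check_ca_dir /usr/local/apache2 pki/virtual-hosts/
```

Anything other than `ok` means mod_ssl has no usable CA directory at that location, which is consistent with the "unable to get local issuer certificate" error in the log.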