From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 52630] Firefox can't access SSL websites with client authentication and when using a symlink to a directory of CA certs
Date: Sat, 11 Feb 2012 06:47:34 +0000

https://issues.apache.org/bugzilla/show_bug.cgi?id=52630

Kaspar Brand changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                URL|https://bugzilla.mozilla.org/show_bug.cgi?id=725652 |
            Version|2.2.22                      |2.2.16
         Resolution|                            |INVALID
           Severity|major                       |normal

--- Comment #5 from Kaspar Brand 2012-02-11 06:47:34 UTC ---
This is a configuration issue. From your httpd log on Mozilla's Bugzilla (which
is definitely the wrong place to post it to):

[Thu Feb 09 15:54:43 2012] [error] [client 192.168.180.174] Certificate Verification: Error (20): unable to get local issuer certificate

Either your client/browser isn't sending any intermediate CAs in the handshake,
or mod_ssl can't locate them locally either. (Or third, if you're using a
single-tier CA hierarchy, mod_ssl can't locate the root cert itself.)

> I have basically this configuration for client auth:
> SSLCACertificatePath pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.crt.d
> SSLCADNRequestPath pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d
> SSLCARevocationPath pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.crl.d
>
> All these three files are actually symbolic links to the directory
> /etc/grid-security/certificates

There's no point in setting SSLCACertificatePath and SSLCADNRequestPath to the
exact same directory (see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcadnrequestfile).

Looking at the directives quoted above, it should be noted that they specify
*relative* paths. Unless there's a "pki" subdirectory in your HTTPD_ROOT (see
httpd -V), mod_ssl won't be able to find the CA certs this way.
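
A way to check the relative-path point from the comment above, as an added example that is not part of the original bug report or of httpd: the shell functions below resolve the three mod_ssl path directives against a server root and report any that do not lead to a readable directory. The function names, the output format and the simple one-directive-per-line parsing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of httpd).
# Usage: sh check_ca_paths.sh <server-root> <config-file>
# <server-root> is the directory relative paths are resolved against,
# e.g. the HTTPD_ROOT value printed by `httpd -V` (or the ServerRoot
# in effect, if the configuration sets one).

# resolve_path ROOT PATH: print PATH unchanged if absolute,
# otherwise print it joined onto ROOT.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# check_ca_paths ROOT CONF: print "OK|MISSING <directive> <resolved dir>"
# for each CA path directive in CONF; return 1 if any is missing.
check_ca_paths() {
    root=$1
    conf=$2
    rc=0
    while read -r name value _; do
        case "$name" in
            SSLCACertificatePath|SSLCADNRequestPath|SSLCARevocationPath) ;;
            *) continue ;;
        esac
        # Drop optional surrounding double quotes from the argument.
        value=${value#\"}
        value=${value%\"}
        dir=$(resolve_path "$root" "$value")
        # -d follows symlinks, so a dangling link is reported as MISSING.
        if [ -d "$dir" ] && [ -r "$dir" ]; then
            echo "OK $name $dir"
        else
            echo "MISSING $name $dir"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_ca_paths "$1" "$2"
fi
```

A `MISSING` line for a relative path means the directory does not exist under the given server root, which is the situation the comment describes for the `pki/...` paths.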