httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 56407] Incorrect info line for SSLCertificateChainFile directive
Date Mon, 14 Apr 2014 04:32:34 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=56407

Kaspar Brand <asfbugz@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
                 OS|Linux                       |All

--- Comment #1 from Kaspar Brand <asfbugz@velox.ch> ---
(In reply to Scott van Looy from comment #0)
> This helpful warning appeared to me when I was checking some config:
> AH02559: The SSLCertificateChainFile directive
> (/etc/httpd/conf.d/ssl.conf:133) is deprecated, SSLCertificateFile should be
> used instead
> It appears to be incorrect, it should say “SSLCACertificateFile should be
> used instead” shouldn’t it?

No, SSLCACertificateFile is about configuring CA certificates you trust for
client authentication, which is different from the (intermediate) CA
certificates you configure for the server's own certificate.

> I tried using SSLCertificateFile and nothing worked.

Note that the file pointed to by SSLCertificateFile needs to have both the
server certificate and the intermediate CA certificates. Quoting from
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile:

"This directive points to a file with certificate data in PEM format. At a
minimum, the file must include an end-entity (leaf) certificate. Beginning with
version 2.4.8, it may also include intermediate CA certificates, sorted from
leaf to root, and obsoletes SSLCertificateChainFile."

I.e., to update your configuration to no longer rely on
SSLCertificateChainFile, you need to append the contents of the chain file to
those already in SSLCertificateFile.

I'm closing this bug, as the warning message itself is correct. If there's
something in the documentation which could be improved, then let us know.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
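
The migration described in the comment above, as an added example that is not part of the original message or of httpd: find active `SSLCertificateChainFile` directives, then build the new `SSLCertificateFile` contents from the existing certificate followed by the chain. The paths and PEM bodies are constructed placeholders, the chain file is assumed to be already ordered leaf to root, and only CERTIFICATE blocks are carried over (a private key is assumed to live in its own file).

```python
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.*?-----END CERTIFICATE-----", re.DOTALL)
DIRECTIVE = re.compile(
    r"^[ \t]*SSLCertificateChainFile[ \t]+(.+?)[ \t]*$", re.I | re.M)

def deprecated_chain_directives(conf_text):
    """Return (line_number, path) for each active SSLCertificateChainFile."""
    return [(conf_text.count("\n", 0, m.start()) + 1, m.group(1).strip('"'))
            for m in DIRECTIVE.finditer(conf_text)]

def cert_blocks(pem_text):
    """Extract CERTIFICATE blocks, normalizing line endings and blank lines."""
    blocks = []
    for m in PEM_CERT.finditer(pem_text):
        lines = [ln.strip() for ln in m.group(0).splitlines() if ln.strip()]
        blocks.append("\n".join(lines))
    return blocks

def merge_chain(cert_text, chain_text):
    """Contents for SSLCertificateFile: existing certs first, then the chain."""
    merged = cert_blocks(cert_text)
    if not merged:
        raise ValueError("no certificate found in SSLCertificateFile contents")
    for block in cert_blocks(chain_text):
        if block not in merged:      # makes a second run a no-op
            merged.append(block)
    return "\n".join(merged) + "\n"

# Constructed sample input (placeholder base64 bodies, not real certificates).
CONF = """<VirtualHost *:443>
    SSLCertificateFile /etc/pki/tls/certs/example.crt
    # SSLCertificateChainFile /old/path.crt
    SSLCertificateChainFile "/etc/pki/tls/certs/example-chain.crt"
</VirtualHost>
"""
# No trailing newline: plain concatenation would fuse the END and BEGIN markers.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"
CHAIN = ("-----BEGIN CERTIFICATE-----\r\nSU5UMQ==\r\n-----END CERTIFICATE-----\r\n"
         "-----BEGIN CERTIFICATE-----\r\nSU5UMg==\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(deprecated_chain_directives(CONF))
    print(merge_chain(LEAF, CHAIN), end="")
```

Once the merged file is in place and the `SSLCertificateChainFile` line is removed, `apachectl configtest` should no longer report AH02559.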

