httpd-users mailing list archives

From "John Turner" <j...@johnturner.com>
Subject [users@httpd] [report - no HTML] Intermediate SSL cert problem with Apache 2.0.43
Date Thu, 08 Jan 2004 22:43:53 GMT
Hi -

I have a running installation of Apache 2.0.43, with SSL.  I have a
Verisign certificate that expires in Aug 2004.  I've followed the
installation description at Verisign (found here:
http://www.verisign.com/support/install/apache/v00Mod.html#global)
exactly.

My SSL configuration in httpd.conf looks like this, for a single virtual
host (no other hosts are currently running, HTTP or HTTPS):

SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.key/domain.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/domain.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl.key/verisign-intermediate.crt

The certificate contained in verisign-intermediate.crt is the certificate
from this URL: http://www.verisign.com/support/install/intermediate.html
as specified in the installation instructions.

My Problem: browsing to my domain with IE 6 sets up a successful SSL
connection without errors or other alerts.  However, using Mozilla as well
as "openssl s_client -connect domain.com:443" generates errors about not
being able to verify the certificate.

The specific messages returned by openssl are: "num=20:unable to get local
issuer certificate" and "num=21:unable to verify the first certificate".

I'm pretty stumped, and a morning spent searching Google and reading all
sorts of archived posts hasn't led me any closer to a solution.

Is IE broken (please no rants, flames, or sarcasm) and it's just assuming
the certificate is valid because Apache is not sending the intermediate
cert? How do I verify Apache is sending the certs, including the
intermediate cert?

If openssl isn't happy, it seems Apache isn't sending the intermediate
cert. If this is true, and my configuration is wrong, how do I fix it?  I
did see one post
(http://forums.devshed.com/t104136/sadcf52b12ec7564e45b1036a7005d2ee.html)
where the poster upgraded his Apache installation to 2.0.48 and got rid of
the same problem...is this the only solution?

John





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
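
On the question of how to verify that Apache is sending the intermediate cert: the sketch below is an added example, not part of the original message and not Apache or OpenSSL tooling. It reads the "Certificate chain" section that openssl s_client prints and reports how many certificates the server sent and which issuer the client must already trust. The function names and the sample subject/issuer names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the "Certificate chain" section printed by
#   openssl s_client -connect HOST:443 -showcerts </dev/null | check_chain
# Exit status: 0 = leaf plus CA cert(s) sent and linked, 1 = leaf only,
#              2 = certificates sent but not linked, 3 = no chain found.
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && $0 == "---" { in_chain = 0 }   # section end; PEM "-----" lines do not match
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/ { sub(/^ *i:/, ""); iss[n++] = $0 }
    END {
      if (n == 0) { print "no certificate chain in input"; exit 3 }
      for (k = 0; k + 1 < n; k++)   # each issuer must equal the next subject
        if (iss[k] != subj[k + 1]) { printf "sent=%d broken_at=%d\n", n, k + 1; exit 2 }
      printf "sent=%d client_must_already_trust=%s\n", n, iss[n - 1]
      exit ((n == 1 && iss[0] != subj[0]) ? 1 : 0)
    }'
}

# Constructed s_client output: the server sends only its own certificate.
sample_leaf_only() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/O=Example Trust Network/OU=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
EOF
}

# Constructed s_client output: the chain file content is being sent as well.
sample_with_intermediate() {
  cat <<'EOF'
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/O=Example Trust Network/OU=Example Intermediate CA
 1 s:/O=Example Trust Network/OU=Example Intermediate CA
   i:/C=US/O=Example Root/OU=Example Primary CA
---
EOF
}
```

A result of sent=1 whose issuer is an intermediate CA means the chain file is not reaching the client, so only clients that already hold that intermediate can verify the server certificate.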

