From: Aaron W Morris
To: users@httpd.apache.org
Date: Sun, 11 Jan 2004 16:12:45 -0500
Subject: Re: [users@httpd] Intermediate SSL cert problem with Apache 2.0.43

Turner, John wrote:
> Hi -
>
> I have a running installation of Apache 2.0.43, with SSL. I have a Verisign
> certificate that expires in Aug 2004. I've followed the installation
> description at Verisign (found here:
> http://www.verisign.com/support/install/apache/v00Mod.html#global) exactly.
>
> My SSL configuration in httpd.conf looks like this, for a single virtual
> host (no other hosts are currently running, HTTP or HTTPS):
>
> SSLEngine on
> SSLCertificateFile /usr/local/apache2/conf/ssl.key/domain.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/domain.key
> SSLCertificateChainFile /usr/local/apache2/conf/ssl.key/verisign-intermediate.crt
>
> The certificate contained in verisign-intermediate.crt is the certificate
> from this URL: http://www.verisign.com/support/install/intermediate.html as
> specified in the installation instructions.
>
> My Problem: browsing to my domain with IE 6 sets up a successful SSL
> connection without errors or other alerts. However, using Mozilla as well
> as "openssl s_client -connect domain.com:443" generates errors about not
> being able to verify the certificate.
>
> The specific messages returned by openssl are: "num=20:unable to get local
> issuer certificate" and "num=21:unable to verify the first certificate".
>
> I'm pretty stumped, and a morning spent searching Google and reading all
> sorts of archived posts hasn't led me any closer to a solution.
>
> Is IE broken (please no rants, flames, or sarcasm) and it's just assuming the
> certificate is valid because Apache is not sending the intermediate cert?
> How do I verify Apache is sending the certs, including the intermediate
> cert?
>
> If openssl isn't happy, it seems Apache isn't sending the intermediate cert,
> if this is true, and my configuration is wrong, how do I fix it? I did see
> one post
> (http://forums.devshed.com/t104136/sadcf52b12ec7564e45b1036a7005d2ee.html)
> where the poster upgraded his Apache installation to 2.0.48 and got rid of
> the same problem...is this the only solution?
>
> - John
>
> ============================================
> John Turner
> jturner@aas.com | 248-488-3466
> Advertising Audit Service
> http://www.aas.com
>

This might have something to do with the recently expired Verisign CA
certificate. Check the expiration of your public CA signing certificate.

--
Aaron W Morris (decep)
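
Added example, not part of the original thread: one way to check whether the server is sending its intermediate is to count the certificates listed under "Certificate chain" in `openssl s_client` output and pair that count with the verify error numbers quoted above. The two sample outputs are constructed with placeholder names, and the function names are hypothetical.

```shell
# Constructed s_client output (placeholder names): server sends only its leaf.
LEAF_ONLY='depth=0 /C=US/O=Example Corp/CN=www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=Example Corp/CN=www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.com
   i:/O=Example Intermediate CA
---'

# Constructed output: leaf plus intermediate sent, verification clean.
WITH_CHAIN='depth=0 /C=US/O=Example Corp/CN=www.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.com
   i:/O=Example Intermediate CA
 1 s:/O=Example Intermediate CA
   i:/C=US/O=Example Root CA
---'

# Number of certificates the server put on the wire.
chain_count() {
  printf '%s\n' "$1" | awk '
    /^Certificate chain/       { in_chain = 1; next }
    $0 == "---"                { in_chain = 0 }   # exact match, so PEM "-----BEGIN" lines do not end the section
    in_chain && /^ *[0-9]+ s:/ { n++ }
    END { print n + 0 }'
}

# Distinct verify error numbers, space separated (empty if none).
verify_errors() {
  printf '%s\n' "$1" | sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | sort -un | xargs
}

# Classify the output: leaf-only means no intermediate was sent by the server.
diagnose() {
  n=$(chain_count "$1"); errs=$(verify_errors "$1")
  if [ "$n" -eq 0 ]; then echo "no-chain: no certificate chain found in input"
  elif [ -z "$errs" ]; then echo "ok: $n certs sent, no verify errors"
  elif [ "$n" -le 1 ]; then echo "leaf-only: no intermediate sent (errors: $errs)"
  else echo "chain-sent: $n certs sent but verify failed (errors: $errs)"
  fi
}

# Live use: diagnose "$(openssl s_client -connect domain.com:443 </dev/null 2>&1)"
```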