httpd-users mailing list archives

From Crypto Sal <crypto....@gmail.com>
Subject Re: [users@httpd] Apache Doesn't See My SSLCACertificateFile
Date Wed, 07 Apr 2010 23:57:01 GMT
On 04/07/2010 10:47 AM, Carlos Mennens wrote:
> I have Apache running on my RHEL 5.4 web server and when someone goes
> to my website, they get a scary warning that tells them my secure site
> isn't safe because it can't be validated by a CA. I contacted my CA
> (Verisign) today and was told that my web server (Apache) isn't
> properly rendering my 'intermediate' certificate. I clearly show
> Apache is properly displaying my public certificate and can read my
> private SSL key so I don't know why it's missing the
> SSLCACertificateFile entry from my httpd.conf file: My entry looks as
> follows in 'httpd.conf':
>
> <VirtualHost *:443>
>          DocumentRoot /var/www/html/int/main
>          ServerName www.mydomain.tld:443
>          ServerAdmin webmaster@mydomain.tld
>          ErrorLog /var/log/httpd/www.mydomain.tld-int-error_log
>          TransferLog /var/log/httpd/www.mydomain.tld-int-access_log
>          #   SSL Engine Switch:
>          #   Enable/Disable SSL for this virtual host.
>          SSLEngine on
>          #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>          SSLCertificateFile /etc/httpd/conf/ssl/www.crt
>          SSLCertificateKeyFile /etc/httpd/conf/ssl/www.key
>          SSLCACertificateFile /etc/httpd/conf/ssl/intermediate.crt
>
> Now I started to look around and noticed I also have a
> /etc/httpd/conf.d/ssl.conf file and it too has a section to list SSL
> parameter/path. I am wondering if I need to also add my SSL www.crt,
> www.key, and intermediate.crt in the 'ssl.conf' file also? Or could it
> simply be that Apache doesn't have permissions to properly render
> the 'intermediate.crt' which makes no sense to me since it can see the
> www.crt & www.key fine and they all have the same permissions:
>
> [root@ideweb1 ssl]# ls -la
> total 24
> dr-------- 2 root root 4096 Mar 26 14:36 .
> drwxr-xr-x 3 root root 4096 Apr  7 10:46 ..
> -r-------- 1 root root 1659 Jul 21  2009 intermediate.crt
> -r-------- 1 root root 1936 Mar 26 14:36 www.crt
> -r-------- 1 root root  887 Feb 11  2009 www.key
> -r-------- 1 root root 1931 Mar 26 14:36 www.orig
>
> Please help me understand this...
>
> -Carlos


Carlos,

Word of advice... Use SSLCertificateChainFile vs. using 
SSLCACertificateFile in Apache 2.x. SSLCACertificateFile is used for 
CLIENT Authentication and may not work 100% of the time.

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
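
Added example, not part of the original message or of the Apache project: a shell check on a constructed throwaway PKI showing why a client that trusts only the root rejects a server certificate presented without its intermediate, and accepts it once the intermediate is supplied alongside, which is the role of the file named by SSLCertificateChainFile. The function names, subject names and temporary paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Everything below is constructed: a throwaway PKI
# (root -> intermediate -> leaf) built in a temp directory.

# make_pki DIR: create root.crt, intermediate.crt and www.crt in DIR.
make_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" \
        -out "$d/intermediate.crt" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.mydomain.tld" \
        -keyout "$d/www.key" -out "$d/www.csr" 2>/dev/null
    openssl x509 -req -in "$d/www.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/int.key" -CAcreateserial -days 2 -out "$d/www.crt" 2>/dev/null
}

# client_accepts ROOT LEAF [CHAIN]: validate LEAF as a client that trusts only
# ROOT and was sent the untrusted certificates in CHAIN (if given) by the server.
client_accepts() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# demo: print the outcome for "leaf only" and "leaf plus chain file".
demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp"
    client_accepts "$tmp/root.crt" "$tmp/www.crt" && r1=accepted || r1=rejected
    client_accepts "$tmp/root.crt" "$tmp/www.crt" "$tmp/intermediate.crt" \
        && r2=accepted || r2=rejected
    rm -rf "$tmp"
    echo "leaf only: $r1; leaf + chain file: $r2"
}

demo
```

The same `client_accepts` check can be pointed at real files by passing the CA's root certificate, the server certificate and the intermediate file in that order.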

