httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From o haya <>
Subject Re: [users@httpd] SSL/CRL Problem - Error 12 (Expired)
Date Tue, 08 Mar 2016 13:16:43 GMT

BTW, one other piece of possible information:  We found that if we put all the PEMs for the
CRLs into one big file and then used the SSLCACertificateRevocationFile directive instead
of the SSLCACertificateRevocationPath directive and the hashes in the directory, then we don't
get the Error 12/Expired CRL errors.


On Mon, 3/7/16, o haya <> wrote:

 Subject: [users@httpd] SSL/CRL Problem - Error 12 (Expired)
 Date: Monday, March 7, 2016, 8:43 PM
 I'm not sure if I should post this to the openssl mailing
 list or here, but thought that it'd make sense to start
 here.  If that is not appropriate, please let me know?
 Anyway, we are upgrading some of our Apache instance to
 2.4.16 (on Redhat), and we are encountering a strange
 problem with SSL and CRLs.
 Our websites are configured for SSL client authentication
 with CRLs in a directory pointed to by
 SSLCACertificateRevocationPath and SSLCARevocationCheck set
 to "chain".  We then place our CRLs in the directory
 and create the hashes for them.
 However, when we tried to upgrade one of our production
 instances the requests are failing and, in the error logs,
 we are seeing the following messages:
 [ssl.debug] [pid 4866] ssl_engine_kernel.c: [client] Certificate Verification, depth 1, CRL
 checking mode: chain [subject: CN=CA4,OU=branch,.... /
 issuer: CN=Root 3,OU=branch,... / serial: 86 / notbefore:
 Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT]
 [] [pid 4866] [client] Certificate
 Verification: Error (12): CRL has expired [subject:
 CN=CA4,OU=branch,... / issuer: CN=Root 3,... / serial: 86 /
 notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1
 00:00:00 2021 GMT] 
 We checked all of the CRL files and they are all within
 their validity periods.
 The thing is that we have not been able to replicate this
 problem in our test environment, when we try to re-create a
 similar PKI heirarchy, so we (or I) suspect that there may
 be something going on with either the CRLs or cert files
 that we are getting from the CAs (but recall that these same
 CRLs worked with older Apache.  So I was wondering: If
 there is any known situations where that "Error 12" would be
 logged, but where the problem was being cause by something
 other than the CRL files actually being expired?
 As I said, this might be more of an openssl question?
 Thanks in advance,
 To unsubscribe, e-mail:
 For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message