On Mon, May 18, 2015 at 10:04:03AM -0400, John Merriam wrote: > I get the following error in the error_log when I try to start Apache2: > > [Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate > chain! > > The certificate is a wildcard certificate from RapidSSL. > > I have their 'intermediate CA bundle' from here: > > https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 > > in a file that is pointed to with the SSLCertificateChainFile directive in > my Apache2 config.
What does this file contain exactly? I believe mod_ssl expects the server certificate followed by any intermediate CA certificates up to the root CA cert, all in PEM format, in one file. It's very odd that the behaviour between 5.6 and 5.7 changed. None of the upstream changes between 2.2.27 and 2.2.29 seem to apply. http://www.apache.org/dist/httpd/CHANGES_2.2 Given your error message, the point of failure in mod_ssl is a call to SSL_CTX_use_certificate_chain(), a function name which exists in mod_ssl and also existed in LibreSSL for a brief period before 5.7. During which time mod_ssl's version was renamed in our ports tree. Before release, LibreSSL's function was renamed and mod_ssl's version renamed back to its original name. This should not matter at all unless something unexpected happened during release package builds (unlikely). Can you make it work by using alternative configuration options, such as SSLCertificateFile and SSLCACertificateFile or SSLCACertificatePath?
