We have an Apache 2.2.22/OpenSSL 1.0.1 CAC-enabled website running on Windows (XP for development and 2003 for production). We have been experiencing issues with users with Windows 7 being able to connect lately. In an effort to understand what is going on, we added %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_VERIFY}x to the CustomLog command. When a Windows 7 user tried to access the site, we saw the following entry:
    [25/Apr/2012:12:24:12 -0400] 172.16.10.94 TLSv1 - - FAILED:unable to get local issuer certificate GET / HTTP/1.1 -

I have one certs file that contains these certificates:

    DOD Root CA
    DOD Root CA 2
    DOD EMAIL CA 15
    .
    .
    DOD EMAIL CA 30

Furthermore, running "openssl verify DOD_EMAILCerts.crt" returns:

    DOD_EMAILCerts.crt: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
    error 18 at 0 depth lookup:self signed certificate
    OK

Apache is configured this way:

    SSLCACertificatePath conf/certs/
    SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt

(which translates to c:\apache\conf\certs\DOD_EMAILCerts.crt)

Running openssl version -d returns:

    OPENSSLDIR: "c:/openssl-1.0.1/ssl"

The OpenSSL FAQ states this error occurs if OpenSSL cannot verify the root CA and that the CA certificate must be placed in a directory or file and the relevant program configured to read it.

Does the certs file need to be in both the conf/certs/ folder and the c:/openssl-1.0.1/ssl folder? What directory should it be in and how do I configure it to read it?

Thank you for your help!

Curtis N. Tammany
Lead Web Application Developer, National Security & Defense
Systems Engineering and Technology
URS
16156 Dahlgren Road
Dahlgren, Virginia, 22448
curtis.tamm...@urs.com
540.663.9507
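
Added example (not part of the original message): the shell sketch below reproduces the "unable to get local issuer certificate" verdict from the log entry above with a constructed three-level chain, and lists every certificate in a PEM bundle, since "openssl verify FILE" reads only the first certificate of the file it is given. The CA and client names, the file names and the helper functions are made up for the demonstration; it assumes an openssl binary on the PATH.

```sh
#!/bin/sh
# Added example. All certificates are throwaway test CAs generated on the spot.

# issue NAME CN SIGNER EXTFILE: new key and cert NAME.crt signed by SIGNER
# (self-signed when SIGNER equals NAME). Run inside a scratch directory.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$1" = "$3" ]; then signer="-signkey $1.key"
  else signer="-CA $3.crt -CAkey $3.key -CAcreateserial"; fi
  # $signer is left unquoted on purpose so it splits into separate options
  openssl x509 -req -in "$1.csr" $signer -days 2 -extfile "$4" \
    -out "$1.crt" 2>/dev/null
}

# make_chain: root CA -> issuing CA -> client certificate (constructed names)
make_chain() {
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  echo 'basicConstraints=CA:FALSE' > leaf.ext
  issue root "Example Root CA" root ca.ext &&
  issue sub "Example Issuing CA" root ca.ext &&
  issue client "Example Client" sub leaf.ext
}

# list_bundle FILE: subject/issuer of EVERY certificate in a PEM bundle
# ("openssl verify FILE" and "openssl x509 -in FILE" read only the first one)
list_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_with BUNDLE CERT: validate CERT against BUNDLE and print the verdict
verify_with() { openssl verify -CAfile "$1" "$2" 2>&1; }

demo() {
  cd "$(mktemp -d)" && make_chain || return 1
  cat root.crt > root_only.pem           # issuing CA missing from the bundle
  cat root.crt sub.crt > full.pem        # root plus issuing CA
  list_bundle full.pem
  verify_with root_only.pem client.crt   # error 20: unable to get local issuer certificate
  verify_with full.pem client.crt        # client.crt: OK
}
demo
```

The same list_bundle and verify_with calls can be pointed at a real bundle and a copy of an affected user's certificate to see which issuing CA is absent.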