On 04/07/2010 10:47 AM, Carlos Mennens wrote:
I have Apache running on my RHEL 5.4 web server and when someone goes
to my website, they get a scary warning that tells them my secure site
isn't safe because it can't be validated by a CA. I contacted my CA
(Verisign) today and was told that my web server (Apache) isn't
properly rendering my 'intermediate' certificate. I clearly show
Apache is properly displaying my public certificate and can read my
private SSL key so I don't know why it's missing the
SSLCACertificateFile entry from my httpd.conf file: My entry looks as
follows in 'httpd.conf':
<VirtualHost *:443>
DocumentRoot /var/www/html/int/main
ServerName www.mydomain.tld:443
ServerAdmin webmas...@mydomain.tld
ErrorLog /var/log/httpd/www.mydomain.tld-int-error_log
TransferLog /var/log/httpd/www.mydomain.tld-int-access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl/www.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/www.key
SSLCACertificateFile /etc/httpd/conf/ssl/intermediate.crt
Now I'm starting to look around and noticed I also have a
/etc/httpd/conf.d/ssl.conf file and it too has a section to list SSL
parameter/path. I am wondering if I need to also add my SSL www.crt,
www.key, and intermediate.crt in the 'ssl.conf' file also? Or could it
simply be that Apache doesn't have permissions to properly render
the 'intermediate.crt' which makes no sense to me since it can see the
www.crt & www.key fine and they all have the same permissions:
[r...@ideweb1 ssl]# ls -la
total 24
dr-------- 2 root root 4096 Mar 26 14:36 .
drwxr-xr-x 3 root root 4096 Apr 7 10:46 ..
-r-------- 1 root root 1659 Jul 21 2009 intermediate.crt
-r-------- 1 root root 1936 Mar 26 14:36 www.crt
-r-------- 1 root root 887 Feb 11 2009 www.key
-r-------- 1 root root 1931 Mar 26 14:36 www.orig
Please help me understand this...
-Carlos
Carlos,
Word of advice... Use SSLCertificateChainFile vs. using
SSLCACertificateFile in Apache 2.x. SSLCACertificateFile is used for
CLIENT Authentication and may not work 100% of the time.
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile
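
The check below is an added example, not part of the original thread or of Apache's own tooling: a shell lint that flags SSL virtual hosts relying on SSLCACertificateFile without SSLCertificateChainFile, plus a helper that counts the certificates a server actually sends. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread; function names are this example's own.

# Print "<start-line> <verdict>" for each <VirtualHost> with SSLEngine on.
# OK: SSLCertificateChainFile set. CA_FILE_ONLY: only SSLCACertificateFile set
# (client-auth trust store). NO_CHAIN: neither directive set.
lint_vhost_chain() {
    awk '
        function report() {
            if (ssl) print start, (chain ? "OK" : (ca ? "CA_FILE_ONLY" : "NO_CHAIN"))
            invh = 0
        }
        /^[ \t]*#/ { next }                                 # skip comments
        { line = tolower($0); sub(/^[ \t]+/, "", line) }    # directive names ignore case
        line ~ /^<virtualhost[ \t>]/ {
            if (invh) report()
            start = NR; ssl = chain = ca = 0; invh = 1; next
        }
        !invh { next }
        line ~ /^sslengine[ \t]+on/            { ssl = 1 }
        line ~ /^sslcertificatechainfile[ \t]/ { chain = 1 }
        line ~ /^sslcacertificatefile[ \t]/    { ca = 1 }
        line ~ /^<\/virtualhost>/              { report() }
        END { if (invh) report() }                          # block left unclosed
    ' "$1"
}

# Count PEM certificates on stdin, e.g. from `openssl s_client -connect HOST:443
# -showcerts </dev/null`; a count of 1 means only the leaf was sent.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed sample: first vhost mirrors the post, second uses the chain file.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl/www.crt
    SSLCACertificateFile /etc/httpd/conf/ssl/intermediate.crt
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl/www.crt
    SSLCertificateChainFile /etc/httpd/conf/ssl/intermediate.crt
</VirtualHost>
EOF
}

conf=$(mktemp); write_sample_conf "$conf"; lint_vhost_chain "$conf"; rm -f "$conf"
```

On httpd 2.4.8 and later, SSLCertificateChainFile is deprecated and the intermediate certificates are appended to the file named by SSLCertificateFile instead, so this lint applies to the 2.0/2.2 setups discussed in the thread.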