SSLCACertificateFile is only for client certificate authentication. Are you
trying to use that?
If not, removing that line should solve that particular error.
If you do want to use client certificate auth, then there is probably some
other problem with your certificate.

- Y


On Fri, Jan 17, 2014 at 3:22 AM, David Benfell <dbenf...@gmail.com> wrote:

> On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote:
> > ----- Original Message ----- Hi all,
> >
> > Ack!
> >
> > This is apache 2.2.25 compiled from source but on a CentOS 6.5
> > system. Notably, I included all modules in the build.
> >
> >> You might want to start to build with a minimal set of modules,
> >> to exclude any of them from being the cause. Why did you compile
> >> with all modules to start with?
> >
> This is a build that *was* working. I've been using it--I see (see
> below) since December.
> >
> > I was trying to add a subdomain, ran into memory allocation
> > problems and so tweaked the settings accordingly. Here are the
> > current settings and I have no idea how sensible they are:
> >
> > <IfModule prefork.c>
> > StartServers       4
> > MinSpareServers    4
> > MaxSpareServers   64
> > ServerLimit       512
> > MaxClients        512
> > MaxRequestsPerChild  512
> > </IfModule>
> > <IfModule worker.c>
> > StartServers         4
> > MaxClients         512
> > MinSpareThreads 32
> > MaxSpareThreads     64
> > ThreadsPerChild     16
> > MaxRequestsPerChild 0
> > </IfModule>
> >
> >> This depends on which MPM you are currently running, see your
> >> httpd -V output for this information. Obviously the specific
> >> settings will be different in each usecase, depending on load
> >> and resources available.
> >
> This returns:
>
> Server version: Apache/2.2.25 (Unix)
> Server built:   Dec  2 2013 08:47:03
> Server's Module Magic Number: 20051115:33
> Server loaded:  APR 1.4.8, APR-Util 1.5.2
> Compiled using: APR 1.4.8, APR-Util 1.5.2
> Architecture:   64-bit
> Server MPM:     Prefork
>   threaded:     no
>     forked:     yes (variable process count)
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/prefork"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/usr/local/apache2"
>  -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_LOCKFILE="logs/accept.lock"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> So I can ditch the worker section?
>
> >
> >> The last write call shows that its logging an error to the
> >> errorlog, are you sure you have looked at the right errorlog?
> >> You might want to try to 'strace -s 4096 ...' so the entire
> >> message is captured in the trace.
> >
> Thanks for the strace trick:
>                               = 0
> munmap(0x7fbfdc208000, 4096)            = 0
> write(43, "[Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n", 98) = 98
> exit_group(1)                           = ?
>
> I gather this is an SSL problem. Here is the section of that
> configuration that is changed. It is a new certificate (that includes
> the new subdomain):
>
>         Include /etc/httpd/conf/sites-available/all-ssl-common
>         SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt
>         SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key
>         SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem
>         SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem
>
> These files all exist. all-ssl-common is unchanged. It contains:
>
>         SSLEngine on
>
>         SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>         SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
>         SSLHonorCipherOrder on
>         SSLCompression Off
>         #SSLCipherSuite RC4-SHA:HIGH:!ADH
>         SSLInsecureRenegotiation off
>         SSLOptions StdEnvVars
>
>         BrowserMatch "MSIE [2-6]" \
>                 nokeepalive ssl-unclean-shutdown \
>                 downgrade-1.0 force-response-1.0
>         BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
>
> Thanks!
> --
> David Benfell
> see https://parts-unknown.org/node/2 if you don't understand the
> attachment
>
>
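
Added example, not part of the original thread: mod_ssl logs "Unable to configure verify locations for client authentication" when OpenSSL cannot load the file named by SSLCACertificateFile, and Python's ssl module performs the same OpenSSL load, so it can test a CA file without starting httpd. The helper name `check_ca_file` and the sample files are constructed for illustration.

```python
import os
import ssl
import tempfile


def check_ca_file(path):
    """Try to load `path` as a PEM CA bundle through OpenSSL.

    Returns (ok, detail). check_ca_file is a hypothetical helper name.
    """
    # A bare context: nothing is loaded from the system trust store, so the
    # certificate count below reflects only the file under test.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as exc:
        # File was readable but OpenSSL found no usable PEM certificate in it
        # (empty file, DER instead of PEM, damaged base64, ...).
        return False, "not a usable PEM CA bundle: %s" % exc
    except OSError as exc:
        # Missing file or wrong permissions.
        return False, "cannot read file: %s" % exc
    count = ctx.cert_store_stats()["x509"]
    return True, "loaded %d certificate(s)" % count


def demo():
    """Run the check on constructed sample files; returns {label: ok}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "empty": b"",
            "not-pem": b"this is not a certificate\n",
        }
        for label, data in samples.items():
            path = os.path.join(tmp, label + ".pem")
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = check_ca_file(path)[0]
        results["missing"] = check_ca_file(os.path.join(tmp, "absent.pem"))[0]
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(label, "OK" if ok else "FAILED")
```

On a real host, call `check_ca_file` with the path given to SSLCACertificateFile, running as the user that starts httpd so permission problems show up too.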
