Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy

From: Jeffrey B. Green <jeff(at)kikisoso.org>
Date: Mon Dec 31 2007 - 09:54:03 EST


Stefan Fritsch wrote:

> On Thursday 20 December 2007, Jeff Green wrote:
>> The SSLCertificateChainFile does not work, but the
>> SSLCACertificatePath does in a reverse proxy topology. The error
>> reported here is in the actual server, i.e. not the proxy. The path
>> used is /etc/ssl/certs, and the chain file is
>> /etc/ssl/certs/ca-certificates.crt.
>>
>> However, the proxy also uses SSLCACertificatePath and it works.
> 
> I don't understand your configuration. Do you get an error message?
> Can you be more verbose, e.g. provide the output of
> 
> cd /etc/apache2 ; egrep -ir '(<|name)virtualhost|SSL(CA)?Certificate' *enabled conf.d *conf
> 
> on both systems?

On the proxy machine the output is:

sites-enabled/root:
sites-enabled/root:
sites-enabled/root:NameVirtualHost 192.168.2.7:80
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:
sites-enabled/root:     SSLCertificateFile /etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:#NameVirtualHost 192.168.2.7:10445
sites-enabled/root:
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/sympa:<VirtualHost 192.168.2.50:10445>
sites-enabled/sympa: SSLCertificateFile /etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/sympa: SSLCertificateKeyFile /etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/sympa:    SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:
sites-enabled/squirrelmail:#
sites-enabled/squirrelmail:  SSLCertificateFile /etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/squirrelmail: SSLCertificateKeyFile /etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/squirrelmail:  SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:#
sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>
ssl.conf:
ssl.conf:#   Point SSLCertificateFile at a PEM encoded certificate.  If
ssl.conf:SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
ssl.conf:SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
ssl.conf:#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
ssl.conf:#   Point SSLCertificateChainFile at a file containing the
ssl.conf:#   the referenced file can be the same as SSLCertificateFile
ssl.conf:#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
ssl.conf:#   Note: Inside SSLCACertificatePath you need hash symlinks
ssl.conf:SSLCACertificatePath /var/www/CA
ssl.conf:#SSLCACertificatePath /etc/apache2/ssl.crt
ssl.conf:#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

On the real server, the output is:

sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:
sites-enabled/tott.org:
sites-enabled/root:#NameVirtualHost 192.168.2.5
sites-enabled/root:#
sites-enabled/root:
sites-enabled/squirrelmail:
sites-enabled/squirrelmail:  SSLCertificateFile /etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/squirrelmail: SSLCertificateKeyFile /etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/squirrelmail:  SSLCACertificatePath /etc/ssl/certs
sites-enabled/www.karmecholing.org:NameVirtualHost 192.168.2.5:80
sites-enabled/www.karmecholing.org:
sites-enabled/secure.karmecholing.org:
sites-enabled/secure.karmecholing.org:#   Point SSLCertificateFile at a PEM encoded certificate. If
sites-enabled/secure.karmecholing.org:SSLCertificateFile /etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/secure.karmecholing.org:SSLCertificateKeyFile /etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/secure.karmecholing.org:# Point SSLCertificateChainFile at a file containing the
sites-enabled/secure.karmecholing.org:# the referenced file can be the same as SSLCertificateFile
sites-enabled/secure.karmecholing.org:#SSLCertificateChainFile /etc/ssl/certs/ca-certificates.crt
sites-enabled/secure.karmecholing.org:# Note: Inside SSLCACertificatePath you need hash symlinks
sites-enabled/secure.karmecholing.org:SSLCACertificatePath /etc/ssl/certs
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>

As you can see, we have several sites. Some served directly on the proxy server mentioned above, several on other machines.

One thing that I didn't think of before is... do the servers have to be exclusively one way or another, i.e. using the CAcert path or using the CAcert file? I wouldn't have thought so, but .... maybe so. When I was trying the CAcert file, (I believe) I still had settings for other virtual hosts set for the CAcert path.

Happy New Year,
-jeff

> 
> Cheers,
> Stefan
> 
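The ssl.conf comment quoted in the output above notes that SSLCACertificatePath only works when the directory carries hash symlinks, which is the practical difference between the path-based and file-based directives discussed in this thread. As an added example (not from the bug report, and not Debian's or Apache's own code), the following POSIX shell functions check such a directory for missing links, create them the way c_rehash does, and verify a certificate against the directory the way a CApath lookup would; they assume the openssl command-line tool is installed.

```shell
# Added example, not part of the bug report: sanity-check a directory meant
# for SSLCACertificatePath. mod_ssl, like "openssl verify -CApath", finds
# issuers through <subject-hash>.N symlinks, so a CA file dropped into the
# directory without its link is silently ignored. Assumes the openssl CLI.

# Print the subject hash OpenSSL uses as the link name for a PEM certificate.
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Return 0 when every *.pem/*.crt in DIR has a <hash>.N link with the same
# content; otherwise list the certificates that lack one and return 1.
check_capath() {
    dir=$1; missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert" 2>/dev/null) || continue   # skip non-certificates
        found=0
        for link in "$dir/$h".[0-9]*; do
            [ -e "$link" ] && cmp -s "$link" "$cert" && { found=1; break; }
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for $cert (expected $h.N)"
            missing=1
        fi
    done
    return $missing
}

# Create the missing links, the way c_rehash does: the suffix N is the next
# free number, so two CAs whose subject hashes collide both stay reachable.
rehash_capath() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert" 2>/dev/null) || continue
        n=0
        while [ -e "$dir/$h.$n" ]; do
            cmp -s "$dir/$h.$n" "$cert" && continue 2   # already linked
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
}

# Verify CERT against DIR exactly as a CApath lookup would (0 = chain found).
verify_against_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Run `check_capath /etc/ssl/certs` on the server to confirm the directory a vhost points at is actually usable; a CA whose link is missing is reported by file name.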
Received on Mon Dec 31 10:16:11 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 02:59:34 EDT