Stefan Fritsch wrote:
> On Thursday 20 December 2007, Jeff Green wrote:
>> The SSLCertificateChainFile does not work, but the
>> SSLCACertificatePath does in a reverse proxy topology. The error
>> reported here is in the actual server, i.e. not the proxy. The path
>> used is /etc/ssl/certs, and the chain file is
>> /etc/ssl/certs/ca-certificates.crt.
>>
>> However, the proxy also uses SSLCACertificatePath and it works.
>
> I don't understand your configuration. Do you get an error message?
> Can you be more verbose, e.g. provide the output of
>
> cd /etc/apache2 ; egrep -ir '(<|name)virtualhost|SSL(CA)?Certificate' *enabled conf.d *conf
>
> on both systems?
On the proxy machine the output is:

sites-enabled/root:<VirtualHost 192.168.2.50:80>
sites-enabled/root:<VirtualHost 192.168.2.52:80>
sites-enabled/root:NameVirtualHost 192.168.2.7:80
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:443>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:#NameVirtualHost 192.168.2.7:10445
sites-enabled/root:<VirtualHost 192.168.2.7:10445>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10443>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10444>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10446>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/sympa:<VirtualHost 192.168.2.50:10445>
sites-enabled/sympa: SSLCertificateFile /etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/sympa: SSLCertificateKeyFile /etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/sympa: SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:<VirtualHost 192.168.2.52:443>
sites-enabled/squirrelmail:#<VirtualHost webmail.kikisoso.org:443>
sites-enabled/squirrelmail: SSLCertificateFile /etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/squirrelmail: SSLCertificateKeyFile /etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/squirrelmail: SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:#<VirtualHost 1.2.3.4>
sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:<VirtualHost *>
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>
ssl.conf:<VirtualHost _default_:443>
ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate.  If
ssl.conf:SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
ssl.conf:SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
ssl.conf:#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
ssl.conf:# Point SSLCertificateChainFile at a file containing the
ssl.conf:# the referenced file can be the same as SSLCertificateFile
ssl.conf:#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
ssl.conf:# Note: Inside SSLCACertificatePath you need hash symlinks
ssl.conf:SSLCACertificatePath /var/www/CA
ssl.conf:#SSLCACertificatePath /etc/apache2/ssl.crt
ssl.conf:#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

-------------------------------------------------------------------------------

On the real server, the output is:

sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:<VirtualHost *>
sites-enabled/tott.org:<VirtualHost 192.168.2.54:80>
sites-enabled/root:#NameVirtualHost 192.168.2.5
sites-enabled/root:#<VirtualHost 192.168.2.5:80>
sites-enabled/root:<VirtualHost 192.168.2.55:80>
sites-enabled/squirrelmail:<VirtualHost 192.168.2.55:443>
sites-enabled/squirrelmail: SSLCertificateFile /etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/squirrelmail: SSLCertificateKeyFile /etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/squirrelmail: SSLCACertificatePath /etc/ssl/certs
sites-enabled/www.karmecholing.org:NameVirtualHost 192.168.2.5:80
sites-enabled/www.karmecholing.org:<VirtualHost 192.168.2.5:80>
sites-enabled/secure.karmecholing.org:<VirtualHost 192.168.2.53:443>
sites-enabled/secure.karmecholing.org:# Point SSLCertificateFile at a PEM encoded certificate.  If
sites-enabled/secure.karmecholing.org:SSLCertificateFile /etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/secure.karmecholing.org:SSLCertificateKeyFile /etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/secure.karmecholing.org:# Point SSLCertificateChainFile at a file containing the
sites-enabled/secure.karmecholing.org:# the referenced file can be the same as SSLCertificateFile
sites-enabled/secure.karmecholing.org:#SSLCertificateChainFile /etc/ssl/certs/ca-certificates.crt
sites-enabled/secure.karmecholing.org:# Note: Inside SSLCACertificatePath you need hash symlinks
sites-enabled/secure.karmecholing.org:SSLCACertificatePath /etc/ssl/certs
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>

-----------------------------------------------------------------------------

As you can see, we have several sites. Some are served directly on the proxy server mentioned above, several on other machines.

One thing that I didn't think of before is... do the servers have to be exclusively one way or another, i.e. using the CAcert path or using the CAcert file? I wouldn't have thought so, but... maybe so. When I was trying the CAcert file, (I believe) I still had settings for other virtual hosts set for the CAcert path.

Happy New Year,
-jeff

>
> Cheers,
> Stefan
> --
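One way to see what the "Inside SSLCACertificatePath you need hash symlinks" comment in the config output above refers to, as an added example that is not from this thread or from the Debian package: a shell script that builds a constructed CA and server certificate in a temporary directory and verifies the server certificate against a directory with and without the <hash>.0 symlink that mod_ssl's SSLCACertificatePath (and `openssl verify -CApath`) rely on. All names, subjects and paths are constructed for the example; it assumes the `openssl` command is installed.

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate why a CApath directory
# only works when it holds <subject-hash>.N symlinks. A throwaway CA and
# server cert are generated in a temp dir; nothing touches /etc/ssl/certs
# or any Apache configuration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed self-signed CA and a server certificate it issues.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=secure.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out server.pem -days 2 >/dev/null 2>&1

# Directory laid out the way mod_ssl/OpenSSL expects: the CA cert is found
# by a symlink named <subject-hash>.0, not by its file name.
mkdir capath
HASH=$(openssl x509 -hash -noout -in ca.pem)
ln -s "$WORK/ca.pem" "capath/$HASH.0"

# The same CA cert copied into a directory without the hash link: the
# by-hash lookup never finds it, so the chain cannot be built.
mkdir capath_nolinks
cp ca.pem capath_nolinks/

# Returns 0 when the certificate chains to a CA found via the directory.
# -no-CAfile/-no-CApath keep the system's default trust store out of it.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

if verify_with_capath capath server.pem; then
    echo "capath with hash symlink: verify OK"
fi
if ! verify_with_capath capath_nolinks server.pem; then
    echo "capath without hash symlink: verify FAILS"
fi
```

On a real system the same symlinks are what `c_rehash` or `openssl rehash` create, and a directory that lacks them behaves exactly like capath_nolinks above no matter which CA certificates it contains.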