Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy
Stefan Fritsch wrote:
> On Thursday 20 December 2007, Jeff Green wrote:
>> The SSLCertificateChainFile does not work, but the
>> SSLCACertificatePath does in a reverse proxy topology. The error
>> reported here is in the actual server, i.e. not the proxy. The path
>> used is /etc/ssl/certs, and the chain file is
>> /etc/ssl/certs/ca-certificates.crt.
>>
>> However, the proxy also uses SSLCACertificatePath and it works.
>
> I don't understand your configuration. Do you get an error message?
> Can you be more verbose, e.g. provide the output of
>
> cd /etc/apache2 ; egrep -ir '(<|name)virtualhost|SSL(CA)?Certificate' *enabled conf.d *conf
>
> on both systems?
On the proxy machine the output is:
sites-enabled/root:<VirtualHost 192.168.2.50:80>
sites-enabled/root:<VirtualHost 192.168.2.52:80>
sites-enabled/root:NameVirtualHost 192.168.2.7:80
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:443>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:#NameVirtualHost 192.168.2.7:10445
sites-enabled/root:<VirtualHost 192.168.2.7:10445>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10443>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10444>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10446>
sites-enabled/root: SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
sites-enabled/root: SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
sites-enabled/root: SSLCACertificatePath /etc/ssl/certs
sites-enabled/sympa:<VirtualHost 192.168.2.50:10445>
sites-enabled/sympa: SSLCertificateFile /etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/sympa: SSLCertificateKeyFile /etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/sympa: SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:<VirtualHost 192.168.2.52:443>
sites-enabled/squirrelmail:#<VirtualHost webmail.kikisoso.org:443>
sites-enabled/squirrelmail: SSLCertificateFile /etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/squirrelmail: SSLCertificateKeyFile /etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/squirrelmail: SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:#<VirtualHost 1.2.3.4>
sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:<VirtualHost *>
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>
ssl.conf:<VirtualHost _default_:443>
ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
ssl.conf:SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
ssl.conf:SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
ssl.conf:#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
ssl.conf:# Point SSLCertificateChainFile at a file containing the
ssl.conf:# the referenced file can be the same as SSLCertificateFile
ssl.conf:#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
ssl.conf:# Note: Inside SSLCACertificatePath you need hash symlinks
ssl.conf:SSLCACertificatePath /var/www/CA
ssl.conf:#SSLCACertificatePath /etc/apache2/ssl.crt
ssl.conf:#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-------------------------------------------------------------------------------
On the real server, the output is:
sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:<VirtualHost *>
sites-enabled/tott.org:<VirtualHost 192.168.2.54:80>
sites-enabled/root:#NameVirtualHost 192.168.2.5
sites-enabled/root:#<VirtualHost 192.168.2.5:80>
sites-enabled/root:<VirtualHost 192.168.2.55:80>
sites-enabled/squirrelmail:<VirtualHost 192.168.2.55:443>
sites-enabled/squirrelmail: SSLCertificateFile /etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/squirrelmail: SSLCertificateKeyFile /etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/squirrelmail: SSLCACertificatePath /etc/ssl/certs
sites-enabled/www.karmecholing.org:NameVirtualHost 192.168.2.5:80
sites-enabled/www.karmecholing.org:<VirtualHost 192.168.2.5:80>
sites-enabled/secure.karmecholing.org:<VirtualHost 192.168.2.53:443>
sites-enabled/secure.karmecholing.org:# Point SSLCertificateFile at a PEM encoded certificate. If
sites-enabled/secure.karmecholing.org:SSLCertificateFile /etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/secure.karmecholing.org:SSLCertificateKeyFile /etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/secure.karmecholing.org:# Point SSLCertificateChainFile at a file containing the
sites-enabled/secure.karmecholing.org:# the referenced file can be the same as SSLCertificateFile
sites-enabled/secure.karmecholing.org:#SSLCertificateChainFile /etc/ssl/certs/ca-certificates.crt
sites-enabled/secure.karmecholing.org:# Note: Inside SSLCACertificatePath you need hash symlinks
sites-enabled/secure.karmecholing.org:SSLCACertificatePath /etc/ssl/certs
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>
-----------------------------------------------------------------------------
As you can see, we have several sites. Some are served directly on the proxy
server mentioned above, several on other machines.
One thing that I didn't think of before is... do the servers have to be
exclusively one way or the other, i.e. using the CAcert path or using the
CAcert file? I wouldn't have thought so, but ... maybe so. When I was
trying the CAcert file, (I believe) I still had settings for other
virtual hosts set for the CAcert path.
Happy New Year,
-jeff
>
> Cheers,
> Stefan
>
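Two things this report turns on can be checked from the shell: whether a directory used as SSLCACertificatePath carries the hash symlinks the ssl.conf comment warns about, and whether a given chain file actually lets a client complete the chain for a server certificate. The script below is an added diagnostic, not part of the bug report or of Apache; it builds a constructed throwaway CA and server certificate with the openssl CLI so it runs offline, and the function names are its own.

```shell
#!/bin/sh
# Added example, not from the bug report. Requires the openssl CLI.

# capath_hash_ok DIR CACERT: does DIR hold the <subject_hash>.N entry that
# lets OpenSSL (and so mod_ssl's SSLCACertificatePath) find CACERT?
capath_hash_ok() {
    h=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    for f in "$1/$h".[0-9]*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# chain_ok CERT CHAINFILE: would CHAINFILE, used as SSLCertificateChainFile,
# let a client verify CERT? -no-CApath keeps the system directory out of it.
chain_ok() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# capath_ok CERT DIR: same question for a hashed SSLCACertificatePath directory.
capath_ok() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# selftest: build a constructed CA and server certificate in a temp dir and
# exercise the checks; returns 0 only if every expectation holds.
selftest() {
    t=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Example-Test-CA \
        -keyout "$t/ca.key" -out "$t/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test \
        -keyout "$t/srv.key" -out "$t/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$t/srv.csr" -CA "$t/ca.crt" -CAkey "$t/ca.key" \
        -CAcreateserial -out "$t/srv.crt" >/dev/null 2>&1 || return 1
    mkdir "$t/unhashed" "$t/hashed"
    cp "$t/ca.crt" "$t/unhashed/ca.crt"            # plain copy, no hash link
    h=$(openssl x509 -in "$t/ca.crt" -noout -subject_hash)
    ln -s "$t/ca.crt" "$t/hashed/$h.0"             # what c_rehash would create
    rc=0
    chain_ok "$t/srv.crt" "$t/ca.crt"        || rc=1  # chain file completes chain
    capath_hash_ok "$t/hashed" "$t/ca.crt"   || rc=1  # hashed dir: link present
    capath_ok "$t/srv.crt" "$t/hashed"       || rc=1  # ...and verification works
    capath_hash_ok "$t/unhashed" "$t/ca.crt" && rc=1  # unhashed dir: link missing
    capath_ok "$t/srv.crt" "$t/unhashed"     && rc=1  # ...so verification fails
    rm -rf "$t"
    return $rc
}

selftest && echo "all checks behaved as expected" || echo "unexpected result"
```

Run `capath_hash_ok /etc/ssl/certs <issuer.crt>` and `chain_ok <server.crt> <chainfile>` against a live configuration to see which of the two mechanisms is actually usable on a given host.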