SSLCACertificateFile crashes Apache


Liam Kirsher
Hi --

I'm experiencing a problem that appears to be due to an OpenSSL
error.  There was a related error reported last week; I didn't see a
response, and I hope someone can help!

I'm trying to get ssl running on my client's ISP-hosted virtual server:
Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.4.1

I have a cert from Comodo.

SSL works properly for my recent browsers (Firefox 1.07, IE 6.0) but an
older version of Opera doesn't recognize the cert and prompts the user to
accept it.

That situation should be fixed by installing the ca-bundle file supplied by
Comodo, and setting the SSLCACertificateFile parameter in httpd.conf.

However, when I add the line
SSLCACertificateFile    /path/to/comodo-ca-bundle

Apache dies when restarting, and logs the following OpenSSL errors:

>[07/Feb/2006 11:57:08 25653] [error] Init: (www.domain.com:443) Unable to
>configure verify locations for client authentication (OpenSSL library
>error follows)
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:02001002:system
>library:fopen:No such file or directory
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:2006D002:BIO
>routines:BIO_new_file:system lib
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0E064002:configuration
>file routines:CONF_load:system lib
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0906D06C:PEM
>routines:PEM_read_bio:no start line [Hint: Bad file contents or format -
>or even just a forgotten SSLCertificateKeyFile?]
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0B084009:x509
>certificate routines:X509_load_cert_crl_file:missing asn1 eos

I'm not sure what all that means. The SSLCertificateKeyFile is there, and
it works fine as long as there is no mention of SSLCACertificateFile.

Note that openssl itself is not installed on the server. The ISP has an
interface for generating the csr and creating the key. The second time I
generated the files on another similar server, but the end result is the same.
I'm wondering if possibly openssl is looking for its configuration file
openssl.cnf, and that is what is not being found.

Any ideas?

Liam



Liam Kirsher <liamk/AT/numenet/DOT/com>
415-456-4420
415-438-0384 (cell)
PGP: http://liam.numenet.com/pgp/


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
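
The log quoted in the message contains two distinct OpenSSL complaints about the bundle: `fopen: No such file or directory` and `PEM_read_bio: no start line`. The following is an added example, not part of the original post or of mod_ssl: a POSIX shell preflight check that tests a bundle path for both conditions without needing the `openssl` binary, which the poster says is not installed on the server. The function name `check_ca_bundle` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check a CA bundle before referencing it in httpd.conf.
# Return codes (chosen for this example, not defined by Apache or OpenSSL):
#   0  file exists and holds one or more complete PEM certificates
#   1  path missing or unreadable  (cf. "fopen:No such file or directory")
#   2  no PEM certificate start line (cf. "PEM_read_bio:no start line")
#   3  BEGIN/END markers do not pair up (truncated or badly concatenated)
check_ca_bundle() {
    bundle=$1

    # Run this as the same user that starts Apache, so the readability
    # test reflects what the server process will actually see.
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "FAIL: $bundle does not exist or is not readable"
        return 1
    fi

    # Strip CRs first so a bundle saved with DOS line endings still matches.
    # "|| true" keeps grep's exit status 1 (zero matches) from aborting
    # callers that run under "set -e".
    begins=$(LC_ALL=C tr -d '\r' < "$bundle" \
        | LC_ALL=C grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(LC_ALL=C tr -d '\r' < "$bundle" \
        | LC_ALL=C grep -c '^-----END CERTIFICATE-----$' || true)

    if [ "$begins" -eq 0 ]; then
        # Typical causes: DER (binary) file, an HTML page saved in place
        # of the download, or a key/CSR file given by mistake.
        echo "FAIL: $bundle has no PEM certificate start line"
        return 2
    fi

    if [ "$begins" -ne "$ends" ]; then
        echo "FAIL: $bundle has $begins BEGIN and $ends END markers"
        return 3
    fi

    echo "OK: $bundle contains $begins PEM certificate(s)"
    return 0
}

# Usage: sh check_bundle.sh /path/to/comodo-ca-bundle
if [ $# -gt 0 ]; then
    check_ca_bundle "$1"
fi
```

A pass here only shows that the file is present and PEM-framed; it does not validate the certificates themselves.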