SSLCACertificateFile crashes Apache

SSLCACertificateFile crashes Apache

am 07.02.2006 20:48:51 von Liam Kirsher

Hi --

I'm experiencing a problem setting up SSL using mod_ssl.

I'm trying to get ssl running on my client's ISP-hosted virtual server:
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.4.1

I have a cert from Comodo.

SSL works properly for my recent browsers (Firefox 1.07, IE 6.0) but an
older version of Opera doesn't recognize the cert and prompts the user to
accept it.

That situation should be fixed by installing the ca-bundle file supplied by
Comodo, and setting the SSLCACertificateFile parameter in httpd.conf.

However, when I add the line
SSLCACertificateFile /path/to/comodo-ca-bundle

Apache dies when restarting, and logs the following OpenSSL errors:

>[07/Feb/2006 11:57:08 25653] [error] Init: (www.domain.com:443) Unable to
>configure verify locations for client authentication (OpenSSL library
>error follows)
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:02001002:system
>library:fopen:No such file or directory
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:2006D002:BIO
>routines:BIO_new_file:system lib
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0E064002:configuration
>file routines:CONF_load:system lib
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0906D06C:PEM
>routines:PEM_read_bio:no start line [Hint: Bad file contents or format -
>or even just a forgotten SSLCertificateKeyFile?]
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0B084009:x509
>certificate routines:X509_load_cert_crl_file:missing asn1 eos

I'm not sure what all that means. The SSLCertificateKeyFile is there, and
it works fine as long as there is no mention of SSLCACertificateFile.

Note that openssl itself is not installed on the server. The ISP has an
interface for generating the csr and creating the key. The second time I
generated the files on another similar server, but the end result is the same.
I'm wondering if possibly openssl is looking for its configuration file
openssl.cnf, and that is what is not being found.

Any ideas?

Liam



Liam Kirsher
415-456-4420
415-438-0384 (cell)
PGP: http://liam.numenet.com/pgp/


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLCACertificateFile crashes Apache

am 08.02.2006 03:33:09 von BJ Swope

------=_Part_1179_21668694.1139365989305
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On 2/7/06, Liam Kirsher wrote:
>
>
>
>
> >[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:02001002:system
> library:fopen:No such file or directory



Are you sure the path is correct? Is the path relative or absolute as you
indicated in your post?


--
"But we also know the dangers of a religion that severs its links with
reason and becomes prey to fundamentalism" -- Cardinal Paul Poupard
"It morphs into the Republican party!" -- BJ

------=_Part_1179_21668694.1139365989305
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline



On 2/7/06, rname">Liam Kirsher <liamk@nume=
net.com> wrote:
der-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-=
left: 1ex;">



>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0200100=
2:system library:fopen:No such file or directory




Are you sure the path is correct?  Is the path relative or absolute as=
you indicated in your post?



--
"But we also know the dangers of a religion
that severs its links with reason and becomes prey to fundamentalism"
--  Cardinal Paul Poupard
"It morphs into the Republican =
party!"  -- BJ

------=_Part_1179_21668694.1139365989305--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLCACertificateFile crashes Apache

am 08.02.2006 19:17:11 von Liam Kirsher

Yes, the path is correct -- I triple checked it!
Possible issues -- this is running on a virtual server, so I guess the
given root isn't the real root, and maybe it's getting confused.
Or maybe... it's not clear which file it's not finding. In my google
search I found some semi-related posts that seemed to indicate it might
need to have access to the openssl.cnf file, which is not on this virtual
server.

I've already spent too much time on this issue, so I'm going to have to use
a different certificate authority.

Thanks for taking a look, though.

Liam

At 09:33 PM 2/7/2006 -0500, you wrote:


>On 2/7/06, Liam Kirsher <liamk@numenet.com> wrote:
>>
>>
>>
>> >[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:02001002:system
>> library:fopen:No such file or directory
>
>
>Are you sure the path is correct? Is the path relative or absolute as you
>indicated in your post?
>
>
>--
>"But we also know the dangers of a religion that severs its links with
>reason and becomes prey to fundamentalism" -- Cardinal Paul Poupard
>"It morphs into the Republican party!" -- BJ

Liam Kirsher
415-456-4420
415-438-0384 (cell)
PGP: http://liam.numenet.com/pgp/


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org