Author Topic: Apache + SSL won't read my certification authority  (Read 1322 times)

abadon

Hello,

Yesterday the Rapid SSL certificate on my little site expired, so I got a new Thawte 123 certificate. So far so good. However, the new certificate also requires a certification authority, which the old one did not. I installed the new certificate and the client's browsers no longer show an error, but Apache's error log keeps getting hammered non-stop with errors like these:

Quote
[Fri Jun 10 10:34:29 2011] [notice] caught SIGTERM, shutting down
[Fri Jun 10 10:34:33 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Jun 10 10:34:34 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Jun 10 10:34:34 2011] [notice] Apache/2.2.14 (Ubuntu) PHP/5.2.10-2ubuntu6.7 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k configured -- resuming normal operations


I assume it is because of these problems that in this test, openssl s_client -host 213.145.124.4 -port 443 -showcerts, I get:
Quote
CONNECTED(00000003)
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify error:num=20:unable to get local issuer certificate
verify return:1

depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
Server certificate
subject=/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1798 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FEF23FA5B76319FF75735325A11CF4E226A469C0366EB0D6E9FB3C3525EF5CAD
    Session-ID-ctx:
    Master-Key: A5A987C3D34FCD71ACE5A389C496C54636521943268044C311FDA63004CEC4D57D2A3F1DA3D2FF9F55B3BD1BC0BC405B
    Key-Arg   : None
    Start Time: 1307785095
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

closed

In the vhost configuration I have added these lines:
Quote
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/support.nextpointhost.com.pem
        SSLCertificateKeyFile /etc/ssl/private/support.nextpointhost.com.key
        SSLCACertificatePath /etc/ssl/certs/
        SSLCACertificateFile /etc/ssl/certs/SSL123_CA_Bundle.pem

My question is why Apache does not pick up the root certificate, because if I run openssl s_client -CApath /etc/ssl/certs/ -connect support.nextpointhost.com:443 everything is fine:

Quote
CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
verify return:1
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify return:1
---
Certificate chain
 0 s:/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
Server certificate
subject=/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1798 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B3B1119B5E771BABD31E060F9326CF86341644637F4815F9CB14E46E693D72A5
    Session-ID-ctx:
    Master-Key: 1591812D02364F458DC7EDC58E8ADB27B4DC0D5B6EAED53333C7DFFD5430DD4542290CAA854A8C2E4A04138E21F35E62
    Key-Arg   : None
    Start Time: 1307785427
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

closed

Thanks in advance to everyone who tells me where I'm going wrong or gives me some pointers to think about.

A successful Windows boot ends with a restart!!!
You are registered as user #382190 with the Linux Counter
Every post is an answer to a question
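
In both s_client outputs above the "Certificate chain" section lists only entry 0, and the two runs differ only in whether the verifier can find that certificate's issuer locally. The script below is an added example, not part of the original post: it reproduces verify error 20 with a throwaway three-level chain (all CA and host names are constructed) and shows that the error clears once the intermediate is supplied with the leaf.

```bash
#!/bin/sh
# Added example. Every certificate and name here is constructed test data.
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

cat > "$D/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME SUBJECT EXT_SECTION [ISSUER]; without ISSUER the cert is self-signed
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$D/ssl.cnf" -subj "$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$4.pem" -CAkey "$D/$4.key" \
      -set_serial 1 -days 2 -extfile "$D/ssl.cnf" -extensions "$3" \
      -out "$D/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" \
      -set_serial 1 -days 2 -extfile "$D/ssl.cnf" -extensions "$3" \
      -out "$D/$1.pem" 2>/dev/null
  fi
}

issue root  "/CN=Example Root CA"         ca
issue inter "/CN=Example Intermediate CA" ca   root
issue leaf  "/CN=www.example.test"        leaf inter

# Verifier trusts only the root and is handed only certificate 0 (the leaf),
# like a client of a server that does not send its intermediate.
verify_leaf_only() {
  openssl verify -CAfile "$D/root.pem" "$D/leaf.pem" 2>&1 || true
}

# Same trust store, but the intermediate accompanies the leaf.
verify_with_chain() {
  openssl verify -CAfile "$D/root.pem" -untrusted "$D/inter.pem" \
    "$D/leaf.pem" 2>&1 || true
}

echo "leaf only:";  verify_leaf_only
echo "with chain:"; verify_with_chain
```

In Apache 2.2 mod_ssl, the intermediate certificates sent to clients are configured with SSLCertificateChainFile; SSLCACertificateFile and SSLCACertificatePath set the CAs used to verify client certificates.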
