Title: Apache + SSL won't read my certification authority
Posted by: abadon on Jun 11, 2011, 12:43
Hello,

Yesterday the Rapid SSL certificate on my little site expired, so I got a new Thawte 123 certificate. So far so good. However, the new certificate also requires a certification authority, which the old one did not. I installed the new certificate and the browsers on the client side no longer show an error, but Apache's error log keeps spitting out errors like these non-stop:

[Fri Jun 10 10:34:29 2011] [notice] caught SIGTERM, shutting down
[Fri Jun 10 10:34:33 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Jun 10 10:34:34 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Jun 10 10:34:34 2011] [notice] Apache/2.2.14 (Ubuntu) PHP/5.2.10-2ubuntu6.7 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k configured -- resuming normal operations
I assume it is because of these problems that this test gives:

openssl s_client -host 213.145.124.4 -port 443 -showcerts

CONNECTED(00000003)
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgIQWIYknSaZZRr6R6TvHNqEtzANBgkqhkiG9w0BAQUFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
b21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAe
Fw0xMTA2MDkwMDAwMDBaFw0xMjA3MDgyMzU5NTlaMIHEMSIwIAYDVQQKFBlzdXBw
b3J0Lm5leHRwb2ludGhvc3QuY29tMTswOQYDVQQLEzJHbyB0byBodHRwczovL3d3
dy50aGF3dGUuY29tL3JlcG9zaXRvcnkvaW5kZXguaHRtbDEiMCAGA1UECxMZVGhh
d3RlIFNTTDEyMyBjZXJ0aWZpY2F0ZTEZMBcGA1UECxMQRG9tYWluIFZhbGlkYXRl
ZDEiMCAGA1UEAxQZc3VwcG9ydC5uZXh0cG9pbnRob3N0LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANfa8CSAB8CU50fbLt+BPZcZJushhML+JBM4
AxjYkSONutdw18AZXkiKkMVLCeyKXuSJtxX1VxF4Wnb0fT6YF96yRlUm8MD0TLCI
9AkpLAyvjlM4lAw6mSjCCGOp/ZTo+HhGn0WHYpRjJc05GViLraTN6fMD/fxuI8fU
XsyJopDFVEDJHV2i1jH7Jjh6Z7bPphc0qgZp1+BPFpKF8o0NkfVvUJgbxPkzK1CZ
Pvu3ZanqBac46ScGc+sp+ZdjpvJQ++xv+E8BckGiKeaGbDYOl5DfGoy6iBVDHif9
zXEKYUBEnp8zn1zc2ef5I/jdeRjcOe4GpUloLg+oRE+rrHnU2S8CAwEAAaOBoDCB
nTAMBgNVHRMBAf8EAjAAMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9zdnItZHYt
Y3JsLnRoYXd0ZS5jb20vVGhhd3RlRFYuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9v
Y3NwLnRoYXd0ZS5jb20wDQYJKoZIhvcNAQEFBQADggEBAMdfffm4cboBcR75qyVN
rIJOYJ3JhcJMQbOXR1x0ejuV0YR2oPmauu5ac1pLmnKMBu3JC0/Fe4fis/Hf6FFb
WngaANsXuq3booJyRMsxtMtETIrH2rN6Da/P7UlspgvRjytYdzbVAvCr91oB5xb2
OEz9Dt1D+ZObey89IrS5rUuJwH9R/31MCpEKz7l3cuMHPoK0F3kO7U0ffjkEfc17
9S9v2UC+qbxI7rY8CqlS7vtUfHegN3/Ajf7PzUuXSx8QjdBvL0lyLRUg+tqypU54
0xvnn9ictLgO948A07ro3OhuzkXhy3SWliUaTnyQe9nBsX3d2uJ+CNN6KRaJmTtg
AcM=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1798 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FEF23FA5B76319FF75735325A11CF4E226A469C0366EB0D6E9FB3C3525EF5CAD
    Session-ID-ctx:
    Master-Key: A5A987C3D34FCD71ACE5A389C496C54636521943268044C311FDA63004CEC4D57D2A3F1DA3D2FF9F55B3BD1BC0BC405B
    Key-Arg   : None
    Start Time: 1307785095
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
In the vhost configuration I added these lines:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/support.nextpointhost.com.pem
SSLCertificateKeyFile /etc/ssl/private/support.nextpointhost.com.key
SSLCACertificatePath /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/certs/SSL123_CA_Bundle.pem
My question is: why doesn't Apache pick up the root certificate? Because if I run

openssl s_client -CApath /etc/ssl/certs/ -connect support.nextpointhost.com:443

everything is fine:

CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
verify return:1
depth=0 /O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
verify return:1
---
Certificate chain
 0 s:/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgIQWIYknSaZZRr6R6TvHNqEtzANBgkqhkiG9w0BAQUFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
b21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAe
Fw0xMTA2MDkwMDAwMDBaFw0xMjA3MDgyMzU5NTlaMIHEMSIwIAYDVQQKFBlzdXBw
b3J0Lm5leHRwb2ludGhvc3QuY29tMTswOQYDVQQLEzJHbyB0byBodHRwczovL3d3
dy50aGF3dGUuY29tL3JlcG9zaXRvcnkvaW5kZXguaHRtbDEiMCAGA1UECxMZVGhh
d3RlIFNTTDEyMyBjZXJ0aWZpY2F0ZTEZMBcGA1UECxMQRG9tYWluIFZhbGlkYXRl
ZDEiMCAGA1UEAxQZc3VwcG9ydC5uZXh0cG9pbnRob3N0LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANfa8CSAB8CU50fbLt+BPZcZJushhML+JBM4
AxjYkSONutdw18AZXkiKkMVLCeyKXuSJtxX1VxF4Wnb0fT6YF96yRlUm8MD0TLCI
9AkpLAyvjlM4lAw6mSjCCGOp/ZTo+HhGn0WHYpRjJc05GViLraTN6fMD/fxuI8fU
XsyJopDFVEDJHV2i1jH7Jjh6Z7bPphc0qgZp1+BPFpKF8o0NkfVvUJgbxPkzK1CZ
Pvu3ZanqBac46ScGc+sp+ZdjpvJQ++xv+E8BckGiKeaGbDYOl5DfGoy6iBVDHif9
zXEKYUBEnp8zn1zc2ef5I/jdeRjcOe4GpUloLg+oRE+rrHnU2S8CAwEAAaOBoDCB
nTAMBgNVHRMBAf8EAjAAMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9zdnItZHYt
Y3JsLnRoYXd0ZS5jb20vVGhhd3RlRFYuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9v
Y3NwLnRoYXd0ZS5jb20wDQYJKoZIhvcNAQEFBQADggEBAMdfffm4cboBcR75qyVN
rIJOYJ3JhcJMQbOXR1x0ejuV0YR2oPmauu5ac1pLmnKMBu3JC0/Fe4fis/Hf6FFb
WngaANsXuq3booJyRMsxtMtETIrH2rN6Da/P7UlspgvRjytYdzbVAvCr91oB5xb2
OEz9Dt1D+ZObey89IrS5rUuJwH9R/31MCpEKz7l3cuMHPoK0F3kO7U0ffjkEfc17
9S9v2UC+qbxI7rY8CqlS7vtUfHegN3/Ajf7PzUuXSx8QjdBvL0lyLRUg+tqypU54
0xvnn9ictLgO948A07ro3OhuzkXhy3SWliUaTnyQe9nBsX3d2uJ+CNN6KRaJmTtg
AcM=
-----END CERTIFICATE-----
subject=/O=support.nextpointhost.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=support.nextpointhost.com
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1798 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B3B1119B5E771BABD31E060F9326CF86341644637F4815F9CB14E46E693D72A5
    Session-ID-ctx:
    Master-Key: 1591812D02364F458DC7EDC58E8ADB27B4DC0D5B6EAED53333C7DFFD5430DD4542290CAA854A8C2E4A04138E21F35E62
    Key-Arg   : None
    Start Time: 1307785427
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
Thanks in advance to everyone who can tell me where I'm going wrong or give me some pointers to think about.
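The two s_client runs in the post differ only in whether the client could find the intermediate ("Thawte DV SSL CA") locally: the chain the server sends contains a single certificate (one entry under "Certificate chain"), so a client that only trusts the root gets error 20/21, and the second run passes only because -CApath pointed at a directory that already held the intermediate. In mod_ssl 2.2 the intermediate is sent to clients only when it is listed in SSLCertificateChainFile (from Apache 2.4.8 it is appended after the server certificate in SSLCertificateFile); SSLCACertificateFile and SSLCACertificatePath are used for verifying client certificates and do not change what the server sends. The following added example (not from the original post) builds a throwaway root / intermediate / leaf PKI with openssl and reproduces both outcomes offline. All names (Demo Root CA, Demo Intermediate CA, support.example.test) and the helper functions verify_as_client, chain_status and count_certs_sent are made up for the demo.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# constructed root -> intermediate -> leaf chain, then show it resolved once
# the intermediate travels with the leaf. Nothing here touches the network
# except count_certs_sent, which is defined but not called.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Build the demo PKI (constructed names) ---------------------------------
# Root CA: the only certificate the simulated client trusts (stands in for
# the Thawte root that lives in the system store).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: must carry basicConstraints CA:TRUE, otherwise verify
# refuses to use it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null

# Leaf (server) certificate, issued by the intermediate, not by the root.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:support.example.test\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=support.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# --- Client-side view ---------------------------------------------------------
# verify_as_client ROOT LEAF [EXTRA]
# Models a browser that trusts only ROOT and receives LEAF plus whatever the
# server puts after it in the handshake (EXTRA). Exit status 0 means the
# chain could be built; non-zero is the failure shown in the post.
verify_as_client() {
  root=$1; leaf=$2; extra=${3:-}
  if [ -n "$extra" ]; then
    openssl verify -CAfile "$root" -untrusted "$extra" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# chain_status ROOT LEAF [EXTRA]: prints "ok" or "broken" for the same inputs.
chain_status() {
  if verify_as_client "$@"; then echo ok; else echo broken; fi
}

# count_certs_sent HOST [PORT]: how many certificates a live server hands out.
# A server that ships its intermediate returns 2 or more; the post's server
# would return 1. Network call, left for the reader to run against a real host.
count_certs_sent() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Server sends only the leaf (what the first s_client run in the post shows):
echo "leaf only:           $(chain_status root.pem leaf.pem)"
# Server also sends the intermediate (what SSLCertificateChainFile achieves):
echo "leaf + intermediate: $(chain_status root.pem leaf.pem inter.pem)"
```

The -untrusted file plays the role of the extra certificates a server sends in its Certificate message; -CAfile plays the role of the client's trust store. After adding the intermediate bundle to the vhost and restarting, count_certs_sent against the real host is the quick check that the fix actually changed what the server sends, independent of whatever happens to be cached in the machine running the test.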