https://issues.apache.org/bugzilla/show_bug.cgi?id=52630
Kaspar Brand <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                URL|https://bugzilla.mozilla.or |
                   |g/show_bug.cgi?id=725652    |
            Version|2.2.22                      |2.2.16
         Resolution|                            |INVALID
           Severity|major                       |normal

--- Comment #5 from Kaspar Brand <[email protected]> 2012-02-11 06:47:34 UTC ---

This is a configuration issue. From your httpd log on Mozilla's Bugzilla
(which is definitely the wrong place to post it to):

  [Thu Feb 09 15:54:43 2012] [error] [client 192.168.180.174] Certificate Verification: Error (20): unable to get local issuer certificate

Either your client/browser isn't sending any intermediate CAs in the
handshake, or mod_ssl can't locate them locally either. (Or third, if you're
using a single-tier CA hierarchy, mod_ssl can't locate the root cert itself.)

> I have basically this configuration for client auth:
> SSLCACertificatePath
> pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.crt.d
> SSLCADNRequestPath
> pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d
> SSLCARevocationPath
> pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.crl.d
>
> All these three files are actually symbolic links to the directory
> /etc/grid-security/certificates

There's no point in setting SSLCACertificatePath and SSLCADNRequestPath to
the exact same directory (see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcadnrequestfile).

Looking at the directives quoted above, it should be noted that they specify
*relative* paths. Unless there's a "pki" subdirectory in your HTTPD_ROOT (see
httpd -V), mod_ssl won't be able to find the CA certs this way.
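The path check suggested in the comment above, as an added example that is not part of the original bug report or of httpd: it resolves a relative CA path against the HTTPD_ROOT printed by `httpd -V` and reports whether the directory exists and holds hash-named entries. The function names are hypothetical, and it assumes ServerRoot is left at the compiled-in HTTPD_ROOT.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from httpd or the bug report).
# Usage on a real host, with the relative path quoted in the report:
#   check_ca_dir "$(httpd -V | httpd_root_from_v)" \
#       pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.crt.d

# Read `httpd -V` output on stdin and print the compiled-in HTTPD_ROOT.
httpd_root_from_v() {
    sed -n 's/^ *-D HTTPD_ROOT="\(.*\)"$/\1/p'
}

# resolve_path ROOT PATH: absolute paths are kept unchanged, relative
# paths are joined to ROOT (assumption: ServerRoot equals HTTPD_ROOT).
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# check_ca_dir ROOT PATH: print a status word and the resolved directory.
# Returns 0 only if the directory exists and contains at least one entry
# named like an OpenSSL subject-hash file (8 hex digits, a dot, a number),
# which is the naming SSLCACertificatePath lookups rely on.
check_ca_dir() {
    dir=$(resolve_path "$1" "$2")
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    for f in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then
            echo "OK $dir"
            return 0
        fi
    done
    echo "NO_HASH_LINKS $dir"
    return 1
}
```

A `MISSING` result for the resolved path corresponds to the situation the comment describes, where mod_ssl cannot find the CA certificates and verification fails with error 20.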
