https://issues.apache.org/bugzilla/show_bug.cgi?id=56566

            Bug ID: 56566
           Summary: Spurious "Failed to configure CA certificate chain!"
                    errors
           Product: Apache httpd-2
           Version: 2.4.6
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 31663
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31663&action=edit
Patch

I have an Apache cluster of 16 machines all with identical config.  Half the
vhosts are SSL-enabled and half use SSL to connect to mod_proxy backends.

I sometimes see the "Failed to configure CA certificate chain" error when
gracefully reloading Apache on the cluster: the result is that Apache reloads
fine on most nodes, but dies on one or two of the nodes (not so great when the
nodes are handling production traffic!).

I recently added a vhost which had client SSL auth enabled (in particular, it
contains the SSLCACertificatePath directive, which no other vhost has), and
this was when this problem really came out.  After adding the vhost, the error
message seemed to start to appear more frequently on reloading (as described
above), and in addition, on two out of the 16 boxes in the cluster, Apache just
would not start, with the same error; the remaining 14 boxes were fine.  (Yes,
the config and certs were absolutely identical, I checked and double-checked
and triple-checked that, and even went as far as checksumming everything on the
disk of a failing node and the disk of a working node, and there were no
significant differences.)

I haven't been able to reproduce this issue in my test environment.

Googling around, I came across bug 21160
(https://issues.apache.org/bugzilla/show_bug.cgi?id=21160), where the reporter
was seeing remarkably similar issues.

Following the logic of that bug fix, I patched my Apache as attached, and this
seems to have fixed the problem.  I'm sure I haven't addressed the root cause,
though.

I have a feeling it might be something to do with the SSL error queue not being
cleared when loading CA certificates in the path specified by
SSLCACertificatePath.  In case it's relevant, some of my vhosts give warnings
like this:

  [ssl:warn] [pid 19690:tid 140658685736768] AH01909: RSA certificate
configured for vhost12:443 does NOT include an ID which matches the server name

(this is due to the slightly odd way the vhosts are configured).

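The mechanism the report suspects, as an added example that is not part of the original report and is not httpd's or OpenSSL's code: a chain loader that decides "clean end of file" by peeking at the OpenSSL error queue is only correct if that queue is empty when it starts. The queue, the library/reason codes and the record reader below are constructed stand-ins so the program runs without OpenSSL; with the real library the corresponding calls are ERR_clear_error() before the PEM_read_bio_X509() loop and ERR_peek_error() / ERR_get_error() after it.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for OpenSSL's ERR_LIB_* and reason codes (assumed values, not
 * the real constants). */
enum { LIB_PEM = 9, LIB_X509 = 11 };
enum { PEM_R_NO_START_LINE = 108, X509_R_CERT_NOT_FOUND = 120 };

/* A tiny model of the per-thread OpenSSL error queue. */
#define QUEUE_MAX 16
static unsigned long err_queue[QUEUE_MAX];
static int err_count = 0;

/* Pack lib and reason like ERR_PACK: library in the high byte. */
static unsigned long err_pack(int lib, int reason)
{
    return ((unsigned long)lib << 24) | (unsigned long)reason;
}
static int err_get_lib(unsigned long e)    { return (int)(e >> 24); }
static int err_get_reason(unsigned long e) { return (int)(e & 0xFFFUL); }

static void err_put(int lib, int reason)
{
    if (err_count < QUEUE_MAX)
        err_queue[err_count++] = err_pack(lib, reason);
}

/* Like ERR_peek_error(): returns the OLDEST queued error, or 0 if none.
 * This is the property that matters: an older, unrelated entry shadows the
 * one the chain loader expects to see. */
static unsigned long err_peek(void)
{
    return err_count ? err_queue[0] : 0;
}

/* Like ERR_clear_error(). */
static void err_clear(void)
{
    err_count = 0;
}

/*
 * Chain loader using the peek-for-EOF idiom: read certificates until the
 * reader returns NULL, then treat the result as success only if the queued
 * error is PEM "no start line" (the normal end-of-file condition).
 * Input is a constructed list of records; "CERT" stands for one PEM block.
 * Returns the number of certificates loaded, or -1 for a (possibly spurious)
 * failure, i.e. the "Failed to configure CA certificate chain!" path.
 */
static int load_chain(const char *const *records, int n_records, int clear_first)
{
    int i, loaded = 0;
    unsigned long e;

    if (clear_first)
        err_clear();                /* the fix: start from a known-empty queue */

    for (i = 0; i < n_records && strcmp(records[i], "CERT") == 0; i++)
        loaded++;

    /* The reader returned NULL: at end of input (or at a non-PEM record) it
     * queues PEM_R_NO_START_LINE, as PEM_read_bio_X509 does. */
    err_put(LIB_PEM, PEM_R_NO_START_LINE);

    e = err_peek();
    if (!(err_get_lib(e) == LIB_PEM && err_get_reason(e) == PEM_R_NO_START_LINE))
        return -1;                  /* looks like a real error: abort */

    err_clear();                    /* drain the expected EOF error */
    return loaded;
}

/* An earlier, unrelated step (think: a lookup in a CA directory that found
 * nothing) that fails and leaves its error on the queue without draining it.
 * Constructed for the example; which step does this in httpd is not shown. */
static void stale_error_from_earlier_step(void)
{
    err_put(LIB_X509, X509_R_CERT_NOT_FOUND);
}

/* Runs one scenario on a constructed three-certificate chain.
 * Returns 3 on success, -1 on the spurious failure. */
static int run_scenario(int stale, int clear_first)
{
    static const char *const chain[] = { "CERT", "CERT", "CERT" };

    err_clear();
    if (stale)
        stale_error_from_earlier_step();
    return load_chain(chain, 3, clear_first);
}

int main(void)
{
    printf("clean queue, no clear:  %d\n", run_scenario(0, 0));
    printf("stale error, no clear:  %d\n", run_scenario(1, 0));
    printf("stale error, cleared:   %d\n", run_scenario(1, 1));
    return 0;
}
```

Running it prints 3, -1, 3: the same three-certificate chain loads cleanly, fails when an unrelated error is already queued, and loads again once the queue is cleared first. The reason is that ERR_peek_error() returns the oldest queued entry, so whatever an earlier step left undrained, rather than the PEM end-of-file marker, is what the check inspects. Nothing here establishes that this is what happens on the reporter's cluster; it only shows the failure mode the report's error-queue hypothesis describes, and why a queue that depends on what earlier lookups did can make identical nodes behave differently.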