On Aug 9, 3:54pm, Charles Tassell wrote:
} At 12:01 AM 8/9/99, you wrote:
}
} > I'm trying to get mod_ssl running. I'm using NetBSD 1.3.3, Apache
} >1.3.6, and Openssl 0.9.3a. It works for regular connections, but
} >doesn't work for secure connections. When I try to make an https with
} >Communicator 4.61, it says that the server's certificate is invalid, so
} >I can't make a secure connection, and this is what is recorded in the
} >log file:
} >
} >[Sun Aug 8 19:28:29 1999] [error] mod_ssl: SSL handshake failed (client
} >204.174.230.6, server www.fibrenet.com:443) (OpenSSL library error follows)
} >[Sun Aug 8 19:28:29 1999] [error] OpenSSL: error:0B07C065:x509 certificate
} >routines:X509_STORE_add_cert:cert already in hash table
} >[Sun Aug 8 19:28:29 1999] [error] OpenSSL: error:14094412:SSL
} >routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
} >certificate not server name!?]
} >
} >I generated the certificate using "make certificate" in the Apache src
} >directory and copied it into place. The CN in the certificate does
} >match the server name, and the server didn't complain about a mismatch
} >at startup.
}
} You've probably already checked this, but there are two places to put the
} ServerName, once at the top of httpd.conf, and then again inside the SSL
} VirtualHost block. Are they both the same, and do they match the CN for
} the certificate?
Yes, everything matches. I meant to mention the version of
modssl, it was 2.3.11-1.3.6. According to the release notes, that
version is supposed to check for inconsistencies with the CN at startup
time, and give a warning; it didn't. Anyways, I tried the trick that
somebody else mentioned, "make certificate TYPE=custom" and that
worked. Given the second error message, "cert already in hash table",
and the thread about the cache not being cleared on server restart, I'm
wondering if my problem could have been due to old stuff being in the
cache from my early trials. It would be nice to find out, but some of
this is moot, because I now have a working server.
}-- End of excerpt from Charles Tassell
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
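
The check suggested in the thread (both ServerName entries matching the certificate's CN) can be scripted. This is an added example, not code from the posters or from mod_ssl; the config fragment, subject lines, hostnames and function names are constructed for illustration, and it assumes plain hostnames with exact, case-insensitive matching (no wildcards).

```python
import re

# Constructed sample: httpd.conf fragment with the two ServerName locations.
SAMPLE_CONF = """\
ServerName www.example.com
<VirtualHost _default_:443>
    # ServerName www.example.com
    ServerName secure.example.com
    SSLEngine on
</VirtualHost>
"""

# Constructed samples of `openssl x509 -noout -subject -in server.crt` output,
# in the old slash-separated layout and the newer comma-separated layout.
SAMPLE_SUBJECTS = [
    "subject= /C=CA/O=Example/CN=www.example.com/emailAddress=root@example.com",
    "subject=C = CA, O = Example, CN = www.example.com",
]

def subject_cn(subject_line):
    """Return the CN value from an openssl subject line, or None if absent."""
    m = re.search(r"(?:^|[/,=\s])CN\s*=\s*([^/,]+)", subject_line)
    return m.group(1).strip() if m else None

def server_names(conf_text):
    """Return (scope, name) pairs; scope is 'global' or the VirtualHost address."""
    scope, found = "global", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out directives
            continue
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if vhost:
            scope = vhost.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            scope = "global"
        elif line.split()[0].lower() == "servername" and len(line.split()) > 1:
            found.append((scope, line.split()[1]))
    return found

def mismatches(conf_text, subject_line):
    """Return every (scope, ServerName) that differs from the certificate CN."""
    cn = subject_cn(subject_line)
    return [(scope, name) for scope, name in server_names(conf_text)
            if cn is None or name.lower() != cn.lower()]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(subject_cn(subject), mismatches(SAMPLE_CONF, subject))
```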