[Bug 63524] Private key must be accompanied by certificate chain

2019-07-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #22 from Mark Thomas --- No need to switch from APR/Native to NIO2. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe,

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #21 from Arnaud Kleinveld --- (In reply to Mark Thomas from comment #20) > Yes. For the Sectigo key/cert use certificateChainFile="/path/to/dv/bundle". > > For the letsencrypt key, if you convert it from PKCS#1 to PKCS#8 (openssl

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-13 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #20 from Mark Thomas --- Yes. For the Sectigo key/cert use certificateChainFile="/path/to/dv/bundle". For the letsencrypt key, if you convert it from PKCS#1 to PKCS#8 (openssl can do this) that should be OK as well.

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #19 from Arnaud Kleinveld --- Great and thank you for your excellent support. Looking forward to AWS update announcement. This may take a while I guess. Do I understand correctly that in the meantime I can solve the problem by

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|---

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #17 from Mark Thomas --- There are two separate issues here. The first is that the mechanism we are using to translate keys and certs to a common format internally is stricter than OpenSSL and requires a valid certificate chain. I

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 Mark Thomas changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #16 from Mark Thomas

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #15 from Mark Thomas --- My public keys for ma...@apache.org are listed here: http://people.apache.org/keys/committer/ The first one (A9C5 ...) is my preferred one.

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #14 from Arnaud Kleinveld --- Perhaps I can send to your email if you have a personal public key.

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #13 from Mark Thomas --- There isn't much in the way of logging to enable that would help here. What we really need is a set of keys/certs to reproduce the issue. The simple solution (send me the keys/certs you are having the

[Bug 63524] Private key must be accompanied by certificate chain

2019-07-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #12 from Arnaud Kleinveld --- Hi, sorry for my late reply. I have gone through various options but I don't see how I can reproduce this error. The Apache httpd server is using the same certificates without any issues. Is there some

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 Mark Thomas changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #11 from Mark

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #10 from Christopher Schultz --- I realize that this conversation is headed in another direction, but... (In reply to Mark Thomas from comment #4) > OpenSSL can handle DER quite happily but the code we added to enable you to >

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #9 from Mark Thomas --- Thanks. That looks like a PEM encoded PKCS#1 key and a PEM encoded X509 cert. When I start 8.5.40 with those I don't see the error you see. I've tested with the oldest and latest versions of OpenSSL. I

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #8 from Arnaud Kleinveld --- (In reply to Mark Thomas from comment #7) > There should be lines of headers / footers in each file starting "---". Can > you list all the headers and footers present in each file please (this > should

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #7 from Mark Thomas --- There should be lines of headers / footers in each file starting "---". Can you list all the headers and footers present in each file please (this should help to ID the format being used).

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #6 from Arnaud Kleinveld --- (In reply to Mark Thomas from comment #4) > Success! From a certain point of view. I have been able to recreate this. > You will see this error if your certs are in DER rather than PEM format. > >

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #5 from Arnaud Kleinveld --- Hi Mark, thank you for your quick and comprehensive replies. I am not using Beanstalk and have instead manually configured Tomcat. As far as I know my certificates are in PEM format because I can read

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #4 from Mark Thomas --- Success! From a certain point of view. I have been able to recreate this. You will see this error if your certs are in DER rather than PEM format. OpenSSL can handle DER quite happily but the code we added

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #3 from Mark Thomas --- Looking at this a bit more I haven't been able to reproduce it yet. I suspect it is related to the cert files being used. Is it possible for you to create a set of test files that reproduces the issue?

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #2 from Mark Thomas --- That sounds very much like bug 62526. That should be fixed in 8.5.40 though. Are you using AWS Elastic Beanstalk? If not can you provide more environment details please. We may need to re-create this on AWS

[Bug 63524] Private key must be accompanied by certificate chain

2019-06-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 --- Comment #1 from Arnaud Kleinveld --- The domain1 configuration is also in use by a httpd server which is working fine. Upgraded lets-encrypt-x1-cross-signed.pem to lets-encrypt-x3-cross-signed.pem for domain2, unfortunately that didn't