Re: Apache2 on 5.7 = certificate error

2015-05-18 Thread Stefan Sperling
On Mon, May 18, 2015 at 10:04:03AM -0400, John Merriam wrote:
 I get the following error in the error_log when I try to start Apache2:
 
 [Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate chain!
 
 The certificate is a wildcard certificate from RapidSSL.
 
 I have their 'intermediate CA bundle' from here:
 
 https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459
 
 in a file that is pointed to with the SSLCertificateChainFile directive in 
 my Apache2 config.

What does this file contain exactly? I believe mod_ssl expects the server
certificate followed by any intermediate CA certificates up to the root
CA cert, all in PEM format, in one file.

It's very odd that the behaviour between 5.6 and 5.7 changed.
None of the upstream changes between 2.2.27 and 2.2.29 seem to apply.
http://www.apache.org/dist/httpd/CHANGES_2.2

Given your error message, the point of failure in mod_ssl is a call to
SSL_CTX_use_certificate_chain(), a function name which exists in mod_ssl
and also existed in LibreSSL for a brief period before 5.7, during which
time mod_ssl's version was renamed in our ports tree.
Before release, LibreSSL's function was renamed and mod_ssl's version
renamed back to its original name. This should not matter at all unless
something unexpected happened during release package builds (unlikely).

Can you make it work by using alternative configuration options, such as
SSLCertificateFile and SSLCACertificateFile or SSLCACertificatePath?
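Stefan's first question is what the chain file actually contains and in what order. The script below is an added example (not code from the thread or from httpd) that answers it with the tools already on the box, awk and the openssl command from LibreSSL or OpenSSL: it splits a PEM bundle into its certificates, prints each one's subject and issuer, flags expired certificates, and checks that each certificate is issued by the one that follows it, i.e. leaf first, intermediates next, root last. The file path is an argument; nothing is assumed about the RapidSSL bundle itself.

```shell
#!/bin/sh
# Inspect a PEM bundle the way mod_ssl will read it (SSLCertificateChainFile
# or SSLCACertificateFile): list every certificate's subject and issuer,
# flag expired certificates, and check that each certificate is issued by
# the one that follows it (leaf first, intermediates next, root last).
# Added example for this thread, not code from the list or from httpd.

# Number of PEM certificate blocks in a file (prints 0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Emit only the N-th (1-based) PEM block of a bundle on stdout.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# Print the subject or issuer of the N-th cert in RFC 2253 form, without the
# "subject=" / "issuer=" label (LibreSSL and OpenSSL print it differently).
name_field() {
    nth_cert "$1" "$2" | openssl x509 -noout -nameopt RFC2253 "-$3" |
        sed 's/^[a-z]*= *//'
}

# Walk the bundle; return 0 when the chain order is consistent and nothing
# has expired, 1 when a certificate is out of order, expired, or missing.
check_chain_order() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    n=$(count_certs "$file"); i=1; rc=0
    [ "$n" -gt 0 ] || { echo "no PEM certificates in $file" >&2; return 1; }
    while [ "$i" -le "$n" ]; do
        subj=$(name_field "$file" "$i" subject)
        iss=$(name_field "$file" "$i" issuer)
        printf '%d: subject=%s\n   issuer=%s\n' "$i" "$subj" "$iss"
        # -checkend 0 exits non-zero once notAfter has passed
        if ! nth_cert "$file" "$i" | openssl x509 -noout -checkend 0 >/dev/null; then
            echo "   !! certificate $i has expired"; rc=1
        fi
        # cert i must be issued by cert i+1; the last cert (root) is not checked
        if [ "$i" -lt "$n" ] && [ "$iss" != "$(name_field "$file" $((i + 1)) subject)" ]; then
            echo "   !! certificate $i is not issued by certificate $((i + 1))"; rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}
```

Run it as `check_chain_order /path/to/bundle.pem`; a bundle that lists the intermediate before the leaf, or that still carries an expired cross-signing certificate, is reported with the offending position.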



Re: Apache2 on 5.7 = certificate error

2015-05-18 Thread John Merriam
On Mon, 18 May 2015, Stefan Sperling wrote:
 On Mon, May 18, 2015 at 10:04:03AM -0400, John Merriam wrote:
  I get the following error in the error_log when I try to start Apache2:
  
  [Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate chain!
  
  The certificate is a wildcard certificate from RapidSSL.
  
  I have their 'intermediate CA bundle' from here:
  
  https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459
  
  in a file that is pointed to with the SSLCertificateChainFile directive in 
  my Apache2 config.
 
 What does this file contain exactly? I believe mod_ssl expects the server
 certificate followed by any intermediate CA certificates up to the root
 CA cert, all in PEM format, in one file.
 
 It's very odd that the behaviour between 5.6 and 5.7 changed.
 None of the upstream changes between 2.2.27 and 2.2.29 seem to apply.
 http://www.apache.org/dist/httpd/CHANGES_2.2
 
 Given your error message, the point of failure in mod_ssl is a call to
 SSL_CTX_use_certificate_chain(), a function name which exists in mod_ssl
 and also existed in LibreSSL for a brief period before 5.7, during which
 time mod_ssl's version was renamed in our ports tree.
 Before release, LibreSSL's function was renamed and mod_ssl's version
 renamed back to its original name. This should not matter at all unless
 something unexpected happened during release package builds (unlikely).
 
 Can you make it work by using alternative configuration options, such as
 SSLCertificateFile and SSLCACertificateFile or SSLCACertificatePath?
 

Yes, it was very odd to me as well that it didn't work after the upgrade.  
I didn't change a single bit of my Apache2 config.  I checked 
/usr/local/share/examples/apache2/conf/* for changes after the upgrade.  
Since there were none I didn't change anything.

I just changed SSLCertificateChainFile to SSLCACertificateFile in my 
httpd-ssl.conf and it works!  I should have thought of trying something 
like that...

The file pointed to in my SSLCertificateChainFile (and now 
SSLCACertificateFile) directives contains:


which is the RapidSSL 'RSA SHA-2 (under SHA-1 Root) intermediate CA 
bundle' which was copied 

Apache2 on 5.7 = certificate error

2015-05-18 Thread John Merriam
Hello.  I have upgraded my home server from OpenBSD 5.6 to 5.7.  It is 
amd64 and it is on -stable with -stable ports.

Everything is working fine after the upgrade except SSL in Apache2 
(apache-httpd package/port).

I get the following error in the error_log when I try to start Apache2:

[Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate chain!

The certificate is a wildcard certificate from RapidSSL.

I have their 'intermediate CA bundle' from here:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459

in a file that is pointed to with the SSLCertificateChainFile directive in 
my Apache2 config.

This worked fine with the old Apache2 in 5.6.

I've tried several different things to try to convince it to work but 
nothing has done the trick yet.

I use the same certificate in sendmail and dovecot on the same server and 
it is working fine with those two daemons.

Any ideas or suggestions as to what the problem may be or where I should 
start digging?  Thanks!

-- 

John Merriam