Friday, February 27, 2015

Why don't you trust me, foxy browser?

I'm looking at my blog counters and realize how lucky I am. Recently I found a small configuration issue in my Apache 2.4 SSL configuration. It may not affect you at all, especially if you have a one-hop trust chain between you and your CA. But if the stars have lined up badly after a system reconfiguration, you get this:



It means there is more than one certificate in the trust chain, so Firefox can't build it by itself: it has no information about the issuing certificates. Normally it means the HTTP server doesn't present the full chain, only the server certificate and issuer information.
It's very easy to fix:
Get all your CA certificates in PEM format and concatenate them into a single file. Do not forget to put them in the proper order. If you have a chain like this:

server-cert.pem → sub-ca2-cert.pem → sub-ca1-cert.pem → root-ca.pem

then you should build your file as:

# cat sub-ca2-cert.pem sub-ca1-cert.pem root-ca.pem >/etc/httpd/conf/ssl.crt/ca-certs-chain.pem

Open your SSL-enabled site definition and add one more directive to the configuration:

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca-certs-chain.pem

Save configuration files.

This is the right time to notice that you may have as many chains as you need and maintain two virtual sites with non-matching trust chains; just put each chain in the right place. Check the configuration syntax:

#/usr/local/apache2/bin/apachectl -t

Syntax is Ok.


With OHS servers you have no choice: a full stop and start. It is fast, but it means a service break. With Apache you have a neat option: a graceful restart.

#/usr/local/apache2/bin/apachectl -k graceful 

After a while all sessions will use the new configuration.
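The procedure above is easy to get wrong silently: a chain file with the certificates in the wrong order, or with an intermediate missing, is accepted by `apachectl -t` and still leaves the browser unable to build the chain. The following script, an added example and not part of the original post, builds the chain file while checking that each certificate was issued by the one after it, validates the result with `openssl verify`, and counts the certificates a live server actually sends. It assumes the `openssl` command-line tool is available; the CA hierarchy it generates under a temporary directory (root-ca.pem, sub-ca1-cert.pem, sub-ca2-cert.pem, server-cert.pem, mirroring the chain named in the post) is constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: build the chain file for
# SSLCertificateChainFile in the right order and verify every link before
# deploying it. Assumes the openssl CLI is installed. All files under $dir are
# constructed for this demo; in production the output would be
# /etc/httpd/conf/ssl.crt/ca-certs-chain.pem as in the post.
set -eu

# new_csr DIR NAME SUBJECT: generate a P-256 key and a CSR (demo PKI only).
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# make_demo_pki DIR: constructed hierarchy mirroring the post's chain
#   server-cert.pem -> sub-ca2-cert.pem -> sub-ca1-cert.pem -> root-ca.pem
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
    new_csr "$dir" root "/CN=Demo Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 1 \
        -days 2 -extfile "$dir/ca.ext" -out "$dir/root-ca.pem" 2>/dev/null
    new_csr "$dir" sub-ca1 "/CN=Demo Sub CA 1"
    openssl x509 -req -in "$dir/sub-ca1.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 2 -extfile "$dir/ca.ext" -out "$dir/sub-ca1-cert.pem" 2>/dev/null
    new_csr "$dir" sub-ca2 "/CN=Demo Sub CA 2"
    openssl x509 -req -in "$dir/sub-ca2.csr" -CA "$dir/sub-ca1-cert.pem" -CAkey "$dir/sub-ca1.key" \
        -set_serial 3 -days 2 -extfile "$dir/ca.ext" -out "$dir/sub-ca2-cert.pem" 2>/dev/null
    new_csr "$dir" server "/CN=www.example.test"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/sub-ca2-cert.pem" -CAkey "$dir/sub-ca2.key" \
        -set_serial 4 -days 2 -extfile "$dir/leaf.ext" -out "$dir/server-cert.pem" 2>/dev/null
}

# build_chain OUT LEAF CA...: write the CA certificates to OUT in the given
# order, failing if any certificate was not issued by the one that follows it.
# The leaf is only used to check the first link; it is not written to OUT.
# Issuer/subject are compared by OpenSSL's canonical name hash, so the check
# does not depend on how a given OpenSSL version prints distinguished names.
build_chain() {
    out=$1; prev=$2; shift 2
    : > "$out"
    for cert in "$@"; do
        if [ "$(openssl x509 -in "$prev" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$cert" -noout -subject_hash)" ]; then
            echo "chain break: $(basename "$prev") is not issued by $(basename "$cert")" >&2
            return 1
        fi
        cat "$cert" >> "$out"
        prev=$cert
    done
}

# verify_chain_file ROOT CHAIN LEAF: does the leaf validate using only the
# chain file plus the root? This is the linkage a browser has to rebuild.
verify_chain_file() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# served_cert_count HOST PORT: number of certificates the live server sends
# in its handshake; after the fix it should be 1 + the CAs in the chain file.
served_cert_count() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Run `sh chain.sh demo` to build and verify the constructed hierarchy.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    build_chain "$work/ca-certs-chain.pem" "$work/server-cert.pem" \
        "$work/sub-ca2-cert.pem" "$work/sub-ca1-cert.pem" "$work/root-ca.pem"
    verify_chain_file "$work/root-ca.pem" "$work/ca-certs-chain.pem" "$work/server-cert.pem" \
        && echo "chain file OK: $work/ca-certs-chain.pem"
    rm -rf "$work"
fi
```

`build_chain` refuses to write a file whose order is wrong, which is exactly the mistake a plain `cat` lets through, and `served_cert_count host 443` after the graceful restart confirms that the running server now sends the intermediates. One caveat worth knowing: from Apache 2.4.8 on, `SSLCertificateChainFile` is deprecated, and the intermediates can instead be appended to the file named by `SSLCertificateFile`; the ordering rule and the checks above apply unchanged.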

Will Firefox trust you after that? It depends on the reputation of the issuing CA; at least now you present all your credentials.
