
"Unable to configure verify locations for client authentication"


Bill Moseley

Aug 12, 2010, 4:02:57 PM
I am not trying to set up client auth on Apache, just install a new SSL certificate.

The instructions[1] for the new certificate say to install an intermediate certificate:

SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

I've done that, confirmed the paths and the certificate, but apache reports:

[error] Unable to configure verify locations for client authentication

If I comment out that directive in httpd.conf the server starts fine and the site works ok for some newer browsers but older browsers (including FF3.6.8) report that the CA is unknown.

Searching Google for that error message I find mostly people trying to set up client auth, which I'm not trying to do.

For example: http://www.mail-archive.com/modssl...@modssl.org/msg17547.html, but again that user was trying to set up client auth, plus SSLCADNRequestFile is not a known config setting in my environment.


Running an old version of Apache, unfortunately:

 Apache/2.0.54 (Debian GNU/Linux) mod_ssl/2.0.54 OpenSSL/0.9.7e

Any ideas?

Thanks,



--
Bill Moseley
mos...@hank.org

Bill Moseley

Aug 12, 2010, 6:07:02 PM


On Thu, Aug 12, 2010 at 1:56 PM, <aero...@gmail.com> wrote:
> You're looking at a couple of issues here.  (First, please be aware that this is the OpenSSL users list, not necessarily a mod_ssl support list; however, since they're intertwined, we do have some knowledge of mod_ssl.)

Plus, signal-to-noise ratio is quite good here. ;)

> What you need to do is change that from 'SSLCACertificateFile' to 'SSLCACertificateChainFile'.

So you mean combine my certificate and the intermediate certificate?

   cat my_site.crt intermediate.crt > bundle.crt 

 
   SSLCACertificateChainFile /etc/apache2/ssl/bundle.crt


Invalid command 'SSLCACertificateChainFile', perhaps mis-spelled or defined by a module not included in the server configuration

There's SSLCertificateChainFile, but if I set that w/o SSLCertificateFile I get:

[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

And with SSLCertificateFile and SSLCertificateChainFile set I still have the same issue that some browsers report:

The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)

In Firefox, but Chrome accepts it fine.

Again, I am not using client authentication.

Thanks,


--
Bill Moseley
mos...@hank.org
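
An added example, not part of the thread: an offline check of whether a site certificate chains to a trusted root with and without an intermediate file, the condition a client tests before reporting an unknown issuer. The PKI, the subject names and the `make_pki` and `chain_ok` helpers are constructed for illustration; only the file names `my_site.crt` and `intermediate.crt` mirror the ones used above.

```sh
#!/bin/sh
# Added example: every key and certificate here is a throwaway built for the demo.
set -eu

# Build a constructed root -> intermediate -> leaf PKI in directory $1.
make_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/pki.cnf"
  # Self-signed root CA (stands in for a root the client already trusts).
  openssl req -config "$d/pki.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root and marked CA:TRUE.
  openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/pki.cnf" -extensions ca -out "$d/intermediate.crt" 2>/dev/null
  # Site (leaf) certificate, signed by the intermediate.
  openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
  openssl x509 -req -in "$d/site.csr" -CA "$d/intermediate.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/my_site.crt" 2>/dev/null
}

# chain_ok ROOT LEAF [CHAINFILE]
# Succeeds only if LEAF verifies against ROOT, optionally helped by the
# untrusted intermediates in CHAINFILE (what the server would send).
chain_ok() {
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || return 1
  case $out in *": OK") return 0 ;; *) return 1 ;; esac
}

dir=$(mktemp -d)
make_pki "$dir"
if chain_ok "$dir/root.crt" "$dir/my_site.crt"; then
  echo "site cert alone: chain OK"
else
  echo "site cert alone: issuer not found"
fi
if chain_ok "$dir/root.crt" "$dir/my_site.crt" "$dir/intermediate.crt"; then
  echo "site cert + intermediate: chain OK"
else
  echo "site cert + intermediate: issuer not found"
fi
rm -rf "$dir"
```

To check real files, pass the CA's root certificate, the site certificate and the file given to `SSLCertificateChainFile` to `chain_ok`.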