[SOLVED] Apache 2.2 and RapidSSL Wildcard chain issues

nullifi · 09-24-2012, 01:56 PM

Greetings,

I'm having a terrible time setting up Apache 2.2 to use my RapidSSL wildcard certificate. I'm moving our website from a working Apache installation on Windows, to a CentOS 6.3 VM. Everything is working fine on the Windows box, but when I setup Apache and started moving the site over, SSL wasn't validating properly.

I've specified the relevant server.crt/server.key and downloaded RapidSSL's CA bundle and specified that (I've tried SSLCACertificateFile and SSLCertificateChainFile.)

No matter what I do, my browser (Chrome, Firefox and IE) only receive the server.crt, claiming it's a self signed certificate. When I ran the OpenSSL verify command, it returned saying it was a self signed certificate as well. If I verified the CA bundle, it verified ok, though.

Does anyone have any advice on where I need to look to find out what's going on here?

Relevant virtual hosts declaration:

Code:

        # Site specific SSL stuff
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLProtocol all -SSLv2
        SSLCertificateFile /etc/httpd/conf/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/server.key
        SSLCertificateChainFile /etc/httpd/conf/rapidssl.crt
        #SSLCACertificateFile /etc/httpd/conf/rapidssl.crt
        CustomLog logs/ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

For the CA chain file, I've tried just using what RapidSSL provides (It includes the root GeoTrust cert and RapidSSL's cert), I've tried just using RapidSSL's cert.

Any pointers would be greatly appreciated!

Berhanie · 09-25-2012, 08:44 AM

Most likely, apache is presenting the first certificate configured for an name virtual host, the one listed in the <VirtualHost _default_:443> stanza. Using a browser, you can see exactly which certificate is being presented to it. Then, compare it to both /etc/httpd/conf/server.crt and the certificate mentioned in the _default_ stanza above. Use the "openssl x509" to examine your server certs, for example:

Code:

openssl x509  -in /etc/httpd/conf/server.crt -noout -text

If this is the problem, you can alter the SSL setup for the _default_ ssl virtual host.

You may also want to read about SNI.

nullifi · 10-01-2012, 12:43 PM

Thanks, it was indeed the wrong certificate. It looked right (It was a wildcard for the domain) but when I compared the fingerprints they were different. I re-copied the file and it worked fine after that. Not quite sure what I did wrong.