Hi --

I'm experiencing a problem setting up SSL using mod_ssl.

I'm trying to get ssl running on my client's ISP-hosted virtual server:
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.4.1

I have a cert from Comodo.

SSL works properly for my recent browsers (Firefox 1.07, IE 6.0) but an
older version of Opera doesn't recognize the cert and prompts the user to
accept it.

That situation should be fixed by installing the ca-bundle file supplied by
Comodo, and setting the SSLCACertificateFile parameter in httpd.conf.

However, when I add the line
SSLCACertificateFile /path/to/comodo-ca-bundle

Apache dies when restarting, and logs the following OpenSSL errors:

>[07/Feb/2006 11:57:08 25653] [error] Init: (www.domain.com:443) Unable to
>configure verify locations for client authentication (OpenSSL library
>error follows)
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:02001002:system
>library:fopen:No such file or directory
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:2006D002:BIO
>routines:BIO_new_file:system lib
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0E064002:configuration
>file routines:CONF_load:system lib
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0906D06C:PEM
>routines:PEM_read_bio:no start line [Hint: Bad file contents or format -
>or even just a forgotten SSLCertificateKeyFile?]
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:0B084009:x509
>certificate routines:X509_load_cert_crl_file:missing asn1 eos


I'm not sure what all that means. The SSLCertificateKeyFile is there, and
it works fine as long as there is no mention of SSLCACertificateFile.

Note that openssl itself is not installed on the server. The ISP has an
interface for generating the csr and creating the key. The second time I
generated the files on another similar server, but the end result is the same.
I'm wondering if possibly openssl is looking for its configuration file
openssl.cnf, and that is what is not being found.

Any ideas?

Liam



Liam Kirsher
415-456-4420
415-438-0384 (cell)
PGP: http://liam.numenet.com/pgp/


__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org