Apache SSL certificate verification

I've got a setup where I need to control https access to several Linux
servers, and so I've generated my own CA certificate and users have
certificates signed against this. I've set up Apache on these servers
to access my certificate:

<VirtualHost *:443>
        DocumentRoot /data

        # self-signed server certificate
        SSLCertificateFile /etc/ssl/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key

        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificatePath /etc/apache2/certs
        SSLCACertificateFile /etc/apache2/certs/cacert.pem
</VirtualHost>

Files are downloaded with:

curl -k --cert ./pass.pem https://server/file.zip -o file.zip

...for 4/6 servers this is fine, but for the other two I get:

curl: (60) Peer certificate cannot be authenticated with known CA certificates

But, on all servers...

openssl verify -CAfile /etc/apache2/certs/cacert.pem ./pass.pem

...verifies the certificate as expected. Setting SSLVerifyClient to
"none" allows downloads but defeats the point of having the
certificate. Has anyone any idea what the problem might be? Of the two
dodgy machines one is Debian 4.0 and the other is RHEL4.  The working
ones are Gentoo, OpenSuSE and Debian 3.1.
LogLevel is set to "debug" but I can't see any entries when I try to
download a file and the connection is refused.
Thanks.


-- 
"One of the greatest delusions in the world is the hope that the evils in this
world are to be cured by legislation." - Thomas B. Reed 1886

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.