Adding some more info - just now saw this transient error from Chrome:
"Error 126 (net::ERR_SSL_BAD_RECORD_MAC_ALERT): Unknown error."

On Wed, Sep 8, 2010 at 1:03 PM, Yang Zhang <yanghatespam@xxxxxxxxx> wrote:
> I'm running a (self-signed) SSL cert site on Apache/2.2.14 on Ubuntu
> 10.04, but various browsers are giving errors on half the connection
> attempts, and wget too:
>
> $ wget --no-check-certificate https://dev.partyondata.com/deps/
> --2010-09-08 19:30:26-- https://dev.partyondata.com/deps/
> Resolving dev.partyondata.com... 184.72.53.220
> Connecting to dev.partyondata.com|184.72.53.220|:443... connected.
> OpenSSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> OpenSSL: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
> OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
> Unable to establish SSL connection.
>
> Run it right away again and it works:
>
> $ wget --no-check-certificate https://dev.partyondata.com/deps/
> --2010-09-08 19:30:29-- https://dev.partyondata.com/deps/
> Resolving dev.partyondata.com... 184.72.53.220
> Connecting to dev.partyondata.com|184.72.53.220|:443... connected.
> WARNING: cannot verify dev.partyondata.com's certificate, issued by `/CN=dev.partyondata.com':
> Self-signed certificate encountered.
> HTTP request sent, awaiting response... 200 OK
> Length: 3157 (3.1K) [text/html]
> Saving to: `index.html'
>
> 100%[======================================>] 3,157 --.-K/s in 0s
>
> 2010-09-08 19:30:29 (48.6 MB/s) - `index.html' saved [3157/3157]
>
> In my sites-enabled/default-ssl:
>
> SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
> SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
>
> The cert:
>
> The cert is in turn generated via:
>
> $ make-ssl-cert generate-default-snakeoil --force-overwrite
>
> Apache version.
>
> $ apache2 -V
> Server version: Apache/2.2.14 (Ubuntu)
> Server built: Apr 13 2010 20:22:19
> Server's Module Magic Number: 20051115:23
> Server loaded: APR 1.3.8, APR-Util 1.3.9
> Compiled using: APR 1.3.8, APR-Util 1.3.9
> Architecture: 64-bit
> Server MPM: Worker
> threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT=""
> -D SUEXEC_BIN="/usr/lib/apache2/suexec"
> -D DEFAULT_PIDLOG="/var/run/apache2.pid"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
> -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
>
> Any ideas? Thanks in advance for any help.
> --
> Yang Zhang
> http://yz.mit.edu/
>

--
Yang Zhang
http://yz.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx