Something causing "Error 12"/Expired CRL during CRL processing

On Tue, Mar 08, 2016, o haya wrote:

> 
> Our websites are configured for SSL client authentication with CRLs in a directory pointed to by SSLCACertificateRevocationPath and SSLCARevocationCheck set to "chain".  We then place our CRLs in the directory and create the hashes for them using an app or script that we wrote.  I think that this essentially does something like:
> 
> ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0
> 
> However, when we did a test upgrade of one of our production instances, the requests are failing and, in the error logs, we are seeing the following messages:
> 
> 

A couple of possibilities. One is that the time isn't properly set on the
machine which has this problem. Another is that there may be multiple CRLs
with the same hash: have you checked for that? If there are you need to use
the form .r1, .r2 etc.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
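
Added example (not part of the original messages, and not OpenSSL project code): shell functions for the two checks suggested in the reply above, namely comparing the system clock with each CRL's nextUpdate and giving CRLs that share a hash distinct .r0, .r1, ... links. The function names are hypothetical, and the code assumes PEM CRLs named *.crl with no whitespace in their file names.

```shell
#!/bin/sh
# Added example: give colliding CRL hashes distinct .r0, .r1, ... links.
# Assumes PEM CRLs named *.crl, with no whitespace in file names.

# Print "<hash> <file>" for every CRL in directory $1.
list_crl_hashes() {
    for f in "$1"/*.crl; do
        [ -f "$f" ] || continue
        h=$(openssl crl -hash -noout -in "$f") || continue
        printf '%s %s\n' "$h" "$f"
    done
}

# stdin: "<hash> <file>" lines; stdout: "<hash>.r<N> <file>", with N
# counting up from 0 within each hash so no link overwrites another.
plan_links() {
    LC_ALL=C sort | awk '{ n = seen[$1]++; printf "%s.r%d %s\n", $1, n, $2 }'
}

# stdin: "<hash> <file>" lines; stdout: hashes shared by several CRLs.
colliding_hashes() {
    awk '{ print $1 }' | LC_ALL=C sort | uniq -d
}

# Drop the old *.r<N> symlinks in $1 and recreate them from the plan.
relink_crls() {
    dir=$1
    for l in "$dir"/*.r[0-9]*; do
        if [ -L "$l" ]; then rm -f "$l"; fi
    done
    list_crl_hashes "$dir" | plan_links | while read -r link file; do
        ln -s "$(basename "$file")" "$dir/$link"
    done
}

# Print the system clock next to each CRL's nextUpdate field.
show_validity() {
    echo "system time (UTC): $(date -u)"
    for f in "$1"/*.crl; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$f" "$(openssl crl -nextupdate -noout -in "$f")"
    done
}
```

Running `list_crl_hashes DIR | colliding_hashes` on the revocation directory shows whether any hash is shared before `relink_crls DIR` rewrites the links.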

