15

We have an SSL Certificate for our website from Network Solutions. After upgrading Apache/OpenSSL to version 2.4.9, I now get the following warning when starting HTTPD:

AH02559: The SSLCertificateChainFile directive (/etc/httpd/conf.d/ssl.conf:105) is deprecated, SSLCertificateFile should be used instead

According to the Apache manual for mod_ssl this is indeed the case:

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Looking up the documentation for SSLCertificateFile, it looked like I just needed to replace my call to SSLCertificateChainFile with SSLCertificateFile.

This change turned my ssl.conf from this:

SSLCertificateFile /etc/ssl/STAR.EXAMPLE.COM.crt
SSLCertificateKeyFile /etc/ssl/server.key
SSLCertificateChainFile /etc/ssl/Apache_Plesk_Install.txt

to this:

SSLCertificateFile /etc/ssl/STAR.EXAMPLE.COM.crt
SSLCertificateFile /etc/ssl/Apache_Plesk_Install.txt
SSLCertificateKeyFile /etc/ssl/server.key

... but this doesn't work. Apache simply refuses to start without any error message.

I'm not sure what else to try here, as I'm not that familiar with mod_ssl or SSL certificates in general. I do remember we needed to add the Apache_Plesk_Install.txt file so that Internet Explorer would not show an SSL warning on our site, but other than that I have no clue.

Any help would be greatly appreciated. Thanks.

DOOManiac
  • You need to concatenate all certificates, the client certificate and the intermediate certificate(s) – dawud Apr 14 '14 at 20:26

3 Answers

9

I had the same issue. I just replaced these lines in /etc/apache2/site-enabled/default-ssl.conf

SSLCertificateFile    /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt

As you see, I just commented out the SSLCertificateChainFile. Then, seeing the same error as you, I concatenated the content of my chain.crt at the end of the domain.crt, like so:

root@host~: cat /etc/apache2/ssl.crt/chain.crt >> /etc/ssl/certs/domain.crt

And it worked like a charm.

Jeff Puckett, user306141
  • perfectly valid too according to comments in apache config: "Alternatively the referenced file can be the same as SSLCertificateFile when the CA certificates are directly appended to the server certificate for convenience." – acheo Dec 06 '15 at 12:35
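The two failure modes in this thread are the same one: mod_ssl pairs SSLCertificateKeyFile with the first certificate in SSLCertificateFile, so a bundle whose first certificate is an intermediate (which is what a second SSLCertificateFile line pointing at the chain file amounts to) cannot be loaded, and a bundle in the wrong order does not build a path for clients. The script below is an added example, not code from the question or from this answer. It generates a throw-away root/intermediate/server PKI with the openssl CLI so it runs offline, builds the bundle in the order the appended `cat` above produces, and runs three checks before the file is handed to httpd: the key matches the first certificate, each certificate's issuer is the subject of the next, and the path verifies against the root with only the bundle's intermediates. The file names (server.crt, intermediate.crt, root.crt, server.key) and the www.example.com subject are assumptions.

```sh
#!/bin/sh
# Added example (not the answer's own code): build and check an
# SSLCertificateFile bundle for mod_ssl 2.4.8+. File names are assumptions.
# Requires the openssl command-line tool.
set -eu

# Generate root -> intermediate -> server so the example works offline.
# Real deployments use the files the CA delivered instead of this function.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$dir/server.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj '/CN=Demo Root CA' -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 2 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -sha256 -days 2 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# mod_ssl pairs SSLCertificateKeyFile with the FIRST certificate in the
# bundle; openssl x509 also reads only the first one, so this fails exactly
# when httpd would (chain file listed first, as in the question).
key_matches_bundle() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Every certificate's issuer must be the subject of the one that follows it.
bundle_order_ok() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$1"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject)
        # strip the "issuer="/"subject=" labels before comparing the DNs
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $ok
}

# Build the path from the first certificate to the trusted root using only
# the intermediates in the bundle, i.e. what a client holding just the root does.
bundle_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# check_bundle BUNDLE KEY ROOT: all three checks must pass.
check_bundle() {
    key_matches_bundle "$1" "$2" && bundle_order_ok "$1" && bundle_verifies "$1" "$3"
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    # right: server certificate first, then the intermediate (root left out)
    cat "$d/server.crt" "$d/intermediate.crt" > "$d/good-bundle.pem"
    # wrong: what pointing SSLCertificateFile at the chain file amounts to
    cat "$d/intermediate.crt" "$d/server.crt" > "$d/bad-bundle.pem"
    for b in good-bundle.pem bad-bundle.pem; do
        if check_bundle "$d/$b" "$d/server.key" "$d/root.crt"; then
            echo "$b: OK, safe to use as SSLCertificateFile"
        else
            echo "$b: REJECTED (key, order or chain check failed)"
        fi
    done
    rm -rf "$d"
}

demo
```

Once check_bundle passes, point SSLCertificateFile at the bundle and SSLCertificateKeyFile at the key, then run `apachectl configtest` (or `httpd -t`) before restarting. The root is deliberately not appended: the client has to hold it already for validation to mean anything, and sending it only adds bytes to every handshake.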
6

I use the following script to create a certificate bundle that contains the chained certificate.

#!/bin/sh
#
# Convert a PEM certificate to ca-bundle.crt format
# (friendly name, fingerprint, PEM data, decoded certificate)
#

[ -z "$1" ] && { printf 'Usage: %s certificate\n' "$(basename "$0")"; exit 1; }

# Friendly Name (the subject CN), underlined with equal signs.
# "CN *= *" accepts both "CN=foo" (OpenSSL 1.0) and "CN = foo" (OpenSSL 1.1+) output.
openssl x509 -in "$1" -text -noout | sed -e 's/^  *Subject:.*CN *= *\([^,]*\).*/\1/p;t c' -e 'd;:c' -e 's/./=/g'
# Output Fingerprint, swapping = for :
openssl x509 -in "$1" -noout -fingerprint | sed -e 's/=/: /'
# Output PEM Data:
echo 'PEM Data:'
# Output Certificate
openssl x509 -in "$1"
# Output Certificate text, replacing "Certificate:" with "Certificate Ingredients:"
openssl x509 -in "$1" -text -noout | sed -e 's/^Certificate:/Certificate Ingredients:/'

To use it, run it on the server certificate first and then sequentially on any intermediate certificates in the certificate chain, back to the root certificate:

./bundle.sh myserver.crt >myserver.chain
./bundle.sh intermediate.crt >>myserver.chain
./bundle.sh root.crt >>myserver.chain

where the appropriate certificate names are replaced with your real certificate name.

sweetfa
4

Put the site certificate and the intermediates in the file specified by the SSLCertificateFile directive, and the private key in the file specified by SSLCertificateKeyFile, and you should be all set. You could have the private key in the same file as the certificates, but that is discouraged. Please check the documentation for more details:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile
I would recommend that the root CA certificate not be part of the SSLCertificateFile, since the client should already have the root CA certificate as trusted in order for certificate validation to work as designed.
Also, if there is nothing in the Apache error logs, one could set the error log to a finer granularity, as in http://httpd.apache.org/docs/current/mod/core.html#loglevel

Khanna111
  • Really? The private key? That seems like a bad idea. Just wondering, because my strong assumption is that this is private. – ssl Aug 27 '14 at 01:08
  • You are right - things have changed from what I remembered from the documentation and also from what documentation exists in the httpd-ssl.conf file for these two directives. Although allowed, the practice of having the private key in the file specified by SSLCertificateFile is discouraged. Reply is now edited to cater to this fact. – Khanna111 Aug 27 '14 at 06:42