We just setup new Windows machine as a web server, with Apache 2.2.19 with openssl installed and we want to move our existing web including the SSL certificate (Verisign) from the old setup, Linux, Apache 2.2.3.
Now, if I search online, all I can find is to copy and paste the cert files to the new server. But when I have done all the configurations, Apache failed to start with nothing printed in error log, only a prompt saying The Requested Operation has failed.
I tried to run
httpd.exe -e debug and saw it stopped on
Loaded module ssl_module and these lines printed in the error.log:
[Thu Aug 18 18:18:18 2011] [info] Init: Initialized OpenSSL library The system cannot find the path specified. The system cannot find the path specified. The system cannot find the path specified. The system cannot find the path specified.
And from Windows event viewer:
Faulting application httpd.exe, version 18.104.22.168, time stamp 0x4dd6eda8, faulting module libapr-1.dll, version 22.214.171.124, time stamp 0x4dd6ed65, exception code 0xc0000005, fault offset 0x0000fc39, process id 0xe08, application start time 0x01cc5b07b33b8a60.
I'm sure that I configured the path to crt files correctly, since this is what I get if I tried to put a wrong path:
[Thu Aug 18 18:13:35 2011] [debug] mod_so.c(246): loaded module ssl_module Syntax error on line 133 of C:/Apache2.2/conf/extra/httpd-ssl.conf: SSLCACertificateFile: file 'C:/Apache2.2/conf/ssla/intermediate.crt' does not exist or is empty
Apache runs perfectly if I use a self signed certificate. What might be gone wrong?
Checking using openssl verify command as @polynomial suggested in his answer:
> openssl verify /path/to/file.pem > error 20 at 0 depth lookup:unable to get local issuer certificate
openssl version -d shows that
Does OPENSSLDIR caused the error? If yes, how do I solve this?
It sounds like perhaps the certificate you have is munged or the OpenSSL install on your windows box is having a hard time understanding it for some reason. If you try to verify the certificate or extract information from it using the openssl command line on your windows box does it work?
Some command info:
openssl verify /path/to/file.pem openssl x509 -text -in /path/to/cert.pem
SSL certificates are generated for a specific server at a specific address, you can't just copy them from one server to another [even if the IP address is the same]
Your paths and setup is probably correct [hence your self signed cert working]. What you need to do is generate a new CSR, contact your SSL certificate provider and have a new certificate issued, generlly you would not have to pay for that.
User contributions licensed under CC BY-SA 3.0