[SLL] unable to get local issuer certificate
Jeremy C. Reed
reed at reedmedia.net
Thu Oct 25 09:40:08 PDT 2007
On Thu, 25 Oct 2007, Brian Hatch wrote:
> On or about 2007-10-25 02:27 -0500, Jeremy C. Reed averred:
>
> > I am trying to research this MSIE error: "The security certificate
> > presented by this website was not issued by a trusted certificate
> > authority."
>
> You need to check the certificate authority 'database' (certificate
> store) in the client(s) that are complaining. You may have the cert
> trusted by one but not the other. You may also have manually trusted
> it in one of them (putting it in your store, not the global store.)

The customer complained about it. I am not sure how to get them to change
their clients (and their customer's web clients).

> What's the machine:port in question that's giving you errors? I can
> check it out.

Emailed off-list. Thanks.

I was hoping this could be done on the Apache/mod_ssl server side.

I see the same Thawte is listed in my conf/ssl.crt/ca-bundle.crt and so I
uncommented my SSLCACertificateFile config to use that, but then my SSL
errors changed and said it was self-signed. So I commented that back out.
It is not self-signed. It is signed by Thawte Premium Server Certificate.

I also read that the CA's cert can be appended to the certificate, so I
appended it to my SSLCertificateFile file. But that made no change (after
restarting apache) -- still "unable to get local issuer certificate".

> Some command line clients don't check certs at all, depending on
> version.
>
> You might want to 'strace -efile' and see what files it's opening to
> see what files it tries to open. Anything in /etc/ssl or such could
> be useful. Note that 'stat' without 'open' could be important too,
> as it may try to open up a file based on the CN's hash, if it doesn't
> find the cert in the big huge cert store.

My concern is for the customer who uses MSIE. :(

Jeremy C. Reed
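
An added example, not part of the original message: it reproduces OpenSSL's "unable to get local issuer certificate" with a constructed three-level chain, and shows the same server certificate verifying once the intermediate is presented with it. The CA names, host name and file names are all made up for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# Every name here (Demo Root CA, www.example.test) is made up for the example.

make_demo_pki() {                       # $1 = empty working directory
  local d=$1
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
                '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/demo.cnf" \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/demo.cnf" -extensions ca \
    -out "$d/int.crt" 2>/dev/null
  # Server certificate, signed by the intermediate (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=www.example.test" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

verify_as_client() {                    # $1 = directory, $2 = with-chain | no-chain
  local d=$1
  # -CAfile is the client's trust store; -untrusted stands for the extra
  # certificates a server sends along with its own during the handshake.
  if [ "$2" = with-chain ]; then
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/server.crt" 2>&1
  else
    openssl verify -CAfile "$d/root.crt" "$d/server.crt" 2>&1
  fi
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  echo "--- server presents only its own certificate"
  verify_as_client "$d" no-chain || true
  echo "--- server also presents the intermediate"
  verify_as_client "$d" with-chain
  rm -rf "$d"
}

demo
```

To see what a live server actually sends, `openssl s_client -connect host:443 -showcerts` prints each certificate in the presented chain. In mod_ssl, the certificates sent in addition to the server's own are configured with SSLCertificateChainFile, while SSLCACertificateFile holds the CAs used to verify client certificates.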