Apache 2.4 / SSL certificates error: AH01903: Failed to configure CA certificate chain

Tags: apache-2.4, mod-ssl, ssl-certificate

I recently had to renew one of my SSL certificates on an Apache 2.4/Mod_ssl server.

I have 2 Vhosts, no SNI, each running on a separate NIC.
Until now the certificates were both GlobalSign OrganizationSSL, one specific to a URL, the other a wildcard.
All this was running fine.

My client wanted to have an Extended Validation SSL. I downloaded the root CA and Intermediate cert required for this chain to operate.
But upon switching the certs, my Apache refuses to initialize the chain.

I have the following errors:

  • Apache log: [ssl:emerg] [pid 7394:tid 140377904683136] AH02311: Fatal error initialising mod_ssl, exiting.
  • Vhost log: [ssl:emerg] [pid 7394:tid 140377904683136] AH01903: Failed to configure CA certificate chain!

My Vhost SSL conf:

Vhost 1 (Organization SSL):

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EDH:!DHE:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLHonorCipherOrder     on
    SSLCertificateFile /path/to/organization.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/intermediate.pem

Vhost 2 (Extended Validation SSL):

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCACertificateFile /path/to/gs_root_ca.crt
    SSLCertificateChainFile /path/to/intermediate.crt
    SSLCertificateFile /path/to/extended_validation.crt
    SSLCertificateKeyFile /path/to/server2.key

I'm no SSL specialist, and I don't understand why Extended Validation and Organization SSL certs cannot cohabit.

I tried removing one Vhost and then the other: on its own, each works perfectly.
So I was forced to disable the least used vhost for my main production backoffice to work.

Have you ever encountered such error? Is it a normal behavior? What can I do to have both my sites running again?

Thanks for your expertise!

Best Answer

You are setting it up incorrectly.

Let's recollect:

  • SSLCertificateKeyFile loads the private key (you are doing this fine)
  • SSLCertificateFile loads the server certificate chain. That is the server certificate and its signing CAs, sorted from leaf (certificate) to root (higher-level CA).
  • SSLCertificateChainFile is deprecated in Apache 2.4, so remove this one.
  • SSLCACertificateFile loads the CAs for clients that will authenticate over SSL with a client certificate. THIS IS THE ONE YOU WANT TO USE FOR SSL CLIENT AUTH, then.

Sidenote: your cipher suite looks very wrong and insecure at first sight. Worth looking at changing that one too.

Edit based on comments. For 2.4.6 and earlier you should:

  • SSLCertificateFile loads the server certificate.
  • SSLCertificateChainFile loads the server certificate's CA chain.
  • SSLCACertificateFile loads the CAs for clients that will authenticate over SSL with a client certificate. THIS IS THE ONE YOU WANT TO USE FOR SSL CLIENT AUTH, then.
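The checks behind the answer above, as an added example that is not part of the original thread and not anything GlobalSign or the Apache project ships. The script builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI so it runs offline (the CNs, file names and the 2.4.6/2.4.10 version strings are made up), then shows what to verify before reloading mod_ssl: that the bundle handed to SSLCertificateFile is leaf-first, that it verifies up to the trusted root, that the private key belongs to the new certificate, and which directives the running httpd wants. The version boundary it uses is the documented one: from 2.4.8 SSLCertificateFile loads the intermediates itself and SSLCertificateChainFile is deprecated; 2.4.7 and earlier still need the chain file.

```shell
#!/bin/sh
# Added example, not code from the thread above. Builds a throwaway
# root -> intermediate -> leaf PKI with the openssl CLI so it runs offline,
# then performs the checks worth running before reloading mod_ssl.
# All CNs, file names and version strings are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed test PKI (hypothetical CNs, 2048-bit RSA, 2-day validity) ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Root' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out intermediate.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
  -keyout server.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out extended_validation.crt 2>/dev/null
openssl genrsa -out stale.key 2048 2>/dev/null   # a key the new cert was NOT issued for

# 1. Assemble the bundle Apache 2.4.8+ expects in SSLCertificateFile: leaf
#    first, then each issuing CA. The root is left out: clients already trust
#    it, and sending it only adds bytes to every handshake.
build_chain() {           # build_chain LEAF INTERMEDIATE... > fullchain.pem
  cat "$@"
}

# 2. Confirm the bundle is ordered leaf-first: each certificate's issuer must
#    equal the subject of the certificate that follows it.
chain_order_ok() {        # chain_order_ok BUNDLE
  awk -v p="$WORK/split_" '/-----BEGIN CERTIFICATE-----/{n++} {print > (p n ".pem")}' "$1"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$WORK/split_$i.pem")
    subject=$(openssl x509 -noout -subject -in "$WORK/split_$((i + 1)).pem")
    [ "${issuer#*=}" = "${subject#*=}" ] || return 1
    i=$((i + 1))
  done
}

# 3. Validate the leaf through the intermediate up to the root you trust.
#    Without the intermediate the verification fails, which is exactly what a
#    browser sees when the chain file is missing or wrong.
verify_chain() {          # verify_chain ROOT LEAF [INTERMEDIATE]
  root=$1; leaf=$2; shift 2
  if [ $# -gt 0 ]; then
    openssl verify -CAfile "$root" -untrusted "$1" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# 4. Check that SSLCertificateKeyFile really is the key of the renewed cert:
#    compare the public key inside the certificate with the one derived from
#    the private key.
key_matches_cert() {      # key_matches_cert CERT KEY
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# 5. Emit the directives for the running httpd. SSLCACertificateFile is for
#    client-certificate authentication and is deliberately absent from both.
needs_chainfile() {       # needs_chainfile MAJOR.MINOR.PATCH -> true below 2.4.8
  maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; pat=${rest#*.}
  [ $((maj * 10000 + min * 100 + pat)) -lt 20408 ]
}
vhost_stanza() {          # vhost_stanza VERSION FULLCHAIN LEAF KEY INTERMEDIATE
  if needs_chainfile "$1"; then
    printf 'SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n' "$3" "$4" "$5"
  else
    printf 'SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$2" "$4"
  fi
}

# --- run the checks the way you would on the server ---
build_chain extended_validation.crt intermediate.crt > fullchain.pem
chain_order_ok fullchain.pem && echo "order: leaf first, OK"
verify_chain root.crt extended_validation.crt intermediate.crt && echo "chain: verifies to root, OK"
verify_chain root.crt extended_validation.crt || echo "chain: fails without the intermediate (expected)"
key_matches_cert extended_validation.crt server.key && echo "key:   matches the new cert, OK"
key_matches_cert extended_validation.crt stale.key || echo "key:   stale key rejected (expected)"
echo "--- directives for 2.4.6 ---"
vhost_stanza 2.4.6 fullchain.pem extended_validation.crt server.key intermediate.crt
echo "--- directives for 2.4.8 and later ---"
vhost_stanza 2.4.10 fullchain.pem extended_validation.crt server.key intermediate.crt
```

On a real host, point the functions at the files GlobalSign delivered (leaf, intermediate, and the root only for `verify_chain`), then run `apachectl configtest` before reloading. The stanza deliberately carries no `SSLCipherSuite`; the one in the question re-enables `RC4+RSA` and `+LOW`, which is what the sidenote in the answer is about, and a replacement belongs in a separate change.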