I recently had to renew one of my SSL certificates on an Apache 2.4/Mod_ssl server.
I have 2 Vhosts, no SNI, each running on a separate NIC.
Until now the certificates were both Globalsign OrganizationSSL, one specific to a URL, the other one a wildcard.
All this was running fine.
My client wanted to have an Extended Validation SSL. I downloaded the root CA and Intermediate cert required for this chain to operate.
But upon switching the certs, my Apache refuses to initialize the chain.
I have the following errors:
- Apache log: [ssl:emerg] [pid 7394:tid 140377904683136] AH02311: Fatal error initialising mod_ssl, exiting.
- Vhost log: [ssl:emerg] [pid 7394:tid 140377904683136] AH01903: Failed to configure CA certificate chain!
My Vhost SSL conf:

Vhost 1 (Organization SSL):

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EDH:!DHE:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLHonorCipherOrder on
    SSLCertificateFile /path/to/organization.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/intermediate.pem

Vhost 2 (Extended Validation SSL):

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCACertificateFile /path/to/gs_root_ca.crt
    SSLCertificateChainFile /path/to/intermediate.crt
    SSLCertificateFile /path/to/extended_validation.crt
    SSLCertificateKeyFile /path/to/server2.key

I'm no SSL specialist, and I don't understand why Extended Validation and Organization SSL certs cannot cohabit.
I tried removing one Vhost and then the other, and it works perfectly.
So I was forced to disable the least used vhost for my main production backoffice to work.
Have you ever encountered such an error? Is it normal behavior? What can I do to have both my sites running again?
Thanks for your expertise!
Best Answer
You are setting it up incorrectly.
Let's recollect:
Sidenote: Your Ciphersuite seems very incorrect and insecure at first sight. Worth checking for a change in that one too.
Edit based on comments. For 2.4.6 and earlier you should: