I have a similar configuration that works:
# SSL
SSLEngine On
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/apache2/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.com.key
ProxyPass / http://www.mydomain.com:3003/
ProxyPassReverse / http://www.mydomain.com:3003/
ProxyPreserveHost on
Hope it helps (although I can't explain every parameter). Perhaps you might want to use http instead of https for the ProxyPass, because it's just a redirect to localhost and mongrel doesn't support (?) or doesn't come with activated SSL support IMHO.
Two things you can do:
- Verify the intermediate chain
- Clean up the intermediate chain
Verify the intermediate chain
As the error seems to indicate, there is something off about your intermediate certificate chain. You should check where you got your certificate from and that you got the correct intermediate bundle.
You should verify the "hash" and "issuer's hash" of every certificate in the chain with the openssl x509 -noout -hash and openssl x509 -noout -issuer_hash commands. Try this to get the issuer hash of your certificate:
cat /path/to/cert/mysite.com.cert | openssl x509 -noout -issuer_hash
Then try to find a certificate with this hash in the sf_bundle.crt file that you specified as SSLCertificateChainFile. You may have to extract the certificates (or just copy-paste them to the command):
cat first_cert_from_sf_bundle.crt | openssl x509 -noout -hash
Check all of them. If none have this hash, then something is wrong right there. Keep doing these checks until you find a certificate which has the same -hash and -issuer_hash. This is your root certificate.
If something is missing, you can check the other intermediate files here: https://certs.starfieldtech.com/anonymous/repository.seam. Download these and compare their -hash against the -issuer_hash where you got stuck.
If everything is okay, then ....
Clean up the intermediate chain
I have seen this also help when you get odd validation errors. Make sure that your intermediate chain lists only the required certificates and in the correct order (it is easier if it is in PEM format). In other words, if your chain is Your cert -> cert A -> cert B -> Starfield Root cert, try appending these in this order (you can skip the first and last) so your intermediate chain looks something like this:
-----BEGIN CERTIFICATE-----
cert A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cert B
-----END CERTIFICATE-----
I personally like to keep all these certificates (personal certificate, followed by intermediate ones, followed by the root certificate) in the same file. Then I just specify this file as both the SSLCertificateFile and SSLCertificateChainFile.
Best Answer
Strictly speaking, you don't ever need the chain for SSL to function.
What you always need is an SSLCertificateFile with a SSLCertificateKeyFile containing the correct key for that certificate.
The trouble is that if all you give Apache is the certificate, then all it has to give to connecting clients is the certificate - which doesn't tell the whole story about that SSL cert. It's saying, "I'm signed by someone, but I'm not going to tell you about them".
This usually works fine, as most client systems have a large store of CA certificates (both root and intermediate) which they can check through for a matching signing relationship to establish trust. However, sometimes this doesn't work; most often the issue you'll run into is a client that doesn't hold the cert for an intermediate CA that's signed your certificate.
That's where the chain comes in; it lets Apache show the client exactly what the trust relationship looks like, which can help a client fill in the blanks between your cert, a root they trust, and the intermediate that they don't know about. The chain can be included in your configuration in one of two ways:
- In the SSLCertificateFile, on new lines after the server certificate, in order (the root should be at the bottom). If you set it up like this, you'll want SSLCertificateChainFile pointed to the exact same file as SSLCertificateFile.
- In the SSLCertificateChainFile directive; the CA certificate that issued the server's certificate should be first in the file, followed by any others up to the root.
Check the certificate file that you have now - I'm betting that it doesn't have the chain data included. Which usually works fine, but will eventually cause an issue with some browser or other.
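The hash comparison from the second answer and the ordering rules from the accepted answer can be scripted. The following is an added example, not code from either answer: it splits a PEM bundle into individual certificates, prints each one's -hash and -issuer_hash, checks that every certificate is followed by its issuer and that the bundle ends at a self-signed root, and then runs openssl verify, which checks the signatures themselves (matching name hashes only proves the names line up). The root, intermediate and server certificates it checks are constructed locally with openssl as test data; the names "Demo Root", "Demo Intermediate" and "www.example.test" and the file layout are assumptions of this example, not anything from the Starfield repository.

```shell
#!/bin/sh
# Added example: check the ordering of a PEM certificate bundle the way the
# answers describe (issuer_hash of each cert == hash of the next cert, root
# last), then confirm the signatures with openssl verify. All certificates are
# constructed test data generated below; nothing here is a real CA certificate.

# split_pem BUNDLE OUTDIR: write cert-1.pem, cert-2.pem, ... and print the count
split_pem() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$1"
}

# check_chain BUNDLE: print hash/issuer_hash per certificate; return 0 only if
# each certificate is followed by its issuer and the bundle ends at a self-signed root
check_chain() {
  tmp=$(mktemp -d)
  count=$(split_pem "$1" "$tmp")
  rc=0
  i=1
  [ "$count" -gt 0 ] || rc=1
  while [ "$i" -le "$count" ]; do
    cert="$tmp/cert-$i.pem"
    hash=$(openssl x509 -noout -hash -in "$cert")
    issuer_hash=$(openssl x509 -noout -issuer_hash -in "$cert")
    printf '%s: hash=%s issuer_hash=%s %s\n' "$i" "$hash" "$issuer_hash" \
      "$(openssl x509 -noout -subject -in "$cert")"
    if [ "$hash" = "$issuer_hash" ]; then
      # -hash equals -issuer_hash: self-signed, so this is the root; it must be last
      [ "$i" -eq "$count" ] || { echo "  ERROR: certificates listed after the root"; rc=1; }
    elif [ "$i" -lt "$count" ]; then
      next=$(openssl x509 -noout -hash -in "$tmp/cert-$((i + 1)).pem")
      [ "$issuer_hash" = "$next" ] || { echo "  ERROR: next certificate is not the issuer"; rc=1; }
    else
      echo "  ERROR: issuer $issuer_hash is missing from the bundle"
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# verify_leaf LEAF INTERMEDIATES ROOT: the signature check that comparing name
# hashes cannot do (equal names do not prove the certificate was actually signed)
verify_leaf() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# make_demo_chain DIR: constructed test data, Demo Root -> Demo Intermediate -> leaf
make_demo_chain() {
  d=$1
  mkdir -p "$d"
  cat > "$d/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/openssl.cnf" -extensions ca_ext \
    -out "$d/int.crt" 2>/dev/null
  openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -extfile "$d/openssl.cnf" -extensions leaf_ext \
    -out "$d/leaf.crt" 2>/dev/null
}

# demo: build the constructed chain, check a correctly ordered bundle (server cert,
# intermediate, root, the layout the accepted answer describes) and a bundle with
# the intermediate left out
demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/bundle.pem"
  check_chain "$d/bundle.pem" && verify_leaf "$d/leaf.crt" "$d/int.crt" "$d/root.crt" \
    && echo "full bundle: chain OK"
  cat "$d/leaf.crt" "$d/root.crt" > "$d/missing.pem"
  check_chain "$d/missing.pem" || echo "bundle without intermediate: chain BROKEN (expected)"
  rm -rf "$d"
}

demo
```

Run the script as-is to see both outcomes; to check a real bundle, call check_chain on the file you use as SSLCertificateChainFile and verify_leaf with your server certificate, the intermediate file and the root. The hash comparison reproduces the manual procedure from the answer and is good at spotting a missing or misordered intermediate, but only openssl verify confirms that each certificate really was signed by the one after it.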