Hi Tom,
the location of SSL certificates changed from C4 to C5, certificates are located in /etc/pki/tls on C5. Apache is also a newer version on C5 (2.2 , 2.0 in C4). You should check your configs manually and change them accordingly. I can help you if you post your C4 config.
Regards,
Michel van Deventer
On Fri, 2008-03-28 at 18:37 -0400, Tom Diehl wrote:
Hi,
I have a c4 server that I am trying to migrate an ssl site over to a new C5 machine with all of the updates. The certificate is an equifax cert and works as advertised on the C4 server. When I move it over to the C5 machine I get error in firefox that says error code -12227 which http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html says is an SSL_ERROR_HANDSHAKE_FAILURE_ALERT. In addition it says that this means that "SSL peer was unable to negotiate an acceptable set of security parameters."
If I try to open the site in IE, it prompts for a client certificate. This fails because I am not using client certs.
In the apache config for ssl.conf I have "SSLVerifyClient none". I have also tried setting it to "optional" with the same results.
In the past moving these sites to a different machine was as simple as copying the certs and the config files over to the new machine, reloading httpd and everyting just worked. Is there something different about ssl on C5? Does anyone know a good way to troubleshoot this.
Google and the docs are not helping.
What am I missing?
Regards,