Hi,
I have a C4 server that I am trying to migrate an SSL site over to a new C5 machine with all of the updates. The certificate is an Equifax cert and works as advertised on the C4 server. When I move it over to the C5 machine I get an error in Firefox that says error code -12227, which http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html says is an SSL_ERROR_HANDSHAKE_FAILURE_ALERT. In addition it says that this means that "SSL peer was unable to negotiate an acceptable set of security parameters."
If I try to open the site in IE, it prompts for a client certificate. This fails because I am not using client certs.
In the Apache config for ssl.conf I have "SSLVerifyClient none". I have also tried setting it to "optional" with the same results.
In the past moving these sites to a different machine was as simple as copying the certs and the config files over to the new machine, reloading httpd, and everything just worked. Is there something different about SSL on C5? Does anyone know a good way to troubleshoot this?
Google and the docs are not helping.
What am I missing?
Regards,
Hi Tom,
The location of SSL certificates changed from C4 to C5; certificates are located in /etc/pki/tls on C5. Apache is also a newer version on C5 (2.2 on C5, 2.0 on C4). You should check your configs manually and change them accordingly. I can help you if you post your C4 config.
Regards,
Michel van Deventer
On Fri, 2008-03-28 at 18:37 -0400, Tom Diehl wrote:
> Hi,
> I have a C4 server that I am trying to migrate an SSL site over to a new C5 machine with all of the updates. The certificate is an Equifax cert and works as advertised on the C4 server. When I move it over to the C5 machine I get an error in Firefox that says error code -12227, which http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html says is an SSL_ERROR_HANDSHAKE_FAILURE_ALERT. In addition it says that this means that "SSL peer was unable to negotiate an acceptable set of security parameters."
> If I try to open the site in IE, it prompts for a client certificate. This fails because I am not using client certs.
> In the Apache config for ssl.conf I have "SSLVerifyClient none". I have also tried setting it to "optional" with the same results.
> In the past moving these sites to a different machine was as simple as copying the certs and the config files over to the new machine, reloading httpd, and everything just worked. Is there something different about SSL on C5? Does anyone know a good way to troubleshoot this?
> Google and the docs are not helping.
> What am I missing?
> Regards,
Hi Michel,
On Sat, 29 Mar 2008, Michel van Deventer wrote:
> Hi Tom,
> The location of SSL certificates changed from C4 to C5; certificates are located in /etc/pki/tls on C5. Apache is also a newer version on C5 (2.2 on C5, 2.0 on C4). You should check your configs manually and change them accordingly. I can help you if you post your C4 config.
Thanks for the offer. I figured out the problem after a few more hours. A while back I was trying to get Koji working on the same machine but I never succeeded. I gave up on it but forgot to nuke the broken SSL configs. Once I nuked the broken Koji configs, the SSL-enabled virtual hosts started working. It turns out that, with the exception of the SSL cert locations, the same settings I used on the C4 box will also work on the C5 box.
Regards,