[CentOS] SSL Certificate problem

Sat Mar 29 06:48:46 UTC 2008
Michel van Deventer <michel at van.deventer.cx>

Hi Tom,

The location of SSL certificates changed from C4 to C5; certificates are
located in /etc/pki/tls on C5. Apache is also a newer version on C5
(2.2, 2.0 in C4). You should check your configs manually and change
them accordingly. I can help you if you post your C4 config.

	Regards,

	Michel van Deventer

On Fri, 2008-03-28 at 18:37 -0400, Tom Diehl wrote:
> Hi,
> 
> I have a C4 server that I am trying to migrate an ssl site over to a new C5
> machine with all of the updates. The certificate is an equifax cert and works
> as advertised on the C4 server. When I move it over to the C5 machine I get
> an error in Firefox that says error code -12227 which
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html says is
> an SSL_ERROR_HANDSHAKE_FAILURE_ALERT. In addition it says that this means 
> that "SSL peer was unable to negotiate an acceptable set of security
> parameters."
> 
> If I try to open the site in IE, it prompts for a client certificate. This
> fails because I am not using client certs.
> 
> In the apache config for ssl.conf I have "SSLVerifyClient none". I have also
> tried setting it to "optional" with the same results.
> 
> In the past moving these sites to a different machine was as simple as
> copying the certs and the config files over to the new machine, reloading
> httpd and everything just worked. Is there something different about ssl on
> C5? Does anyone know a good way to troubleshoot this?
> 
> Google and the docs are not helping.
> 
> What am I missing?
> 
> Regards,
>
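
One way to start the manual config check suggested in the reply, as an added example that is not part of the original thread: list the certificate files an ssl.conf names and flag any that do not exist on the new machine. The function name, its ROOT argument, the www.example.com file names and the old-style path in the sample config are constructed for illustration; the check covers file existence only.

```shell
# check_ssl_paths CONF [ROOT]: report whether each certificate file named in
# an Apache ssl.conf exists. ROOT (hypothetical helper argument) is prepended
# to every path so the check can be tried against a copy of the filesystem.
check_ssl_paths() {
    conf=$1 root=${2:-} missing=0
    while read -r directive path _ || [ -n "$directive" ]; do
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile) ;;
            SSLCertificateChainFile|SSLCACertificateFile) ;;
            *) continue ;;          # comments and unrelated directives
        esac
        path=$(printf '%s' "$path" | tr -d '"')   # strip optional quotes
        if [ -f "$root$path" ]; then
            echo "OK      $directive $path"
        else
            echo "MISSING $directive $path"
            missing=$((missing + 1))
        fi
    done < "$conf"
    [ "$missing" -eq 0 ]            # exit status 1 if anything is missing
}

# Constructed demo: a config copied from the old machine that still points at
# an old certificate directory, checked against a sandbox laid out like C5.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/pki/tls/certs" "$demo_root/etc/pki/tls/private"
: > "$demo_root/etc/pki/tls/certs/www.example.com.crt"
cat > "$demo_root/ssl.conf" <<'EOF'
SSLVerifyClient none
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.example.com.key
EOF
check_ssl_paths "$demo_root/ssl.conf" "$demo_root" || echo "fix the paths above"
```

On a real host, call it with the live config path and no ROOT argument.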