[CentOS] Re: SSL Certificate problem (SOLVED)

Sun Mar 30 03:10:12 UTC 2008
Tom Diehl <tdiehl at rogueind.com>

Hi Michel,

On Sat, 29 Mar 2008, Michel van Deventer wrote:

> Hi Tom,
>
> the location of SSL certificates changed from C4 to C5, certificates are
> located in /etc/pki/tls on C5. Apache is also a newer version on C5
> (2.2 , 2.0 in C4). You should check your configs manually and change
> them accordingly. I can help you if you post your C4 config.

Thanks for the offer. I figured out the problem after a few more hours.
A while back I was trying to get Koji working on the same machine but I never
succeeded. I gave up on it but forgot to nuke the broken ssl configs. Once I
nuked the broken Koji configs, the ssl enabled virtual hosts started working.
It turns out that with the exception of the ssl cert locations, the same
settings I used on the C4 box will also work on the C5 box.

Regards,

-- 
Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com

>
> 	Regards,
>
> 	Michel van Deventer
>
> On Fri, 2008-03-28 at 18:37 -0400, Tom Diehl wrote:
>> Hi,
>>
>> I have a c4 server that I am trying to migrate an ssl site over to a new C5
>> machine with all of the updates. The certificate is an equifax cert and works
>> as advertised on the C4 server. When I move it over to the C5 machine I get
>> an error in Firefox that says error code -12227 which
>> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html says is
>> an SSL_ERROR_HANDSHAKE_FAILURE_ALERT. In addition it says that this means
>> that "SSL peer was unable to negotiate an acceptable set of security
>> parameters."
>>
>> If I try to open the site in IE, it prompts for a client certificate. This
>> fails because I am not using client certs.
>>
>> In the apache config for ssl.conf I have "SSLVerifyClient none". I have also
>> tried setting it to "optional" with the same results.
>>
>> In the past moving these sites to a different machine was as simple as
>> copying the certs and the config files over to the new machine, reloading
>> httpd and everything just worked. Is there something different about ssl on
>> C5? Does anyone know a good way to troubleshoot this?
>>
>> Google and the docs are not helping.
>>
>> What am I missing?
>>
>> Regards,
>>
>
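The fix in this thread came from finding SSL settings in a config file other than ssl.conf, so here is an added example (not code from the thread or from CentOS) that lists the SSL directives in every `*.conf` under an Apache config root and flags any `SSLVerifyClient` that is not `none`. The default root `/etc/httpd`, the file name `kojiweb.conf` and all sample contents are assumptions; the thread does not say what the leftover Koji files contained.

```python
import re, tempfile
from collections import namedtuple
from pathlib import Path

WATCHED = {"sslverifyclient", "sslcacertificatefile", "sslcertificatefile"}
SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")
Finding = namedtuple("Finding", "file line context directive value")

# Constructed sample tree; file names and contents are assumptions, not from the thread.
SAMPLE = {
    "conf.d/ssl.conf": "<VirtualHost _default_:443>\n"
        "SSLCertificateFile /etc/pki/tls/certs/site.crt\nSSLVerifyClient none\n</VirtualHost>\n",
    "conf.d/kojiweb.conf": "# leftover from an abandoned install\n"
        "<Location /koji/login>\n\tSSLVerifyClient require\n</Location>\n",
}

def scan(conf_root="/etc/httpd"):
    """Return every watched SSL directive under conf_root with its enclosing section."""
    root, findings = Path(conf_root), []
    for path in sorted(root.rglob("*.conf")):
        context = ["global"]
        for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
            line = raw.strip()
            section = SECTION.match(line)
            if section:  # track <VirtualHost>, <Location>, ... nesting
                tag = f"{section[2]} {section[3]}".strip()
                context = (context[:-1] or ["global"]) if section[1] else context + [tag]
            elif line and not line.startswith("#"):
                name, *rest = line.split(None, 1)
                if name.lower() in WATCHED:  # directive names are case-insensitive
                    findings.append(Finding(str(path.relative_to(root)), lineno,
                                            context[-1], name, "".join(rest).strip('"')))
    return findings

def client_cert_requests(findings):
    """Findings where SSLVerifyClient is anything other than 'none'."""
    return [f for f in findings
            if f.directive.lower() == "sslverifyclient" and f.value.lower() != "none"]

def demo():
    """Write SAMPLE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan(tmp)

if __name__ == "__main__":
    for f in client_cert_requests(demo()):
        print(f"{f.file}:{f.line} [{f.context}] {f.directive} {f.value}")
```

On a real host, call `scan()` with the actual config root; the scan only covers files ending in `.conf`, so adjust the glob if the `Include` lines in httpd.conf pull in other names.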