How to force Apache 2.2 to send the full certificate chain?
We are using Apache 2.2.25 with mod_ssl in the reverse proxy mode using mod_proxy. It has a server certificate we use for testing purposes, issued by GoDaddy. There are 3 certificates in the chain, server cert -> GoDaddy intermediate CA -> GoDaddy Root CA. The intermediate CA (Go Daddy Secure Certificate Authority - G2) is not always found in clients' list of trusted CA.
The SSL connection to the server works well for browsers (at least for some), but not for some other clients. We noticed that our server does not send the full certificate chain, by using the following command: openssl s_client -showcerts -connect SERVER_URL:443, and indeed the command reports the error Verify return code: 21 (unable to verify the first certificate)
We use the SSLCertificateFile directive in each VirtualHost:
SSLCertificateFile certificate.crt
Where the certificate.crt file contains the private key and all the certificates in the chain. We tried to split it into the following:
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLCertificateChainFile chain.crt
But this didn't change anything.
Thanks for your help!
EDIT
The plot thickens - it seems to be some combination of the certificate and the server.
(testing is done with the SSL Shopper tool)
- Go Daddy certificate (as above) on Apache 2.2 (RHEL) - does not work
- same certificate, on IIS7 - works
- customer's certificate (from Comodo) on Apache 2.2 RHEL - works
Answer
You are on the right track.
SSLCertificateFile server.crt >> Your public certificate
SSLCertificateKeyFile server.key >> Your private key
SSLCertificateChainFile chain.crt >> List of intermediate certificates;
in your case, only one - GoDaddy intermediate CA
Check your server configuration with a tool like SSL Labs to determine if you are sending the correct intermediate certificate.