Apache not sending SSL Intermediate Certificates

jvdwilk

Hi people,

I guess I need some help. Either something is seriously broken, or I am missing something that should have been too obvious.

I have a VPS, running CentOS 6.4 with a fresh installation of everything, including a new SSL certificate from RapidSSL.
DA and Custombuild 1.2 installed all fine, no errors, no odd issues.
Running Apache 2.4.6, OpenSSL 1.0.1e-1

Following 'normal procedure' I install the server certificate (servername budi.npnservers.net) and the key. Working fine, except that the intermediary certificates are not showing. Not when I paste them under the certificate, not when I place them in a separate file, nothing.

But when I paste the same certificate in DA to some fake domain (on its own IP) => lala.npnservers.net, then all works fine (except for the hostname mismatch).
Intermediate certificates _are_ being sent using DA for setting it up.

So I point from /etc/httpd/conf/extra/httpd-ssl.conf to the _exact_ same files with keys, certs and intermediate certs, using the exact same keywords as in the DA created httpd.conf file (SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile) and then again it's not working.

Frustration, frustration... what am I missing..?

How can it not work from httpd-ssl.conf while it is working from a user's httpd.conf?
Same OpenSSL, same Apache, same plugins, just a different location to start from.

And on another VPS server (madi.npnservers.net) with almost the same setup (older, installed initially with CentOS 6.2, but for the rest the same) it works just fine.

Any ideas, anything to check, how to troubleshoot? Please? It's driving me nuts...


Jorge.
 
It might not be the best way to do it, but this is how I install Intermediate CA certificate for server.hostname.com:

1: Create the file for Intermediate CA certificate for your host name:
Code:
touch /usr/local/directadmin/data/users/admin/domains/budi.npnservers.net.cacert

Change owner and group of the file budi.npnservers.net.cacert to be diradmin:diradmin, and set file permission to 600

Add/paste your Intermediate CA certificate into the file /usr/local/directadmin/data/users/admin/domains/budi.npnservers.net.cacert

2: Edit the file /etc/httpd/conf/extra/httpd-vhosts.conf and search for this line near the bottom:

Code:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

create a new line after the above line and add this new line:

Code:
SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/budi.npnservers.net.cacert

Then restart Apache and DirectAdmin:

Code:
service httpd restart
service directadmin restart

That is how I do it for Intermediate CA certificate for the server hostname. As said, it might not be the best way. Remember that every time you do ./build rewrite_confs, then the file httpd-vhosts.conf will be overwritten, and you would need to add the line back and restart Apache and DirectAdmin.
 
Ditto, thanks a million..!
Your suggestions worked perfectly.

I prefer to keep the certificates in their original locations though, and tweaked your suggestions a bit.
With this I found that it also works if the CA certificates are kept in a /etc/httpd/conf/server-ca.crt file owned by root:root with 600 permissions.
Just as long as I refer to this file as 'SSLCACertificateFile /etc/httpd/conf/server-ca.crt' from /etc/httpd/conf/extra/httpd-vhosts.conf

What also works is adding 'SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.crt' in the /etc/httpd/conf/extra/httpd-vhosts.conf file, as long as the server.crt file has the Intermediate certificates pasted under the actual server certificate.

And yes, the drawback is that I would have to re-apply this after running a ./build rewrite_confs, but I hardly ever need to do that, and so far I don't have any other way of getting the Intermediate certificates to show where needed...

Thanks again..!
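A small check script, added here as an example and not taken from the thread or from DirectAdmin, that verifies the setup Ditto describes (a .cacert file referenced by SSLCACertificateFile in httpd-vhosts.conf, owned by the right user, mode 600) and Jorge's variants (a separate server-ca.crt, or the intermediates appended under the server certificate in server.crt). The paths are the ones named in the thread; the PEM blocks written by make_fixture are constructed placeholders, not real certificates, so the checks can be run without touching a live server. The served_chain function is the one to run against the real host afterwards: if it reports only one certificate, Apache is still not sending the intermediates.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the intermediate-CA setup
# before restarting Apache. File paths follow the thread; the PEM bodies in
# make_fixture are constructed placeholders, not real certificates.

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
# For a combined server.crt (leaf + intermediates) this should be >= 2.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# perms_ok FILE: true when the mode is 600, as recommended in the thread
perms_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# vhost_ca_file CONF: print the path after the first SSLCACertificateFile directive
vhost_ca_file() {
    sed -n 's/^[[:space:]]*SSLCACertificateFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_chain CONF: the vhost must reference a CA file that exists, is mode 600
# and holds at least one certificate; prints a diagnosis and returns 0 or 1
check_chain() {
    ca=$(vhost_ca_file "$1")
    [ -n "$ca" ]   || { echo "FAIL: no SSLCACertificateFile in $1"; return 1; }
    [ -f "$ca" ]   || { echo "FAIL: $ca does not exist"; return 1; }
    perms_ok "$ca" || { echo "FAIL: $ca is not mode 600"; return 1; }
    n=$(count_certs "$ca")
    [ "$n" -ge 1 ]  || { echo "FAIL: $ca contains no PEM certificates"; return 1; }
    echo "OK: $ca holds $n certificate(s)"
}

# served_chain HOST: how many certificates the live server really sends
# (needs network access and the openssl CLI; not exercised offline)
served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# make_fixture DIR: constructed stand-in for the files from the thread
make_fixture() {
    ca="$1/budi.npnservers.net.cacert"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERINTERMEDIATE1==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERINTERMEDIATE2==' '-----END CERTIFICATE-----' > "$ca"
    chmod 600 "$ca"
    printf '%s\n' \
        'SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt' \
        'SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key' \
        "SSLCACertificateFile $ca" > "$1/httpd-vhosts.conf"
}

# Offline demonstration against the constructed fixture
tmp=$(mktemp -d)
make_fixture "$tmp"
check_chain "$tmp/httpd-vhosts.conf"
rm -rf "$tmp"
```

On a real box, replace the fixture with `check_chain /etc/httpd/conf/extra/httpd-vhosts.conf` and then `served_chain budi.npnservers.net`; the file count and the served count should agree (plus one for the server certificate itself when the intermediates live in a separate file). Re-run both after any ./build rewrite_confs, since that rewrites httpd-vhosts.conf and drops the added directive.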
 