
AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! #94

Closed
djc opened this issue Jun 27, 2018 · 7 comments

@djc
commented Jun 27, 2018

After setting up MDomain for two more domains, as in MDomain example.com v6.example.com:

[Wed Jun 27 13:39:09.695269 2018] [ssl:warn] [pid 27485:tid 139819554624000] AH10085: Init: v6.example.com:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Wed Jun 27 13:39:09.695467 2018] [ssl:error] [pid 27485:tid 139819554624000] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: AF605A50CDDF59CFA141F5847A67CF1871176FAA / notbefore: Jun 27 11:39:09 2018 GMT / notafter: Jul 11 11:39:09 2018 GMT]
[Wed Jun 27 13:39:09.695472 2018] [ssl:error] [pid 27485:tid 139819554624000] AH02604: Unable to configure certificate v6.example.com:443:0 for stapling
[Wed Jun 27 13:39:09.695508 2018] [ssl:warn] [pid 27485:tid 139819554624000] AH10085: Init: example.com:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Wed Jun 27 13:39:09.695671 2018] [ssl:error] [pid 27485:tid 139819554624000] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: AF605A50CDDF59CFA141F5847A67CF1871176FAA / notbefore: Jun 27 11:39:09 2018 GMT / notafter: Jul 11 11:39:09 2018 GMT]
[Wed Jun 27 13:39:09.695675 2018] [ssl:error] [pid 27485:tid 139819554624000] AH02604: Unable to configure certificate example.com:443:0 for stapling

@djc
Author

commented Jun 27, 2018

(Never mind, this seems to have happened because I disabled MDomain without re-enabling the certificate configuration.)

@icing
Owner

commented Jun 27, 2018

How does your SSL* specific configuration look for those hosts so that I may reproduce the problem?

@djc
Author

commented Jun 27, 2018

Global:

SSLProtocol             All -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACH$
SSLHonorCipherOrder     On
SSLCompression          Off
SSLSessionTickets       Off

SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

VHost:

    SSLEngine on
    SSLCertificateFile /etc/ssl/apache2/vjkleidersblad.nl.crt
    SSLCertificateKeyFile /etc/ssl/apache2/vjkleidersblad.nl.key
    SSLCertificateChainFile /etc/ssl/apache2/le-intermediate-x3.pem

@icing
Owner

commented Jun 27, 2018

I am confused. You report errors with MDomain, yet have explicit certificates and chain configured?

@djc
Author

commented Jun 27, 2018

Right now, when I disabled MDomain again, yes -- they were disabled when I was testing.

@icing
Owner

commented Jun 27, 2018

Ok, the errors you reported from mod_ssl are on the intermediate certificates (before mod_md gets the real ones) and are not stopping the server from working. It would be nice to teach mod_ssl to not try such things on intermediate certs, but that is how things are right now.

@icing icing closed this Jun 27, 2018

@djc
Author

commented Jun 27, 2018

Okay, it does seem to work. I was thrown off by the "unknown issuer" errors that my browser gives me if I load the domain up shortly after restarting the web server. Thanks, and sorry for the noise.
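An added example, not code from the mod_md project or from anyone in this thread: a small Python log-triage script that applies @icing's explanation above to an Apache error_log. mod_md installs a self-signed placeholder certificate (subject and issuer both `CN=Apache Managed Domain Fallback`) so the vhost can start and answer 503 until the real certificate arrives; mod_ssl's stapling initialisation then cannot find an issuer for it and logs AH02217/AH02604. The script separates that expected sequence (AH10085 for a host, then AH02217 on the fallback cert, then AH02604 for the same host) from an AH02217/AH02604 pair on a real certificate, which would indicate a genuinely broken chain. The sample log mixes the lines reported in this issue with two constructed lines for a hypothetical host `www.example.net` whose issuer really is missing.

```python
"""Triage mod_ssl OCSP-stapling errors logged while mod_md is still bootstrapping.
Added example; not mod_md or mod_ssl code."""
import re

# Generic Apache error_log line: timestamp, module:level, pid/tid, AH code, message.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid [^\]]+\] (?P<code>AH\d{5}): (?P<msg>.*)$"
)
# Certificate summary mod_ssl appends to AH02217.
CERT_RE = re.compile(r"\[subject: (?P<subject>.+?) / issuer: (?P<issuer>.+?) / serial:")
# Host named in mod_md's "503 for now" warning (AH10085).
MD_HOST_RE = re.compile(r"Init: (?P<host>[\w.\-]+:\d+) will respond with '503")
# Host named in the stapling failure (AH02604); the trailing :0 is the certificate index.
STAPLE_HOST_RE = re.compile(r"configure certificate (?P<host>[\w.\-]+:\d+):\d+ for stapling")

# Subject/issuer mod_md uses for its temporary self-signed certificate (from the log above).
FALLBACK_CN = "CN=Apache Managed Domain Fallback"

PID = "[pid 27485:tid 139819554624000]"
FALLBACK_CERT = ("[subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain "
                 "Fallback / serial: AF605A50CDDF59CFA141F5847A67CF1871176FAA / "
                 "notbefore: Jun 27 11:39:09 2018 GMT / notafter: Jul 11 11:39:09 2018 GMT]")
SAMPLE_LOG = [
    # Lines as reported in this issue (expected during mod_md bootstrap).
    f"[Wed Jun 27 13:39:09.695269 2018] [ssl:warn] {PID} AH10085: Init: v6.example.com:443 "
    "will respond with '503 Service Unavailable' for now. This host is part of a Managed "
    "Domain, but no SSL certificate is available (yet).",
    f"[Wed Jun 27 13:39:09.695467 2018] [ssl:error] {PID} AH02217: ssl_stapling_init_cert: "
    f"can't retrieve issuer certificate! {FALLBACK_CERT}",
    f"[Wed Jun 27 13:39:09.695472 2018] [ssl:error] {PID} AH02604: Unable to configure "
    "certificate v6.example.com:443:0 for stapling",
    # Constructed lines: a real (non-fallback) certificate whose issuer is missing.
    f"[Wed Jun 27 13:39:09.700000 2018] [ssl:error] {PID} AH02217: ssl_stapling_init_cert: "
    "can't retrieve issuer certificate! [subject: CN=www.example.net / issuer: "
    "CN=Example Intermediate CA / serial: 01 / notbefore: Jun 27 11:39:09 2018 GMT / "
    "notafter: Sep 25 11:39:09 2018 GMT]",
    f"[Wed Jun 27 13:39:09.700010 2018] [ssl:error] {PID} AH02604: Unable to configure "
    "certificate www.example.net:443:0 for stapling",
]


def triage(lines):
    """Return one (code, host, verdict) tuple per recognised AH code.

    AH02217 with subject == issuer == the mod_md fallback CN is expected: the
    fallback certificate is self-signed, so there is no issuer to retrieve.
    The AH02604 that follows it for a host mod_md has just announced as
    'no certificate yet' (AH10085) is the same condition.  Anything else is
    flagged, because it points at a real chain problem for a real certificate.
    """
    pending_hosts = set()      # hosts mod_md said are still waiting for a certificate
    last_was_fallback = False  # did the most recent AH02217 concern the fallback cert?
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        code, msg = m["code"], m["msg"]
        if code == "AH10085":
            h = MD_HOST_RE.search(msg)
            host = h["host"] if h else None
            pending_hosts.add(host)
            results.append((code, host, "info: mod_md host awaiting certificate"))
        elif code == "AH02217":
            c = CERT_RE.search(msg)
            if c and c["subject"] == c["issuer"] == FALLBACK_CN:
                last_was_fallback = True
                results.append((code, None, "benign: self-signed mod_md fallback cert"))
            else:
                last_was_fallback = False
                results.append((code, None, "investigate: issuer not found for a real cert"))
        elif code == "AH02604":
            h = STAPLE_HOST_RE.search(msg)
            host = h["host"] if h else None
            if last_was_fallback and host in pending_hosts:
                results.append((code, host, "benign: stapling skipped on fallback cert"))
            else:
                results.append((code, host, "investigate: stapling disabled for a real cert"))
            last_was_fallback = False
    return results


def needs_attention(lines):
    """Sorted hosts whose stapling failure is not explained by mod_md bootstrap."""
    return sorted({host for code, host, verdict in triage(lines)
                   if code == "AH02604" and verdict.startswith("investigate")})


if __name__ == "__main__":
    for code, host, verdict in triage(SAMPLE_LOG):
        print(f"{code} {host or '-':<24} {verdict}")
    print("needs attention:", needs_attention(SAMPLE_LOG))
```

Run it against `/var/log/apache2/error.log` (or whatever `ErrorLog` points at) right after a restart; a benign verdict for a host means the 503 and the browser's "unknown issuer" warning will clear once mod_md has obtained and installed the certificate, while an "investigate" verdict for a host that is not under `MDomain` means its `SSLCertificateChainFile` or intermediate really is missing and stapling has been silently disabled for it.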
