Bug 62880

Summary: "Failed to configure CA certificate chain" because OpenSSL's error queue is not cleared
Product: Apache httpd-2
Reporter: Michael Kaufmann <apache-bugzilla>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: PatchAvailable
Priority: P2
Version: 2.4.37
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: Bugfix (clear the error queue before loading CA chains)

Description Michael Kaufmann 2018-11-02 16:23:32 UTC
Created attachment 36241
Bugfix (clear the error queue before loading CA chains)

When using mod_ssl and mod_md in a complex setup (some virtual hosts managed by mod_md, some not), I got this error from mod_ssl:

AH01903: Failed to configure CA certificate chain!

Before loading the certificate chain, mod_ssl does not clear OpenSSL's error queue. After loading the certificate chain, mod_ssl inspects the whole error queue, and finds something. Probably an OpenSSL function called by mod_md has added something to the error queue.

See also https://github.com/icing/mod_md/issues/84#issuecomment-375959559

The attached patch fixes the bug.
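The failure mode described in this report, as an added example that is not part of the original report, the attached patch, or mod_ssl's code: a self-contained C model of a FIFO error queue in which an unrelated call leaves a stale entry, so a successful chain load is reported as failed unless the queue is cleared first. All names (err_put, err_peek, err_clear, load_chain) are hypothetical; in real code the peek and clear steps correspond to OpenSSL's ERR_peek_error() and ERR_clear_error(), and the model assumes the reader queues a "no start line" entry at end of input, as OpenSSL's PEM reader does.

```c
#include <stdio.h>
#include <string.h>

/* Model of a per-thread FIFO error queue (stands in for OpenSSL's). */
enum { ERR_NONE = 0, ERR_NO_START_LINE = 1, ERR_OTHER = 2 };
#define QCAP 16
static int q[QCAP], q_len;

static void err_put(int code) { if (q_len < QCAP) q[q_len++] = code; }
static int  err_peek(void)    { return q_len ? q[0] : ERR_NONE; } /* oldest entry */
static void err_clear(void)   { q_len = 0; }

/* Unrelated code that fails, copes with it, and leaves its error queued. */
static void unrelated_call_that_fails(void) { err_put(ERR_OTHER); }

/* Hypothetical chain loader: counts PEM certificate blocks until none is left.
 * Running out of blocks queues ERR_NO_START_LINE, the normal end of input.
 * Returns the number of certificates, or -1 if the oldest queued entry is
 * anything other than that expected end-of-input marker. */
static int load_chain(const char *pem, int clear_first) {
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    int n = 0;
    if (clear_first)
        err_clear();              /* the fix: start from an empty queue */
    while ((pem = strstr(pem, begin)) != NULL) {
        pem += sizeof(begin) - 1;
        n++;
    }
    err_put(ERR_NO_START_LINE);   /* reader reached end of input */
    if (err_peek() != ERR_NO_START_LINE)
        return -1;                /* stale entry mistaken for a load failure */
    err_clear();
    return n;
}

/* Constructed sample input: two empty PEM certificate blocks. */
static const char SAMPLE_CHAIN[] =
    "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n";

int main(void) {
    unrelated_call_that_fails();
    printf("without clearing: %d\n", load_chain(SAMPLE_CHAIN, 0));
    unrelated_call_that_fails();
    printf("with clearing:    %d\n", load_chain(SAMPLE_CHAIN, 1));
    return 0;
}
```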
Comment 1 Stefan Eissing 2018-11-05 10:39:44 UTC
Thanks for the patch! Added to trunk in r1845768.
Will propose for backport to 2.4.x
Comment 2 Michael Kaufmann 2018-11-05 19:31:26 UTC
Great, thanks!
Comment 3 Graham Leggett 2018-11-23 15:00:27 UTC
Backported to v2.4.38.