Bug 56566 - Spurious "Failed to configure CA certificate chain!" errors
Summary: Spurious "Failed to configure CA certificate chain!" errors
Status: RESOLVED DUPLICATE of bug 56410
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.6
Hardware: PC Linux
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2014-05-26 11:18 UTC by Alex Frolkin
Modified: 2014-05-26 11:22 UTC (History)
0 users

Patch (443 bytes, patch)
2014-05-26 11:18 UTC, Alex Frolkin
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Frolkin 2014-05-26 11:18:27 UTC
Created attachment 31663 [details]

I have an Apache cluster of 16 machines all with identical config.  Half the vhosts are SSL-enabled and half use SSL to connect to mod_proxy backends.

I sometimes see the "Failed to configure CA certificate chain" error when gracefully reloading Apache on the cluster: the result is that Apache reloads fine on most nodes, but dies on one or two of the nodes (not so great when the nodes are handling production traffic!).

I recently added a vhost which had client SSL auth enabled (in particular, it contains the SSLCACertificatePath directive, which no other vhost has), and this was when this problem really came out.  After adding the vhost, the error message seemed to start to appear more frequently on reloading (as described above), and in addition, on two out of the 16 boxes in the cluster, Apache just would not start, with the same error; the remaining 14 boxes were fine.  (Yes, the config and certs were absolutely identical, I checked and double-checked and triple-checked that, and even went as far as checksumming everything on the disk of a failing node and the disk of a working node, and there were no significant differences.)

I haven't been able to reproduce this issue in my test environment.

Googling around, I came across bug <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=21160">21160</a>, where the reporter was seeing remarkably similar issues.

Following the logic of that bug fix, I patched my Apache as attached, and this seems to have fixed the problem.  I'm sure I haven't addressed the root cause, though.

I have a feeling it might be something to do with the SSL error queue not being cleared when loading CA certificates in the path specified by SSLCACertificatePath.  In case it's relevant, some of my vhosts give warnings like this:

  [ssl:warn] [pid 19690:tid 140658685736768] AH01909: RSA certificate configured for vhost12:443 does NOT include an ID which matches the server name

(this is due to the slightly odd way the vhosts are configured).
Comment 1 Yann Ylavic 2014-05-26 11:22:55 UTC
Thanks for the report, already fixed for upcoming 2.4.10.

*** This bug has been marked as a duplicate of bug 56410 ***