SSL：无法加载CA证书文件/etc/pki/tls/certs/ca-bundle.crt

Question

On my local dev machine (osx), I'm using jboss to server web services on 8443. When I hit the urls directly I get the json responses I'm looking for. The architecture we have at work includes a middle layer (apache/php) that does authentication and routing. If things authenticate then it forwards the request to the backend.

When I was working with apache on port 80 and jboss on 8081 (using http). Everything worked fine for me. Now that I'm trying to use 8443, things aren't working.

I recently changed the backend to server through https (8443) instead of http (8081). I can hit the requests on https 8443 directly and get the json response. When I hit apache and it authenticates then tries to redirect to the https 8443 I get the following message from chrome's inspector: "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt".

My vhost is setup to catch *:80 requests. I think I might need to setup vhosts to accept 443 requests or install ca-certificates like talked about in How do I deal with certificates using cURL while trying to access an HTTPS url? . I'm looking to see if anyone knows what the proper direction should be.

When I look on the file system, the file /etc/pki/tls/certs/ca-bundle.crt doesn't exist. When I make the request to the middle layer, I see the request hit /var/log/apache2/access_log and nothing comes up in /var/log/apache2/error_log .

What is needed to resolve this issue? Is it a configuration of vhosts to catch request to 443? Is it to install ca-cert stuff like in the link? A combination of both? Or something else? Please provide enough info on how to solve it, or provide links that provide enough info.

Answer 1

I solved my issue and am doing a post for documentation purposes, in case anyone else has similar issues. There was a couple of issues I had to resolve to fix this.

PHP Install

My /etc/apache2/httpd.conf referenced my default osx php install instead of my home brew install of php. Solution was to edit the httpd.conf and point it to the right install.

#LoadModule php5_module /usr/local/opt/php53/libexec/apache2/libphp5.so
LoadModule php5_module /usr/local/Cellar/php53/5.3.29_4/libexec/apache2/libphp5.so

You can create a similar setup of php using home brew by the following commands:

brew install homebrew/php/php53
brew install homebrew/php/php53-igbinary --build-from-source
brew install homebrew/php/php53-intl
brew install homebrew/php/php53-mcrypt
brew install homebrew/php/php53-memcached
brew install homebrew/php/php53-mongo
brew install homebrew/php/php53-xdebug

Create the CA Cert Bundle File

The system is looking for /etc/pki/tls/certs/ca-bundle.cert which is a standard path on linux, but not on osx. We get around this by generating the file.

I generated the .keystore file using keytool and used jboss for my alias. In order to build the ca bundle file, we need it to be in the pem format, so we need to add the -rfc to our export statement. Below are the commands:

cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc

After you have the file, you can cat it out and verify that the file has the BEGIN CERTIFICATE and END CERTIFICATE stuff in it. If so, its in the right format.

Lastly, create the directory structure, move the cert to act like the bundle (which is just a bunch of certs appended to each other) and then restart apache:

mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart