DigitalOcean

Hi All

Anyone know how to get Origin Certificates to work on Digital Ocean
installed on a CentOS 7 drop httpd service fails to restart

Getting this error in the log file

[Fri Oct 18 05:12:14.017456 2019] [ssl:emerg] [pid 14156] AH01895: Unable to configure verify locations for client authentication

https://www.google.com/search?client=firefox-b-d&q=Unable+to+configure+verify+locations+for+client+authentication

Hi

I am not setting up client authentication, it already works with the existing DigiCert cert,
I am replacing the DigiCert SSL certs with CloudFlare Origin Certificates thats when I get the error.

Well, straight from the very first link of the search

Check your certs are in .pem format (which is ASCII text) not .der format (which is binary). I mean actually open them and look at them, don’t just look at the extensions.

The error you mention most often has to do with the SSLCertificateChainFile or the SSLCACertificateFile being unable to be read and parsed.

Hi sandro

Sorry but Google was my first of call on this and I have checked all the things there, that’s why I posted the question here.

The topic itself is a bit beyond the scope of the forum, as it rather is about configuring Apache than Cloudflare’s service.

I would recommend to check that you have the right files in the right format configured, with the right paths. One of those will be the issue here. Simply double check everything.

Hi

Thanks, I will open a ticket with Cloudflare, it is possibly something to do with the Digital Ocean
setup, hopefully they will have seen it before.

You can certainly open a ticket, but that wont make it more Cloudflare relevant :wink:

The issue really is on Apache’s side, respectively with a - presumably - invalid certificate format/configuration.

My best advice would be to start the configuration setup from scratch and make sure you exactly follow Apache’s configuration and make sure it is the right format along with the right file permissions.

Hi

Sorry but there are no problems with Apache, the site or the droplet, it all works
with a certificate issued from Digicert, the problem only happens when using the Cloudflare cert

Well, that is obviously an Apache error message :wink:

The question is why Apache cant read it but that is exactly what I have been referring to all along and that is - I am afraid - an Apache related question.

There, certainly, is a chance that Cloudflare gave you a corrupt certificate file, but that is rather unlikely. Also, that should be verifiable with standard system calls as well, which brings us back to verifying if the file is proper.

Hi

I have found the problem, I replaced the Root CA with the new one and it has worked?
This is from CF site https://support.cloudflare.com/hc/en-us/articles/115000479507#h_30cc332c-8f6e-42d8-9c59-6c1f06650639
Why it is a problem now I don’t know I could understand it if the old one had expired, but it still has month on it.

The previous version of root certificates expire on 2019-11-14T01:43:50Z for the RSA root and 2021-02-22T00:24:00Z for the ECC root. If your origin web server is using outdated root certificates, you must replace them with the latest version to avoid site disruptions.

Possibly the new certificate has been signed by a completely new root certificate. You’d need to check the certificate chain.

This topic was automatically closed after 30 days. New replies are no longer allowed.