Fix "unknown ca" error in Apache SSL

I have a PHP application running on Apache with SSL.

It was failing on authentication.

The SSL error log showed the following:

AH02008: SSL library error 1 in handshake
SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)

The Apache SSL configuration looked fine:

SSLCertificateFile Certificate file path
SSLCertificateKeyFile Key file path
SSLCertificateChainFile Intermediate bundle path

I tested the SSL setup with https://www.sslshopper.com/ssl-checker.html

It reported the following:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy’s Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

So the intermediate certificate (the bundle file) might be the problem.

To verify this, I ran the following commands.

openssl verify /etc/ssl/certs/cert.pem

gives me the following error:

error 20 at 0 depth lookup:unable to get local issuer certificate

The path to the intermediate CA certificate has to be supplied to verify the PEM file.

openssl verify -CAfile /etc/apache2/ssl.crt/sf_bundle-g2-g1.crt /etc/ssl/certs/cert.pem

It gave the following error:

Error loading file /etc/apache2/ssl.crt/sf_bundle-g2-g1.crt

So something seems to be wrong with the sf_bundle-g2-g1.crt file itself.

I downloaded a fresh sf_bundle-g2-g1.crt file from the GoDaddy site:

https://certs.godaddy.com/repository/
https://certs.godaddy.com/repository/sf_bundle-g2-g1.crt

and placed it in /etc/apache2/ssl.crt/.

Now the command works:

openssl verify -CAfile /etc/apache2/ssl.crt/sf_bundle-g2-g1.crt /etc/ssl/certs/cert.pem
/etc/ssl/certs/cert.pem: OK

And now the web application lets users log in again.
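The same checks, reproduced end to end against a throwaway certificate chain that the script builds itself. This is an added example, not part of the original post: the CA names, the temp directory and the truncated bundle are all constructed here, and the truncated copy stands in for the damaged sf_bundle-g2-g1.crt.

```shell
#!/bin/sh
# Throwaway PKI standing in for the post's setup (all constructed here):
# root CA -> intermediate CA -> server certificate, then the same checks.
set -e
WORK=$(mktemp -d)

# new_csr <name> <subject>: fresh key plus CSR in $WORK
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

new_csr root "/CN=Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
new_csr intermediate "/CN=Example Intermediate CA"
openssl x509 -req -in "$WORK/intermediate.csr" -days 1 -CAcreateserial \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
  -out "$WORK/intermediate.crt" 2>/dev/null
new_csr leaf "/CN=www.example.test"
openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CAcreateserial \
  -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# Good bundle (what SSLCertificateChainFile should point at) and a truncated
# copy playing the part of the damaged sf_bundle-g2-g1.crt.
cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/bundle.crt"
head -c 200 "$WORK/bundle.crt" > "$WORK/broken-bundle.crt"

# bundle_loads <file>: succeeds only if every PEM block parses as a certificate.
bundle_loads() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout >/dev/null 2>&1
}

# chain_ok <ca-file> <leaf>: the post's check, openssl verify -CAfile.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Root only -> "error 20 at 0 depth lookup: unable to get local issuer certificate"
openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 || true
# Truncated bundle -> "Error loading file ..."
openssl verify -CAfile "$WORK/broken-bundle.crt" "$WORK/leaf.crt" 2>&1 || true
# Intact bundle -> "leaf.crt: OK"
openssl verify -CAfile "$WORK/bundle.crt" "$WORK/leaf.crt"
```

Note that -CAfile treats every certificate in the file as a trust anchor; when the intermediates should not be trusted on their own, `openssl verify -CAfile root.crt -untrusted intermediate.crt leaf.crt` is the stricter form of the same check.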

Thanks to the following links.

http://w3facility.org/question/trouble-connecting-to-ssl-encrypted-web-service-with-php/
http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html
http://stackoverflow.com/questions/26260445/openssl-unable-to-get-local-issuer-certificate-debian
http://serverfault.com/questions/582438/how-to-verify-signed-certificate
https://www.sslshopper.com/ssl-checker.html
https://certs.godaddy.com/repository/
http://serverfault.com/questions/655995/roundcube-postfix-smtp-ssl-routinesssl3-read-bytestlsv1-alert-unknown-cas3
