I am using Apache v2.4

In ssl.conf file I am using SSLCACertificatePath directive with parameter like /var/dat/certificates/ssl.intermediate where ssl.intermediate is an empty directory with following permissions:

drwxr-xr-x  2 root   root 4096 Oct 23 23:10 ssl.intermediate

Now when I restart apache I get the following error in ssl error log:

[Thu Oct 23 23:11:08.706227 2014] [ssl:info] [pid 17421] AH02200: Loading certificate & private key of SSL-aware server 'somehost.com:443'

[Thu Oct 23 23:11:08.706726 2014] [ssl:info] [pid 17421] AH01914: Configuring server somehost.com:443 for SSL protocol

[Thu Oct 23 23:11:08.706831 2014] [ssl:emerg] [pid 17421] AH01896: Unable to determine list of acceptable CA certificates for client authentication

Thanks in advance

Jophine

4 Answers

0

My problem was that SSLCACertificatePath was without a public certificate inside.

Vitalicus
0

Not to state the obvious, but if you're not accepting client certificates (otherwise that directory would not be empty, right?), why don't you simply remove the offending directive from your config?

HBruijn
  • HBruijn, thanks for the reply and sorry for my late response. I don't know how SSLCACertificatePath is working, but all I can say is, this same configuration was working with Apache 2.2. Now Apache 2.4 is throwing this error when the directory is empty. – Jophine Oct 27 '14 at 06:40
0

I have found that Apache HTTP Server 2.4 has broken the SSLCADNRequestFile directive. This allowed one to define the list of acceptable CAs apart from the CA list used to authenticate the cert. This is needed when a root CA makes more CAs acceptable than desired. The SSLCADNRequestFile allows the specification of strictly intermediate CAs that the server will accept issued certificates from.

The SSLCACertificateFile list will still be used to authenticate the certificate chain actually used by the client (and thus deemed acceptable for use).

-1

You have to create a hash symbolic link for the file:

https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycacertificatepath

The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

So the directory should at least also look like

drwxr-xr-x  2 root   root 4096 Oct 23 23:10 ssl.intermediate
drwxr-xr-x  2 root   root 4096 Oct 23 23:10 ae002233.0 -> ssl.intermediate
duct_tape_coder
  • To whomever: It is good etiquette when downvoting an answer to leave a comment indicating why so that the poster can learn from the situation. – duct_tape_coder Mar 14 '22 at 14:17
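The directory layout this answer describes, as an added example that is not part of the thread: a POSIX shell script that creates the hash-named symbolic links mod_ssl expects inside an SSLCACertificatePath directory and counts them afterwards, which is a quick way to confirm the directory is neither empty (the situation behind AH01896 in the question) nor missing the links the verification store looks up. It assumes the openssl command-line tool is installed; the function names and the throw-away test CA are constructed for this example. In practice `openssl rehash DIR` (OpenSSL 1.1.0 and later) or the older c_rehash script does the same job.

```shell
#!/bin/sh
# Added example, not from the original thread. Populate an SSLCACertificatePath
# directory with the <subject_hash>.N symlinks mod_ssl expects, then check it.
# Assumes the openssl CLI is installed; names used here are illustrative.

# rehash_dir DIR: for every *.pem / *.crt in DIR, create <subject_hash>.N -> file,
# incrementing N when two certificates share a subject hash. Re-running it on an
# already linked directory changes nothing.
rehash_dir() {
    dir="$1"
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            # Already linked to this very file: move on to the next certificate.
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# count_hash_links DIR: number of entries named like <8 hex digits>.<N>.
# OpenSSL's verify store looks certificates up by these names, so a PEM file
# without such a link is never found during chain verification, and a count of
# zero on an empty directory is the configuration the question describes.
count_hash_links() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# make_test_ca DIR NAME: constructed sample input, a throw-away self-signed CA
# written to DIR/NAME.pem (key to DIR/NAME.key). Only used to exercise the
# functions above; never copy such a certificate into a real CA directory.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Usage on the directory from the question, after the intermediate certificates
# have been copied in:
#   rehash_dir /var/dat/certificates/ssl.intermediate
#   count_hash_links /var/dat/certificates/ssl.intermediate
```

If count_hash_links prints 0, either the directory is still empty (remove the directive, as HBruijn suggests, or point it at a populated directory) or the certificates were copied in without being rehashed.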