SSLCertificateChainFile Deprecation Warning on Apache 2.4.8+
Solution 1
I had the same issue. I just replaced these lines in /etc/apache2/site-enabled/default-ssl.conf
SSLCertificateFile /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt
As you see, I just commented out the SSLCertificateChainFile. Then, seeing the same error as you, I concatenated the content of my chain.crt at the end of the domain.crt, like so:
root@host~: cat /etc/apache2/ssl.crt/chain.crt >> /etc/ssl/certs/domain.crt
And it worked like a charm.
Solution 2
I use the following script to create a certificate bundle that contains the chained certificate.
#!/bin/sh
#
# Convert a PEM certificate to ca-bundle.crt format
#
# Exactly one argument is expected: the PEM certificate file
if [ -z "$1" ]; then
    printf 'Usage: %s certificate\n' "$(basename "$0")" >&2
    exit 1
fi
# Friendly Name (the subject CN) and underline it with equal signs;
# matches both "CN=" and the "CN = " spacing printed by newer OpenSSL
openssl x509 -in "$1" -text -noout | sed -e 's/^ *Subject:.*CN *= *\([^,]*\).*/\1/p;t c' -e 'd;:c' -e 's/./=/g'
# Output Fingerprint and swap = for :
openssl x509 -in "$1" -noout -fingerprint | sed -e 's/=/: /'
# Output PEM Data:
echo 'PEM Data:'
# Output Certificate
openssl x509 -in "$1"
# Output Certificate text, swapping Certificate with Certificate Ingredients
openssl x509 -in "$1" -text -noout | sed -e 's/^Certificate:/Certificate Ingredients:/'
To use it, start with the server certificate and work sequentially through any intermediate certificates in the certificate chain back to the root certificate:
./bundle.sh myserver.crt >myserver.chain
./bundle.sh intermediate.crt >>myserver.chain
./bundle.sh root.crt >>myserver.chain
where the appropriate certificate names are replaced with your real certificate name.
Solution 3
Have the site certificate and the intermediates in a file specified by the SSLCertificateFile directive, and the private key in a file specified by SSLCertificateKeyFile, and you should be all set. Although you could have the private key in the same file as the certificates, that is discouraged. Please check the documentation for more details:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile
I would recommend that the root CA certificate not be part of the SSLCertificateFile, since the client should have the root CA certificate as trusted in order for the certificate validation to work as designed.
Also, if there is nothing in the Apache error logs, one could set the error log to a finer granularity as in http://httpd.apache.org/docs/current/mod/core.html#loglevel
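A dependency-free check for the bundle that all three solutions build, added here as an example and not taken from any of the answers: it parses an SSLCertificateFile, confirms the server certificate comes first and that each certificate is issued by the one after it (issuer and subject compared as encoded bytes), and flags a private key mixed into the file as well as a trailing self-signed root. The tlv encoder and fake_cert_pem exist only to construct sample input; in practice you pass check_bundle the contents of a real bundle.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, DER bytes) for every PEM block in a bundle file."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in PEM_RE.finditer(text)]
def elements(buf):
    """Return the raw child TLVs of the constructed DER value in buf (long-form lengths handled)."""
    def read_len(pos):  # -> (length, index of the first value byte)
        first, n = buf[pos], buf[pos] & 0x7F
        return (first, pos + 1) if first < 0x80 else (int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n)
    out, (length, pos) = [], read_len(1)
    end = pos + length
    while pos < end:
        ln, vstart = read_len(pos + 1)
        out.append(buf[pos:vstart + ln])
        pos = vstart + ln
    return out
def issuer_subject(cert_der):
    """Return the DER-encoded (issuer, subject) Names of one X.509 certificate."""
    fields = elements(elements(cert_der)[0])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2], fields[4]               # serial, sigAlg, issuer, validity, subject, ...
def check_bundle(text):
    """Findings for an SSLCertificateFile bundle: server cert first, each cert issued by the next one."""
    blocks = pem_blocks(text)
    findings = ["private key found in bundle; keep it in SSLCertificateKeyFile" for label, _ in blocks if "PRIVATE KEY" in label]
    certs = [issuer_subject(der) for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        return findings + ["no CERTIFICATE block found"]
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:    # issuer(i) must equal subject(i+1) byte for byte
            findings.append(f"certificate {i + 1} does not issue certificate {i}; chain is out of order")
    if certs[-1][0] == certs[-1][1]:
        findings.append("last certificate is self-signed; the root CA need not be shipped")
    return findings
def tlv(tag, body):
    """Minimal DER encoder (values under 64 KiB), used only to build the constructed samples."""
    n, ln = len(body), (len(body) > 255) + 1
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | ln]) + n.to_bytes(ln, "big")) + body
def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed sample: an unsigned X.509 skeleton that carries only the two CN names."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))  # empty sigAlg, zero-length signature
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
```

Because the comparison is byte-for-byte rather than RFC 5280 name matching, a CA that re-encodes its subject name in a differently encoded form would show up as a false mismatch.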
Updated on September 18, 2022

Question
DOOManiac over 1 year
We have an SSL Certificate for our website from Network Solutions. After upgrading Apache/OpenSSL to version 2.4.9, I now get the following warning when starting HTTPD:
AH02559: The SSLCertificateChainFile directive (/etc/httpd/conf.d/ssl.conf:105) is deprecated, SSLCertificateFile should be used instead
According to the Apache manual for mod_ssl this is indeed the case:
SSLCertificateChainFile is deprecated
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
Looking up the documentation for SSLCertificateFile, it looked like I just needed to replace my call to SSLCertificateChainFile with SSLCertificateFile.
This change turned my ssl.conf from this:
SSLCertificateFile /etc/ssl/STAR.EXAMPLE.COM.crt
SSLCertificateKeyFile /etc/ssl/server.key
SSLCertificateChainFile /etc/ssl/Apache_Plesk_Install.txt
to this:
SSLCertificateFile /etc/ssl/STAR.EXAMPLE.COM.crt
SSLCertificateFile /etc/ssl/Apache_Plesk_Install.txt
SSLCertificateKeyFile /etc/ssl/server.key
... but this doesn't work. Apache simply refuses to start without any error message.
I'm not sure what else to try here, as I'm not that familiar with mod_ssl or SSL certificates in general. I do remember we needed to add the Apache_Plesk_Install.txt file for Internet Explorer to not have an SSL warning on our site, but other than this I have no clue.
Any help would be greatly appreciated. Thanks.
Comments
- dawud, about 10 years ago: You need to concatenate all certificates, the client certificate and the intermediate certificate(s).
- ssl, over 9 years ago: Really? The private key? That seems like a bad idea. Just wondering, because my strong assumption is that this is private.
- Khanna111, over 9 years ago: You are right - things have changed from what I remembered from the documentation and also from what documentation exists in the httpd-ssl.conf file for these two directives. Although allowed, the practice of having the private key in the file specified by SSLCertificateFile is discouraged. The reply is now edited to cater to this fact.
- acheo, over 8 years ago: Perfectly valid too, according to comments in the Apache config: "Alternatively the referenced file can be the same as SSLCertificateFile when the CA certificates are directly appended to the server certificate for convenience."