[ww-devel] The library browser not updating problem
Jason Aubrey
aubreyja at gmail.com
Wed Aug 27 12:05:00 EDT 2014
Here is a good excerpt from my system administrator:

This link gives the answer.
http://serverfault.com/questions/382633/difference-between-sslcertificatefile-and-sslcertificatechainfile

Specifically it says "if all you give Apache is the certificate, then all it
has to give to connecting clients is the certificate - It's saying, "I'm
signed by someone, but I'm not going to tell you about them".
This usually works fine, as most client systems have a large store of CA
certificates (both root and intermediate) which it can check through for a
matching signing relationship to establish trust. However, sometimes this
doesn't work; -- with a client that doesn't hold the cert for an intermediate
CA that's signed your certificate."

Browsers would work because they have the InCommon CA intermediate and/or root
CAs installed, but with the internal web service the server is the client
too, and has fewer default CAs.

On Wed, Aug 27, 2014 at 8:50 AM, John Jones <jj at asu.edu> wrote:
> Can someone write a version of this explanation a la an apache for dummies?
>
> Arnie, can you check to see if this fixes the problem you encountered
> during mathfest?
>
> John
>
>
>
> On Wed, Aug 27, 2014 at 8:40 AM, Jason Aubrey <aubreyja at gmail.com> wrote:
>
>> Thanks Matt - that worked!
>>
>> Jason
>>
>>
>> On Tue, Aug 26, 2014 at 4:56 PM, Matt Haught <matt_haught at ncsu.edu>
>> wrote:
>>
>>> Same problem here on our devel server but not our production. I have
>>> been scratching my head with it today. Our devel server also uses the
>>> incommon certs while the production is using godaddy from before we
>>> could get incommon. So that got me thinking... I have something for
>>> you to try that appears to have worked for us.
>>>
>>> Add a SSLCACertificateFile apache conf line and have it use the
>>> intermediate/root only cert (2nd link down in the InCommon email)
>>>
>>> Matt Haught
>>> North Carolina State University
>>>
>>>
>>> On Tue, Aug 26, 2014 at 5:49 PM, Jason Aubrey <aubreyja at gmail.com>
>>> wrote:
>>> > Well, at this point I think the error has something to do with how my ssl is
>>> > configured. Here is some evidence from my apache log with LogLevel info:
>>> >
>>> > There were a lot of errors: 500 Can't connect to
>>> > webwork.math.arizona.edu:443 at /opt/webwork/webwork2/lib/WebworkClient.pm
>>> > line 158
>>> >
>>> > [Tue Aug 26 14:35:13 2014] [info] [client 127.0.0.1] SSL library error 1 in handshake (server webwork.math.arizona.edu:443)
>>> > [Tue Aug 26 14:35:13 2014] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>> > [Tue Aug 26 14:35:13 2014] [info] [client 127.0.0.1] Connection closed to child 0 with abortive shutdown (server webwork.math.arizona.edu:443)
>>> >
>>> > So, you can see (1) that 'it' can't connect to webwork.math.arizona.edu:443
>>> > and (2) the ssl handshake seems to be dying due to an unknown certificate
>>> > authority. But if you looked at my server, you would see (3) that my
>>> > certificate authority is in fact well known:
>>> >>
>>> >> Issued By
>>> >>
>>> >> Common Name (CN) InCommon Server CA
>>> >>
>>> >> Organization (O) Internet2
>>> >>
>>> >> etc...
>>> >
>>> > Also, there is the fact that (4) my web browsers have no problem connecting
>>> > to the https site.
>>> > So,
>>> > (a) Maybe the perl module(s) running the webservice calls (LWP?) don't
>>> > recognize the certificate authority.
>>> > (b) Maybe the way my redirect to ssl is set up is messing with the web
>>> > service calls. (Permanent redirect to a *:443 vhost)
>>> > (c) Maybe there is some other configuration problem with my ssl set up.
>>> > (d) Maybe this is completely unrelated to the actual problem.
>>> >
>>> > Thanks for any ideas.
>>> > Jason
>>> >
>>> _______________________________________________
>>> webwork-devel mailing list
>>> webwork-devel at webwork.maa.org
>>> http://webwork.maa.org/mailman/listinfo/webwork-devel
>>>
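
Added example (not part of the original thread or of the WeBWorK code): a shell reproduction with a throwaway root -> intermediate -> leaf hierarchy, showing that a client trusting only the root rejects a server that presents only its own certificate and accepts it once the intermediate is supplied. It assumes the openssl command-line tool is installed; the certificate names and function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed three-tier PKI (root -> intermediate -> leaf) to reproduce the
# "unknown ca" failure. All names and files are made up for this example.

build_demo_pki() {   # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root: stands in for a CA already in the client's trust store.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root: stands in for "InCommon Server CA".
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    # Server certificate signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Client holds only the root; server sent only its own certificate.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# Same client; server also sent the intermediate (untrusted until it chains to the root).
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" \
        2>/dev/null | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    verify_leaf_only "$tmp" && echo "leaf only:  verified" || echo "leaf only:  FAILED (issuer not found)"
    verify_with_chain "$tmp" && echo "with chain: verified" || echo "with chain: FAILED"
    rm -rf "$tmp"
}
demo
```

The `-untrusted` file plays the part of the intermediate certificate that Apache sends once it has been given one through the directives named in the thread (SSLCACertificateFile in Matt's message, SSLCertificateChainFile in the linked question).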