The Linux Page

Apache and weird errors

Error about a local certificate?!

The other day, I got a new certificate from godaddy.com. I installed the certificate by replacing the files and simply restarting Apache. I then checked in SeaMonkey and it worked great. When I checked the certificate, it told me "valid for another 3 years."

A few days later I got an error from eFax saying that our certificate could not be verified. Weird... I tried with wget and got the error! Hmmm... I tried again with SeaMonkey, just fine. Then I tried with Firefox, error too! The error with wget is like this:

ERROR: Certificate verification error for secure.m2osw.com:
         unable to get local issuer certificate

I searched around and found one post about that error which mentioned that the local issuer certificate is the chain file. That gave me the clue I needed to fix the problem.

The old chain was named sf_issuing.crt whereas the new one is gd_intermediate_bundle.crt. My .conf files needed to be changed to use the new filename, and now it works again.

More specifically, on a Debian/Ubuntu system, change the Apache parameter as follows:

SSLCertificateChainFile /etc/apache2/ssl/gd_intermediate_bundle.crt

Your file names may not be the same, but the principle will be the same. The intermediate bundle is the list of certificates that sit between yours and some official root.
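The failure can be reproduced offline with a throwaway chain. The script below is an added example, not part of the original post: it builds a constructed root, intermediate and server certificate with the openssl command line, then verifies the server certificate the way a client that trusts only the root would, first without and then with the intermediate. All file names and subjects in it are made up for the demonstration.

```shell
#!/bin/sh
# Constructed throwaway chain: root CA -> intermediate CA -> server ("leaf") cert.

# issue NAME SUBJECT EXTFILE [ISSUER]: make key + CSR, sign with ISSUER (self-sign if omitted)
issue() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" 2>/dev/null || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" \
            -days 2 -extfile "$ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -set_serial 1 -days 2 -extfile "$ext" -out "$name.crt" 2>/dev/null
    fi
}

# make_chain DIR: write root, inter and leaf certificates into DIR
make_chain() {
    dir=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$dir/ca.ext"
    echo 'basicConstraints=CA:FALSE' > "$dir/leaf.ext"
    issue "$dir/root" "/CN=Constructed Root CA" "$dir/ca.ext" &&
    issue "$dir/inter" "/CN=Constructed Intermediate CA" "$dir/ca.ext" "$dir/root" &&
    issue "$dir/leaf" "/CN=www.example.test" "$dir/leaf.ext" "$dir/inter"
}

# verify_leaf DIR [CHAINFILE]: print OK, or the reason verification failed.
# The client trusts only the root; CHAINFILE plays the role of the file that
# SSLCertificateChainFile makes Apache send along with the server certificate.
verify_leaf() {
    vdir=$1; chain=${2:-}
    if [ -n "$chain" ]; then
        out=$(openssl verify -CAfile "$vdir/root.crt" -untrusted "$chain" "$vdir/leaf.crt" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$vdir/root.crt" "$vdir/leaf.crt" 2>&1) || true
    fi
    case $out in
        *": OK"*) echo OK ;;
        *) echo "$out" | sed -n 's/.*lookup: *//p' | head -n 1 ;;
    esac
}

d=$(mktemp -d) && make_chain "$d" && {
    echo "chain file missing: $(verify_leaf "$d")"
    echo "chain file present: $(verify_leaf "$d" "$d/inter.crt")"
}
rm -rf "$d"
```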

Tons of "that just can't happen" errors in your logs?

In the past, I have often seen "attacks" on our Apache server. It never really bothered me that much since Apache never had a problem with those (except maybe by using a bit too many resources once in a while, but these were not DoS attacks).

Now, in the past two months, we somehow got bombarded by the million! Yes! There is a first time for everything, and our server got over 1.2 million hits last month. Nothing to be proud of. These were at the bottom of the page, showing that we got 1.2+ million... errors!!!

Looking at the logs, it is clear that these are email address spiders, run by guys who want our email addresses to send us all sorts of spam, scam, and much much more. Thus, if there was a way to stop those, it would be a good thing! Well... there is an easy solution. It's called mod-security.

If you don't have an Apache setup yet, or if you never bothered about security and are thinking about it now, a good place to start is this blog: 20 ways to Secure your Apache Configuration

Someone posted a message mentioning mod-security and the fact that there are people out there who actively update (every day!) their mod-security setup (that may be a little much unless you have millions of hits all the time!)