(solved) SSL cert chaining w/ multiple CA files (bundled not working)?

  • Our Thawte SSL123 cert expired and so we renewed but now they require a chained CA file (boo) and I cannot get it to work.

    I have done the following (this is on 1.2.3, hdd install):

    • downloaded pem bundled CA file from thawte article AR1372 1
    • copied above file to pfSense box and made corresponding ssl.ca-file entry in lighty-CaptivePortal-SSL.conf file per the article 2 on this forum
    • restarted lighttpd

    with no luck, clients still get certificate not trusted errors.

    On the same Thawte article there is a link to non-bundled CA files so I'm thinking maybe lighttpd doesn't support bundled CA files but I cannot find out how to include two CA files in the lighty-CaptivePortal-SSL.conf file.

    Any help would be greatly appreciated (on either what I did wrong w/ the bundled version of the CA file or on how to add a second CA file to the config - I don't want to risk messing up the box so I didn't just try adding another line for the second file).

    Thanks in advance.

  • Man, almost a whole day of messing with this and it turns out that the CA/chain file I downloaded was in DOS format (CRLF rather than just CR).  I ran it through "dos2unix" and re-copied it and all is well.  cat -v is your friend!

Log in to reply