(solved) SSL cert chaining w/ multiple CA files (bundled not working)?
-
Our Thawte SSL123 cert expired and so we renewed but now they require a chained CA file (boo) and I cannot get it to work.
I have done the following (this is on 1.2.3, hdd install):
- downloaded pem bundled CA file from thawte article AR1372 1
- copied above file to pfSense box and made corresponding ssl.ca-file entry in lighty-CaptivePortal-SSL.conf file per the article 2 on this forum
- restarted lighttpd
with no luck, clients still get certificate not trusted errors.
On the same Thawte article there is a link to non-bundled CA files so I'm thinking maybe lighttpd doesn't support bundled CA files but I cannot find out how to include two CA files in the lighty-CaptivePortal-SSL.conf file.
Any help would be greatly appreciated (on either what I did wrong w/ the bundled version of the CA file or on how to add a second CA file to the config - I don't want to risk messing up the box so I didn't just try adding another line for the second file).
Thanks in advance.
-
Man, almost a whole day of messing with this and it turns out that the CA/chain file I downloaded was in DOS format (CRLF rather than just CR). I ran it through "dos2unix" and re-copied it and all is well. cat -v is your friend!