Why isn’t the full certificate chain provided by my web server?


Good question, simple answer though: Probably you’re still on Ubuntu 14.04 (Trusty) and thus your Apache version is too old (2.4.7) and does not provide the full certificate chain from the file specified as SSLCertificateFile. The nasty thing: It does not throw a warning nor an error; not on the console nor in the error.log.

Solution: Use the SSLCertificateChainFile option instead to point to the intermediate certificates of your CA.

But watch out when you update your server: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Apache, authnz_ldap and Active Directory


After spending several hours of debugging into an Apache Active Directory LDAP authentication issue, I finally found the hint I was looking for. The error I was constantly getting in the error.log was:

[debug] mod_authnz_ldap.c(379): [client] [29481] auth_ldap authenticate: using URL ldap://dc001.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
[info] [client] [29481] auth_ldap authenticate: user tuxevara authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]

and regarding to some other sites [ldap_search_ext_s() for user failed][Operations error] must be related to authnz_ldap not handling referrals. The solution to this was just too obvious: Changing the LDAP port to 3268 (Global Catalog) solved it.

Here is the content of the htaccess file only grants access to members of a specific group:

AuthBasicProvider ldap
AuthType Basic
AuthName "Protected"
AuthLDAPURL "ldap://dc001.mydomain.local:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative on

AuthLDAPBindDN "svc-apache@mydomain.local"
AuthLDAPBindPassword "thisissupposedtobesecret"

AuthLDAPGroupAttributeIsDN on
require ldap-group CN=Support,OU=Groups,DC=mydomain,DC=local