[Modules] [error] GnuTLS: Hanshake Alert (48) 'CA is unknown'.

Ling-hua Tseng uranus at tinlans.org
Thu Sep 18 13:30:32 EDT 2008


Here is my environment:
    FreeBSD 7.1-PRERELEASE
    apache-worker-2.2.9_5
    mod_ssl/2.2.9 (bundled with apache2 in FreeBSD's package/ports system)
    OpenSSL/0.9.8e (OS bundled library)
    gnutls-2.4.1_1
    mod_gnutls-0.4.3 (0.5.2 is also tested)

There are 7 name-based SSL virtual hosts configured in my web server.
The following 2 lines appear in the error log of my default SSL site whenever anyone accesses any of the SSL sites:
[error] GnuTLS: Hanshake Alert (48) 'CA is unknown'.
[error] [client 220.133.199.45] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'

The IP address that appears in the log file of the default site is always the same as my web server's.
That is, it's always 220.133.199.45.

The settings of my virtual hosts always follow the examples in the README file of each version.
When I use mod_gnutls-0.4.3, the settings look like:
<VirtualHost *:443>
    ...
    Servername tinlans.org:443
    ...
    GnuTLSEnable on
    GNUTLSExportCertificates on
    GnuTLSPriorities NORMAL
    GnuTLSClientVerify ignore
    GnuTLSClientCAFile <path of ca cert>
    GnuTLSCertificateFile <path of server's cert>
    GnuTLSKeyFile <path of server's private key>
    ...
</VirtualHost>
And when I use mod_gnutls-0.5.2, the settings look like:
<VirtualHost *:443>
    ...
    Servername tinlans.org:443
    ...
    GnuTLSEnable on
    GNUTLSExportCertificates on
    GnuTLSPriorities NORMAL
    GnuTLSClientVerify ignore
    GnuTLSX509CAFile <path of ca cert>
    GnuTLSX509CertificateFile <path of server's cert>
    GnuTLSX509KeyFile <path of server's private key>
    ...
</VirtualHost>

Both versions and settings produce the same errors.
Removing GnuTLSX509CAFile or GnuTLSClientCAFile still doesn't help.
In addition, the CA's cert is self-signed.
All of my certs work fine in apache2+SSL, postfix+TLS, qpopper+SSL, and other services.

My browsers are IE7 and Firefox 3 (both running on Windows Vista 32-bit).
Although this error occurs every time, my browsers also tell me the connections are encrypted.
I cannot see what kind of encryption is used by IE7.
Firefox 3 shows that it uses Camellia-256.
Even though the connections are still safe, the error messages are really flooding my log file.
Would anyone like to help me solve this problem?

Thanks.
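
Added example, not part of the original post: a small Python script that pairs each alert line with the "Handshake Failed" line that follows it and counts the pairs per client address, one way to check the observation above that every failing handshake is logged with the same address. The timestamps and the second client address in the sample log are constructed, and the pairing assumes the two lines are written back to back, as they are quoted in the post.

```python
import re
from collections import Counter

# The module logs the alert as "Hanshake Alert" (spelling as quoted in the
# post); the optional "d" also accepts a corrected spelling.
ALERT_RE = re.compile(r"GnuTLS: Hand?shake Alert \((\d+)\) '([^']*)'")
FAILED_RE = re.compile(
    r"\[client ([0-9A-Fa-f:.]+)\] GnuTLS: Handshake Failed \((-?\d+)\)")

def summarize(lines):
    """Count (client, alert code, alert text) for each failed handshake.

    The alert line carries no client address, so it is attributed to the
    client named on the next 'Handshake Failed' line (assumption: the two
    lines are adjacent, which may not hold under heavy concurrency).
    """
    counts = Counter()
    pending = None  # most recent alert not yet tied to a client
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = FAILED_RE.search(line)
        if m:
            code, text = pending or (None, "no alert line")
            counts[(m.group(1), code, text)] += 1
            pending = None
    return counts

# Constructed sample: message text from the post, timestamps and the
# 192.0.2.10 entry invented for illustration.
SAMPLE_LOG = """\
[Thu Sep 18 13:20:01 2008] [error] GnuTLS: Hanshake Alert (48) 'CA is unknown'.
[Thu Sep 18 13:20:01 2008] [error] [client 220.133.199.45] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'
[Thu Sep 18 13:21:17 2008] [error] [client 192.0.2.10] File does not exist: /usr/local/www/favicon.ico
[Thu Sep 18 13:22:40 2008] [error] GnuTLS: Hanshake Alert (48) 'CA is unknown'.
[Thu Sep 18 13:22:40 2008] [error] [client 220.133.199.45] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'
[Thu Sep 18 13:25:03 2008] [error] [client 192.0.2.10] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'
""".splitlines()

if __name__ == "__main__":
    for (client, code, text), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {client:<16} alert={code} {text}")
```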
