From: Jeff Trawick <trawick@apache.org>
Date: Thu, 23 Oct 2014 11:32:40 +0000 (+0000)
Subject: trying to enable OCSP Stapling without certificate chain
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abd1ec4ac4ec52f5fa387601d4cc7304fb2626a8;p=thirdparty%2Fapache%2Fhttpd.git

trying to enable OCSP Stapling without certificate chain

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1633793 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml
index 3c45b59c5f6..66f04dcbd87 100644
--- a/docs/manual/ssl/ssl_howto.xml
+++ b/docs/manual/ssl/ssl_howto.xml
@@ -200,6 +200,22 @@ to the documentation for the
 directives.</p>
 </section>
 
+<section>
+<title>If mod_ssl logs error AH02217</title>
+<pre>
+AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
+</pre>
+<p>In order to support OCSP Stapling when a particular server certificate is
+used, the certificate chain for that certificate must be configured.  If it 
+was not configured as part of enabling SSL, the AH02217 error will be issued
+when stapling is enabled, and an OCSP response will not be provided for clients
+using the certificate.</p>
+
+<p>Refer to the <directive module="mod_ssl">SSLCertificateChainFile</directive>
+and <directive module="mod_ssl">SSLCertificateFile</directive> for instructions
+for configuring the certificate chain.</p>
+</section>
+
 </section>
 <!-- /ocspstapling -->