Perspective-1 :
Primarily we are looking at the following parameters in <SPS_HOME>/secure-proxy/httpd/conf/extra/httpd-ssl.conf
SSLCACertificatePath "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs"
SSLCACertificateFile "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs/rootBundle.cert"
#SSLCertificateChainFile "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs/ca.crt"
SSLCertificateChainFile is obsolete or deprecated after 2.4.8. We can check the version of Apache being shipped with CA AG by going to <SPS_HOME>/secure-proxy/httpd/bin and running "./httpd -V" (source the ca_sps_env.sh first).
Thus when we add intermediate root CA certs to "SSLCACertificateFile", they should be added in a particular format, i.e. "sorted from leaf to root". In our case the Intermediate Certificate signing the Server Certificate should be first, followed by the other intermediate root CA and lastly the Root CA.
Perspective-2 :
Steps to enable server logs in debug mode -
Go to SPS_HOME\secure-proxy\Tomcat\properties\logger.properties and modify the following lines from
log4j.rootCategory=INFO,SvrFileAppender
to
log4j.rootCategory=ALL,SvrFileAppender
Let us now see if we get a few more lines in the server.log to see what exactly the issue could be.
Perspective-3 :
If we intend to raise a support case, then also run a strace and upload the strace output e.g. "strace -Ff -t -i -v -o strace.log -s 16384 <command>".
strace -Ff -t -i -v -o strace.log -s 16384 ./sps-ctl startssl
Regards
Hubert