The server should only be sending the first two certificates, not the 3rd which is the root.

I:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
3 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
I:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
I:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU= Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU= Secure Certificate Authority - G2
This isn't a bug in Qt.
0 s:/OU=Domain Control Validated/CN=*.

It should be sending leaf and intermediate certificates, but not the root certificate since that needs to be in the trust store.

Then I just specify this file as both the SSLCertificateFile and SSLCertificateChainFile.

Richard Moore added a comment - 22/Oct/14 10:42 PM

I personally like to keep all these certificates (personal certificate, followed by intermediate ones, followed by the root certificate) in the same file. Try appending these in this order (you can skip the first and last) so your intermediate chain looks something like this: -BEGIN CERTIFICATE. In other words, if your chain is Your cert -> cert A -> cert B -> Starfield Root cert. Make sure that your intermediate chain lists only the required certificates and in the correct order (it is easier if it is in PEM format). I have seen this also help when you get odd validation errors. Download these and compare their -hash against the -issuer_hash where you got stuck. If something is missing, you can check the other intermediate files here. Keep doing these checks until you find a certificate which has the same -hash and -issuer_hash. If none have this hash, then something is wrong right there.
You may have to extract the certificates (or just copy paste them to the command):

cat first_cert_from_sf_bundle.crt | openssl x509 -noout -hash

Check all of them. i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http:/ //repository/CN=Starfield Secure Certification. Then try to find a certificate with this hash in the sf_bundle.crt file that you specified as SSLCertificateChainFile. Try this to get the issuer hash of your certificate:

cat /path/to/cert/ | openssl x509 -noout -issuer_hash

You should verify the "hash" and "issuer's hash" of every certificate in the chain with the openssl x509 -noout -hash and openssl x509 -noout -issuer_hash commands. You should check where you got your certificate from and that you got the correct intermediate bundle.

My problem ended up being that I had forgotten to add the SSLCertificateChainFile line to the virtual host(s) in my nf and had only been editing those lines in ssl.conf instead, thanks for all the suggestions!

As the error seems to indicate, there is something off about your intermediate certificate chain.

Let me know if there is any other information needed that might help debugging this issue. What might I try next to remedy the untrusted certificate issue? You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Web sites using a Starfield certificate may be trying to authenticate the certificate using one of several protocols - including SEAL & OCSP. It says the domain is correctly listed on the certificate but comes up with an error that reads The certificate is not trusted in all web browsers. Starfield Technologies is a legitimate certificate authority, and is a division of GoDaddy, the web site hosting company.
Following this ServerFault answer from Jim Phares - changing the ChainFile line to sf_intermediate.crt from Starfield's repository.
Updating sf_bundle.crt from GoDaddy's cert repository and Starfield's repository versions.

SSLCertificateChainFile /path/to/cert/sf_bundle.crt

Everything seemingly worked fine until the other night when I noticed the problem in OS X, I assume it's more browser version related, but have only been able to replicate it on that particular machine.

SSLCertificateKeyFile /path/to/cert/mysite.key

Installed using the instructions from GoDaddy's support pages.
Starfield Technologies Wildcard SSL certificate.
General LAMP setup - CentOS 6.3 - on a GoDaddy VPS.

The problem is that in certain browsers (Safari or the most-updated Chrome you can get for OS X 10.5.8 for example) the certificate comes up as untrusted, even on the root domain. I am at a loss as to what else I might try in order to debug this issue with a Starfield Wildcard SSL Certificate. O=Baltimore, C=IE Issuer: OU=Starfield Class 2 Certification Authority, O=Starfield Technologies, Inc., C=US Issuer: CN=Chambers of Commerce Root.