[Novalug] problem with new ssl certificate

Derek LaHousse dlahouss@mtu.edu
Wed Apr 15 18:46:57 EDT 2015


On April 15, 2015 5:57:58 PM EDT, John Covici via Novalug <novalug@firemountain.net> wrote:
>Because the one from ssl.com does not have the problem -- only the one
>from Network solutions had the problem.
>
>Keith Howell via Novalug <novalug@firemountain.net> wrote:
>
>> I would say this is a client side problem.
>> 
>> Your server certificate has been signed by "ssl.com" CA.
>> 
>> If the browser in question does not have this root certificate in their
>> trust store, then you will get an error.
>> 
>> What platform are the clients on? If it is Windows, then Firefox has its
>> own internal cert store. If it is Chrome, then it uses the Windows
>> certificate store.
>> 
>> Make sure your client web browsers are up to date. I just connected to
>> your website with no problem.
>> 
>> To check the trust chain, then just click on the SSL padlock icon on the
>> browser.
>> 
>> 
>> --
>> Keith
>> 
>> 
>> 
>> On 04/15/2015 01:59 AM, covici--- via Novalug wrote:
>> > Hi.  I am running Apache 2.4 and when I renewed my ssl certificate
>> > purchased from Network Solutions, some versions of Firefox and possibly
>> > Google Chrome are having troubles connecting to my owncloud site.
>> > Network Solutions gives you 3 files to download, the actual certificate,
>> > an intermediate file called NetworkSolutionsDVServerCA.crt and a bundle
>> > called AddTrustExternalCARoot.crt .  Now what I have in the
>> > SSLCertificateChainFile directive is a concatenation of the last two
>> > files.  Now what I get if I use the s_client from openssl client is the
>> > following:
>> > CONNECTED(00000003)
>> > depth=1 C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions DV Server CA 2
>> > verify error:num=20:unable to get local issuer certificate
>> > 
>> > So how can I fix this, or should I get an ssl cert from somewhere else?
>> > 
>> > Any assistance would be appreciated.
>> > 
>> > 

But the one from Network Solutions didn't have the problem in Firefox, just in openssl.  There's no reason you couldn't build the chain, just you might have needed to cast about on Google for the proper certs.

The SSL cert from NetSol was pretty good, with a SHA-256 sig.  But beyond that, why'd you buy a cert at all?  To whom are you hosting data?  If it's just you, you can do better than $50 security from a public CA.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
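
Added example, not part of the thread: a shell sketch that builds a constructed root / intermediate / leaf set (all names and files are made up) and reproduces the `error 20` reading at depth 0 and at depth 1 with `openssl verify`. Here `-untrusted` stands in for what the server sends through SSLCertificateChainFile and `-CAfile` for the client's trust store; it assumes OpenSSL 1.1.0 or later for `-no-CAfile` and `-no-CApath`.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf. Nothing here is a real CA.
new_csr() {  # $1 = dir, $2 = file stem, $3 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = empty working directory
    # CA certificates must carry basicConstraints CA:TRUE or verification rejects them.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    new_csr "$1" root  "Demo Root CA"
    new_csr "$1" inter "Demo DV Server CA"
    new_csr "$1" leaf  "cloud.example.test"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
        -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Runs `openssl verify` with the given options.
# Prints "OK", or the first "error N at D depth" it reports.
first_verify_error() {
    out=$(openssl verify "$@" 2>&1) && { echo OK; return 0; }
    err=$(printf '%s\n' "$out" |
          sed -n 's/^\(error [0-9][0-9]* at [0-9][0-9]* depth\).*/\1/p' | head -n 1)
    echo "${err:-verify failed}"
}

demo=$(mktemp -d)
build_demo_pki "$demo"

# Server sends no intermediate; client trusts the root: chain breaks at the leaf.
echo "no intermediate sent : $(first_verify_error -CAfile "$demo/root.pem" "$demo/leaf.pem")"

# Server sends the intermediate; client has no trust store: chain breaks at
# depth 1, the same depth as in the s_client output quoted above.
echo "no root on the client: $(first_verify_error -no-CAfile -no-CApath \
    -untrusted "$demo/inter.pem" "$demo/leaf.pem")"

# Intermediate sent and root trusted: the chain completes.
echo "complete chain       : $(first_verify_error -CAfile "$demo/root.pem" \
    -untrusted "$demo/inter.pem" "$demo/leaf.pem")"

rm -rf "$demo"
```

The depth in the error tells you which link is missing: depth 0 means the verifier could not find the leaf's issuer, depth 1 means it had the intermediate but no trusted issuer for it.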
