A few computers, but not most, are rejecting the SSL certificate from my webserver. The problem seems to be that some computers are rejecting the CA certs. The problem seems to be manifesting on Mac OS X 10.6 when it is not fully updated.
According to http://www.sslshopper.com/index.php?q=ssl-checker.html#hostname=beta.asana.com -- there's no problem.
According to http://certlogik.com/sslchecker/, there's no intermediate certs being sent down.
My cert is from Starfield Technologies, and I'm using sf_bundle.crt from here: certs.godaddy.com/anonymous/repository.seam
I'm handling SSL on my server via stunnel with the following stunnel.conf:
cert = $CODEZ/admin/production/proxy/asana.pem
CAfile = $CODEZ/admin/production/proxy/sf_bundle.crt
pid =
client = no
[<forwarded port>]
accept = 443
connect = 8443
Any ideas what I could be doing wrong?
The
CAFileoption configures a CA to use for client authentication certificates; this isn't what you want.Instead, you want to craft the file in the
certoption to contain the entire applicable certificate chain. You'll want to save a backup copy of that file, then make a new one; basically combining the two files, formatted like this:This will force stunnel to present the full certificate chain to clients.
One further tidbit; the
openssl s_clientcommand is very useful for testing certificate chain issues and checking how your service is presenting its certificates.Edit: Ok.. that certificate bundle's chain is three-deep, but the trust chain looks two-deep. Something's not right.
The top certificate ("Starfield Secure Certification Authority") is signed by an issuer named "Starfield Class 2 Certification Authority" with a thumbprint starting with
ad7e1c28.. but the second cert in the bundle, named exactly the same as the first cert's signer, which should be the exact same certificate, has a thumbprint starting with363e4734, and an expiration date 10 years earlier. Then the third (root) cert is the signer of the included intermediate cert.. but neither of those two has any relation to the first one!If that didn't make sense, don't worry. Summary: sloppy work, someone seriously dropped the ball building this cert bundle. Your best bet, then, is to export the files in base-64 format from a browser that's successfully validating the chain, pasting them into the format that I listed from there.
Since that's a confusing mess through no fault of your own, I took a guess at your DNS name and grabbed the cert, and I think this should be the full chain you need: http://pastebin.com/Lnr3WHc8
Qualys SSLLabs is really handy for checking your configuration after changes.
https://www.ssllabs.com/ssldb/analyze.html
Checks that you've got
For anyone else facing this problem, Shane's post did the trick, although I also had to include the CAFile. Also when creating the chain, make sure you follow the file naming instructions as per this article
And if you're facing this problem bc you're trying to use websockets with android cordova, be sure to manually add wss to your cordova-whitelist stuff, as the * only includes http and https.