I've installed a new SSL certificate using SHA2 hashing instead of SHA1. My chain checks out using these online verifiers:
However this one tells me it can't find the Root CA:
How do I fix this?
Edit: Derp, here's the URL: secure.symt.us
This is on Apache2 on CentOS.
I have followed GoDaddy's setup instructions to the letter and restarted the server.
Edit 2, apache vhost conf:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt
==== [SOLVED] ====
The problem turned out to be that my vhost was defined as <VirtualHost *:443>. Changing it to the server's IP address, <VirtualHost xx.xx.xx.xx:443>, fixed it.
There was a catch-all default <VirtualHost _default_:443>, albeit without an SSLCertificateChainFile directive. Grepping /etc/httpd for SSLCertificateChainFile returned only my directive.
Perhaps Apache has its own default SSLCertificateChainFile internally and refused to send mine when configured as *:443?
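A small config check for the layout described in the [SOLVED] edit above, as an added example that is not part of the original post: it reports SSL-enabled vhosts with no SSLCertificateChainFile and ports where more than one catch-all vhost (`*` or `_default_`) is defined. The function names and the sample config are constructed for illustration; the `_default_` block's certificate path is an assumption.

```python
import re

# Constructed sample modelled on the question: a catch-all _default_ vhost with
# no chain file, plus the asker's *:443 vhost. The localhost.crt path is assumed.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(\S+)", re.M | re.I)

def parse_vhosts(conf):
    """Return [(address_spec, {ssl_directive: value})] per VirtualHost block."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop comment lines
    return [(addr.strip(), {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)})
            for addr, body in VHOST_RE.findall(conf)]

def audit(conf):
    """List SSL vhosts lacking a chain file and ports with several catch-alls."""
    findings, catch_all = [], {}
    for addr, d in parse_vhosts(conf):
        if d.get("sslengine", "").lower() != "on":
            continue
        if "sslcertificatechainfile" not in d:
            findings.append(f"{addr}: SSL enabled but no SSLCertificateChainFile")
        for spec in addr.split():  # a vhost may list several addresses
            host, _, port = spec.rpartition(":")
            if host in ("*", "_default_"):
                catch_all.setdefault(port, []).append(spec)
    for port, specs in catch_all.items():
        if len(specs) > 1:
            findings.append(f"port {port}: overlapping catch-all vhosts {', '.join(specs)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

To run it against a real server, pass the concatenated contents of the files under /etc/httpd to `audit()`.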
You're missing the certificate chain. Follow GoDaddy's instructions and make sure you install their intermediate certificates (commonly called a chain, or a bundle as well).
GoDaddy supports Internet Censorship. You should seriously reconsider funding them. Especially when you can get SSL Certificates for Free.
For Apache 2.2.x, you need all three of the following (for a standard configuration)
You're likely missing that last one.
Your server is not properly configured to send the required intermediate certificate. See this answer for a more detailed description of why this is a problem, and why you (or even some SSL verifiers) may not notice it during testing.
The missing certificate in your case is http://certificates.godaddy.com/repository/gdig2.crt.
The SSL Labs online test shows this problem as a warning (and, BTW, finds several other problems with your server configuration).
I have the same trouble: when I view the site on Android, the page shows a certificate error. I tested the page with https://www.sslshopper.com/ssl-checker.html and the chain is broken. After a few tests I used this certificate, http://certificates.godaddy.com/repository/gdig2.crt, as the intermediate certificate for the SSLCertificateChainFile property. All my hosts are configured with and And this works perfectly.
The problem took me hours of work. I had a wildcard certificate from GlobalSign; see www.unfallkassesachsn.de. My mistake: I configured SSL ... File in vhosts.d. After doing this in ssl-global.conf I got an A from Qualys.