Intermediate SSL problem (Firefox only)

[jestep]

I had to reinstall a Verisign cert last week. After cleaning out a mess of old certs, keys and csr's I finally got the thing to install properly.

However, I get a "Website Certified by an Unknown Authority Error in Firefox".

Everything including the intermediate crt is installed correctly as far as I can tell and I get no error in any version of IE.

Here from the httpd.comf file:

Code:

<IfDefine SSL>
<VirtualHost IPADDRESS:443>
DocumentRoot /home/myuser/public_html
ServerName www.mysite.com
UserDir public_html

User myuser
Group mygroup
ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/

SSLEnable
SSLCertificateFile /usr/share/ssl/certs/www.mysite.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/www.mysite.com.key
SSLCACertificateFile /usr/share/ssl/certs/www.mysite.com.cabundle
SSLLogFile /usr/local/apache/domlogs/www.mysite.com-ssl_data_log
CustomLog /usr/local/apache/domlogs/www.mysite.com-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

The key matches the cert, and the cabundle is directly from Verisign.

Has anyone had a similar problem with getting a Verisign or other intermediate cert to work properly? I've reissued the thing twice and so far nothing has changed. It's like the intermediate cert isn't being sent even though it is installed.

When viewing the cert in firefox the Certificate Hierarchy only shows my domain. In internet explorer is shows Verisign Class 3 Public Primary CA -> Verisign Class 3 Secure Server CA -> My domain.

Any help on this would be greatly appreciated.

[karlos]

look at /usr/local/apache/domlogs/www.mysite.com-ssl_data_log

I had an

OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

If you have the same error when you acces to your https site with firefox, edit httpd.conf and try to use SSLCertificateChainFile instead of SSLCACertificateFile

SSLCertificateChainFile /usr/share/ssl/certs/www.mysite.com.cabundle

and restart apache.

[garingas]

This is an SMTP certificate issue.

Exim uses its own copy of the certificate in
/etc/exim.crt and
/etc/exim.key.

Edit the content of these files with a copy of the appropriate parts of your correct certificate and restart Exim (from WHM so SSL starts too!) and the issue will magically go away.

This is cPanel 10 knowledge; rumor has it that certs may change location in cPanel 11; you can always look at your Exim config under WHM->Service Configuration->Exim Configuration Editor->Advanced to figure out where it is looking for the certs. Search for tls_certificate.

Thanks!

[jrehmer]

This is an SMTP certificate issue.

Exim uses its own copy of the certificate in
/etc/exim.crt and
/etc/exim.key.

Edit the content of these files with a copy of the appropriate parts of your correct certificate and restart Exim (from WHM so SSL starts too!) and the issue will magically go away.

This is cPanel 10 knowledge; rumor has it that certs may change location in cPanel 11; you can always look at your Exim config under WHM->Service Configuration->Exim Configuration Editor->Advanced to figure out where it is looking for the certs. Search for tls_certificate.

Thanks!

I think you completely miss the point, we're not talking about Exim, we're talking about Apache.

[garingas]

You are completely correct on that one!

I saw Firefox and my brain mis-reported Thunderchicken so I thought it was the evil SMTP SSL warning issue.

I blurted the answer to the wrong question. Ack!

[curriertech]

Adding the "SSLCertificateChainFile /usr/share/ssl/certs/www.mysite.com.cabundle" line in httpd.conf seems to have fixed this for me.

[kdr]

Hi everyone,

I just spent an afternoon trying to figure out why Firefox was throwing up an ugly security alert on my site with a Starfield SSL certificate, claiming the certificate was from an "unknown authority".

I called Starfield and the tech support person was extremely helpful. She did some investigating and said that the problem stemmed from the intermediate certificate. She said that Starfield changed their intermediate certificate in February, and I could fix the problem by rekeying my certificate and installing the certificate and the new cabundle.

I followed her instructions, rekeyed the certificate, installed the cert and the cabundle via WHM, and it worked! No more ugly security warning in Firefox.

I am very pleased with the help that I received at Starfield.

I hope this information helps someone else who had the Firefox security alert problem. I would recommend you call Starfield and let them help you get it all sorted out.

Karen