
Intermediate SSL problem (Firefox only)

Discussion in 'General Discussion' started by jestep, May 22, 2007.

  1. jestep

    I had to reinstall a Verisign cert last week. After cleaning out a mess of old certs, keys and CSRs I finally got the thing to install properly.

    However, I get a "Website Certified by an Unknown Authority" error in Firefox.

    Everything including the intermediate crt is installed correctly as far as I can tell and I get no error in any version of IE.

    Here from the httpd.conf file:

    Code:
    <IfDefine SSL>
    <VirtualHost IPADDRESS:443>
    DocumentRoot /home/myuser/public_html
    ServerName www.mysite.com
    UserDir public_html
    
    User myuser
    Group mygroup
    ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/
    
    SSLEnable
    SSLCertificateFile /usr/share/ssl/certs/www.mysite.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/www.mysite.com.key
    SSLCACertificateFile /usr/share/ssl/certs/www.mysite.com.cabundle
    SSLLogFile /usr/local/apache/domlogs/www.mysite.com-ssl_data_log
    CustomLog /usr/local/apache/domlogs/www.mysite.com-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>
    </IfDefine>
    
    The key matches the cert, and the cabundle is directly from Verisign.

    Has anyone had a similar problem with getting a Verisign or other intermediate cert to work properly? I've reissued the thing twice and so far nothing has changed. It's like the intermediate cert isn't being sent even though it is installed.

    When viewing the cert in Firefox the Certificate Hierarchy only shows my domain. In Internet Explorer it shows Verisign Class 3 Public Primary CA -> Verisign Class 3 Secure Server CA -> My domain.

    Any help on this would be greatly appreciated.
     
  2. karlos

    problem with chained certificate

    Look at /usr/local/apache/domlogs/www.mysite.com-ssl_data_log

    I had an

    OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

    If you have the same error when you access your https site with Firefox, edit httpd.conf and try to use SSLCertificateChainFile instead of SSLCACertificateFile

    SSLCertificateChainFile /usr/share/ssl/certs/www.mysite.com.cabundle

    and restart Apache.
     
  3. garingas

    Copy the cert into exim.crt and exim.key

    This is an SMTP certificate issue.

    Exim uses its own copy of the certificate in
    /etc/exim.crt and
    /etc/exim.key.

    Edit the content of these files with a copy of the appropriate parts of your correct certificate and restart Exim (from WHM so SSL starts too!) and the issue will magically go away.

    This is cPanel 10 knowledge; rumor has it that certs may change location in cPanel 11; you can always look at your Exim config under WHM->Service Configuration->Exim Configuration Editor->Advanced to figure out where it is looking for the certs. Search for tls_certificate.

    Thanks!
     
  4. jrehmer

    I think you completely miss the point; we're not talking about Exim, we're talking about Apache.
     
  5. garingas

    I missed the boat!

    You are completely correct on that one!

    I saw Firefox and my brain mis-reported Thunderchicken so I thought it was the evil SMTP SSL warning issue.

    I blurted the answer to the wrong question. Ack!
     
  6. curriertech

    Adding the "SSLCertificateChainFile /usr/share/ssl/certs/www.mysite.com.cabundle" line in httpd.conf seems to have fixed this for me. :)
     
    #6 curriertech, Jul 19, 2007
    Last edited: Jul 19, 2007
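
A way to check what the replies above describe, namely whether Apache actually sends the intermediate certificate with the leaf, written as an added example (not from any poster in this thread). It classifies the "Certificate chain" section of `openssl s_client` output; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Live usage (needs network), fed straight into the classifier:
#   openssl s_client -connect www.mysite.com:443 </dev/null 2>/dev/null | chain_status

# chain_status: read s_client output on stdin and print one of
#   none        - no certificate chain entries found
#   leaf-only   - one cert sent and its issuer differs from its subject,
#                 i.e. the intermediate is NOT being sent by the server
#   self-signed - one cert sent, issuer equals subject
#   chain-sent  - the server sent the leaf plus at least one more cert
chain_status() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^ *[0-9]+ s:/ {
            n++
            sub(/^ *[0-9]+ s:/, "")
            if (n == 1) subj = $0
            next
        }
        in_chain && /^ +i:/ {
            sub(/^ +i:/, "")
            if (n == 1) issuer = $0
            next
        }
        # A bare "---" line ends the section (PEM "-----BEGIN" lines do not).
        in_chain && /^---$/ { in_chain = 0 }
        END {
            if (n == 0)      print "none"
            else if (n > 1)  print "chain-sent"
            else if (subj == issuer) print "self-signed"
            else             print "leaf-only"
        }'
}

# Constructed sample: what a server without a chain file would present.
sample_leaf_only() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:/CN=www.mysite.com' \
        '   i:/CN=Verisign Class 3 Secure Server CA' '---'
}

# Constructed sample: the same server once the intermediate is sent too.
sample_with_chain() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:/CN=www.mysite.com' \
        '   i:/CN=Verisign Class 3 Secure Server CA' \
        ' 1 s:/CN=Verisign Class 3 Secure Server CA' \
        '   i:/CN=Verisign Class 3 Public Primary CA' '---'
}
```

A `leaf-only` result matches the symptom in the first post, where Firefox's Certificate Hierarchy shows only the site's own certificate.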
  7. kdr

    Hi everyone,

    I just spent an afternoon trying to figure out why Firefox was throwing up an ugly security alert on my site with a Starfield SSL certificate, claiming the certificate was from an "unknown authority".

    I called Starfield and the tech support person was extremely helpful. She did some investigating and said that the problem stemmed from the intermediate certificate. She said that Starfield changed their intermediate certificate in February, and I could fix the problem by rekeying my certificate and installing the certificate and the new cabundle.

    I followed her instructions, rekeyed the certificate, installed the cert and the cabundle via WHM, and it worked! No more ugly security warning in Firefox.

    I am very pleased with the help that I received at Starfield.

    I hope this information helps someone else who had the Firefox security alert problem. I would recommend you call Starfield and let them help you get it all sorted out.

    Karen
     